add huaweicloud kms as the seal wrapper #8590
d17bacc to 88c0a2e
Please do not merge until the configutil branch is merged and this is updated to the new paradigm.
@jefferai Is the configutil branch merged? Thanks!!!
Not yet. See #8362 to track.
@zengchen1024 - FYI, Jeff's configutil branch was merged
@pbernal thanks
88c0a2e to a11e9e6
a11e9e6 to f76e054
@jefferai Could you take a look at this PR? Thanks!!!
@jefferai Can you please have a look at this when you get time, thanks!
Hello, we would like to use this one as Vault users. Is there any progress?
@antonin-a I think it just needs a rebase
Hi there, do you have any news regarding this feature? Actually we really do need this, thanks a lot for your kind help.
@osaluden I will try
Hi folks! I wanted to give a quick update. We haven't forgotten about this PR, and we're discussing internally within the engineering team about the support this PR needs and other work that may need to occur with it. I'll be sure to check in again on it, and please feel free to reach out in the future if you haven't heard from me in a while. Thanks for your patience!
Hello! Due to our lack of ability to test this change, we would prefer not to be the maintainers for this. However, please feel free to fork the project and implement it for yourself as needed. Thanks for understanding!
Just a note -- the upstream go-kms-wrapper lib is undergoing large changes to allow wrappers to be built as plugins. Once that happens, if Vault is updated to support these plugins, you'll be able to provide them as plugin binaries without having to fork Vault. So there's a way forward, depending on Vault's overall roadmap.
Thanks, @jefferai! Appreciate the info. :)
Thank you for your feedback, dealing with the plugin way is indeed a good choice :)
Hi,
diff --git a/go.mod b/go.mod
index 91b6f9b96b..6cdc218848 100644
--- a/go.mod
+++ b/go.mod
@@ -72,6 +72,7 @@ require (
github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v2 v2.0.1
github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault/v2 v2.0.1
github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms/v2 v2.0.1
+ github.com/hashicorp/go-kms-wrapping/wrappers/huaweicloudkms/v2 v2.0.0
github.com/hashicorp/go-kms-wrapping/wrappers/ocikms/v2 v2.0.0
github.com/hashicorp/go-kms-wrapping/wrappers/transit/v2 v2.0.1
github.com/hashicorp/go-memdb v1.3.3
@@ -324,6 +325,7 @@ require (
github.com/hashicorp/vic v1.5.1-0.20190403131502-bbfe86ec9443 // indirect
github.com/hashicorp/yamux v0.0.0-20211028200310-0bc27b27de87 // indirect
github.com/huandu/xstrings v1.3.2 // indirect
+ github.com/huaweicloud/golangsdk v0.0.0-20210831081626-d823fe11ceba // indirect
github.com/imdario/mergo v0.3.13 // indirect
github.com/jackc/chunkreader/v2 v2.0.1 // indirect
github.com/jackc/pgconn v1.11.0 // indirect
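Review bot: the new indirect dependency `github.com/huaweicloud/golangsdk v0.0.0-20210831081626-d823fe11ceba` is a pseudo-version, i.e. an untagged commit rather than a released version; it is pinned by its go.sum hash, but from a supply-chain review standpoint it is worth checking whether the wrapper can depend on a tagged release of the SDK, or recording in the PR why this specific commit is required.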
diff --git a/go.sum b/go.sum
index 0b119fd3ea..53f160fdf8 100644
--- a/go.sum
+++ b/go.sum
@@ -984,6 +984,8 @@ github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault/v2 v2.0.1 h1:6joKpqC
github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault/v2 v2.0.1/go.mod h1:sDmsWR/W2LqwU217o32RzdHMb/FywGLF72PVIhpZ3hE=
github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms/v2 v2.0.1 h1:+paf/3ompzaXe07BdxkV1vTnqvhwtmZPE4yQnMPTThI=
github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms/v2 v2.0.1/go.mod h1:YRtkersQ2N3iHlPDG5B3xBQtBsNZ3bjmlCwnrl26jVE=
+github.com/hashicorp/go-kms-wrapping/wrappers/huaweicloudkms/v2 v2.0.0 h1:VUJDNM4Y6glGLm/LmaYuQSctuCCenQP1QjuEpFZNbk8=
+github.com/hashicorp/go-kms-wrapping/wrappers/huaweicloudkms/v2 v2.0.0/go.mod h1:8BmhljC25aLYilAe9Md1Sr6ocu/ViY1bgUO1DrQzhP0=
github.com/hashicorp/go-kms-wrapping/wrappers/ocikms/v2 v2.0.0 h1:FnWV2E0NLj+yYdhToUQjU81ayCMgURiL2WbJ0V7u/XY=
github.com/hashicorp/go-kms-wrapping/wrappers/ocikms/v2 v2.0.0/go.mod h1:17twrc0lM8IpfGqIv69WQvwgDiu3nRwWlk5YfCSQduY=
github.com/hashicorp/go-kms-wrapping/wrappers/transit/v2 v2.0.1 h1:72zlIBTJd2pvYmINqotpvcI4ZXLxhRq2cVPTuqv0xqY=
@@ -1156,6 +1158,8 @@ github.com/hashicorp/yamux v0.0.0-20211028200310-0bc27b27de87/go.mod h1:CtWFDAQg
github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
github.com/huandu/xstrings v1.3.2 h1:L18LIDzqlW6xN2rEkpdV8+oL/IXWJ1APd+vsdYy4Wdw=
github.com/huandu/xstrings v1.3.2/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
+github.com/huaweicloud/golangsdk v0.0.0-20210831081626-d823fe11ceba h1:KFikP/B8lypq9FTWlxm366g0hVsnLBIV6EwAS4SQcKw=
+github.com/huaweicloud/golangsdk v0.0.0-20210831081626-d823fe11ceba/go.mod h1:fcOI5u+0f62JtJd7zkCch/Z57BNC6bhqb32TKuiF4r0=
github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
diff --git a/internalshared/configutil/kms.go b/internalshared/configutil/kms.go
index 78da77662b..51e9937270 100644
--- a/internalshared/configutil/kms.go
+++ b/internalshared/configutil/kms.go
@@ -15,6 +15,7 @@ import (
"github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v2"
"github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault/v2"
"github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms/v2"
+ "github.com/hashicorp/go-kms-wrapping/wrappers/huaweicloudkms/v2"
"github.com/hashicorp/go-kms-wrapping/wrappers/ocikms/v2"
"github.com/hashicorp/go-kms-wrapping/wrappers/transit/v2"
"github.com/hashicorp/go-multierror"
@@ -193,6 +194,9 @@ func configureWrapper(configKMS *KMS, infoKeys *[]string, info *map[string]strin
case wrapping.WrapperTypePkcs11:
return nil, fmt.Errorf("KMS type 'pkcs11' requires the Vault Enterprise HSM binary")
+ case wrapping.WrapperTypeHuaweiCloudKms:
+ wrapper, kmsInfo, err = GetHuaweiCloudKMSFunc(configKMS, opts...)
+
default:
return nil, fmt.Errorf("Unknown KMS type %q", configKMS.Type)
}
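Review bot: `wrapping.WrapperTypeHuaweiCloudKms` must be defined in the version of the core `go-kms-wrapping/v2` module that Vault already pins; the go.mod hunks above add only the `huaweicloudkms/v2` wrapper module and `golangsdk`, so please confirm the constant exists at that version or bump the core module in the same change. Minor style point: the blank `+` line between the new case and `default:` does not match the neighbouring cases and can be dropped.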
@@ -342,6 +346,29 @@ var GetTransitKMSFunc = func(kms *KMS, opts ...wrapping.Option) (wrapping.Wrappe
return wrapper, info, nil
}
+var GetHuaweiCloudKMSFunc = func(kms *KMS, opts ...wrapping.Option) (wrapping.Wrapper, map[string]string, error) {
+ wrapper := huaweicloudkms.NewWrapper()
+ wrapperInfo, err := wrapper.SetConfig(context.Background(), wrapping.WithConfigMap(kms.Config))
+ if err != nil {
+ // If the error is any other than logical.KeyNotFoundError, return the error
+ if !errwrap.ContainsType(err, new(logical.KeyNotFoundError)) {
+ return nil, nil, err
+ }
+ }
+ info := make(map[string]string)
+ if wrapperInfo != nil {
+ info["HuaweiCloud KMS Region"] = wrapperInfo.Metadata["region"]
+ info["HuaweiCloud KMS Project"] = wrapperInfo.Metadata["project"]
+ info["HuaweiCloud KMS Access Key"] = wrapperInfo.Metadata["access_key"]
+ info["HuaweiCloud KMS Secret Key"] = wrapperInfo.Metadata["secret_key"]
+ info["HuaweiCloud KMS KeyID"] = wrapperInfo.Metadata["kms_key_id"]
+ if endpoint, ok := wrapperInfo.Metadata["identity_endpoint"]; ok {
+ info["HuaweiCloud KMS Identity Endpoint"] = endpoint
+ }
+ }
+ return wrapper, info, nil
+}
+
func createSecureRandomReader(conf *SharedConfig, wrapper wrapping.Wrapper) (io.Reader, error) {
return rand.Reader, nil
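Review bot: `info["HuaweiCloud KMS Secret Key"] = wrapperInfo.Metadata["secret_key"]` places the secret access key into the info map that `configureWrapper` hands back through its `infoKeys`/`info` parameters, which is what Vault prints as its startup information, so the seal's long-lived credential would end up in server output and logs; drop the `secret_key` entry (and preferably `access_key` as well), keeping region, project, key ID and identity endpoint. Second, `GetHuaweiCloudKMSFunc` accepts `opts ...wrapping.Option` but never passes them on: `wrapper.SetConfig(context.Background(), wrapping.WithConfigMap(kms.Config))` should be `wrapper.SetConfig(context.Background(), append(opts, wrapping.WithConfigMap(kms.Config))...)` so that options supplied by the caller take effect.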
}
And associated doc:
diff --git a/website/content/docs/configuration/seal/huaweicloudkms.mdx b/website/content/docs/configuration/seal/huaweicloudkms.mdx
new file mode 100644
index 0000000..42ce637
--- /dev/null
+++ b/website/content/docs/configuration/seal/huaweicloudkms.mdx
@@ -0,0 +1,95 @@
+---
+layout: docs
+page_title: HuaweiCloud KMS - Seals - Configuration
+description: |-
+ The HuaweiCloud KMS seal configures Vault to use HuaweiCloud KMS as the seal wrapping
+ mechanism.
+---
+
+# `huaweicloudkms` Seal
+
+-> **Note:** The Seal Wrap functionality is enabled by default. For this reason, the KMS service must be available throughout Vault's runtime and not just during the unseal process. Refer to the [Seal Wrap](/docs/enterprise/sealwrap) documenation for more information.
+
+The HuaweiCloud KMS seal configures Vault to use HuaweiCloud KMS as the seal wrapping mechanism.
+The HuaweiCloud KMS seal is activated by one of the following:
+
+- The presence of a `seal "huaweicloudkms"` block in Vault's configuration file
+- The presence of the environment variable `VAULT_SEAL_TYPE` set to `huaweicloudkms`. If
+ enabling via environment variable, all other required values specific to HuaweiCloud
+ KMS (i.e. `VAULT_HUAWEICLOUDKMS_SEAL_KEY_ID`) must be also supplied, as well as all
+ other HuaweiCloud-related environment variables that lends to successful
+ authentication (i.e. `HUAWEICLOUD_ACCESS_KEY`, etc.).
+
+## `huaweicloudkms` Example
+
+This example shows configuring HuaweiCloud KMS seal through the Vault configuration file
+by providing all the required values:
+
+```hcl
+seal "huaweicloudkms" {
+ region = "eu-west-0"
+ project = "eu-west-0"
+ access_key = "0wNEpMNlzy7szvbi"
+ secret_key = "PumkTg9jdmau1cXxYacgE736PJj4cA"
+ kms_key_id = "18c35a6f-4e0a-4a1b-a9fa-7dfab1d4fa73"
+ identity_endpoint = "https://iam.eu-west-0.prod-cloud-ocb.orange-business.com/v3"
+}
+```
+
+## `huaweicloudkms` Parameters
+
+These parameters apply to the `seal` stanza in the Vault configuration file:
+
+- `region` `(string: <required> "cn-north-1")`: The HuaweiCloud region where the encryption key
+lives. May also be specified by the `HUAWEICLOUD_REGION`
+environment variable.
+
+- `project` `(string: <required> "cn-north-1")`: The HuaweiCloud project where the encryption key
+lives. May also be specified by the `HUAWEICLOUD_PROJECT`
+environment variable.
+
+- `access_key` `(string: <required>)`: The HuaweiCloud access key ID to use. May also be
+specified by the `HUAWEICLOUD_ACCESS_KEY` environment variable.
+
+- `secret_key` `(string: <required>)`: The HuaweiCloud secret access key to use. May
+also be specified by the `HUAWEICLOUD_SECRET_KEY` environment variable.
+
+- `kms_key_id` `(string: <required>)`: The HuaweiCloud KMS key ID to use for encryption
+and decryption. May also be specified by the `VAULT_HUAWEICLOUDKMS_SEAL_KEY_ID`
+environment variable.
+
+- `identity_endpoint` `(string: "")`: The KMS API endpoint to be used to make HuaweiCloud KMS
+ requests. May also be specified by the `HUAWEICLOUD_IDENTITY_ENDPOINT` environment
+ variable. This is useful, for example, when connecting to KMS over a [VPC
+ Endpoint](https://docs.aws.amazon.com/kms/latest/developerguide/kms-vpc-endpoint.html).
+ If not set, Vault will use the default API endpoint for your region.
+
+Refer to the [Seal Migration](/docs/concepts/seal#seal-migration) documentation for more information about the seal migration process.
+
+## Authentication
+
+Authentication-related values must be provided, either as environment
+variables or as configuration parameters.
+
+~> **Note:** Although the configuration file allows you to pass in
+`HUAWEICLOUD_ACCESS_KEY` and `HUAWEICLOUD_SECRET_KEY` as part of the seal's parameters, it
+is _strongly_ recommended to set these values via environment variables.
+
+```text
+HuaweiCloud authentication values:
+* `HUAWEICLOUD_REGION`
+* `HUAWEICLOUD_PROJECT`
+* `HUAWEICLOUD_ACCESS_KEY`
+* `HUAWEICLOUD_SECRET_KEY`
+```
+
+## `huaweicloudkms` Environment Variables
+
+Alternatively, the HuaweiCloud KMS seal can be activated by providing the following
+environment variables:
+
+```text
+Vault Seal specific values:
+* `VAULT_SEAL_TYPE`
+* `VAULT_HUAWEICLOUDKMS_SEAL_KEY_ID`
+```
Cheers
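Review bot: the `hcl` example in the new doc page embeds realistic-looking `access_key` and `secret_key` values; docs get copied into real configs and scraped by secret scanners, so replace them with obviously fake placeholders such as `access_key = "<your-access-key>"`. Also in this hunk: the `identity_endpoint` paragraph links to the AWS KMS VPC endpoint guide (`docs.aws.amazon.com/kms/...`), which is the wrong vendor for a HuaweiCloud page; `region` and `project` are documented as `(string: <required> "cn-north-1")`, which states both a default and `<required>`, so pick one; the Authentication note says the config file lets you pass in `HUAWEICLOUD_ACCESS_KEY` and `HUAWEICLOUD_SECRET_KEY`, but the file parameters are `access_key` and `secret_key` (the upper-case names are the environment variables); and "documenation" and "lends to" should read "documentation" and "lend to".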
Hello, what is the status here? Is there a way to accept the pull request or the path from @atefhaloui?
Hi,
No description provided.