CDH | KMS plugins | Promote the way of reading KMS credentials #413

Open
Xynnn007 opened this issue Dec 15, 2023 · 1 comment
@Xynnn007
Member

We are now using KMS plugins like aliyun to unseal secrets. However, to connect to a KMS server, we often need the credentials. We now have a workaround for CDH to assume that the credentials are located at the filesystem under /run, s.t.

This would have some shortcomings:

  1. Side effects from reading the filesystem without letting lib users know
  2. Users must put the credentials under the specific path to let the plugin code work

Here are some options to resolve this:

  1. Still use the filesystem to read credentials, but use an env to specify where the credentials are stored. If the env is not set, the plugin instance will fail to initialize.
  2. Directly use an env to store the credential.

I must ignore some better ways. Please feel free to share your ideas.

@Xynnn007 Xynnn007 changed the title CDH | KMS plugins | Abondon reading KMS credentials from filesystem CDH | KMS plugins | Promote the way of reading KMS credentials Dec 15, 2023
@Xynnn007
Member Author

After we have a practical init-data mechanism, we can use a configuration file to configure the ProviderSettings.

Xynnn007 added a commit to Xynnn007/guest-components that referenced this issue Jan 19, 2024
Related to confidential-containers#413. Before this commit, we will read credentials from local
filesystem for eHSM KMS plugin. This would make unexpected side effects.
We now read them from the env, which will not spread side effects.

There are two envs that will be used:
- EHSM_API_KEY: API key of the eHSM instance
- EHSM_APP_ID: Application Id to the eHSM instance
- EHSM_ENDPOINT: HTTP/HTTPS address to the eHSM service

Signed-off-by: Xynnn007 <[email protected]>
Xynnn007 added a commit to Xynnn007/guest-components that referenced this issue Jan 19, 2024
Related to confidential-containers#413. Before this commit, we will read credentials from local
filesystem for aliyun KMS plugin. This would make unexpected side
effects. We now read them from the env, which will not spread side
effects.

There are some envs that will be used.

If the `client_type` is `client_key`:
- `ALIYUN_CLIENT_KEY`: Aliyun KMS client key
- `ALIYUN_PASSWORD`: The password of Aliyun KMS client key
- `ALIYUN_KMS_INSTANCE_CERT`: The public key cert to KMS instance

If the `client_type` is `ecs_ram_role`:
- `ALIYUN_ECS_RAM_ROLE`: The ECS RAM Role name on Aliyun
- `ALIYUN_REGION_ID`: ECS Instance region id

Signed-off-by: Xynnn007 <[email protected]>
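
The env-based lookup the aliyun commit message describes, as an added example that is not code from guest-components: each `client_type` requires its own variables, a missing or empty one fails initialization (the fail-closed behaviour option 1 of the issue proposes), and `Debug` output redacts the secret fields. The type and function names are hypothetical; only the variable names and `client_type` values come from the page.

```rust
use std::env;

// Hypothetical type; only the env names and `client_type` values are from the page.
#[derive(PartialEq)]
pub enum AliyunCredentials {
    ClientKey { client_key: String, password: String, kms_instance_cert: String },
    EcsRamRole { role_name: String, region_id: String },
}

// Keep secret material out of logs and panic messages.
impl std::fmt::Debug for AliyunCredentials {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        match self {
            Self::ClientKey { .. } => write!(f, "ClientKey {{ <redacted> }}"),
            Self::EcsRamRole { role_name, region_id } => {
                write!(f, "EcsRamRole {{ role_name: {role_name:?}, region_id: {region_id:?} }}")
            }
        }
    }
}

/// `get` abstracts the lookup so tests need not touch the process environment.
pub fn load_aliyun_credentials(
    client_type: &str,
    get: impl Fn(&str) -> Option<String>,
) -> Result<AliyunCredentials, String> {
    let need = |name: &str| {
        get(name)
            .filter(|v| !v.trim().is_empty()) // an empty value counts as unset
            .ok_or_else(|| format!("{name} is not set; refusing to initialize"))
    };
    match client_type {
        "client_key" => Ok(AliyunCredentials::ClientKey {
            client_key: need("ALIYUN_CLIENT_KEY")?,
            password: need("ALIYUN_PASSWORD")?,
            kms_instance_cert: need("ALIYUN_KMS_INSTANCE_CERT")?,
        }),
        "ecs_ram_role" => Ok(AliyunCredentials::EcsRamRole {
            role_name: need("ALIYUN_ECS_RAM_ROLE")?,
            region_id: need("ALIYUN_REGION_ID")?,
        }),
        other => Err(format!("unknown client_type {other:?}")),
    }
}

fn main() {
    // Real use: look the variables up in the process environment.
    println!("{:?}", load_aliyun_credentials("ecs_ram_role", |k| env::var(k).ok()));
}
```

Environment variables are inherited by child processes and, on Linux, readable through `/proc/<pid>/environ` by the same user, so the process that sets them should scope them to the CDH process only.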
Xynnn007 added a commit to Xynnn007/guest-components that referenced this issue Jan 19, 2024
Related to confidential-containers#413. KBS client will also read parameters from env,
including:

- KBC_NAME: The KBC name, i.e. `cc_kbc`, `offline_fs_kbc` or
`online_sev_kbc`
- KBS_URL: The url of KBS
- KBS_PUBLICKEY_CERT: The public key cert of KBS

Signed-off-by: Xynnn007 <[email protected]>
Xynnn007 added a commit to Xynnn007/guest-components that referenced this issue Jan 20, 2024
Xynnn007 added a commit to Xynnn007/guest-components that referenced this issue Jan 20, 2024
Xynnn007 added a commit to Xynnn007/guest-components that referenced this issue Jan 20, 2024
Xynnn007 added a commit to Xynnn007/guest-components that referenced this issue Jan 20, 2024
Xynnn007 added a commit to Xynnn007/guest-components that referenced this issue Jan 20, 2024
Xynnn007 added a commit to Xynnn007/guest-components that referenced this issue Jan 22, 2024
Xynnn007 added a commit to Xynnn007/guest-components that referenced this issue Jan 22, 2024