Releases: minio/kes
Release 2024-04-12T13-50-00Z
Release Notes
Release 2024-04-12T13-50-00Z
is a bugfix release that fixes bugs in cache garbage collection.
Before, the KES server did not expire cache entries correctly when offline caching was enabled. In particular, it did not honor the
offline expiry in all cases.
What's Changed
- fix: typos, upgrade linter and CI go-version by @harshavardhana in #456
- vault: improve Vault API interaction by @aead in #458
- Remove 'rm' from list by @ramondeklein in #457
- set cache default values as documented by @aead in #460
New Contributors
- @ramondeklein made their first contribution in #457
Full Changelog: 2024-03-28T12-56-37Z...2024-04-12T13-50-00Z
Release 2024-03-28T12-56-37Z
Release Notes
Release 2024-03-13T17-52-13Z
is a bugfix release that fixes bugs in the Gemalto/Thales and Fortanix backends.
What's Changed
- Update client.go (#454)
- keystore: use pre-configured client for {Gemalto,Fortanix} status check (#455)
Full Changelog: 2024-04-12T13-50-00Z...2024-03-28T12-56-37Z
Release 2024-03-13T17-52-13Z
Release Notes
Release 2024-03-13T17-52-13Z
is a bugfix release that fixes two issues:
- PR #451 fixes a resource leak in the AWS, GCP, Fortanix and Gemalto backend that can cause OOM issues.
- PR #453 fixes an authentication issue that can cause connection failures: the server "just" requested, but did not demand, a client certificate. Hence, clients might not send one, causing authentication to fail. Now, the KES server requires a client certificate.
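The difference between requesting and requiring a client certificate, shown with Go's crypto/tls client-auth policies as an added example (not KES code): a client that presents no certificate completes the handshake under RequestClientCert but is rejected under RequireAnyClientCert. The throwaway certificate, the in-memory pipe and the serverAccepts helper are constructed for this example; which policy KES uses internally is not stated in these notes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway ECDSA server certificate (constructed for this
// example, not a KES-issued one; errors are ignored for the throwaway key).
func selfSigned() tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// serverAccepts runs one in-memory TLS handshake between a server using the
// given client-auth policy and a client that presents no certificate at all.
// It reports whether the server side completed the handshake.
func serverAccepts(policy tls.ClientAuthType) bool {
	srvConn, cliConn := net.Pipe()
	srvConn.SetDeadline(time.Now().Add(5 * time.Second))
	cliConn.SetDeadline(time.Now().Add(5 * time.Second))
	done := make(chan error, 1)
	go func() {
		srv := tls.Server(srvConn, &tls.Config{
			Certificates:           []tls.Certificate{selfSigned()},
			ClientAuth:             policy,
			SessionTicketsDisabled: true, // nothing but the handshake crosses the pipe
		})
		done <- srv.Handshake()
	}()
	cli := tls.Client(cliConn, &tls.Config{InsecureSkipVerify: true}) // no Certificates set
	cli.Handshake()
	cliConn.Close() // lets the server's rejection alert fail fast instead of blocking
	return <-done == nil
}

func main() {
	fmt.Println("RequestClientCert, no client cert, server accepts:", serverAccepts(tls.RequestClientCert))
	fmt.Println("RequireAnyClientCert, no client cert, server accepts:", serverAccepts(tls.RequireAnyClientCert))
}
```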
What's Changed
- keystore: fix conn leak in {AWS,GCP,Fortanx,Gemalto} backend by @aead in #451
- require a TLS client certificate by default by @aead in #453
Full Changelog: 2024-03-01T18-06-46Z...2024-03-13T17-52-13Z
Release 2024-03-01T18-06-46Z
Release 2024-02-29T08-12-28Z
Release Notes
Release 2024-02-29T08-12-28Z
adds a new HMAC server API, introduces a new and more efficient ciphertext format and contains bug fixes for prometheus metrics.
Added
- The KES server provides the /v1/key/hmac/<key-name> API, which can be used to compute a deterministic checksum over a message. It may
  be used to check whether a message has been modified. The HMAC API is only available for newly created keys. Existing keys do not support
  this API.
- The KES repository contains a Grafana dashboard example that can be used to visualize server metrics.
Changed
- The KES server uses a new ciphertext format when encrypting messages or generating data encryption keys. This format is more efficient since ciphertexts are now ~40% smaller. This reduces network traffic and storage space when requesting and storing many data key ciphertexts. The server is backwards compatible and still accepts previous ciphertext formats. However, it's no longer possible to
  downgrade to a version before this release after upgrading to this or any future version. The reason is that existing KES server versions
  don't recognize the new ciphertext format and fail to decrypt it. Hence, this change is backwards but not forward compatible.
What's Changed
- add HMAC API and use KMS secret key crypto by @aead in #433
- add HMAC API test by @aead in #434
- fix: set client CAs for mTLS auth by @lu1as in #437
- ci: fix linter warnings by @aead in #440
- Edit sample YAML config for easier importing to web docs by @feorlen in #442
- fix: return updating http metrics by @DimkaGorhover in #444
- seperating zsh and bash autocomplete by @zveinn in #441
- Added KES grafana dashboard by @shtripat in #447
- update SDK dependency by @aead in #448
- Fix go.sum for release by @donatello in #449
New Contributors
- @feorlen made their first contribution in #442
- @DimkaGorhover made their first contribution in #444
- @zveinn made their first contribution in #441
Full Changelog: 2024-01-11T13-09-29Z...2024-02-29T08-12-28Z
Release 2024-01-11T13-09-29Z
Release Notes
Release 2024-01-11T13-09-29Z
contains changes for the Hashicorp Vault backend.
Added
- Now, a KES server configuration accepts authentication-specific Hashicorp Vault namespaces. This may be useful when KES should
  authenticate within the root namespace but use secret engines within sub-namespaces:

    approle: # AppRole credentials. See: https://www.vaultproject.io/docs/auth/approle.html
      namespace: "" # Optional Vault namespace used just for authentication. A single "/" is an alias for the Vault root namespace.
      engine: ""    # The path of the AppRole engine - e.g. authenticate. If empty, defaults to: approle. (Vault default)
      id: ""        # Your AppRole Role ID
      secret: ""    # Your AppRole Secret ID

  Note that KES can also be configured to send no namespace header for authentication methods, even if a namespace for its secret engines has been configured, by setting namespace: "/".
Changed
- The Hashicorp Vault backend now uses a new authentication token renewal implementation. The previous one got removed by 13cee22.
Since then, the KES server uses its authentication credentials to obtain a new token instead of renewing its current one. Now, the KES
server refreshes its authentication token before it expires and only re-authenticates using its credentials when the token renewal fails.
Details can be found in 877a8ae.
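The renew-before-expiry-then-fall-back behaviour described above, as an added example that is not the KES or Vault client code: a constructed in-memory stand-in for Vault refuses renewal once the token's max TTL is reached, which is the case that forces a fresh AppRole login. The token fields, the fakeVault type, the refresh helper and the TTL values are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// token models a Vault auth token: when it expires and the hard limit after
// which Vault refuses to renew it (its max TTL). Constructed for this example.
type token struct {
	ID              string
	Expires, MaxTTL time.Time
}

// fakeVault stands in for the two Vault calls involved. It is not the real
// Vault API client; it only records how often each call is made.
type fakeVault struct{ Renewals, Logins int }

// Renew extends the token's lifetime, or fails once the max TTL is reached.
func (v *fakeVault) Renew(t token, now time.Time, ttl time.Duration) (token, error) {
	if !now.Before(t.MaxTTL) {
		return token{}, errors.New("token has reached its max TTL")
	}
	v.Renewals++
	t.Expires = now.Add(ttl)
	return t, nil
}

// Login authenticates from scratch with the stored AppRole credentials.
func (v *fakeVault) Login(now time.Time, ttl, maxTTL time.Duration) token {
	v.Logins++
	return token{ID: fmt.Sprintf("s.login-%d", v.Logins), Expires: now.Add(ttl), MaxTTL: now.Add(maxTTL)}
}

// refresh keeps a token usable: it renews once the token is within margin of
// expiry and only re-authenticates when renewal is refused.
func refresh(v *fakeVault, t token, now time.Time, margin, ttl, maxTTL time.Duration) token {
	if now.Add(margin).Before(t.Expires) {
		return t // still comfortably valid, nothing to do
	}
	if renewed, err := v.Renew(t, now, ttl); err == nil {
		return renewed
	}
	return v.Login(now, ttl, maxTTL)
}

func main() {
	v := &fakeVault{}
	t0 := time.Date(2024, 1, 11, 13, 0, 0, 0, time.UTC)
	tok := v.Login(t0, time.Hour, 3*time.Hour)
	for now := t0; now.Before(t0.Add(4 * time.Hour)); now = now.Add(30 * time.Minute) {
		tok = refresh(v, tok, now, 15*time.Minute, time.Hour, 3*time.Hour)
		fmt.Printf("%s token=%s renewals=%d logins=%d\n", now.Format("15:04"), tok.ID, v.Renewals, v.Logins)
	}
}
```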
What's Changed
- upgrade deps and fix ci by @harshavardhana in #426
- vault: implement authentication token renewal by @aead in #428
- Add workflow to add issues to tracker by @dvaldivia in #429
- vault: support authentication in different namespaces by @aead in #431
- remove unused code by @aead in #432
New Contributors
- @dvaldivia made their first contribution in #429
Full Changelog: 2023-11-10T10-44-28Z...2024-01-11T13-09-29Z
Release 2023-11-10T10-44-28Z
Release Notes
Fixed
- A bug in the Hashicorp Vault backend implementation that can cause a crash when providing no AppRole auth configuration.
What's Changed
Full Changelog: 2023-11-09T17-35-47Z...2023-11-10T10-44-28Z
Release 2023-11-09T17-35-47Z
Release Notes
Added
- KES provides a development server that requires no config file or keystore. A dev server stores keys in memory and does not persist them across restarts. It can be started with a single command:

    $ kes server --dev
    Version     2023-11-09T17-35-47Z    commit=53b74e38697bc68fd88dff7a3cf431db692db9ef
    Runtime     go1.21.4 darwin/arm64   compiler=gc
    License     AGPLv3 https://www.gnu.org/licenses/agpl-3.0.html
    Copyright   MinIO, Inc.  2015-2023  https://min.io

    KMS         In Memory
    API         · https://127.0.0.1:7373
                · https://192.168.188.79:7373
    Docs        https://min.io/docs/kes

    API Key     kes:v1:ADsGCjJoWziQ82wPUG6oHbqhhlbkajaRGP+3+JSfx5Wq
    Admin       7bbffa635fc160ef8048a344a53aab54e472e5c654c6339a9cec9223301808c7
    Logs        error=stderr level=INFO
                audit=stdout level=INFO

    => Server is up and running...
- New API for parsing KES config files with the kes/kesconf package. This replaces the kes/edge package.
Changed
- Building docker images using goreleaser requires qemu on the host.
- If offline caching is enabled, the KES server status API does not try to connect to the backend keystore.
  This prevents liveness/readiness probe failures when the backend keystore is offline.
Fixed
- Audit log events are now flushed immediately to clients subscribed to the audit log stream.
- A bug in the request path pattern matching that caused authentication errors.
- If no server address is specified on the command line, the server honors the address provided
  in the config file. If the config file address is also empty, the server defaults to 0.0.0.0:7373.
What's Changed
- drop platform requirment on build stage by @aead in #410
- honor offline caching in /v1/status API by @aead in #412
- update kes-go to v0.2.1 by @aead in #415
- kesconf: expose public API by @aead in #414
- Parse address from config if not provided with '--addr' by @rluetzner in #419
- kes: flush audit log events to clients by @aead in #417
- cmd: server should use default addr if none is specified by @aead in #420
New Contributors
- @rluetzner made their first contribution in #419
Full Changelog: 2023-10-27T22-05-35Z...2023-11-09T17-35-47Z
Release 2023-10-27T22-05-35Z
Release Notes
Changed
- KES no longer provides pre-compiled binaries, packages or container images for the ppc64 and s390x platforms. It also does not provide a pre-compiled binary for MacOS (darwin) on amd64.
- The Hashicorp Vault backend uses a simplified authentication renewal process that does not use Vault token renewal.
Fixed
- #408 fixes a resource leak when the KES server reloaded its TLS configuration. Depending on the KMS backend this could have leaked e.g. goroutines that perform background tasks.
What's Changed
- simplify and optimize release process by @aead in #407
- Add info for maintainers by @donatello in #406
- cmd: fix resource leak when reloading TLS config by @aead in #408
- vault: simplify token renewal process by @aead in #409
- Add linux amd64 image for quay by @donatello in #411
Full Changelog: 2023-10-24T20-26-51Z...2023-10-27T22-05-35Z
Release 2023-10-24T20-26-51Z
Release Notes
Added
- Support for encrypting keys stored on the Hashicorp K/V secret engine with the transit engine.
  Vault always encrypts its K/V entries with encryption keys managed internally by Vault. Now, users can specify a transit key
  that KES uses to encrypt K/V values before sending them to Vault. This gives users control over which key is used to encrypt
  the keys generated and stored by KES (on Vault). Ref: server-config.yaml#L243
Changed
- The Go version has been updated to Go 1.21.3.
- KES internals have been refactored. Among other things, KES now uses structured logging. Refer to #403 for details.
What's Changed
- update Go from 1.21.1 to 1.21.3 and go mod dep by @aead in #402
- vault: add support for transit-encrypted K/V by @aead in #404
- refactor KES API and internals by @aead in #403
- cmd: fix regression on server address handling by @aead in #405
Full Changelog: 2023-10-03T00-48-37Z...2023-10-24T20-26-51Z