Releases: minio/kes

Release 2024-04-12T13-50-00Z

15 Apr 03:40
f7b150f

Release Notes

Release 2024-04-12T13-50-00Z is a bugfix release that fixes bugs in cache garbage collection.
Before, the KES server did not expire cache entries correctly when offline caching was enabled. In particular, it did not honor the
offline expiry in all cases.

Full Changelog: 2024-03-28T12-56-37Z...2024-04-12T13-50-00Z

Release 2024-03-28T12-56-37Z

29 Mar 16:28
f7a894a

Release Notes

Release 2024-03-13T17-52-13Z is a bugfix release that fixes bugs in the Gemalto/Thales and Fortanix backends.

What's Changed

  • Update client.go (#454)
  • keystore: use pre-configured client for {Gemalto,Fortanix} status check (#455)

Full Changelog: 2024-04-12T13-50-00Z...2024-03-28T12-56-37Z

Release 2024-03-13T17-52-13Z

14 Mar 17:11
2f5a124

Release Notes

Release 2024-03-13T17-52-13Z is a bugfix release that fixes two issues:

  • PR #451 fixes a resource leak in the AWS, GCP, Fortanix and Gemalto backends that can cause OOM issues.
  • PR #453 fixes an authentication issue that can cause connection failures: the server only "requested" a client certificate but did not demand one. Hence, clients might not send one, causing authentication to fail. Now, the KES server requires a client certificate.
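The difference between "requesting" and "requiring" a client certificate can be observed directly with Go's crypto/tls, which distinguishes tls.RequestClientCert from tls.RequireAndVerifyClientCert. The following is an added example, not KES code: it spins up a loopback TLS listener with a given ClientAuth policy, connects with a client that offers no certificate, and reports whether the server-side handshake completed (the throwaway certificate and the verification-skipping demo client are constructed for the demo only).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)

// demoCert: throwaway self-signed server certificate (constructed for this demo).
func demoCert() tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}
}

// AcceptsCertlessClient reports whether a client presenting NO certificate completes
// the server-side handshake against a loopback listener using the given ClientAuth.
func AcceptsCertlessClient(policy tls.ClientAuthType) (bool, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{demoCert()},
		ClientAuth:   policy, // RequestClientCert: asked for, never enforced (the bug)
	})
	if err != nil {
		return false, err
	}
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() { // server side: accept one connection and run the handshake
		conn, err := ln.Accept()
		if err == nil {
			err = conn.(*tls.Conn).Handshake()
			conn.Close()
		}
		verdict <- err
	}()
	// Certless demo client; server identity is not under test, so verification is skipped.
	c, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{InsecureSkipVerify: true})
	if err == nil {
		defer c.Close() // keep the client open until the server's verdict is in
	}
	return <-verdict == nil, nil
}
```

With tls.RequestClientCert the handshake succeeds without any client certificate, so authentication of the peer never happens; with tls.RequireAndVerifyClientCert the server aborts the handshake instead.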

What's Changed

  • keystore: fix conn leak in {AWS,GCP,Fortanix,Gemalto} backend by @aead in #451
  • require a TLS client certificate by default by @aead in #453

Full Changelog: 2024-03-01T18-06-46Z...2024-03-13T17-52-13Z

Release 2024-03-01T18-06-46Z

04 Mar 19:28
8ecd396

Release 2024-02-29T08-12-28Z

29 Feb 17:16
a960e3c

Release Notes

Release 2024-02-29T08-12-28Z adds a new HMAC server API, introduces a new and more efficient ciphertext format and contains bug fixes for Prometheus metrics.

Added

  • The KES server provides the /v1/key/hmac/<key-name> API, which can be used to compute a deterministic checksum over a message. It may
    be used to check whether a message has been modified. The HMAC API is only available for newly created keys. Existing keys do not support
    this API.
  • The KES repository contains a Grafana dashboard example that can be used to visualize server metrics.

Changed

  • The KES server uses a new ciphertext format when encrypting messages or generating data encryption keys. This format is more efficient since ciphertexts are now ~40% smaller. This reduces network traffic and storage space when requesting and storing many data key ciphertexts. The server is backwards compatible and still accepts previous ciphertext formats. However, it is no longer possible to
    downgrade to a version before this release after upgrading to this or any future version. The reason is that earlier KES server versions
    do not recognize the new ciphertext format and fail to decrypt it. Hence, this change is backwards but not forward compatible.

Full Changelog: 2024-01-11T13-09-29Z...2024-02-29T08-12-28Z

Release 2024-01-11T13-09-29Z

12 Jan 18:03
bd277c4

Release Notes

Release 2024-01-11T13-09-29Z contains changes for the Hashicorp Vault backend.

Added

  • A KES server configuration now accepts an authentication-specific Hashicorp Vault namespace. This may be useful when KES should
    authenticate within the root namespace but use secret engines within sub-namespaces.
    approle:    # AppRole credentials. See: https://www.vaultproject.io/docs/auth/approle.html
       namespace: "" # Optional Vault namespace used just for authentication. A single "/" is an alias for the Vault root namespace.
       engine: ""    # The path of the AppRole engine - e.g. authenticate. If empty, defaults to: approle. (Vault default)
       id: ""        # Your AppRole Role ID
       secret: ""    # Your AppRole Secret ID

    Note that KES can also be configured to send no namespace header at all for its authentication methods, even if a namespace for its secret engines has been configured, by setting namespace: "/".

Changed

  • The Hashicorp Vault backend now uses a new authentication token renewal implementation. The previous one was removed in 13cee22.
    Since then, the KES server has used its authentication credentials to obtain a new token instead of renewing its current one. Now, the KES
    server refreshes its authentication token before it expires and only re-authenticates using its credentials when the token renewal fails.
    Details can be found in 877a8ae.

Full Changelog: 2023-11-10T10-44-28Z...2024-01-11T13-09-29Z

Release 2023-11-10T10-44-28Z

10 Nov 23:56
2e9975b

Release Notes

Fixed

  • A bug in the Hashicorp Vault backend implementation that could cause a crash when no AppRole auth configuration was provided.

Full Changelog: 2023-11-09T17-35-47Z...2023-11-10T10-44-28Z

Release 2023-11-09T17-35-47Z

10 Nov 01:08
53b74e3

Release Notes

Added

  • KES provides a development server that requires no config file or keystore. A dev server stores keys in memory and does not persist them across restarts. It can be started with a single command:
    $ kes server --dev
    Version     2023-11-09T17-35-47Z    commit=53b74e38697bc68fd88dff7a3cf431db692db9ef
    Runtime     go1.21.4 darwin/arm64   compiler=gc
    License     AGPLv3                  https://www.gnu.org/licenses/agpl-3.0.html
    Copyright   MinIO, Inc.  2015-2023  https://min.io
    
    KMS         In Memory
    API         · https://127.0.0.1:7373
                · https://192.168.188.79:7373
    
    Docs        https://min.io/docs/kes
    
    API Key     kes:v1:ADsGCjJoWziQ82wPUG6oHbqhhlbkajaRGP+3+JSfx5Wq
    Admin       7bbffa635fc160ef8048a344a53aab54e472e5c654c6339a9cec9223301808c7
    Logs        error=stderr level=INFO
                audit=stdout level=INFO
    
    => Server is up and running...
    
  • New API for parsing KES config files with the kes/kesconf package. This replaces the kes/edge package.

Changed

  • Building docker images using goreleaser requires qemu on the host.
  • If offline caching is enabled, the KES server status API does not try to connect to the backend keystore.
    This prevents liveness/readiness probe failures when the backend keystore is offline.

Fixed

  • Audit log events are now flushed immediately to clients subscribed to the audit log stream.
  • A bug in request path pattern matching that caused authentication errors.
  • If no server address is specified on the command line, the server honors the address provided
    in the config file. If the config file address is also empty, the server defaults to 0.0.0.0:7373.

What's Changed

  • drop platform requirement on build stage by @aead in #410
  • honor offline caching in /v1/status API by @aead in #412
  • update kes-go to v0.2.1 by @aead in #415
  • kesconf: expose public API by @aead in #414
  • Parse address from config if not provided with '--addr' by @rluetzner in #419
  • kes: flush audit log events to clients by @aead in #417
  • cmd: server should use default addr if none is specified by @aead in #420

Full Changelog: 2023-10-27T22-05-35Z...2023-11-09T17-35-47Z

Release 2023-10-27T22-05-35Z

28 Oct 00:15
bc66190

Release Notes

Changed

  • KES no longer provides pre-compiled binaries, packages or container images for the ppc64 and s390x platforms. It also does not provide a pre-compiled binary for macOS (darwin) on amd64.
  • The Hashicorp Vault backend uses a simplified authentication renewal process that does not use Vault token renewal.

Fixed

  • #408 fixes a resource leak when the KES server reloaded its TLS configuration. Depending on the KMS backend, this could have leaked e.g. goroutines that perform background tasks.

What's Changed

  • simplify and optimize release process by @aead in #407
  • Add info for maintainers by @donatello in #406
  • cmd: fix resource leak when reloading TLS config by @aead in #408
  • vault: simplify token renewal process by @aead in #409
  • Add linux amd64 image for quay by @donatello in #411

Full Changelog: 2023-10-24T20-26-51Z...2023-10-27T22-05-35Z

Release 2023-10-24T20-26-51Z

25 Oct 01:07
b2443e0

Release Notes

Added

  • Support for encrypting keys stored in the Hashicorp K/V secret engine with the transit engine.
    Vault always encrypts its K/V entries with encryption keys managed internally by Vault. Now, users can specify a transit key
    that KES uses to encrypt K/V values before sending them to Vault. This gives users control over which key is used to encrypt
    the keys generated and stored by KES (on Vault). Ref: server-config.yaml#L243

Changed

  • The Go version has been updated to Go 1.21.3.
  • KES internals have been refactored. Among other things, KES now uses structured logging. Refer to #403 for details.

What's Changed

  • update Go from 1.21.1 to 1.21.3 and go mod dep by @aead in #402
  • vault: add support for transit-encrypted K/V by @aead in #404
  • refactor KES API and internals by @aead in #403
  • cmd: fix regression on server address handling by @aead in #405

Full Changelog: 2023-10-03T00-48-37Z...2023-10-24T20-26-51Z