Releases: minio/kes

Release 2023-10-03T00-48-37Z

05 Oct 21:09
9d1b5ad

Release Notes

This release just contains bug fixes and no new features.

Fixed

  • A regression in the KES CLI caused the kes server command not to start and instead print the server usage, even when invoked correctly.

What's Changed

  • update kes-go dependency to v0.2.0 by @aead in #399

Full Changelog: 2023-09-28T19-40-28Z...2023-10-03T00-48-37Z

Release 2023-09-28T19-40-28Z

29 Sep 06:01
ce9a9b1

Release Notes

This release just contains bug fixes and no new features.

Fixed

  • A resource leak when reloading the configuration (#395). When a KES server reloaded its configuration it also established a new
    connection to the key store. However, it did not cancel the background tasks of the previous key store connection.
    For certain backends (Hashicorp Vault, Gemalto KeySecure and Entrust KeyControl) this caused a goroutine leak, resulting in
    a slow, continuous memory increase. This issue only affects deployments that use the unix SIGHUP signal to trigger reloads.

What's Changed

  • close keystore when reloading config by @aead in #395
  • remove unused code for single-node stateful server by @aead in #396

Full Changelog: 2023-08-19T17-27-47Z...2023-09-28T19-40-28Z

Release 2023-08-19T17-27-47Z

05 Sep 23:36
40aabd0

Release Notes

This release just contains bug fixes and no new features.

KES is now built using Go 1.21.0. Also, the container images are built using the latest UBI 8.8 micro
base image.


What's Changed

Full Changelog: 2023-07-26T11-13-07Z...2023-08-19T17-27-47Z

Release 2023-07-26T11-13-07Z

26 Jul 22:59
a3d7ee1

Release Notes

KES releases now use Go 1.20.6 and container images are based on UBI 8.8.

New Features

The KES edge server now supports Entrust KeyControl (v10.1 or newer) as key store backend. Refer to the documented edge config file for configuration options.

The KES edge server now uses a new read-optimized caching implementation that reduces lock contention.
The details can be found in commit 0b32a5d.

Bug Fixes

KES accepts either a path or the raw JWT for its Hashicorp Vault K8S JWT config field. Hence, it has to check whether the value refers to a file or not. Commit f4e3ef6 disallows the OS path separator character in the Hashicorp Vault K8S JWT and prevents situations where KES fails to read the JWT with an error like "filename is too long".


What's Changed

  • update CI and release config to Go 1.20.4 by @aead in #360
  • keystore: improve caching mechanism by @aead in #358
  • remove package kms and keserv by @aead in #359
  • edge: handle Vault K8S auth JWTs more strictly by @aead in #365
  • Added unit tests for various key stores by @shtripat in #363
  • Enabled for other backend stores by @shtripat in #364
  • edge: move tests from edge_test to edge package by @aead in #367
  • Refactored kestest integration tests by @shtripat in #368
  • fix: kes update command, update it to use proper version tags by @harshavardhana in #374
  • fix obsolete vault kubernetes jwt file read by @lu1as in #371
  • build(deps): bump google.golang.org/grpc from 1.50.1 to 1.53.0 by @dependabot in #377
  • Fix wrong assignment by @reivaj05 in #375
  • kestest: randomize key names by @shtripat in #370
  • edge: use random secret key names and delete at end of each test by @shtripat in #369
  • update kes UBI image to 8.8 by @harshavardhana in #378
  • Added github actions for edge test for cloud KMS systems by @shtripat in #379
  • ci: update to Go 1.20.6 by @aead in #381
  • ci: use correct runner label for edge tests by @shtripat in #380
  • ci: delete all the keys post test by @shtripat in #382
  • keystore: add support for Entrust KeyControl by @aead in #384

New Contributors

Full Changelog: 2023-05-02T22-48-10Z...2023-07-26T11-13-07Z

Release 2023-05-02T22-48-10Z

02 May 23:15

Release Notes

New Features

Readiness API

The KES edge server provides a new readiness API /v1/ready. This allows users to determine whether the system is ready to handle
requests. Authentication for the /v1/ready API can also be disabled to support systems that do not support mTLS probes. Disabling authentication has some subtle impacts on how mTLS connections are handled. Refer to the commit message d15990d for more
details.

Bug Fixes

With commit 1e46c48, KES loads the Azure KeyVault tenant-id correctly.


What's Changed

  • add readiness API by @aead in #354
  • improve kes identity new command by @aead in #355
  • fix: Load Azure KeyVault tenant-id correctly from the config file by @vadmeste in #357

New Contributors

Full Changelog: 2023-04-18T19-36-09Z...2023-05-02T22-48-10Z

Release 2023-04-18T19-36-09Z

18 Apr 19:39

Release Notes

This release just contains bug fixes and no new features.

It fixes various bugs uncovered by the staticcheck linter added to the golangci-lint setup.
In particular, it fixes two recursion bugs and the use of deprecated types, functions and methods.


What's Changed

  • edge: fix recursion bug in iterator by @aead in #350
  • ci: add staticcheck linter by @aead in #351
  • add git tag check to release process by @aead in #349

Full Changelog: 2023-04-17T23-01-06Z...2023-04-18T19-36-09Z

Release 2023-04-17T23-01-06Z

17 Apr 23:25

Release Notes

This release just contains bug fixes and no new features.

It fixes a bug affecting the GCP SecretManager keystore backend. In particular, the status check used to fail
when no GCP SecretManager endpoint was specified in the KES config. This no longer happens: the
GCP default endpoint is now used for the status check.


What's Changed

  • gcp: use default GCP endpoint for status checks by @aead in #347

Full Changelog: 2023-04-03T16-41-28Z...2023-04-17T23-01-06Z

Release 2023-04-03T16-41-28Z

04 Apr 18:30

Release Notes

Container Images

The KES container/docker images now use UBI micro as the base image instead of UBI minimal.
KES images are now about half the size of the previous images based on UBI minimal and
no longer contain unused dependencies.

API customization

A KES edge server now supports API configuration. For example:

  api:
    /v1/metrics:
      skip_auth: false
      timeout:   15s

Now, the API timeout can be customized for all v1 APIs. In addition, the API authentication can be turned off for the following
three APIs:

  • /v1/status
  • /v1/metrics
  • /v1/api

However, API authentication should only be disabled when it is not possible, for some specific reason, to provision e.g. a monitoring service with an API key or client certificate. In general, disabling authentication for any API is not recommended. The timeout and
authentication configuration for each API is exposed as part of the /v1/api API.

New packages kes/edge and kes/kv

There are two new packages: kes/edge and kes/kv. The former provides functionality for reading KES edge server
configuration. The latter exposes a generic abstraction over KES edge server backends for storing cryptographic keys.


What's Changed

  • build(deps): bump golang.org/x/net from 0.4.0 to 0.7.0 by @dependabot in #333
  • move from UBI-minimal to UBI-micro containers by @aead in #337
  • move handler logic into internal/api by @aead in #335
  • expose keystore status in the /v1/status API by @aead in #339
  • allow server API customization by @aead in #338
  • add new packages edge and kv by @aead in #342
  • use HTTP instead of TCP KeyStore status check by @aead in #345

Full Changelog: 2023-02-15T14-54-37Z...2023-04-03T16-41-28Z

Release 2023-02-15T14-54-37Z

16 Feb 15:14
8ce403b

Release Notes

Versioning

The KES server and CLI now follow a rolling release versioning scheme instead of semantic versioning. The KES version is now derived from the git commit timestamp. It has the following form: YYYY-MM-DDThh-mm-ssZ.

The KES Go SDK has been moved to its own repository (minio/kes-go) and continues to follow semantic versioning.

API Keys

KES now supports API keys for authentication. API keys are short secret keys that map to a TLS private/public key pair, and therefore, can be used for mTLS authentication. Hence, each API key also has an identity.

  API key:    kes:v1:AD9E7FSYWrMD+VjhI6q545cYT9YOyFxZb7UnjEepYDRc
  Identity:   3ecfcdf38fcbe141ae26a1030f81e96b753365a46760ae6b578698a97c59fd22

Clients can use API keys instead of TLS certificates (private key / certificate file) which should simplify credential handling in a majority of cases. The KES CLI supports API keys by setting the KES_API_KEY env. variable. For example:

  export KES_SERVER=https://play.min.io:7373/
  export KES_API_KEY=kes:v1:AD9E7FSYWrMD+VjhI6q545cYT9YOyFxZb7UnjEepYDRc
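As an added illustration (not code from KES or the kes-go SDK), the following Go program parses the API key shown above and derives an identity from it. It assumes the key encodes a one-byte key type followed by a 32-byte Ed25519 seed, and that an identity is the hex SHA-256 of the public key's DER SubjectPublicKeyInfo; both are assumptions about KES's conventions, so the printed value is not guaranteed to match the identity listed above.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strings"
)

const apiKeyPrefix = "kes:v1:"

// ParseAPIKey decodes a "kes:v1:" API key into the Ed25519 private key it maps to.
// Assumed layout: base64(key-type byte || 32-byte seed), where type 0 means Ed25519.
func ParseAPIKey(s string) (ed25519.PrivateKey, error) {
	if !strings.HasPrefix(s, apiKeyPrefix) {
		return nil, fmt.Errorf("api key: missing %q prefix", apiKeyPrefix)
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(s, apiKeyPrefix))
	if err != nil || len(raw) != 1+ed25519.SeedSize {
		return nil, fmt.Errorf("api key: malformed key material (err=%v, len=%d)", err, len(raw))
	}
	if raw[0] != 0 {
		return nil, fmt.Errorf("api key: unsupported key type %d", raw[0])
	}
	return ed25519.NewKeyFromSeed(raw[1:]), nil
}

// IdentityOf derives the identity as the hex SHA-256 of the DER SubjectPublicKeyInfo
// of the public key, i.e. what a client certificate carrying this key would expose.
// Assumed to mirror how KES identifies a client certificate.
func IdentityOf(priv ed25519.PrivateKey) (string, error) {
	spki, err := x509.MarshalPKIXPublicKey(priv.Public().(ed25519.PublicKey))
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(spki)
	return hex.EncodeToString(sum[:]), nil
}

func main() {
	priv, err := ParseAPIKey("kes:v1:AD9E7FSYWrMD+VjhI6q545cYT9YOyFxZb7UnjEepYDRc") // key from the notes
	if err != nil {
		panic(err)
	}
	id, err := IdentityOf(priv)
	fmt.Println("identity:", id, "err:", err)
}
```

Because the identity depends only on the public key, any two clients presenting certificates built from the same API key share one identity, which is why an API key must be protected like a private key.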

SIGHUP Reloads

A KES edge server now supports hot configuration reloads by listening for the SIGHUP signal on unix systems. When receiving a SIGHUP signal, the KES server reloads its configuration file (e.g. loads TLS configuration, sets up policies, connects to the specified key store, etc.) in the background. When it has reloaded the new configuration successfully, it swaps the previous and the new one.

Therefore, reloading the server configuration happens atomically and instantaneously. Clients will not experience any service interruption.
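The reload-and-swap pattern described here, together with the resource leak fixed in #395 (the previous key store's background tasks were never cancelled), as an added Go sketch that is not KES's own code. keyStore, connectKeyStore and server are hypothetical stand-ins for the real backend connection and server:

```go
package main

import (
	"context"
	"sync/atomic"
)

// keyStore (hypothetical) stands in for a backend connection such as Vault
// whose background goroutine renews an auth token until it is cancelled.
type keyStore struct {
	cancel context.CancelFunc
	done   chan struct{} // closed once the goroutine has exited
}

// connectKeyStore opens a connection and starts its background task.
func connectKeyStore() *keyStore {
	ctx, cancel := context.WithCancel(context.Background())
	ks := &keyStore{cancel: cancel, done: make(chan struct{})}
	go func() {
		defer close(ks.done)
		<-ctx.Done() // a real backend loops here, e.g. renewing its token
	}()
	return ks
}

// Close cancels the background task and waits for it to exit.
func (ks *keyStore) Close() { ks.cancel(); <-ks.done }

// Running reports whether the background goroutine is still alive.
func (ks *keyStore) Running() bool {
	select {
	case <-ks.done:
		return false
	default:
		return true
	}
}

// server keeps the active store behind an atomic pointer: the swap is
// instantaneous and requests never observe a half-reloaded state.
type server struct{ store atomic.Pointer[keyStore] }

// reload connects the new store first, swaps it in, then closes the old one
// (skipping that Close is the leak fixed in #395). It returns the old store.
func (s *server) reload(closeOld bool) *keyStore {
	prev := s.store.Swap(connectKeyStore())
	if prev != nil && closeOld {
		prev.Close()
	}
	return prev
}
```

Calling reload(false) repeatedly leaves one goroutine alive per reload, which is the slow memory growth described in the #395 fix; reload(true) keeps exactly one store's goroutine alive.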

KES Keystore

Now, an edge KES server can use a stateful KES server as its persistent key store. This can be configured in the keystore section.

  # Configuration for storing keys on a KES server.
  kes:
    endpoint: 
    - ""           # The endpoint (or list of endpoints) to the KES server(s)
    enclave: ""    # An optional enclave name. If empty, the default enclave will be used
    tls:           # The KES mTLS authentication credentials - i.e. client certificate.
      cert: ""     # Path to the TLS client certificate for mTLS authentication
      key: ""      # Path to the TLS client private key for mTLS authentication
      ca: ""       # Path to one or multiple PEM root CA certificates

Security

The KES binary is now built with Go 1.20.1. This fixes two CVEs in the net/http and crypto/tls standard library packages that affect KES:

  • CVE-2022-41723
    A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of
    service from a small number of small requests.
  • CVE-2022-41724
    Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when
    attempting to construct responses.

What's Changed

  • reload server configuration on SIGHUP by @aead in #327
  • add support for API keys by @aead in #328
  • update CI and release build to Go 1.20 by @aead in #329
  • keystore: add support for KES<->KES setup by @aead in #326
  • remove top-level SDK code by @aead in #331
  • build(deps): bump github.com/aws/aws-sdk-go from 1.33.0 to 1.34.0 by @dependabot in #330
  • update to Go 1.20.1 by @aead in #332

Full Changelog: v0.22.3...2023-02-15T14-54-37Z

Release version 0.22.3

30 Jan 18:13

Changelog

  • 4f150ae cli: add version field to init config files
  • 0f7bac8 cmd: print KMS and endpoint on startup
  • 57f3264 keserv: add version field to server config