-
Notifications
You must be signed in to change notification settings - Fork 5.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
kms: add support for MinKMS and remove some unused/broken code #19368
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
KMS enabled tests seem to crash |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
are the rest from the mineos branch?
Please rebase this PR with latest master @aead @allanrogerr |
11fe7b9
to
80879fb
Compare
@aead once this is merged. Can we simply force merge this to downstream mineos? Since there are conflicts in cherry picking want to make sure that is perfectly fine. |
I think so, yes @harshavardhana |
@aead PTAL regular tests seem to be failing - NOTE these tests run with MINIO_KMS_SECRET_KEY |
62f1bf6
to
c3f10a2
Compare
This commit adds support for MinKMS. Now, there are three KMS implementations in `internal/kms`: Builtin, MinIO KES and MinIO KMS. Adding another KMS integration required some cleanup. In particular: - Various KMS APIs that haven't been and are not used have been removed. A lot of the code was broken anyway. - Metrics are now monitored by the `kms.KMS` itself. For basic metrics this is simpler than collecting metrics for external servers. In particular, each KES server returns its own metrics and no cluster-level view. - The builtin KMS now uses the same en/decryption implemented by MinKMS and KES. It still supports decryption of the previous ciphertext format. It's backwards compatible. - Data encryption keys now include a master key version since MinKMS supports multiple versions (~4 billion in total and 10000 concurrent) per key name. Signed-off-by: Andreas Auernhammer <github@aead.dev>
@allanrogerr or @shtripat can you guys take up task of adding
Currently we have tests for the MINIO_KMS_SECRET_KEY adding kes would help. Thank you let me know. |
@allanrogerr @shtripat Consider |
Test PR: #19695 |
Description
This commit adds support for MinKMS. Now, there are three KMS implementations in
internal/kms
: Builtin, MinIO KES and MinIO KMS.Adding another KMS integration required some cleanup. In particular:
kms.KMS
itself. For basic metrics this is simpler than collecting metrics for external servers. In particular, each KES server returns its own metrics and no cluster-level view.Motivation and Context
KMS
How to test this PR?
Types of changes
Checklist:
commit-id
orPR #
here)