kms: Implement Azure key vault as KMS provider

This commit adds the Azure Key Vault as a supported
KMS provider.

Signed-off-by: Praveen M <m.praveen@ibm.com>
This commit is contained in:
Praveen M 2024-02-16 15:35:08 +05:30 committed by mergify[bot]
parent d93c75517e
commit 8901b456fd
5 changed files with 273 additions and 0 deletions

View File

@ -0,0 +1,10 @@
---
# This is an example Kubernetes secret that can be created in the Kubernetes
# namespace where Ceph-CSI is deployed. The contents of this secret will be
# used to connect to the Azure Key Vault.
apiVersion: v1
kind: Secret
metadata:
name: ceph-csi-azure-credentials
data:
CLIENT_CERT: ""

View File

@ -83,5 +83,13 @@ data:
"READ_TIMEOUT": 10,
"WRITE_TIMEOUT": 10
}
azure-test: |-
{
"KMS_PROVIDER": "azure-kv",
"AZURE_CERT_SECRET_NAME": "ceph-csi-azure-credentials",
"AZURE_VAULT_URL": "https://vault-name.vault.azure.net/",
"AZURE_CLIENT_ID": "__CLIENT_ID__",
"AZURE_TENANT_ID": "__TENANT_ID__"
}
metadata:
name: csi-kms-connection-details

View File

@ -108,6 +108,13 @@ data:
"TLS_SERVER_NAME": "kmip.ciphertrustmanager.local",
"READ_TIMEOUT": 10,
"WRITE_TIMEOUT": 10
},
"azure-test": {
"KMS_PROVIDER": "azure-kv",
"AZURE_CERT_SECRET_NAME": "ceph-csi-azure-credentials",
"AZURE_VAULT_URL": "https://vault-name.vault.azure.net/",
"AZURE_CLIENT_ID": "__CLIENT_ID__",
"AZURE_TENANT_ID": "__TENANT_ID__"
}
}
metadata:

219
internal/kms/azure_vault.go Normal file
View File

@ -0,0 +1,219 @@
/*
Copyright 2024 The Ceph-CSI Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package kms
import (
"context"
"encoding/base64"
"errors"
"fmt"
"github.com/ceph/ceph-csi/internal/util/k8s"
"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
"github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
const (
kmsTypeAzure = "azure-kv"
// azureDefaultSecretsName is the default name of the Kubernetes secret
// that contains the credentials to access the Azure key vault. The name
// the secret can be configured by setting the `AZURE_CERT_SECRET_NAME` option.
//
// #nosec:G101, value not credentials, just references token.
azureDefaultSecretsName = "ceph-csi-azure-credentials"
// azureSecretNameKey contains the name of the Kubernetes secret that has
// the credentials to access the Azure key vault.
//
// #nosec:G101, no hardcoded secret, this is a configuration key.
azureSecretNameKey = "AZURE_CERT_SECRET_NAME"
azureVaultURL = "AZURE_VAULT_URL"
azureClientID = "AZURE_CLIENT_ID"
azureTenantID = "AZURE_TENANT_ID"
// The following options are part of the Kubernetes secrets.
//
// #nosec:G101, no hardcoded secrets, only configuration keys.
azureClientCertificate = "CLIENT_CERT"
)
var _ = RegisterProvider(Provider{
UniqueID: kmsTypeAzure,
Initializer: initAzureKeyVaultKMS,
})
type azureKMS struct {
// basic
namespace string
secretName string
integratedDEK
// standard
vaultURL string
clientID string
tenantID string
clientCertificate string
}
func initAzureKeyVaultKMS(args ProviderInitArgs) (EncryptionKMS, error) {
kms := &azureKMS{
namespace: args.Namespace,
}
// required options for further configuration (getting secrets)
err := setConfigString(&kms.secretName, args.Config, azureSecretNameKey)
if errors.Is(err, errConfigOptionInvalid) {
return nil, err
} else if errors.Is(err, errConfigOptionMissing) {
kms.secretName = azureDefaultSecretsName
}
err = setConfigString(&kms.vaultURL, args.Config, azureVaultURL)
if err != nil {
return nil, err
}
err = setConfigString(&kms.clientID, args.Config, azureClientID)
if err != nil {
return nil, err
}
err = setConfigString(&kms.tenantID, args.Config, azureTenantID)
if err != nil {
return nil, err
}
// read the kubernetes secret with credentials
secrets, err := kms.getSecrets()
if err != nil {
return nil, fmt.Errorf("failed to get secrets for %T, %w", kms, err)
}
var encodedClientCertificate string
err = setConfigString(&encodedClientCertificate, secrets, azureClientCertificate)
if err != nil {
return nil, err
}
clientCertificate, err := base64.StdEncoding.DecodeString(encodedClientCertificate)
if err != nil {
return nil, fmt.Errorf("failed to decode client certificate: %w", err)
}
kms.clientCertificate = string(clientCertificate)
return kms, nil
}
func (kms *azureKMS) Destroy() {
// Nothing to do.
}
func (kms *azureKMS) getService() (*azsecrets.Client, error) {
certs, key, err := azidentity.ParseCertificates([]byte(kms.clientCertificate), []byte{})
if err != nil {
return nil, fmt.Errorf("failed to parse Azure client certificate: %w", err)
}
creds, err := azidentity.NewClientCertificateCredential(kms.tenantID, kms.clientID, certs, key, nil)
if err != nil {
return nil, fmt.Errorf("failed to create Azure credentials: %w", err)
}
azClient, err := azsecrets.NewClient(kms.vaultURL, creds, nil)
if err != nil {
return nil, fmt.Errorf("failed to create Azure client: %w", err)
}
return azClient, nil
}
func (kms *azureKMS) getSecrets() (map[string]interface{}, error) {
c, err := k8s.NewK8sClient()
if err != nil {
return nil, fmt.Errorf("failed to connect to kubernetes to "+
"get secret %s/%s: %w", kms.namespace, kms.secretName, err)
}
secret, err := c.CoreV1().Secrets(kms.namespace).Get(context.TODO(),
kms.secretName, metav1.GetOptions{})
if err != nil {
return nil, fmt.Errorf("failed to get secret %s/%s: %w", kms.namespace, kms.secretName, err)
}
config := make(map[string]interface{})
for k, v := range secret.Data {
switch k {
case azureClientCertificate:
config[k] = string(v)
default:
return nil, fmt.Errorf("unsupported option for KMS provider %q: %s", kmsTypeAzure, k)
}
}
return config, nil
}
// FetchDEK returns passphrase from Azure key vault.
func (kms *azureKMS) FetchDEK(ctx context.Context, key string) (string, error) {
svc, err := kms.getService()
if err != nil {
return "", fmt.Errorf("failed to get KMS service: %w", err)
}
getSecretResponse, err := svc.GetSecret(ctx, key, "", nil)
if err != nil {
return "", fmt.Errorf("failed to get secret: %w", err)
}
return *getSecretResponse.Value, nil
}
// StoreDEK saves new passphrase to Azure key vault.
func (kms *azureKMS) StoreDEK(ctx context.Context, key, value string) error {
svc, err := kms.getService()
if err != nil {
return fmt.Errorf("failed to get KMS service: %w", err)
}
setSecretParams := azsecrets.SetSecretParameters{
Value: &value,
}
_, err = svc.SetSecret(ctx, key, setSecretParams, nil)
if err != nil {
return fmt.Errorf("failed to set seceret %w", err)
}
return nil
}
// RemoveDEK deletes passphrase from Azure key vault.
func (kms *azureKMS) RemoveDEK(ctx context.Context, key string) error {
svc, err := kms.getService()
if err != nil {
return fmt.Errorf("failed to get KMS service: %w", err)
}
_, err = svc.DeleteSecret(ctx, key, nil)
if err != nil {
return fmt.Errorf("failed to delete seceret %w", err)
}
return nil
}

View File

@ -0,0 +1,29 @@
/*
Copyright 2024 The Ceph-CSI Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package kms
import (
"testing"
"github.com/stretchr/testify/assert"
)
func TestAzureKMSRegistered(t *testing.T) {
t.Parallel()
_, ok := kmsManager.providers[kmsTypeAzure]
assert.True(t, ok)
}