kms: support key rotation for vault
Signed-off-by: Praveen M <[email protected]>
iPraveenParihar committed Nov 11, 2024
1 parent 1fc5447 commit d2a7617
Showing 3 changed files with 22 additions and 9 deletions.
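--- a/pkg/system/phase2_creating.go
+++ b/pkg/system/phase2_creating.go
@@ -1030,6 +1030,13 @@ func (r *Reconciler) keyRotate() error {
 return err
 }
 
+err = k.Get()
+if err != nil {
+r.Logger.Errorf("keyRotate, KMS Get error %v", err)
+r.setKMSConditionStatus(nbv1.ConditionKMSErrorRead)
+return err
+}
+
 // Generate new random root key and set it in the KMS
 // Key - rotate begins
 err = k.Set(util.RandomBase64(32))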
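Review bot: The new `k.Get()` before `k.Set(util.RandomBase64(32))` has no comment saying why the read is needed, and the reason is not local: the rotating `VersionRotatingSecret.Set` in kms_version.go appears to merge the new key into the previously loaded map (`s[ActiveRootKey] = key; s[key] = val; v.data = s`), so rotating from a stale or empty map would presumably drop the older key versions from the KMS. Suggest a comment on the new line: `// Load the current key map first: the rotating Set() merges the new version into v.data, so an unloaded map would discard older keys.` Aborting the rotation and setting ConditionKMSErrorRead on a read failure is the right fail-closed choice. keyRotate starts before and continues after this hunk.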
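--- a/pkg/util/kms/kms_vault.go
+++ b/pkg/util/kms/kms_vault.go
@@ -24,7 +24,9 @@ const (
 
 // Vault is a vault driver
 type Vault struct {
-UID string // NooBaa system UID
+UID string // NooBaa system UID
+name string // NooBaa system name
+ns string // NooBaa system namespace
 }
 
 // NewVault is vault driver constructor
@@ -33,7 +35,7 @@ func NewVault(
 namespace string,
 uid string,
 ) Driver {
-return &Vault{uid}
+return &Vault{uid, name, namespace}
 }
 
 //
@@ -179,8 +181,8 @@ func writeCrtsToFile(secretName string, namespace string, secretValue []byte, en
 
 // Version returns the current driver KMS version
 // either single string or map, i.e. rotating key
-func (*Vault) Version(kms *KMS) Version {
-return &VersionSingleSecret{kms, nil}
+func (k *Vault) Version(kms *KMS) Version {
+return &VersionRotatingSecret{VersionBase{kms, nil}, k.name, k.ns}
 }
 
 // Register Vault driver with KMS layer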
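Review bot: `return &Vault{uid, name, namespace}` in `NewVault` fills the struct positionally, and now that `Vault` has three `string` fields a later reordering would silently swap the system name and namespace, which then feed the backend secret name and its namespace. Prefer keyed fields: `return &Vault{UID: uid, name: name, ns: namespace}`. Switching `Version` from `VersionSingleSecret` to `VersionRotatingSecret` also changes the storage layout for every existing Vault-backed system, so the upgrade path for a root key already stored as a single secret should be stated; `deleteSingleStringSecret` in kms_version.go hints that migration logic exists, but none of it is visible in this change. A short comment on `Version` naming where that migration is handled would help the next reader.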
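--- a/pkg/util/kms/kms_version.go
+++ b/pkg/util/kms/kms_version.go
@@ -102,7 +102,7 @@ func (v *VersionRotatingSecret) Reconcile(r SecretReconciler) error {
 
 // Get implements SecretStorage interface for the secret map, i.e. rotating master root key
 func (v *VersionRotatingSecret) Get() error {
-s, _, err := v.k.GetSecret(v.backendSecretName(), v.k.driver.GetContext())
+s, _, err := v.k.GetSecret(v.BackendSecretName(), v.k.driver.GetContext())
 if err != nil {
 // handle k8s get from non-existent secret
 if strings.Contains(err.Error(), "not found") {
@@ -120,8 +120,8 @@ func (v *VersionRotatingSecret) Get() error {
 return nil
 }
 
-// backendSecretName returns the rotating secret backend secret name
-func (v *VersionRotatingSecret) backendSecretName() string {
+// BackendSecretName returns the rotating secret backend secret name
+func (v *VersionRotatingSecret) BackendSecretName() string {
 return v.name + "-root-master-key-backend"
 }
 
@@ -137,7 +137,7 @@ func (v *VersionRotatingSecret) Set(val string) error {
 s[ActiveRootKey] = key
 s[key] = val
 v.data = s
-_, err := v.k.PutSecret(v.backendSecretName(), toInterfaceMap(s), v.k.driver.SetContext())
+_, err := v.k.PutSecret(v.BackendSecretName(), toInterfaceMap(s), v.k.driver.SetContext())
 return err
 }
 
@@ -154,11 +154,15 @@ func (v *VersionRotatingSecret) deleteSingleStringSecret() bool {
 func (v *VersionRotatingSecret) Delete() error {
 // Delete rotating secret backend
 backendSecret := &corev1.Secret{}
-backendSecret.Name = v.backendSecretName()
+backendSecret.Name = v.BackendSecretName()
 backendSecret.Namespace = v.ns
 if !util.KubeDelete(backendSecret) {
 return fmt.Errorf("KMS Delete error for the rotating master root secret backend")
 }
 
+err := v.k.DeleteSecret(v.BackendSecretName(), v.k.driver.DeleteContext())
+if err != nil {
+return err
+}
+
 return nil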
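Review bot: The new `v.k.DeleteSecret` call in `Delete` returns the driver error bare, while the `KubeDelete` failure two lines above gets a descriptive message, and unlike `Get`, which tolerates a "not found" response, it may fail hard when the KMS copy is absent (a system whose backend was never written, or a retried cleanup), leaving the system undeletable. Suggest `if err := v.k.DeleteSecret(v.BackendSecretName(), v.k.driver.DeleteContext()); err != nil {` / `return fmt.Errorf("KMS Delete error for the rotating master root secret backend: %w", err)` / `}` together with the same not-found tolerance `Get` already applies. Ordering is also worth a look: the Kubernetes secret is removed before the KMS secret, so a failed `DeleteSecret` orphans the key material in the KMS with nothing left in the cluster to reference it; deleting the KMS copy first would make a retry straightforward, provided `KubeDelete` treats an already-missing secret as success, which is not visible here.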
