Automated cherry pick of #2151: security: tikv encryption kms config (#…

…2198) * security: tikv encryption kms config * fix doc * fix tiny * fix tiny * fix tiny Co-authored-by: shuijing198799 <yinliang@pingcap.com>
pingcap · Apr 16, 2020 · 2b641cb · 2b641cb
1 parent 6f42736
commit 2b641cb
Show file tree

Hide file tree

Showing 5 changed files with 420 additions and 1 deletion.
diff --git a/docs/api-references/docs.md b/docs/api-references/docs.md
@@ -3927,6 +3927,117 @@ Kubernetes core/v1.ResourceRequirements
 </tr>
 </tbody>
 </table>
+<h3 id="pingcap.com/v1alpha1.MasterKeyFileConfig">MasterKeyFileConfig
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#pingcap.com/v1alpha1.TiKVMasterKeyConfig">TiKVMasterKeyConfig</a>)
+</p>
+<p>
+</p>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>method</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Encrypyion method, use master key encryption data key
+Possible values: plaintext, aes128-ctr, aes192-ctr, aes256-ctr
+Optional: Default to plaintext
+optional</p>
+</td>
+</tr>
+</tbody>
+</table>
+<h3 id="pingcap.com/v1alpha1.MasterKeyKMSConfig">MasterKeyKMSConfig
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#pingcap.com/v1alpha1.TiKVMasterKeyConfig">TiKVMasterKeyConfig</a>)
+</p>
+<p>
+</p>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>key-id</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<p>AWS CMK key-id it can be find in AWS Console or use aws cli
+This field is required</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>access-key</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<p>AccessKey of AWS user, leave empty if using other authrization method
+optional</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>secret-access-key</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<p>SecretKey of AWS user, leave empty if using other authrization method
+optional</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>region</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Region of this KMS key
+Optional: Default to us-east-1
+optional</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>endpoint</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Used for KMS compatible KMS, such as Ceph, minio, If use AWS, leave empty
+optional</p>
+</td>
+</tr>
+</tbody>
+</table>
 <h3 id="pingcap.com/v1alpha1.MemberPhase">MemberPhase
 (<code>string</code> alias)</p></h3>
 <p>
@@ -9871,6 +9982,19 @@ TiKVSecurityConfig
 <em>(Optional)</em>
 </td>
 </tr>
+<tr>
+<td>
+<code>encryption</code></br>
+<em>
+<a href="#pingcap.com/v1alpha1.TiKVEncryptionConfig">
+TiKVEncryptionConfig
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+</td>
+</tr>
 </tbody>
 </table>
 <h3 id="pingcap.com/v1alpha1.TiKVCoprocessorConfig">TiKVCoprocessorConfig
@@ -10440,6 +10564,78 @@ TiKVTitanDBConfig
 </tr>
 </tbody>
 </table>
+<h3 id="pingcap.com/v1alpha1.TiKVEncryptionConfig">TiKVEncryptionConfig
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#pingcap.com/v1alpha1.TiKVConfig">TiKVConfig</a>)
+</p>
+<p>
+</p>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>method</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Encrypyion method, use data key encryption raw rocksdb data
+Possible values: plaintext, aes128-ctr, aes192-ctr, aes256-ctr
+Optional: Default to plaintext
+optional</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>data-key-rotation-period</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<p>The frequency of datakey rotation, It managered by tikv
+Optional: default to 7d
+optional</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>master-key</code></br>
+<em>
+<a href="#pingcap.com/v1alpha1.TiKVMasterKeyConfig">
+TiKVMasterKeyConfig
+</a>
+</em>
+</td>
+<td>
+<p>Master key config</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>previous-master-key</code></br>
+<em>
+<a href="#pingcap.com/v1alpha1.TiKVMasterKeyConfig">
+TiKVMasterKeyConfig
+</a>
+</em>
+</td>
+<td>
+<p>Previous master key config
+It used in master key rotation, the data key should decryption by previous master key and  then encrypytion by new master key</p>
+</td>
+</tr>
+</tbody>
+</table>
 <h3 id="pingcap.com/v1alpha1.TiKVFailureStore">TiKVFailureStore
 </h3>
 <p>
@@ -10649,6 +10845,71 @@ string
 </tr>
 </tbody>
 </table>
+<h3 id="pingcap.com/v1alpha1.TiKVMasterKeyConfig">TiKVMasterKeyConfig
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#pingcap.com/v1alpha1.TiKVEncryptionConfig">TiKVEncryptionConfig</a>)
+</p>
+<p>
+</p>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>type</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Use KMS encryption or use file encryption, possible values: kms, file
+If set to kms, kms MasterKeyKMSConfig should be filled, if set to file MasterKeyFileConfig should be filled
+optional</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>MasterKeyFileConfig</code></br>
+<em>
+<a href="#pingcap.com/v1alpha1.MasterKeyFileConfig">
+MasterKeyFileConfig
+</a>
+</em>
+</td>
+<td>
+<p>
+(Members of <code>MasterKeyFileConfig</code> are embedded into this type.)
+</p>
+<p>Master key file config
+If the type set to file, this config should be filled</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>MasterKeyKMSConfig</code></br>
+<em>
+<a href="#pingcap.com/v1alpha1.MasterKeyKMSConfig">
+MasterKeyKMSConfig
+</a>
+</em>
+</td>
+<td>
+<p>
+(Members of <code>MasterKeyKMSConfig</code> are embedded into this type.)
+</p>
+<p>Master key KMS config
+If the type set to kms, this config should be filled</p>
+</td>
+</tr>
+</tbody>
+</table>
 <h3 id="pingcap.com/v1alpha1.TiKVPDConfig">TiKVPDConfig
 </h3>
 <p>

diff --git a/manifests/crd.yaml b/manifests/crd.yaml
@@ -6140,6 +6140,7 @@ spec:
                             to false optional'
                           type: boolean
                       type: object
+                    encryption: {}
                     gc:
                       properties:
                         "\tbatch-keys":

diff --git a/pkg/apis/pingcap/v1alpha1/openapi_generated.go b/pkg/apis/pingcap/v1alpha1/openapi_generated.go
diff --git a/pkg/apis/pingcap/v1alpha1/tikv_config.go b/pkg/apis/pingcap/v1alpha1/tikv_config.go
@@ -51,6 +51,8 @@ type TiKVConfig struct {
 	PD *TiKVPDConfig `json:"pd,omitempty" toml:"pd,omitempty"`
 	// +optional
 	Security *TiKVSecurityConfig `json:"security,omitempty" toml:"security,omitempty"`
+	// +optional
+	Encryption *TiKVEncryptionConfig `json:"encryption,omitempty" toml:"encryption,omitempty"`
 }
 
 // +k8s:openapi-gen=true
@@ -742,3 +744,72 @@ type TiKVCoprocessorConfig struct {
 	// optional
 	RegionSplitKeys *int64 `json:"region-split-keys,omitempty" toml:"region-split-keys,omitempty"`
 }
+
+type TiKVEncryptionConfig struct {
+	// Encrypyion method, use data key encryption raw rocksdb data
+	// Possible values: plaintext, aes128-ctr, aes192-ctr, aes256-ctr
+	// Optional: Default to plaintext
+	// optional
+	Method string `json:"method,omitempty" toml:"method,omitempty"`
+
+	// The frequency of datakey rotation, It managered by tikv
+	// Optional: default to 7d
+	// optional
+	DataKeyRotationPeriod string `json:"data-key-rotation-period,omitempty" toml:"data-key-rotation-period,omitempty"`
+
+	// Master key config
+	MasterKey *TiKVMasterKeyConfig `json:"master-key,omitempty" toml:"master-key,omitempty"`
+
+	// Previous master key config
+	// It used in master key rotation, the data key should decryption by previous master key and  then encrypytion by new master key
+	PreviousMasterKey *TiKVMasterKeyConfig `json:"previous-master-key,omitempty" toml:"previoud-master-key,omitempty"`
+}
+
+type TiKVMasterKeyConfig struct {
+	// Use KMS encryption or use file encryption, possible values: kms, file
+	// If set to kms, kms MasterKeyKMSConfig should be filled, if set to file MasterKeyFileConfig should be filled
+	// optional
+	Type string `json:"type,omitempty" toml:"type,omitempty"`
+
+	// Master key file config
+	// If the type set to file, this config should be filled
+	MasterKeyFileConfig `json:",inline"`
+
+	// Master key KMS config
+	// If the type set to kms, this config should be filled
+	MasterKeyKMSConfig `json:",inline"`
+}
+
+type MasterKeyFileConfig struct {
+	// Encrypyion method, use master key encryption data key
+	// Possible values: plaintext, aes128-ctr, aes192-ctr, aes256-ctr
+	// Optional: Default to plaintext
+	// optional
+	Method string `json:"method,omitempty" toml:"method,omitempty"`
+
+	// Text file containing the key in hex form, end with '\n'
+	Path string `json:"path" toml:"path"`
+}
+
+type MasterKeyKMSConfig struct {
+	// AWS CMK key-id it can be find in AWS Console or use aws cli
+	// This field is required
+	KeyID string `json:"key-id" toml:"key-id"`
+
+	// AccessKey of AWS user, leave empty if using other authrization method
+	// optional
+	AccessKey string `json:"access-key,omitempty" toml:"access-key,omitempty"`
+
+	// SecretKey of AWS user, leave empty if using other authrization method
+	// optional
+	SecretKey string `json:"secret-access-key,omitempty" toml:"access-key,omitempty"`
+
+	// Region of this KMS key
+	// Optional: Default to us-east-1
+	// optional
+	Region string `json:"region,omitempty" toml:"region,omitempty"`
+
+	// Used for KMS compatible KMS, such as Ceph, minio, If use AWS, leave empty
+	// optional
+	Endpoint string `json:"endpoint,omitempty" toml:"endpoint,omitempty"`
+}