diff --git a/docs/api-references/docs.md b/docs/api-references/docs.md index 188daed6fa..a676271b16 100644 --- a/docs/api-references/docs.md +++ b/docs/api-references/docs.md @@ -3927,6 +3927,117 @@ Kubernetes core/v1.ResourceRequirements +

MasterKeyFileConfig +

+

+(Appears on: +TiKVMasterKeyConfig) +

+

+

+ + + + + + + + + + + + + +
FieldDescription
+method
+ +string + +
+

Encrypyion method, use master key encryption data key +Possible values: plaintext, aes128-ctr, aes192-ctr, aes256-ctr +Optional: Default to plaintext +optional

+
+

MasterKeyKMSConfig +

+

+(Appears on: +TiKVMasterKeyConfig) +

+

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
+key-id
+ +string + +
+

AWS CMK key-id it can be find in AWS Console or use aws cli +This field is required

+
+access-key
+ +string + +
+

AccessKey of AWS user, leave empty if using other authrization method +optional

+
+secret-access-key
+ +string + +
+

SecretKey of AWS user, leave empty if using other authrization method +optional

+
+region
+ +string + +
+

Region of this KMS key +Optional: Default to us-east-1 +optional

+
+endpoint
+ +string + +
+

Used for KMS compatible KMS, such as Ceph, minio, If use AWS, leave empty +optional

+

MemberPhase (string alias)

@@ -9871,6 +9982,19 @@ TiKVSecurityConfig (Optional) + + +encryption
+ + +TiKVEncryptionConfig + + + + +(Optional) + +

TiKVCoprocessorConfig @@ -10440,6 +10564,78 @@ TiKVTitanDBConfig +

TiKVEncryptionConfig +

+

+(Appears on: +TiKVConfig) +

+

+

+ + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
+method
+ +string + +
+

Encrypyion method, use data key encryption raw rocksdb data +Possible values: plaintext, aes128-ctr, aes192-ctr, aes256-ctr +Optional: Default to plaintext +optional

+
+data-key-rotation-period
+ +string + +
+

The frequency of datakey rotation, It managered by tikv +Optional: default to 7d +optional

+
+master-key
+ + +TiKVMasterKeyConfig + + +
+

Master key config

+
+previous-master-key
+ + +TiKVMasterKeyConfig + + +
+

Previous master key config +It used in master key rotation, the data key should decryption by previous master key and then encrypytion by new master key

+

TiKVFailureStore

@@ -10649,6 +10845,71 @@ string +

TiKVMasterKeyConfig +

+

+(Appears on: +TiKVEncryptionConfig) +

+

+

+ + + + + + + + + + + + + + + + + + + + + +
FieldDescription
+type
+ +string + +
+

Use KMS encryption or use file encryption, possible values: kms, file +If set to kms, kms MasterKeyKMSConfig should be filled, if set to file MasterKeyFileConfig should be filled +optional

+
+MasterKeyFileConfig
+ + +MasterKeyFileConfig + + +
+

+(Members of MasterKeyFileConfig are embedded into this type.) +

+

Master key file config +If the type set to file, this config should be filled

+
+MasterKeyKMSConfig
+ + +MasterKeyKMSConfig + + +
+

+(Members of MasterKeyKMSConfig are embedded into this type.) +

+

Master key KMS config +If the type set to kms, this config should be filled

+

TiKVPDConfig

diff --git a/manifests/crd.yaml b/manifests/crd.yaml index b1eb04dbc8..0e7aa77eca 100644 --- a/manifests/crd.yaml +++ b/manifests/crd.yaml @@ -6140,6 +6140,7 @@ spec: to false optional' type: boolean type: object + encryption: {} gc: properties: "\tbatch-keys": diff --git a/pkg/apis/pingcap/v1alpha1/openapi_generated.go b/pkg/apis/pingcap/v1alpha1/openapi_generated.go index a571bf8c3d..7d2561fb05 100644 --- a/pkg/apis/pingcap/v1alpha1/openapi_generated.go +++ b/pkg/apis/pingcap/v1alpha1/openapi_generated.go 
@@ -4952,11 +4952,16 @@ func schema_pkg_apis_pingcap_v1alpha1_TiKVConfig(ref common.ReferenceCallback) c Ref: ref("github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.TiKVSecurityConfig"), }, }, + "encryption": { + SchemaProps: spec.SchemaProps{ + Ref: ref("github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.TiKVEncryptionConfig"), + }, + }, }, }, }, Dependencies: []string{ - "github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.TiKVCoprocessorConfig", "github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.TiKVDbConfig", "github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.TiKVGCConfig", "github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.TiKVImportConfig", "github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.TiKVPDConfig", "github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.TiKVRaftDBConfig", "github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.TiKVRaftstoreConfig", "github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.TiKVReadPoolConfig", "github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.TiKVSecurityConfig", "github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.TiKVServerConfig", "github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.TiKVStorageConfig"}, + "github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.TiKVCoprocessorConfig", "github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.TiKVDbConfig", "github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.TiKVEncryptionConfig", "github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.TiKVGCConfig", "github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.TiKVImportConfig", "github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.TiKVPDConfig", "github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.TiKVRaftDBConfig", "github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.TiKVRaftstoreConfig", "github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.TiKVReadPoolConfig", 
"github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.TiKVSecurityConfig", "github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.TiKVServerConfig", "github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.TiKVStorageConfig"}, } } diff --git a/pkg/apis/pingcap/v1alpha1/tikv_config.go b/pkg/apis/pingcap/v1alpha1/tikv_config.go index ec03c2fb15..82be0a4565 100644 --- a/pkg/apis/pingcap/v1alpha1/tikv_config.go +++ b/pkg/apis/pingcap/v1alpha1/tikv_config.go @@ -51,6 +51,8 @@ type TiKVConfig struct { PD *TiKVPDConfig `json:"pd,omitempty" toml:"pd,omitempty"` // +optional Security *TiKVSecurityConfig `json:"security,omitempty" toml:"security,omitempty"` + // +optional + Encryption *TiKVEncryptionConfig `json:"encryption,omitempty" toml:"encryption,omitempty"` } // +k8s:openapi-gen=true 
@@ -742,3 +744,72 @@ type TiKVCoprocessorConfig struct {
 // optional
 RegionSplitKeys *int64 `json:"region-split-keys,omitempty" toml:"region-split-keys,omitempty"`
 }
+
+type TiKVEncryptionConfig struct {
+ // Encrypyion method, use data key encryption raw rocksdb data
+ // Possible values: plaintext, aes128-ctr, aes192-ctr, aes256-ctr
+ // Optional: Default to plaintext
+ // optional
+ Method string `json:"method,omitempty" toml:"method,omitempty"`
+
+ // The frequency of datakey rotation, It managered by tikv
+ // Optional: default to 7d
+ // optional
+ DataKeyRotationPeriod string `json:"data-key-rotation-period,omitempty" toml:"data-key-rotation-period,omitempty"`
+
+ // Master key config
+ MasterKey *TiKVMasterKeyConfig `json:"master-key,omitempty" toml:"master-key,omitempty"`
+
+ // Previous master key config
+ // It used in master key rotation, the data key should decryption by previous master key and then encrypytion by new master key
+ PreviousMasterKey *TiKVMasterKeyConfig `json:"previous-master-key,omitempty" toml:"previoud-master-key,omitempty"`
+}
+
+type TiKVMasterKeyConfig struct {
+ // Use KMS encryption or use file encryption, possible values: kms, file
+ // If set to kms, kms MasterKeyKMSConfig should be filled, if set to file MasterKeyFileConfig should be filled
+ // optional
+ Type string `json:"type,omitempty" toml:"type,omitempty"`
+
+ // Master key file config
+ // If the type set to file, this config should be filled
+ MasterKeyFileConfig `json:",inline"`
+
+ // Master key KMS config
+ // If the type set to kms, this config should be filled
+ MasterKeyKMSConfig `json:",inline"`
+}
+
+type MasterKeyFileConfig struct {
+ // Encrypyion method, use master key encryption data key
+ // Possible values: plaintext, aes128-ctr, aes192-ctr, aes256-ctr
+ // Optional: Default to plaintext
+ // optional
+ Method string `json:"method,omitempty" toml:"method,omitempty"`
+
+ // Text file containing the key in hex form, end with '\n'
+ Path string `json:"path" toml:"path"`
+}
+
+type MasterKeyKMSConfig struct {
+ // AWS CMK key-id it can be find in AWS Console or use aws cli
+ // This field is required
+ KeyID string `json:"key-id" toml:"key-id"`
+
+ // AccessKey of AWS user, leave empty if using other authrization method
+ // optional
+ AccessKey string `json:"access-key,omitempty" toml:"access-key,omitempty"`
+
+ // SecretKey of AWS user, leave empty if using other authrization method
+ // optional
+ SecretKey string `json:"secret-access-key,omitempty" toml:"access-key,omitempty"`
+
+ // Region of this KMS key
+ // Optional: Default to us-east-1
+ // optional
+ Region string `json:"region,omitempty" toml:"region,omitempty"`
+
+ // Used for KMS compatible KMS, such as Ceph, minio, If use AWS, leave empty
+ // optional
+ Endpoint string `json:"endpoint,omitempty" toml:"endpoint,omitempty"`
+}
diff --git a/pkg/apis/pingcap/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/pingcap/v1alpha1/zz_generated.deepcopy.go
index 44da493b4a..f0d0944c49 100644
--- a/pkg/apis/pingcap/v1alpha1/zz_generated.deepcopy.go
+++ b/pkg/apis/pingcap/v1alpha1/zz_generated.deepcopy.go
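Review bot: Two TOML tags in the new types do not name the field they sit on: `PreviousMasterKey` is tagged `toml:"previoud-master-key,omitempty"` (typo) and `SecretKey` is tagged `toml:"access-key,omitempty"`, the same TOML key `AccessKey` already uses. Because this struct is what gets rendered into TiKV's config, the previous master key would be emitted under a name TiKV presumably never reads, so the data keys wrapped by the old master key cannot be unwrapped during a rotation, and the secret key would either collide with `access-key` in the encoder or be silently dropped; the fix is `toml:"previous-master-key,omitempty"` and `toml:"secret-access-key,omitempty"`, mirroring the json tags. None of the four new types carry the `// +k8s:openapi-gen=true` marker the neighbouring TiKV config types have, which is consistent with the CRD hunk in this commit rendering the field as `encryption: {}` — i.e. no server-side validation of `method`, `type`, or the required `path`/`key-id`, and both the file and KMS members are always serialized regardless of `type` since `path` and `key-id` lack `omitempty`. Finally, `AccessKey`/`SecretKey` place long-lived AWS credentials in the TidbCluster spec and in whatever ConfigMap is rendered from it, readable by anyone with get/list on those objects; the comments should state that these are sensitive and steer users to IAM roles/instance profiles (leaving both empty), e.g. `// SecretKey of the AWS user. Sensitive: stored in the CR and rendered config; prefer an IAM role and leave empty.`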
@@ -1355,6 +1355,38 @@ func (in *LogTailerSpec) DeepCopy() *LogTailerSpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MasterKeyFileConfig) DeepCopyInto(out *MasterKeyFileConfig) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MasterKeyFileConfig. +func (in *MasterKeyFileConfig) DeepCopy() *MasterKeyFileConfig { + if in == nil { + return nil + } + out := new(MasterKeyFileConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MasterKeyKMSConfig) DeepCopyInto(out *MasterKeyKMSConfig) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MasterKeyKMSConfig. +func (in *MasterKeyKMSConfig) DeepCopy() *MasterKeyKMSConfig { + if in == nil { + return nil + } + out := new(MasterKeyKMSConfig) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *MetricsStatus) DeepCopyInto(out *MetricsStatus) { *out = *in @@ -3888,6 +3920,11 @@ func (in *TiKVConfig) DeepCopyInto(out *TiKVConfig) { *out = new(TiKVSecurityConfig) (*in).DeepCopyInto(*out) } + if in.Encryption != nil { + in, out := &in.Encryption, &out.Encryption + *out = new(TiKVEncryptionConfig) + (*in).DeepCopyInto(*out) + } return } 
@@ -4084,6 +4121,32 @@ func (in *TiKVDbConfig) DeepCopy() *TiKVDbConfig { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TiKVEncryptionConfig) DeepCopyInto(out *TiKVEncryptionConfig) { + *out = *in + if in.MasterKey != nil { + in, out := &in.MasterKey, &out.MasterKey + *out = new(TiKVMasterKeyConfig) + **out = **in + } + if in.PreviousMasterKey != nil { + in, out := &in.PreviousMasterKey, &out.PreviousMasterKey + *out = new(TiKVMasterKeyConfig) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TiKVEncryptionConfig. +func (in *TiKVEncryptionConfig) DeepCopy() *TiKVEncryptionConfig { + if in == nil { + return nil + } + out := new(TiKVEncryptionConfig) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TiKVFailureStore) DeepCopyInto(out *TiKVFailureStore) { *out = *in @@ -4163,6 +4226,24 @@ func (in *TiKVImportConfig) DeepCopy() *TiKVImportConfig { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TiKVMasterKeyConfig) DeepCopyInto(out *TiKVMasterKeyConfig) { + *out = *in + out.MasterKeyFileConfig = in.MasterKeyFileConfig + out.MasterKeyKMSConfig = in.MasterKeyKMSConfig + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TiKVMasterKeyConfig. +func (in *TiKVMasterKeyConfig) DeepCopy() *TiKVMasterKeyConfig { + if in == nil { + return nil + } + out := new(TiKVMasterKeyConfig) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TiKVPDConfig) DeepCopyInto(out *TiKVPDConfig) { *out = *in