Changes on top of the original contribution (spiffe#3955):

- Change the implementation to create a new key when we need to generate a new one instead of adding a new version to an existing key. Once the key is created, the old one is deleted. Since key versions can't be deleted in Key Vault, this allows us to delete rotated keys. - Avoid disposing keys that belong to the current server. - Rename the plugin to azure_key_vault. - Fix tests. Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
amartinezfayo · Aug 23, 2023 · f6a79e4 · f6a79e4
1 parent ac8c30e
commit f6a79e4
Show file tree

Hide file tree

Showing 8 changed files with 152 additions and 132 deletions.
diff --git a/conf/server/server_full.conf b/conf/server/server_full.conf
@@ -295,9 +295,9 @@ plugins {
     #    }
     # }
 
-    # KeyManager "azure_kms": A key manager for signing SVIDs which generates
-    # and stores keys in Microsoft Azure KMS (Azure Key Vault).
-    # KeyManager "azure_kms" {
+    # KeyManager "azure_key_vault": A key manager for signing SVIDs which generates
+    # and stores keys in Microsoft Azure Key Vault.
+    # KeyManager "azure_key_vault" {
     #    plugin_data = {
     #         # key_metadata_file: A file path location where information about
     #         # generated keys will be persisted.

diff --git a/doc/plugin_server_keymanager_azure_kms.md → ...ugin_server_keymanager_azure_key_vault.md b/doc/plugin_server_keymanager_azure_kms.md → ...ugin_server_keymanager_azure_key_vault.md
@@ -1,6 +1,6 @@
-# Server plugin: KeyManager "azure_kms"
+# Server plugin: KeyManager "azure_key_vault"
 
-The `azure_kms` key manager plugin leverages the Microsoft Azure Key Vault
+The `azure_key_vault` key manager plugin leverages the Microsoft Azure Key Vault
 Service to create, maintain, and rotate key pairs, signing SVIDs as needed. No
 Microsoft Azure principal can view or export the raw cryptographic key material
 represented by a key. Instead, Key Vault accesses the key material on behalf of

diff --git a/pkg/server/catalog/keymanager.go b/pkg/server/catalog/keymanager.go
@@ -5,7 +5,7 @@ import (
 
 	"github.com/spiffe/spire/pkg/server/plugin/keymanager"
 	"github.com/spiffe/spire/pkg/server/plugin/keymanager/awskms"
-	"github.com/spiffe/spire/pkg/server/plugin/keymanager/azurekms"
+	"github.com/spiffe/spire/pkg/server/plugin/keymanager/azurekeyvault"
 	"github.com/spiffe/spire/pkg/server/plugin/keymanager/disk"
 	"github.com/spiffe/spire/pkg/server/plugin/keymanager/gcpkms"
 	"github.com/spiffe/spire/pkg/server/plugin/keymanager/memory"
@@ -32,7 +32,7 @@ func (repo *keyManagerRepository) BuiltIns() []catalog.BuiltIn {
 		awskms.BuiltIn(),
 		disk.BuiltIn(),
 		gcpkms.BuiltIn(),
-		azurekms.BuiltIn(),
+		azurekeyvault.BuiltIn(),
 		memory.BuiltIn(),
 	}
 }