security: tikv encryption kms config (#2151)

pingcap · Apr 13, 2020 · 6db31db · 6db31db
1 parent da68386
commit 6db31db
Show file tree

Hide file tree

Showing 5 changed files with 708 additions and 1 deletion.
diff --git a/docs/api-references/docs.md b/docs/api-references/docs.md
@@ -4250,6 +4250,117 @@ uint32
 </tr>
 </tbody>
 </table>
+<h3 id="pingcap.com/v1alpha1.MasterKeyFileConfig">MasterKeyFileConfig
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#pingcap.com/v1alpha1.TiKVMasterKeyConfig">TiKVMasterKeyConfig</a>)
+</p>
+<p>
+</p>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>method</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Encrypyion method, use master key encryption data key
+Possible values: plaintext, aes128-ctr, aes192-ctr, aes256-ctr
+Optional: Default to plaintext
+optional</p>
+</td>
+</tr>
+</tbody>
+</table>
+<h3 id="pingcap.com/v1alpha1.MasterKeyKMSConfig">MasterKeyKMSConfig
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#pingcap.com/v1alpha1.TiKVMasterKeyConfig">TiKVMasterKeyConfig</a>)
+</p>
+<p>
+</p>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>key-id</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<p>AWS CMK key-id it can be find in AWS Console or use aws cli
+This field is required</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>access-key</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<p>AccessKey of AWS user, leave empty if using other authrization method
+optional</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>secret-access-key</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<p>SecretKey of AWS user, leave empty if using other authrization method
+optional</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>region</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Region of this KMS key
+Optional: Default to us-east-1
+optional</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>endpoint</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Used for KMS compatible KMS, such as Ceph, minio, If use AWS, leave empty
+optional</p>
+</td>
+</tr>
+</tbody>
+</table>
 <h3 id="pingcap.com/v1alpha1.MemberPhase">MemberPhase
 (<code>string</code> alias)</p></h3>
 <p>
@@ -10358,6 +10469,19 @@ TiKVSecurityConfig
 <em>(Optional)</em>
 </td>
 </tr>
+<tr>
+<td>
+<code>encryption</code></br>
+<em>
+<a href="#pingcap.com/v1alpha1.TiKVEncryptionConfig">
+TiKVEncryptionConfig
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+</td>
+</tr>
 </tbody>
 </table>
 <h3 id="pingcap.com/v1alpha1.TiKVCoprocessorConfig">TiKVCoprocessorConfig
@@ -10929,6 +11053,78 @@ TiKVTitanDBConfig
 </tr>
 </tbody>
 </table>
+<h3 id="pingcap.com/v1alpha1.TiKVEncryptionConfig">TiKVEncryptionConfig
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#pingcap.com/v1alpha1.TiKVConfig">TiKVConfig</a>)
+</p>
+<p>
+</p>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>method</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Encrypyion method, use data key encryption raw rocksdb data
+Possible values: plaintext, aes128-ctr, aes192-ctr, aes256-ctr
+Optional: Default to plaintext
+optional</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>data-key-rotation-period</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<p>The frequency of datakey rotation, It managered by tikv
+Optional: default to 7d
+optional</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>master-key</code></br>
+<em>
+<a href="#pingcap.com/v1alpha1.TiKVMasterKeyConfig">
+TiKVMasterKeyConfig
+</a>
+</em>
+</td>
+<td>
+<p>Master key config</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>previous-master-key</code></br>
+<em>
+<a href="#pingcap.com/v1alpha1.TiKVMasterKeyConfig">
+TiKVMasterKeyConfig
+</a>
+</em>
+</td>
+<td>
+<p>Previous master key config
+It used in master key rotation, the data key should decryption by previous master key and  then encrypytion by new master key</p>
+</td>
+</tr>
+</tbody>
+</table>
 <h3 id="pingcap.com/v1alpha1.TiKVFailureStore">TiKVFailureStore
 </h3>
 <p>
@@ -11140,6 +11336,71 @@ string
 </tr>
 </tbody>
 </table>
+<h3 id="pingcap.com/v1alpha1.TiKVMasterKeyConfig">TiKVMasterKeyConfig
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#pingcap.com/v1alpha1.TiKVEncryptionConfig">TiKVEncryptionConfig</a>)
+</p>
+<p>
+</p>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>type</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Use KMS encryption or use file encryption, possible values: kms, file
+If set to kms, kms MasterKeyKMSConfig should be filled, if set to file MasterKeyFileConfig should be filled
+optional</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>MasterKeyFileConfig</code></br>
+<em>
+<a href="#pingcap.com/v1alpha1.MasterKeyFileConfig">
+MasterKeyFileConfig
+</a>
+</em>
+</td>
+<td>
+<p>
+(Members of <code>MasterKeyFileConfig</code> are embedded into this type.)
+</p>
+<p>Master key file config
+If the type set to file, this config should be filled</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>MasterKeyKMSConfig</code></br>
+<em>
+<a href="#pingcap.com/v1alpha1.MasterKeyKMSConfig">
+MasterKeyKMSConfig
+</a>
+</em>
+</td>
+<td>
+<p>
+(Members of <code>MasterKeyKMSConfig</code> are embedded into this type.)
+</p>
+<p>Master key KMS config
+If the type set to kms, this config should be filled</p>
+</td>
+</tr>
+</tbody>
+</table>
 <h3 id="pingcap.com/v1alpha1.TiKVPDConfig">TiKVPDConfig
 </h3>
 <p>

diff --git a/manifests/crd.yaml b/manifests/crd.yaml
@@ -6117,6 +6117,103 @@ spec:
                             to false optional'
                           type: boolean
                       type: object
+                    encryption:
+                      properties:
+                        data-key-rotation-period:
+                          description: 'The frequency of datakey rotation, It managered
+                            by tikv Optional: default to 7d optional'
+                          type: string
+                        master-key:
+                          properties:
+                            access-key:
+                              description: AccessKey of AWS user, leave empty if using
+                                other authrization method optional
+                              type: string
+                            endpoint:
+                              description: Used for KMS compatible KMS, such as Ceph,
+                                minio, If use AWS, leave empty optional
+                              type: string
+                            key-id:
+                              description: AWS CMK key-id it can be find in AWS Console
+                                or use aws cli This field is required
+                              type: string
+                            method:
+                              description: 'Encrypyion method, use master key encryption
+                                data key Possible values: plaintext, aes128-ctr, aes192-ctr,
+                                aes256-ctr Optional: Default to plaintext optional'
+                              type: string
+                            path:
+                              description: |-
+                                Text file containing the key in hex form, end with '
+                                '
+                              type: string
+                            region:
+                              description: 'Region of this KMS key Optional: Default
+                                to us-east-1 optional'
+                              type: string
+                            secret-access-key:
+                              description: SecretKey of AWS user, leave empty if using
+                                other authrization method optional
+                              type: string
+                            type:
+                              description: 'Use KMS encryption or use file encryption,
+                                possible values: kms, file If set to kms, kms MasterKeyKMSConfig
+                                should be filled, if set to file MasterKeyFileConfig
+                                should be filled optional'
+                              type: string
+                          required:
+                          - path
+                          - key-id
+                          type: object
+                        method:
+                          description: 'Encrypyion method, use data key encryption
+                            raw rocksdb data Possible values: plaintext, aes128-ctr,
+                            aes192-ctr, aes256-ctr Optional: Default to plaintext
+                            optional'
+                          type: string
+                        previous-master-key:
+                          properties:
+                            access-key:
+                              description: AccessKey of AWS user, leave empty if using
+                                other authrization method optional
+                              type: string
+                            endpoint:
+                              description: Used for KMS compatible KMS, such as Ceph,
+                                minio, If use AWS, leave empty optional
+                              type: string
+                            key-id:
+                              description: AWS CMK key-id it can be find in AWS Console
+                                or use aws cli This field is required
+                              type: string
+                            method:
+                              description: 'Encrypyion method, use master key encryption
+                                data key Possible values: plaintext, aes128-ctr, aes192-ctr,
+                                aes256-ctr Optional: Default to plaintext optional'
+                              type: string
+                            path:
+                              description: |-
+                                Text file containing the key in hex form, end with '
+                                '
+                              type: string
+                            region:
+                              description: 'Region of this KMS key Optional: Default
+                                to us-east-1 optional'
+                              type: string
+                            secret-access-key:
+                              description: SecretKey of AWS user, leave empty if using
+                                other authrization method optional
+                              type: string
+                            type:
+                              description: 'Use KMS encryption or use file encryption,
+                                possible values: kms, file If set to kms, kms MasterKeyKMSConfig
+                                should be filled, if set to file MasterKeyFileConfig
+                                should be filled optional'
+                              type: string
+                          required:
+                          - path
+                          - key-id
+                          type: object
+                      type: object
                     gc:
                       properties:
                         "\tbatch-keys":