Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

security: tikv encryption kms config #2151

Merged
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
261 changes: 261 additions & 0 deletions docs/api-references/docs.md
Original file line number Diff line number Diff line change
Expand Up @@ -4250,6 +4250,117 @@ uint32
</tr>
</tbody>
</table>
<h3 id="pingcap.com/v1alpha1.MasterKeyFileConfig">MasterKeyFileConfig
</h3>
<p>
(<em>Appears on:</em>
<a href="#pingcap.com/v1alpha1.TiKVMasterKeyConfig">TiKVMasterKeyConfig</a>)
</p>
<p>
</p>
<table>
<thead>
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<code>method</code></br>
<em>
string
</em>
</td>
<td>
<p>Encrypyion method, use master key encryption data key
Possible values: plaintext, aes128-ctr, aes192-ctr, aes256-ctr
Optional: Default to plaintext
optional</p>
</td>
</tr>
</tbody>
</table>
<h3 id="pingcap.com/v1alpha1.MasterKeyKMSConfig">MasterKeyKMSConfig
</h3>
<p>
(<em>Appears on:</em>
<a href="#pingcap.com/v1alpha1.TiKVMasterKeyConfig">TiKVMasterKeyConfig</a>)
</p>
<p>
</p>
<table>
<thead>
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<code>key-id</code></br>
<em>
string
</em>
</td>
<td>
<p>AWS CMK key-id it can be find in AWS Console or use aws cli
This field is required</p>
</td>
</tr>
<tr>
<td>
<code>access-key</code></br>
<em>
string
</em>
</td>
<td>
<p>AccessKey of AWS user, leave empty if using other authrization method
optional</p>
</td>
</tr>
<tr>
<td>
<code>secret-access-key</code></br>
<em>
string
</em>
</td>
<td>
<p>SecretKey of AWS user, leave empty if using other authrization method
optional</p>
</td>
</tr>
<tr>
<td>
<code>region</code></br>
<em>
string
</em>
</td>
<td>
<p>Region of this KMS key
Optional: Default to us-east-1
optional</p>
</td>
</tr>
<tr>
<td>
<code>endpoint</code></br>
<em>
string
</em>
</td>
<td>
<p>Used for KMS compatible KMS, such as Ceph, minio, If use AWS, leave empty
optional</p>
</td>
</tr>
</tbody>
</table>
<h3 id="pingcap.com/v1alpha1.MemberPhase">MemberPhase
(<code>string</code> alias)</p></h3>
<p>
Expand Down Expand Up @@ -10358,6 +10469,19 @@ TiKVSecurityConfig
<em>(Optional)</em>
</td>
</tr>
<tr>
<td>
<code>encryption</code></br>
<em>
<a href="#pingcap.com/v1alpha1.TiKVEncryptionConfig">
TiKVEncryptionConfig
</a>
</em>
</td>
<td>
<em>(Optional)</em>
</td>
</tr>
</tbody>
</table>
<h3 id="pingcap.com/v1alpha1.TiKVCoprocessorConfig">TiKVCoprocessorConfig
Expand Down Expand Up @@ -10929,6 +11053,78 @@ TiKVTitanDBConfig
</tr>
</tbody>
</table>
<h3 id="pingcap.com/v1alpha1.TiKVEncryptionConfig">TiKVEncryptionConfig
</h3>
<p>
(<em>Appears on:</em>
<a href="#pingcap.com/v1alpha1.TiKVConfig">TiKVConfig</a>)
</p>
<p>
</p>
<table>
<thead>
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<code>method</code></br>
<em>
string
</em>
</td>
<td>
<p>Encrypyion method, use data key encryption raw rocksdb data
Possible values: plaintext, aes128-ctr, aes192-ctr, aes256-ctr
Optional: Default to plaintext
optional</p>
</td>
</tr>
<tr>
<td>
<code>data-key-rotation-period</code></br>
<em>
string
</em>
</td>
<td>
<p>The frequency of datakey rotation, It managered by tikv
Optional: default to 7d
optional</p>
</td>
</tr>
<tr>
<td>
<code>master-key</code></br>
<em>
<a href="#pingcap.com/v1alpha1.TiKVMasterKeyConfig">
TiKVMasterKeyConfig
</a>
</em>
</td>
<td>
<p>Master key config</p>
</td>
</tr>
<tr>
<td>
<code>previous-master-key</code></br>
<em>
<a href="#pingcap.com/v1alpha1.TiKVMasterKeyConfig">
TiKVMasterKeyConfig
</a>
</em>
</td>
<td>
<p>Previous master key config
It used in master key rotation, the data key should decryption by previous master key and then encrypytion by new master key</p>
</td>
</tr>
</tbody>
</table>
<h3 id="pingcap.com/v1alpha1.TiKVFailureStore">TiKVFailureStore
</h3>
<p>
Expand Down Expand Up @@ -11140,6 +11336,71 @@ string
</tr>
</tbody>
</table>
<h3 id="pingcap.com/v1alpha1.TiKVMasterKeyConfig">TiKVMasterKeyConfig
</h3>
<p>
(<em>Appears on:</em>
<a href="#pingcap.com/v1alpha1.TiKVEncryptionConfig">TiKVEncryptionConfig</a>)
</p>
<p>
</p>
<table>
<thead>
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<code>type</code></br>
<em>
string
</em>
</td>
<td>
<p>Use KMS encryption or use file encryption, possible values: kms, file
If set to kms, kms MasterKeyKMSConfig should be filled, if set to file MasterKeyFileConfig should be filled
optional</p>
</td>
</tr>
<tr>
<td>
<code>MasterKeyFileConfig</code></br>
<em>
<a href="#pingcap.com/v1alpha1.MasterKeyFileConfig">
MasterKeyFileConfig
</a>
</em>
</td>
<td>
<p>
(Members of <code>MasterKeyFileConfig</code> are embedded into this type.)
</p>
<p>Master key file config
If the type set to file, this config should be filled</p>
</td>
</tr>
<tr>
<td>
<code>MasterKeyKMSConfig</code></br>
<em>
<a href="#pingcap.com/v1alpha1.MasterKeyKMSConfig">
MasterKeyKMSConfig
</a>
</em>
</td>
<td>
<p>
(Members of <code>MasterKeyKMSConfig</code> are embedded into this type.)
</p>
<p>Master key KMS config
If the type set to kms, this config should be filled</p>
</td>
</tr>
</tbody>
</table>
<h3 id="pingcap.com/v1alpha1.TiKVPDConfig">TiKVPDConfig
</h3>
<p>
Expand Down
97 changes: 97 additions & 0 deletions manifests/crd.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -6117,6 +6117,103 @@ spec:
to false optional'
type: boolean
type: object
encryption:
properties:
data-key-rotation-period:
description: 'The frequency of datakey rotation, It managered
by tikv Optional: default to 7d optional'
type: string
master-key:
properties:
access-key:
description: AccessKey of AWS user, leave empty if using
other authrization method optional
type: string
endpoint:
description: Used for KMS compatible KMS, such as Ceph,
minio, If use AWS, leave empty optional
type: string
key-id:
description: AWS CMK key-id it can be find in AWS Console
or use aws cli This field is required
type: string
method:
description: 'Encrypyion method, use master key encryption
data key Possible values: plaintext, aes128-ctr, aes192-ctr,
aes256-ctr Optional: Default to plaintext optional'
type: string
path:
description: |-
Text file containing the key in hex form, end with '
'
type: string
region:
description: 'Region of this KMS key Optional: Default
to us-east-1 optional'
type: string
secret-access-key:
description: SecretKey of AWS user, leave empty if using
other authrization method optional
type: string
type:
description: 'Use KMS encryption or use file encryption,
possible values: kms, file If set to kms, kms MasterKeyKMSConfig
should be filled, if set to file MasterKeyFileConfig
should be filled optional'
type: string
required:
- path
- key-id
type: object
method:
description: 'Encrypyion method, use data key encryption
raw rocksdb data Possible values: plaintext, aes128-ctr,
aes192-ctr, aes256-ctr Optional: Default to plaintext
optional'
type: string
previous-master-key:
properties:
access-key:
description: AccessKey of AWS user, leave empty if using
other authrization method optional
type: string
endpoint:
description: Used for KMS compatible KMS, such as Ceph,
minio, If use AWS, leave empty optional
type: string
key-id:
description: AWS CMK key-id it can be find in AWS Console
or use aws cli This field is required
type: string
method:
description: 'Encrypyion method, use master key encryption
data key Possible values: plaintext, aes128-ctr, aes192-ctr,
aes256-ctr Optional: Default to plaintext optional'
type: string
path:
description: |-
Text file containing the key in hex form, end with '
'
type: string
region:
description: 'Region of this KMS key Optional: Default
to us-east-1 optional'
type: string
secret-access-key:
description: SecretKey of AWS user, leave empty if using
other authrization method optional
type: string
type:
description: 'Use KMS encryption or use file encryption,
possible values: kms, file If set to kms, kms MasterKeyKMSConfig
should be filled, if set to file MasterKeyFileConfig
should be filled optional'
type: string
required:
- path
- key-id
type: object
type: object
gc:
properties:
"\tbatch-keys":
Expand Down
Loading