security: tikv encryption kms config

docs/api-references/docs.md

@@ -4250,6 +4250,117 @@ uint32
 </tr>
 </tbody>
 </table>
+<h3 id="pingcap.com/v1alpha1.MasterKeyFileConfig">MasterKeyFileConfig
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#pingcap.com/v1alpha1.TiKVMasterKeyConfig">TiKVMasterKeyConfig</a>)
+</p>
+<p>
+</p>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>method</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Encrypyion method, use master key encryption data key
+Possible values: plaintext, aes128-ctr, aes192-ctr, aes256-ctr
+Optional: Default to plaintext
+optional</p>
+</td>
+</tr>
+</tbody>
+</table>
+<h3 id="pingcap.com/v1alpha1.MasterKeyKMSConfig">MasterKeyKMSConfig
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#pingcap.com/v1alpha1.TiKVMasterKeyConfig">TiKVMasterKeyConfig</a>)
+</p>
+<p>
+</p>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>key-id</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<p>AWS CMK key-id it can be find in AWS Console or use aws cli
+This field is required</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>access-key</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<p>AccessKey of AWS user, leave empty if using other authrization method
+optional</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>secret-access-key</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<p>SecretKey of AWS user, leave empty if using other authrization method
+optional</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>region</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Region of this KMS key
+Optional: Default to us-east-1
+optional</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>endpoint</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Used for KMS compatible KMS, such as Ceph, minio, If use AWS, leave empty
+optional</p>
+</td>
+</tr>
+</tbody>
+</table>
 <h3 id="pingcap.com/v1alpha1.MemberPhase">MemberPhase
 (<code>string</code> alias)</p></h3>
 <p>
@@ -10358,6 +10469,19 @@ TiKVSecurityConfig
 <em>(Optional)</em>
 </td>
 </tr>
+<tr>
+<td>
+<code>encryption</code></br>
+<em>
+<a href="#pingcap.com/v1alpha1.TiKVEncryptionConfig">
+TiKVEncryptionConfig
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+</td>
+</tr>
 </tbody>
 </table>
 <h3 id="pingcap.com/v1alpha1.TiKVCoprocessorConfig">TiKVCoprocessorConfig
@@ -10929,6 +11053,78 @@ TiKVTitanDBConfig
 </tr>
 </tbody>
 </table>
+<h3 id="pingcap.com/v1alpha1.TiKVEncryptionConfig">TiKVEncryptionConfig
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#pingcap.com/v1alpha1.TiKVConfig">TiKVConfig</a>)
+</p>
+<p>
+</p>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>method</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Encrypyion method, use data key encryption raw rocksdb data
+Possible values: plaintext, aes128-ctr, aes192-ctr, aes256-ctr
+Optional: Default to plaintext
+optional</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>data-key-rotation-period</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<p>The frequency of datakey rotation, It managered by tikv
+Optional: default to 7d
+optional</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>master-key</code></br>
+<em>
+<a href="#pingcap.com/v1alpha1.TiKVMasterKeyConfig">
+TiKVMasterKeyConfig
+</a>
+</em>
+</td>
+<td>
+<p>Master key config</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>previous-master-key</code></br>
+<em>
+<a href="#pingcap.com/v1alpha1.TiKVMasterKeyConfig">
+TiKVMasterKeyConfig
+</a>
+</em>
+</td>
+<td>
+<p>Previous master key config
+It used in master key rotation, the data key should decryption by previous master key and then encrypytion by new master key</p>
+</td>
+</tr>
+</tbody>
+</table>
 <h3 id="pingcap.com/v1alpha1.TiKVFailureStore">TiKVFailureStore
 </h3>
 <p>
@@ -11140,6 +11336,71 @@ string
 </tr>
 </tbody>
 </table>
+<h3 id="pingcap.com/v1alpha1.TiKVMasterKeyConfig">TiKVMasterKeyConfig
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#pingcap.com/v1alpha1.TiKVEncryptionConfig">TiKVEncryptionConfig</a>)
+</p>
+<p>
+</p>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>type</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Use KMS encryption or use file encryption, possible values: kms, file
+If set to kms, kms MasterKeyKMSConfig should be filled, if set to file MasterKeyFileConfig should be filled
+optional</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>MasterKeyFileConfig</code></br>
+<em>
+<a href="#pingcap.com/v1alpha1.MasterKeyFileConfig">
+MasterKeyFileConfig
+</a>
+</em>
+</td>
+<td>
+<p>
+(Members of <code>MasterKeyFileConfig</code> are embedded into this type.)
+</p>
+<p>Master key file config
+If the type set to file, this config should be filled</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>MasterKeyKMSConfig</code></br>
+<em>
+<a href="#pingcap.com/v1alpha1.MasterKeyKMSConfig">
+MasterKeyKMSConfig
+</a>
+</em>
+</td>
+<td>
+<p>
+(Members of <code>MasterKeyKMSConfig</code> are embedded into this type.)
+</p>
+<p>Master key KMS config
+If the type set to kms, this config should be filled</p>
+</td>
+</tr>
+</tbody>
+</table>
 <h3 id="pingcap.com/v1alpha1.TiKVPDConfig">TiKVPDConfig
 </h3>
 <p>

manifests/crd.yaml

@@ -6117,6 +6117,103 @@ spec:
  to false optional'
  type: boolean
  type: object
+ encryption:
+ properties:
+ data-key-rotation-period:
+ description: 'The frequency of datakey rotation, It managered
+ by tikv Optional: default to 7d optional'
+ type: string
+ master-key:
+ properties:
+ access-key:
+ description: AccessKey of AWS user, leave empty if using
+ other authrization method optional
+ type: string
+ endpoint:
+ description: Used for KMS compatible KMS, such as Ceph,
+ minio, If use AWS, leave empty optional
+ type: string
+ key-id:
+ description: AWS CMK key-id it can be find in AWS Console
+ or use aws cli This field is required
+ type: string
+ method:
+ description: 'Encrypyion method, use master key encryption
+ data key Possible values: plaintext, aes128-ctr, aes192-ctr,
+ aes256-ctr Optional: Default to plaintext optional'
+ type: string
+ path:
+ description: |-
+ Text file containing the key in hex form, end with '
+ '
+ type: string
+ region:
+ description: 'Region of this KMS key Optional: Default
+ to us-east-1 optional'
+ type: string
+ secret-access-key:
+ description: SecretKey of AWS user, leave empty if using
+ other authrization method optional
+ type: string
+ type:
+ description: 'Use KMS encryption or use file encryption,
+ possible values: kms, file If set to kms, kms MasterKeyKMSConfig
+ should be filled, if set to file MasterKeyFileConfig
+ should be filled optional'
+ type: string
+ required:
+ - path
+ - key-id
+ type: object
+ method:
+ description: 'Encrypyion method, use data key encryption
+ raw rocksdb data Possible values: plaintext, aes128-ctr,
+ aes192-ctr, aes256-ctr Optional: Default to plaintext
+ optional'
+ type: string
+ previous-master-key:
+ properties:
+ access-key:
+ description: AccessKey of AWS user, leave empty if using
+ other authrization method optional
+ type: string
+ endpoint:
+ description: Used for KMS compatible KMS, such as Ceph,
+ minio, If use AWS, leave empty optional
+ type: string
+ key-id:
+ description: AWS CMK key-id it can be find in AWS Console
+ or use aws cli This field is required
+ type: string
+ method:
+ description: 'Encrypyion method, use master key encryption
+ data key Possible values: plaintext, aes128-ctr, aes192-ctr,
+ aes256-ctr Optional: Default to plaintext optional'
+ type: string
+ path:
+ description: |-
+ Text file containing the key in hex form, end with '
+ '
+ type: string
+ region:
+ description: 'Region of this KMS key Optional: Default
+ to us-east-1 optional'
+ type: string
+ secret-access-key:
+ description: SecretKey of AWS user, leave empty if using
+ other authrization method optional
+ type: string
+ type:
+ description: 'Use KMS encryption or use file encryption,
+ possible values: kms, file If set to kms, kms MasterKeyKMSConfig
+ should be filled, if set to file MasterKeyFileConfig
+ should be filled optional'
+ type: string
+ required:
+ - path
+ - key-id
+ type: object
+ type: object
  gc:
  properties:
  "\tbatch-keys":