Merged
6 changes: 3 additions & 3 deletions .github/workflows/cdh_basic.yml
Expand Up @@ -69,13 +69,13 @@ jobs:

- name: Run cargo test
run: |
sudo -E PATH=$PATH -s cargo test --features kbs,aliyun,sev,bin -p confidential-data-hub
sudo -E PATH=$PATH -s cargo test --features kbs,aliyun,sev,bin -p kms -p confidential-data-hub

- name: Run cargo fmt check
run: |
sudo -E PATH=$PATH -s cargo fmt -p confidential-data-hub -- --check
sudo -E PATH=$PATH -s cargo fmt -p kms -p confidential-data-hub -- --check

- name: Run rust lint check
run: |
# We are getting error in generated code due to derive_partial_eq_without_eq check, so ignore it for now
sudo -E PATH=$PATH -s cargo clippy -p confidential-data-hub -- -D warnings -A clippy::derive-partial-eq-without-eq
sudo -E PATH=$PATH -s cargo clippy -p kms -p confidential-data-hub -- -D warnings -A clippy::derive-partial-eq-without-eq
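Review bot: the `-A clippy::derive-partial-eq-without-eq` allow now covers the new `kms` package as well, although the comment above it justifies the allow only for generated code; if `kms` carries no generated code, consider keeping the allow scoped to `confidential-data-hub` (for example by running clippy for `kms` in its own invocation without the `-A`) so that real lint findings in the new crate are not masked from the start.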
117 changes: 80 additions & 37 deletions Cargo.lock
1 change: 1 addition & 0 deletions Cargo.toml
Expand Up @@ -11,6 +11,7 @@ members = [
"attestation-agent/deps/sev",
"attestation-agent/coco_keyprovider",
"confidential-data-hub/hub",
"confidential-data-hub/kms",
"image-rs",
"ocicrypt-rs",
]
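Review bot: the new member path `confidential-data-hub/kms` matches the `../../kms/src/...` links introduced in the docs hunks below, so the workspace layout and documentation stay consistent; the accompanying Cargo.lock hunk (80 additions, 37 deletions) is not rendered on this page, so the dependency set the new crate pulls into the workspace should be checked separately before merge.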
8 changes: 4 additions & 4 deletions confidential-data-hub/docs/kms-providers/alibaba.md
Expand Up @@ -56,17 +56,17 @@ Else if `client_type` is set to 'sts_token', provider_settings shall be as follo
### Credential files

To connect to a KMS instance with `client_type` set to 'client_key', a client key is needed. A client key is actually
[an json with encrypted inside](../../hub/src/kms/plugins/aliyun/client/client_key_client/example_credential/clientKey_KAAP.f4c8____.json)
[an json with encrypted inside](../../kms/src/plugins/aliyun/client/client_key_client/example_credential/clientKey_KAAP.f4c8____.json)
private key. The name of the client key is always derived from the client key id. Suppose the
client key ID is `xxx`, then the client key file has name `clientKey_xxx.json`. The key to encrypt
the private key is derived from a password that is also saved in [a file](../../hub/src/kms/plugins/aliyun/client/client_key_client/example_credential/password_KAAP.f4c8____.json).
the private key is derived from a password that is also saved in [a file](../../kms/src/plugins/aliyun/client/client_key_client/example_credential/password_KAAP.f4c8____.json).
Suppose the client key ID is `xxx`, then the password file has name `password_xxx.json`.
Besides, [a cert of the KMS server](../../hub/src/kms/plugins/aliyun/client/client_key_client/example_credential/PrivateKmsCA_kst-shh64702cf2jvc_____.pem)
Besides, [a cert of the KMS server](../../kms/src/plugins/aliyun/client/client_key_client/example_credential/PrivateKmsCA_kst-shh64702cf2jvc_____.pem)
is also needed. Suppose the kms instance id is `xxx`, then the cert of the KMS server has name `PrivateKmsCA_xxx.pem`.

For more details please see the [developer document for aliyun](https://www.alibabacloud.com/help/en/key-management-service/latest/api-overview).

To connect to a KMS instance with `client_type` set to 'ecs_ram_role', a [ecsRamRole.json](../../hub/src/kms/plugins/aliyun/client/ecs_ram_role_client/example_credential/ecsRamRole.json) file is needed.
To connect to a KMS instance with `client_type` set to 'ecs_ram_role', a [ecsRamRole.json](../../kms/src/plugins/aliyun/client/ecs_ram_role_client/example_credential/ecsRamRole.json) file is needed.
In the json file, `ecs_ram_role_name` and `region_id` is set in order to get access to Dedicated KMS.
Among them,`ecs_ram_role_name` refer to RAM role for ECS instances in a VPC network, where CDH runs. Can be set on Aliyun Console.
And `region_id` refers to region id of Dedicated KMS, to which more details can be refered [here](https://www.alibabacloud.com/help/en/kms/product-overview/supported-regions).
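Review bot: the relinked credential paths resolve to the new `confidential-data-hub/kms` crate location and are internally consistent, but since this paragraph is being touched, the unchanged lines that follow the `ecs_ram_role` link could be tidied in the same change: "`ecs_ram_role_name` and `region_id` is set" should read "are set", "`ecs_ram_role_name` refer to" should read "refers to", and "refered" should read "referred"; "an json with encrypted inside private key" on the changed line would also read better as "a JSON file containing an encrypted private key".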
2 changes: 1 addition & 1 deletion confidential-data-hub/docs/kms-providers/ehsm-kms.md
Expand Up @@ -28,7 +28,7 @@ The `annotations` should be set empty.
### Credential files

To connect to a KMS instance, a credential file is needed. A credential file is actually
[an json file with app_id and api_key](../../hub/src/kms/plugins/ehsm/example_credential/credential.4eb1____.json).
[an json file with app_id and api_key](../../kms/src/plugins/ehsm/example_credential/credential.4eb1____.json).
The name of the credential file is always derived from the app id. Suppose the
App ID is `xxx`, then the credential file has name `credential.xxx.json`.

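Review bot: the path update on the changed line matches the other docs in this PR; while the line is being edited, "an json file with app_id and api_key" should read "a JSON file with app_id and api_key".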