Releases: minio/kes
Release 2023-08-19T17-27-47Z
Release Notes
This release just contains bug fixes and no new features.
KES is now built using Go 1.21.0. Also, the container images are built using the latest UBI 8.8 micro base image.
What's Changed
- go: update to Go 1.21.0 by @aead in #387
- mod: update dependencies by @aead in #389
- vault: improve usage of time.Timer by @aead in #388
- fix: set GOPROXY for self hosted runner by @shtripat in #390
- fix: remove unwanted ENV vars by @shtripat in #391
Full Changelog: 2023-07-26T11-13-07Z...2023-08-19T17-27-47Z
Release 2023-07-26T11-13-07Z
Release Notes
KES releases now use Go 1.20.6 and container images are based on UBI 8.8.
New Features
The KES edge server now supports Entrust KeyControl (v10.1 or newer) as a key store backend. Refer to the documented edge config file for configuration options.
The KES edge server now uses a new read-optimized caching implementation that reduces lock contention.
The details can be found here: 0b32a5d
Bug Fixes
KES accepts either a path or the raw JWT for its Hashicorp Vault K8S JWT config field. Hence, it has to check whether the value refers to a file or not. Commit f4e3ef6 disallows the OS path separator character in the Hashicorp Vault K8S JWT and prevents situations where KES fails to read the JWT with an error like "filename is too long".
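The path-or-token decision described above, as an added example written for this page and not KES's own code: a value containing the OS path separator is treated as a file path, and anything else must itself look like a JWT (three base64url segments, which can never contain a path separator), so an oversized raw token is never handed to the filesystem. The token contents, the claims and the file name used below are constructed.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"os"
	"strings"
)

// ResolveJWT returns the JWT to present for Vault Kubernetes auth from a
// config value that is either a file path or the raw token. The OS path
// separator decides the case: a JWT is base64url and can never contain it.
// A raw value is also checked for JWT shape, so a wrong or oversized value is
// rejected instead of being passed to os.ReadFile (where a long token would
// fail with "file name too long").
func ResolveJWT(value string) (string, error) {
	value = strings.TrimSpace(value)
	if value == "" {
		return "", errors.New("vault: kubernetes jwt is empty")
	}
	if strings.ContainsRune(value, os.PathSeparator) {
		b, err := os.ReadFile(value)
		if err != nil {
			return "", fmt.Errorf("vault: reading kubernetes jwt file: %w", err)
		}
		tok := strings.TrimSpace(string(b))
		if !looksLikeJWT(tok) {
			return "", fmt.Errorf("vault: %q does not contain a jwt", value)
		}
		return tok, nil
	}
	if !looksLikeJWT(value) {
		return "", errors.New("vault: kubernetes jwt is neither a file path nor a jwt")
	}
	return value, nil
}

// looksLikeJWT accepts header.payload.signature where header and payload
// decode as base64url; the signature is not verified here, only its presence.
func looksLikeJWT(s string) bool {
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return false
	}
	for _, p := range parts[:2] {
		if p == "" {
			return false
		}
		if _, err := base64.RawURLEncoding.DecodeString(p); err != nil {
			return false
		}
	}
	return parts[2] != ""
}

// demoToken builds a constructed token for demonstration; the signature
// segment is filler, not a real signature.
func demoToken() string {
	enc := base64.RawURLEncoding.EncodeToString
	header := enc([]byte(`{"alg":"RS256","kid":"demo"}`))
	claims := enc([]byte(`{"iss":"kubernetes/serviceaccount","sub":"system:serviceaccount:default:kes"}`))
	return header + "." + claims + "." + enc([]byte("constructed-signature"))
}

func main() {
	tok := demoToken()
	for _, v := range []string{tok, "/var/run/secrets/constructed/token", strings.Repeat("x", 4096)} {
		got, err := ResolveJWT(v)
		fmt.Printf("value %.20q... -> jwt? %v err=%v\n", v, got != "", err)
	}
}
```

A bare file name without a separator (for example `token` in the working directory) is treated as a raw token under this rule and rejected by the shape check, which is the behaviour the note describes; configure such files with a full path.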
What's Changed
- update CI and release config to Go 1.20.4 by @aead in #360
- keystore: improve caching mechanism by @aead in #358
- remove package kms and keserv by @aead in #359
- edge: handle Vault K8S auth JWTs more strictly by @aead in #365
- Added unit tests for various key stores by @shtripat in #363
- Enabled for other backend stores by @shtripat in #364
- edge: move tests from edge_test to edge package by @aead in #367
- Refactored kestest integration tests by @shtripat in #368
- fix: kes update command, update it to use proper version tags by @harshavardhana in #374
- fix obsolete vault kubernetes jwt file read by @lu1as in #371
- build(deps): bump google.golang.org/grpc from 1.50.1 to 1.53.0 by @dependabot in #377
- Fix wrong assignment by @reivaj05 in #375
- kestest: randomize key names by @shtripat in #370
- edge: use random secret key names and delete at end of each test by @shtripat in #369
- update kes UBI image to 8.8 by @harshavardhana in #378
- Added github actions for edge test for cloud KMS systems by @shtripat in #379
- ci: update to Go 1.20.6 by @aead in #381
- ci: use correct runner label for edge tests by @shtripat in #380
- ci: delete all the keys post test by @shtripat in #382
- keystore: add support for Entrust KeyControl by @aead in #384
New Contributors
- @shtripat made their first contribution in #363
- @lu1as made their first contribution in #371
- @reivaj05 made their first contribution in #375
Full Changelog: 2023-05-02T22-48-10Z...2023-07-26T11-13-07Z
Release 2023-05-02T22-48-10Z
Release Notes
New Features
Readiness API
The KES edge server provides a new readiness API /v1/ready. This allows users to determine whether the system is ready to handle requests. Authentication for the /v1/ready API can also be disabled to support systems that do not support mTLS probes. Disabling authentication has some subtle impacts on how mTLS connections are handled. Refer to the commit message d15990d for more details.
Bug Fixes
With commit 1e46c48, KES loads the Azure KeyVault tenant-id correctly.
What's Changed
- add readiness API by @aead in #354
- improve kes identity new command by @aead in #355
- fix: Load Azure KeyVault tenant-id correctly from the config file by @vadmeste in #357
Full Changelog: 2023-04-18T19-36-09Z...2023-05-02T22-48-10Z
Release 2023-04-18T19-36-09Z
Release Notes
This release just contains bug fixes and no new features.
It fixes various bugs uncovered by the staticcheck linter added to the golangci-lint system.
In particular, two recursion bugs and the usage of deprecated types, functions and methods.
What's Changed
- edge: fix recursion bug in iterator by @aead in #350
- ci: add staticcheck linter by @aead in #351
- add git tag check to release process by @aead in #349
Full Changelog: 2023-04-17T23-01-06Z...2023-04-18T19-36-09Z
Release 2023-04-17T23-01-06Z
Release Notes
This release just contains bug fixes and no new features.
It fixes a bug affecting the GCP SecretManager keystore backend. In particular, the status check used to fail
when no GCP SecretManager endpoint has been specified in the KES config. This no longer happens and the
GCP default endpoint is used for the status check.
Full Changelog: 2023-04-03T16-41-28Z...2023-04-17T23-01-06Z
Release 2023-04-03T16-41-28Z
Release Notes
Container Images
The KES container/docker images now use the UBI micro as base image instead of UBI minimal.
Now, KES images are about half the size compared to previous images based on UBI minimal and
contain no unused dependencies anymore.
API customization
A KES edge server now supports API configuration. For example:
api:
  /v1/metrics:
    skip_auth: false
    timeout: 15s
Now, the API timeout can be customized for all v1 APIs. In addition, the API authentication can be turned off for the following three APIs:
/v1/status
/v1/metrics
/v1/api
However, API authentication should only be disabled when provisioning, e.g., a monitoring service with an API key or client certificate is not possible for some specific reason. In general, disabling authentication for any API is not recommended. The timeout and authentication configuration for each API is exposed as part of the /v1/api API.
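The following is an added example, not KES code, showing how the per-API timeout and skip_auth settings above (and the unauthenticated /v1/ready probe from the 2023-05-02 release) can be enforced in one piece of middleware. The Server type, the defaultTimeout value, and the definition of an identity as the hex SHA-256 of the client certificate's SubjectPublicKeyInfo are assumptions of this example; the sample certificate bytes are constructed.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// APIConfig carries the two per-API options from the release notes.
type APIConfig struct {
	SkipAuth bool
	Timeout  time.Duration
}

// defaultTimeout applies to APIs without an explicit timeout; the value is an
// assumption of this example, the real default is not stated on the page.
const defaultTimeout = 10 * time.Second

// Server is an illustrative edge-server shape, not the KES type.
type Server struct {
	APIs    map[string]APIConfig // keyed by request path
	Allowed map[string]bool      // identities permitted on authenticated APIs
}

// identityOf is the identity this example assigns to a client public key:
// hex(SHA-256(SubjectPublicKeyInfo)). That definition is an assumption here.
func identityOf(spki []byte) string {
	sum := sha256.Sum256(spki)
	return hex.EncodeToString(sum[:])
}

// identify reads the caller's identity from the mTLS peer certificate.
// Because skip_auth routes must be reachable without one, the TLS listener
// has to request rather than require client certificates, so this check,
// not the handshake, is what enforces authentication.
func identify(r *http.Request) (string, bool) {
	if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
		return "", false
	}
	return identityOf(r.TLS.PeerCertificates[0].RawSubjectPublicKeyInfo), true
}

// Handler applies each route's timeout and, unless skip_auth is set for the
// route, the identity check; unconfigured routes get the defaults.
func (s *Server) Handler(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		cfg := APIConfig{Timeout: defaultTimeout}
		if c, ok := s.APIs[r.URL.Path]; ok {
			cfg = c
			if cfg.Timeout <= 0 {
				cfg.Timeout = defaultTimeout
			}
		}
		if !cfg.SkipAuth {
			id, ok := identify(r)
			if !ok || !s.Allowed[id] {
				http.Error(w, "not authorized", http.StatusUnauthorized)
				return
			}
		}
		http.TimeoutHandler(next, cfg.Timeout, "request timed out").ServeHTTP(w, r)
	})
}

// demoClientSPKI stands in for a real client certificate's public key.
var demoClientSPKI = []byte("constructed demo client SubjectPublicKeyInfo")

// newDemoServer mirrors the release notes: /v1/ready and /v1/metrics skip
// authentication, /v1/status keeps it, everything else uses the defaults.
func newDemoServer() *Server {
	return &Server{
		APIs: map[string]APIConfig{
			"/v1/ready":   {SkipAuth: true, Timeout: 5 * time.Second},
			"/v1/metrics": {SkipAuth: true, Timeout: 15 * time.Second},
			"/v1/status":  {SkipAuth: false, Timeout: 15 * time.Second},
		},
		Allowed: map[string]bool{identityOf(demoClientSPKI): true},
	}
}

// probe sends one request through the wrapped handler, optionally with a
// peer certificate carrying spki, and returns the HTTP status code.
func probe(s *Server, path string, spki []byte) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if spki != nil {
		req.TLS = &tls.ConnectionState{PeerCertificates: []*x509.Certificate{{RawSubjectPublicKeyInfo: spki}}}
	}
	rec := httptest.NewRecorder()
	s.Handler(ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	s := newDemoServer()
	for _, p := range []string{"/v1/ready", "/v1/metrics", "/v1/status", "/v1/key/create/app"} {
		fmt.Printf("%-20s anonymous=%d client=%d\n", p, probe(s, p, nil), probe(s, p, demoClientSPKI))
	}
}
```

This is also where the "subtle impact" on mTLS comes from: once any route may be called without a client certificate, the listener can no longer use tls.RequireAndVerifyClientCert and must accept the handshake with tls.RequestClientCert or tls.VerifyClientCertIfGiven, so enforcement moves from the handshake into a per-request check like the one above, and every authenticated route has to pass through it.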
New packages kes/edge and kes/kv
There are two new packages: kes/edge and kes/kv. The former provides functionality for reading KES edge server configuration. The latter exposes a generic abstraction over KES edge server backends for storing cryptographic keys.
What's Changed
- build(deps): bump golang.org/x/net from 0.4.0 to 0.7.0 by @dependabot in #333
- move from UBI-minimal to UBI-micro containers by @aead in #337
- move handler logic into internal/api by @aead in #335
- expose keystore status in the /v1/status API by @aead in #339
- allow server API customization by @aead in #338
- add new packages edge and kv by @aead in #342
- use HTTP instead of TCP KeyStore status check by @aead in #345
Full Changelog: 2023-02-15T14-54-37Z...2023-04-03T16-41-28Z
Release 2023-02-15T14-54-37Z
Release Notes
Versioning
The KES server and CLI now follow a rolling release versioning scheme instead of semantic versioning. The KES version is now derived from the git commit timestamp. It has the following form: YYYY-MM-DDThh-mm-ssZ.
The KES Go SDK has been moved to its own repository (minio/kes-go) and continues to follow semantic versioning.
API Keys
KES now supports API keys for authentication. API keys are short secret keys that map to a TLS private/public key pair, and therefore, can be used for mTLS authentication. Hence, each API key also has an identity.
API key: kes:v1:AD9E7FSYWrMD+VjhI6q545cYT9YOyFxZb7UnjEepYDRc
Identity: 3ecfcdf38fcbe141ae26a1030f81e96b753365a46760ae6b578698a97c59fd22
Clients can use API keys instead of TLS certificates (private key / certificate file), which should simplify credential handling in a majority of cases. The KES CLI supports API keys by setting the KES_API_KEY env. variable. For example:
export KES_SERVER=https://play.min.io:7373/
export KES_API_KEY=kes:v1:AD9E7FSYWrMD+VjhI6q545cYT9YOyFxZb7UnjEepYDRc
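To make concrete how an API key maps to a key pair and an identity, here is an added example (not the KES or kes-go implementation) that parses the sample key shown above. The payload layout (one key-type byte followed by a 32-byte Ed25519 seed, which matches the decoded length of the sample) and the identity definition (hex SHA-256 of the certificate's SubjectPublicKeyInfo) are assumptions of this example, so the value it prints need not equal the identity listed above; the certificate subject name is constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

const apiKeyPrefix = "kes:v1:"

// sampleAPIKey is the key printed in the release notes above.
const sampleAPIKey = "kes:v1:AD9E7FSYWrMD+VjhI6q545cYT9YOyFxZb7UnjEepYDRc"

// ParseAPIKey decodes a "kes:v1:" API key into an Ed25519 private key.
// Assumed layout: a 33-byte base64 payload, one key-type byte (0 = Ed25519)
// followed by the 32-byte Ed25519 seed.
func ParseAPIKey(s string) (ed25519.PrivateKey, error) {
	if !strings.HasPrefix(s, apiKeyPrefix) {
		return nil, errors.New("api key: missing kes:v1: prefix")
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(s, apiKeyPrefix))
	if err != nil {
		return nil, fmt.Errorf("api key: %w", err)
	}
	if len(raw) != 1+ed25519.SeedSize {
		return nil, fmt.Errorf("api key: unexpected payload length %d", len(raw))
	}
	if raw[0] != 0 {
		return nil, fmt.Errorf("api key: unsupported key type %d", raw[0])
	}
	return ed25519.NewKeyFromSeed(raw[1:]), nil
}

// CertificateFor builds a self-signed client certificate for the key so a
// client can present it in an mTLS handshake. The serial is random, so each
// call yields a different certificate for the same public key.
func CertificateFor(priv ed25519.PrivateKey) (tls.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: "kes-api-key"}, // constructed name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}, nil
}

// Identity is hex(SHA-256(SubjectPublicKeyInfo)) of a certificate; it depends
// only on the public key, not on the serial, validity or subject.
func Identity(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// KeyIdentity computes the same identity straight from the private key's
// public half, without issuing a certificate.
func KeyIdentity(priv ed25519.PrivateKey) (string, error) {
	spki, err := x509.MarshalPKIXPublicKey(priv.Public().(ed25519.PublicKey))
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(spki)
	return hex.EncodeToString(sum[:]), nil
}

// IdentityOfAPIKey ties the steps together: API key -> key pair -> certificate -> identity.
func IdentityOfAPIKey(s string) (string, error) {
	priv, err := ParseAPIKey(s)
	if err != nil {
		return "", err
	}
	cert, err := CertificateFor(priv)
	if err != nil {
		return "", err
	}
	return Identity(cert.Leaf), nil
}

func main() {
	id, err := IdentityOfAPIKey(sampleAPIKey)
	if err != nil {
		panic(err)
	}
	fmt.Println("identity:", id)
	// The tls.Certificate from CertificateFor can be placed in
	// tls.Config{Certificates: ...} of an mTLS client.
}
```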
SIGHUP Reloads
A KES edge server now supports hot configuration reloads by listening for the SIGHUP signal on unix systems. When receiving a SIGHUP signal, the KES server reloads its configuration file (e.g. loads TLS configuration, sets up policies, connects to the specified key store, etc.) in the background. When it has reloaded the new configuration successfully, it swaps the previous and the new one. Therefore, reloading the server configuration happens atomically and instantaneously. Clients will not experience any service interruption.
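The load-then-swap reload described above, as an added example that is not KES code: the live configuration sits behind an atomic pointer, a SIGHUP triggers a full load in the background, and only a successful load is swapped in, so a broken config file leaves the running server on its previous configuration. Config, fakeSource and the config path are constructed stand-ins.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/signal"
	"sync/atomic"
	"syscall"
)

// Config stands in for a fully built server configuration (constructed; not
// the KES config type): everything a reload must rebuild from the file.
type Config struct {
	Path     string
	Keystore string
	Policies map[string]string
}

// Server keeps the live configuration behind an atomic pointer so handlers
// read a consistent snapshot without locking and a reload swaps it at once.
type Server struct {
	current atomic.Pointer[Config]
	load    func(path string) (*Config, error)
}

// NewServer loads the initial configuration; a failure here is fatal, unlike
// a failed reload later.
func NewServer(path string, load func(string) (*Config, error)) (*Server, error) {
	cfg, err := load(path)
	if err != nil {
		return nil, err
	}
	s := &Server{load: load}
	s.current.Store(cfg)
	return s, nil
}

// Config returns the snapshot in effect now; a concurrent reload never
// changes a snapshot a handler already holds.
func (s *Server) Config() *Config { return s.current.Load() }

// Reload builds the new configuration completely before swapping it in. If
// loading fails, the previous configuration stays in effect.
func (s *Server) Reload() error {
	next, err := s.load(s.Config().Path)
	if err != nil {
		return fmt.Errorf("reload: keeping previous config: %w", err)
	}
	s.current.Store(next)
	return nil
}

// WatchSIGHUP reloads on every SIGHUP until stop is closed.
func (s *Server) WatchSIGHUP(stop <-chan struct{}, onErr func(error)) {
	sigs := make(chan os.Signal, 1)
	signal.Notify(sigs, syscall.SIGHUP)
	defer signal.Stop(sigs)
	for {
		select {
		case <-sigs:
			if err := s.Reload(); err != nil {
				onErr(err)
			}
		case <-stop:
			return
		}
	}
}

// fakeSource stands in for the config file: constructed content that can be
// changed or made unreadable between reloads.
type fakeSource struct {
	keystore string
	broken   bool
}

func (f *fakeSource) load(path string) (*Config, error) {
	if f.broken {
		return nil, errors.New("config file unreadable")
	}
	return &Config{Path: path, Keystore: f.keystore, Policies: map[string]string{"app": "allow"}}, nil
}

func main() {
	src := &fakeSource{keystore: "vault"}
	srv, err := NewServer("/etc/kes/config.yml", src.load) // constructed path
	if err != nil {
		panic(err)
	}
	fmt.Println("keystore:", srv.Config().Keystore)
	src.broken = true
	fmt.Println("reload:", srv.Reload(), "| keystore still:", srv.Config().Keystore)
	src.broken, src.keystore = false, "kes"
	fmt.Println("reload:", srv.Reload(), "| keystore now:", srv.Config().Keystore)
	// In a long-running server this goroutine lives for the process lifetime
	// and `kill -HUP <pid>` triggers Reload without a restart.
	stop := make(chan struct{})
	go srv.WatchSIGHUP(stop, func(err error) { fmt.Println(err) })
	close(stop)
}
```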
KES Keystore
Now, an edge KES server can use a stateful KES server as persistent key store. This can be configured in the keystore section.
# Configuration for storing keys on a KES server.
kes:
  endpoint:
    - "" # The endpoint (or list of endpoints) to the KES server(s)
  enclave: "" # An optional enclave name. If empty, the default enclave will be used
  tls: # The KES mTLS authentication credentials - i.e. client certificate.
    cert: "" # Path to the TLS client certificate for mTLS authentication
    key: "" # Path to the TLS client private key for mTLS authentication
    ca: "" # Path to one or multiple PEM root CA certificates
Security
The KES binary is now built with Go 1.20.1. This fixes two CVEs in the net/http and crypto/tls standard library packages that affect KES:
- CVE-2022-41723: A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
- CVE-2022-41724: Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses.
What's Changed
- reload server configuration on SIGHUP by @aead in #327
- add support for API keys by @aead in #328
- update CI and release build to Go 1.20 by @aead in #329
- keystore: add support for KES<->KES setup by @aead in #326
- remove top-level SDK code by @aead in #331
- build(deps): bump github.com/aws/aws-sdk-go from 1.33.0 to 1.34.0 by @dependabot in #330
- update to Go 1.20.1 by @aead in #332
Full Changelog: v0.22.3...2023-02-15T14-54-37Z
Release version 0.22.3
Release version 0.22.2
Release version 0.22.1
Changelog
- 6b666c9 all: use human-readable size limits and mem.LimitReader
- 58ac91e cmd: replace mem unit formatting
- 4e7b9e5 enclave: fix bug in enclave name query parameter construction
- 63d321b gcp: avoid passing invalid private keys to SDK
- 064cc96 gcp: fix bug when listing keys
- 15ad858 gcp: use gcp secretsmanager module instead of generic gcp go SDK
- 18e9548 http: use human-readable memory limits