Commit Graph

4 Commits

Author SHA1 Message Date
Daniel Weiße
5eb73706f5
internal: refactor storage credentials (#1071)
* Move storage clients to separate packages

* Allow setting of client credentials for AWS S3

* Use managed identity client secret or default credentials for Azure Blob Storage

* Use credentials file to authorize GCS client

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-03-02 15:08:31 +01:00
Daniel Weiße
3a7b829107
internal: use go-kms-wrapping for KMS backends (#1012)
* Replace external KMS backend logic for AWS, Azure, and GCP with go-kms-wrapping

* Move kms client setup config into its own package for easier parsing

* Update kms integration flag naming

* Error if nil storage is passed to external KMS

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-02-08 12:03:54 +01:00
Otto Bittner
9a1f52e94e Refactor init/recovery to use kms URI
So far the masterSecret was sent to the initial bootstrapper
on init/recovery. With this commit this information is encoded
in the kmsURI that is sent during init.
For recover, the communication with the recoveryserver is
changed. Before a streaming gRPC call was used to
exchanges UUID for measurementSecret and state disk key.
Now a standard gRPC is made that includes the same kmsURI &
storageURI that are sent during init.
2023-01-19 13:14:55 +01:00
Otto Bittner
0e71322e2e keyservice: move kms code to internal/kms
Recovery (disk-mapper) and init (bootstrapper)
will have to work with multiple external KMSes
in the future.
2023-01-19 13:14:55 +01:00