Vault KVv2 API support for key storage (#81)
This commit implements support for storing keys on a vault server instead of locally. The current implementation only supports the KV v2 engine, which is the default secrets engine in recent vault versions.

To use vault for key storage, the following settings have to be used in the keyring configuration file:

* `provider` set to `vault-v2`
* `url` set to the URL of the vault server
* `mountPath` is set to the mount point where the keyring should store the keys
* `token` is an access token with read and write access to the above mount point
* [optional] `caPath` is the path of the CA file used for SSL verification

Multiple servers can use the same vault server, with the following restrictions:

* Servers in the same replication group should use the same `pg_tde.keyringKeyPrefix` to ensure that they see the same keys
* Unrelated servers should use different `pg_tde.keyringKeyPrefix` values to ensure that they use different keys without conflicts

The source also contains a sample keyring configuration file, `keyring-vault.json`. This configuration matches the settings of the vault development server (`vault server -dev`), only the ROOT_TOKEN has to be replaced with the token of the actual server process.
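As an added check, not part of this commit or of pg_tde itself, the following Python validator applies the rules the commit message states to a keyring configuration file: the four settings are required, `caPath` is optional, the `ROOT_TOKEN` placeholder from the sample file is rejected, and a plaintext `http://` URL is flagged unless it points at a loopback dev server. The hostname, token and paths in the constructed sample files are made up.

```python
import ipaddress
import json
from urllib.parse import urlparse

# Keys the commit message names for the vault-v2 provider.
REQUIRED = ("provider", "url", "mountPath", "token")
OPTIONAL = ("caPath",)

def _is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"

def validate_vault_keyring_config(text):
    """Return a list of problems in a keyring config for provider vault-v2.

    An empty list means the file is acceptable for a non-development server.
    """
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON (RFC 8259 needs double-quoted strings): {exc.msg}"]
    if not isinstance(cfg, dict):
        return ["top-level value must be an object"]
    problems = []
    for key in REQUIRED:
        if not isinstance(cfg.get(key), str) or not cfg[key]:
            problems.append(f"missing or empty '{key}'")
    unknown = sorted(set(cfg) - set(REQUIRED) - set(OPTIONAL))
    if unknown:
        problems.append("unknown keys: " + ", ".join(unknown))
    if cfg.get("provider") != "vault-v2":
        problems.append("provider must be 'vault-v2'")
    parsed = urlparse(cfg["url"]) if isinstance(cfg.get("url"), str) else None
    if parsed is None or parsed.scheme not in ("http", "https") or not parsed.hostname:
        problems.append("url must be an http(s) URL with a host")
    elif parsed.scheme == "http" and not _is_loopback(parsed.hostname):
        problems.append("url is plaintext http to a non-loopback host: token sent in clear")
    if cfg.get("token") == "ROOT_TOKEN":
        problems.append("token is still the ROOT_TOKEN placeholder from the sample file")
    return problems

# Constructed inputs: the dev-server sample from this commit (double-quoted) and a
# hypothetical production file; the hostname, token and CA path are made up.
DEV_CONFIG = '{"provider": "vault-v2", "token": "ROOT_TOKEN", "url": "http://127.0.0.1:8200", "mountPath": "secret"}'
PROD_CONFIG = '{"provider": "vault-v2", "token": "hvs.EXAMPLE", "url": "https://vault.example.internal:8200", "mountPath": "pg_tde", "caPath": "/etc/ssl/vault-ca.pem"}'
```

Running `validate_vault_keyring_config(DEV_CONFIG)` reports only the unreplaced ROOT_TOKEN; the same file with the single quotes of the committed sample is rejected as invalid JSON.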
Showing 15 changed files with 544 additions and 23 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
{ | ||
'provider': 'vault-v2', | ||
'token': 'ROOT_TOKEN', | ||
'url': 'http://127.0.0.1:8200', | ||
'mountPath': 'secret' | ||
} |
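Review bot: the sample keyring-vault.json uses single-quoted strings ('provider', 'vault-v2', ...), which is not valid JSON under RFC 8259; it presumably loads only because json-c's non-strict tokener tolerates single quotes, and it will be rejected by the strict tokener flag and by any other JSON tool. Use double quotes throughout. A short comment in the file (or in the README that documents it) should also say that the token sits in the file in plaintext, so the file needs restrictive permissions, and that the `http://` URL is only acceptable for the loopback dev server; a real deployment should use https together with `caPath`.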
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
|
||
#ifndef KEYRING_VAULT_H | ||
#define KEYRING_VAULT_H | ||
|
||
#include "postgres.h" | ||
|
||
#include <json.h> | ||
|
||
#include "keyring_api.h" | ||
|
||
int keyringVaultPreloadCache(void); | ||
|
||
int keyringVaultParseConfiguration(json_object* configRoot); | ||
|
||
int keyringVaultStoreKey(const keyInfo* ki); | ||
|
||
int keyringVaultGetKey(keyName name, keyData* outData); | ||
|
||
#endif // KEYRING_FILE_H |
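Review bot: the closing guard comment `#endif // KEYRING_FILE_H` does not match the guard this header defines, `KEYRING_VAULT_H`; it looks copied from keyring_file.h and should read `#endif // KEYRING_VAULT_H`. The four prototypes also carry no comment on what their `int` return value means (which value is success, and whether `keyringVaultGetKey` leaves `outData` untouched on failure); a one-line comment per prototype would spare callers a trip into the .c file.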