Confidential-Datahub API definition and Sealed Secrets #288
Conversation
51be376 to 71a7636
A few comments. Code looks fine so far.
bdda230 to 9c12746
and the unsealing occurs only if the remote attestation process passes,
which means the TEE environment is as expected. Also, Sealed Secret can
leverage commercial KMS/Secret Manager(Vault) productions in the unsealing
process.
@Xynnn007 any reference on how sealed secret can use, say, HashiCorp Vault?
Not yet. However, after merging this we will make a PR that defines the trait of a KMS and a Vault. Semantically there will be two main APIs:

```rust
async fn decrypt(&mut self, ciphertext: &[u8], keyid: &str) -> Result<Vec<u8>>;
async fn get_secret(&mut self, name: &str) -> Result<Vec<u8>>;
```

Thus, the code of Sealed Secret will just call the trait function to get the secret directly or unseal the wrapped secret; in this way we do not need to care much about the concrete vault/KMS underneath.

I glanced at the API of HashiCorp Vault and found it matches the definition of `get_secret()`, so it can support `Vault` type sealed secret. I'm not sure whether a `decrypt`-like API is supported by HashiCorp Vault. If so, `KMS` (or we say `Envelope`) type Sealed Secret can be supported.
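The provider abstraction sketched in the comment above, as an added example that is not code from this PR or from the guest-components project: a hypothetical `SecretProvider` trait with the two APIs described (`decrypt` for the KMS/Envelope case, `get_secret` for the Vault case), a `SealedSecret` type with one variant per case, and an `unseal` function that dispatches to the trait so the caller never sees the concrete backend. The names `SecretProvider`, `SealedSecret`, `MockProvider`, `unseal` and `seal_envelope` are assumptions; the real trait is `async`, whereas this example is synchronous so it runs stand-alone. The `MockProvider` and its XOR "cipher" are constructed stand-ins for a real KMS/Vault, not a cryptographic scheme. The `tee_attested` gate models the quoted doc line that unsealing only happens after remote attestation passes.

```rust
// Added example, not guest-components code. Names below are hypothetical.
use std::collections::HashMap;

/// Hypothetical provider trait modelled on the two APIs in the PR comment.
/// Unsealing code only depends on this trait, so the backend is swappable.
pub trait SecretProvider {
    /// KMS-style: decrypt `ciphertext` under the key identified by `keyid`.
    fn decrypt(&mut self, ciphertext: &[u8], keyid: &str) -> Result<Vec<u8>, String>;
    /// Vault-style: fetch a stored secret by name.
    fn get_secret(&mut self, name: &str) -> Result<Vec<u8>, String>;
}

/// The two sealed-secret shapes the comment distinguishes.
#[derive(Debug, Clone, PartialEq)]
pub enum SealedSecret {
    /// A reference to a secret held by a Vault-like backend.
    Vault { name: String },
    /// Envelope: secret material wrapped under a KMS key; unsealing = decrypt.
    Envelope { keyid: String, wrapped: Vec<u8> },
}

/// Unseal via whichever provider is supplied. `tee_attested` stands in for the
/// remote-attestation result; without it no backend call is made at all.
pub fn unseal<P: SecretProvider>(
    provider: &mut P,
    secret: &SealedSecret,
    tee_attested: bool,
) -> Result<Vec<u8>, String> {
    if !tee_attested {
        return Err("refusing to unseal: remote attestation did not pass".to_string());
    }
    match secret {
        SealedSecret::Vault { name } => provider.get_secret(name),
        SealedSecret::Envelope { keyid, wrapped } => provider.decrypt(wrapped, keyid),
    }
}

/// Constructed in-memory provider: a toy XOR "cipher" keyed by key id plus a
/// name->secret map. Illustrative only, not real cryptography.
pub struct MockProvider {
    keys: HashMap<String, Vec<u8>>,
    secrets: HashMap<String, Vec<u8>>,
}

impl MockProvider {
    pub fn new() -> Self {
        MockProvider {
            keys: HashMap::from([("key-1".to_string(), b"0123456789abcdef".to_vec())]),
            secrets: HashMap::from([("db-password".to_string(), b"hunter2".to_vec())]),
        }
    }
}

fn xor(data: &[u8], key: &[u8]) -> Vec<u8> {
    data.iter().zip(key.iter().cycle()).map(|(d, k)| d ^ k).collect()
}

impl SecretProvider for MockProvider {
    fn decrypt(&mut self, ciphertext: &[u8], keyid: &str) -> Result<Vec<u8>, String> {
        let key = self
            .keys
            .get(keyid)
            .ok_or_else(|| format!("unknown key id: {}", keyid))?;
        Ok(xor(ciphertext, key))
    }

    fn get_secret(&mut self, name: &str) -> Result<Vec<u8>, String> {
        self.secrets
            .get(name)
            .cloned()
            .ok_or_else(|| format!("unknown secret: {}", name))
    }
}

/// Produce an Envelope sealed secret under one of the mock provider's keys so
/// the wrap/unwrap round trip can be exercised offline.
pub fn seal_envelope(provider: &MockProvider, keyid: &str, plaintext: &[u8]) -> Option<SealedSecret> {
    let key = provider.keys.get(keyid)?;
    Some(SealedSecret::Envelope {
        keyid: keyid.to_string(),
        wrapped: xor(plaintext, key),
    })
}

fn main() {
    let mut provider = MockProvider::new();
    let vault = SealedSecret::Vault { name: "db-password".to_string() };
    println!("vault: {:?}", unseal(&mut provider, &vault, true));
    let envelope = seal_envelope(&provider, "key-1", b"top secret").unwrap();
    println!("envelope: {:?}", unseal(&mut provider, &envelope, true));
    println!("unattested: {:?}", unseal(&mut provider, &envelope, false));
}
```

The point of the shape is that `unseal` never names a backend: adding a HashiCorp Vault or a cloud KMS later means one more `impl SecretProvider`, and a backend that lacks a `decrypt`-style API can simply return an error from that method while still serving `Vault`-type secrets.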
LGTM
Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
This commit defines the basic API for confidential datahub and the basic error handling. Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
Serialize & Deserialize are for Serialization. PartialEq & Debug are for assert_eq! in unit tests Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
This PR only has definition for sealed secrets. Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
This PR:
Also, currently sev has online/offline-sev-kbc. I think these two can be refactored into CDH's resource clients. cc @fitzthum @stevenhorsman I can help with this in future PRs.