
Releases: minio/kes

Release 2024-01-11T13-09-29Z

12 Jan 18:03
bd277c4

Release Notes

Release 2024-01-11T13-09-29Z contains changes for the Hashicorp Vault backend.

Added

  • A KES server configuration now accepts a Hashicorp Vault namespace that is used only for authentication. This is useful
    when KES should authenticate within the root namespace but use secret engines within sub-namespaces.
    approle:    # AppRole credentials. See: https://www.vaultproject.io/docs/auth/approle.html
       namespace: "" # Optional Vault namespace used just for authentication. A single "/" is an alias for the Vault root namespace.
       engine: ""    # The path of the AppRole engine - e.g. authenticate. If empty, defaults to: approle. (Vault default)
       id: ""        # Your AppRole Role ID
       secret: ""    # Your AppRole Secret ID
    
    KES can also be told to send no namespace header at all for the authentication request, even when a namespace has been
    configured for its secret engines, by setting namespace: "/".
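How the two namespaces end up on the wire, as an added example in Go that is not KES code: it builds the AppRole login request and a later K/V read request, and sets the X-Vault-Namespace header from the authentication namespace for the first and from the key store namespace for the second, with "/" (the root namespace) meaning the header is omitted. The endpoint, engine, prefix and credential values are constructed, and the rule that an empty approle.namespace inherits the key store namespace is this example's assumption, not something the release notes state.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"path"
	"strings"
)

// Added example, not KES code. Rules taken from the release notes: "/" is an
// alias for the root namespace and means "send no X-Vault-Namespace header".
// Assumption (not stated on the page): an empty approle.namespace inherits the
// key store's namespace. Endpoint, engine, prefix and credentials are constructed.

// AppRole mirrors the approle: block of the KES Vault config.
type AppRole struct {
	Namespace string // used only for authentication; "/" = root, "" = inherit (assumption)
	Engine    string // AppRole engine path; empty means "approle"
	ID        string
	Secret    string
}

// VaultConfig holds the subset of the keystore.vault: block this example needs.
type VaultConfig struct {
	Endpoint  string
	Namespace string // namespace of the K/V engine
	Engine    string // K/V v1 engine path (KV v2 would insert /data/ into the path)
	Prefix    string
	AppRole   AppRole
}

// setNamespace adds the header Vault Enterprise uses to select a namespace.
// The root namespace has no name; Vault expects the header to be absent.
func setNamespace(req *http.Request, ns string) {
	ns = strings.Trim(ns, "/")
	if ns != "" {
		req.Header.Set("X-Vault-Namespace", ns)
	}
}

// authNamespace resolves the namespace used for the login request.
func (c VaultConfig) authNamespace() string {
	if c.AppRole.Namespace == "" {
		return c.Namespace // assumption: inherit the key store namespace
	}
	return c.AppRole.Namespace // "/" trims to "" in setNamespace: no header
}

// LoginRequest builds POST /v1/auth/<engine>/login with the AppRole credentials.
func (c VaultConfig) LoginRequest() (*http.Request, error) {
	engine := c.AppRole.Engine
	if engine == "" {
		engine = "approle"
	}
	body, err := json.Marshal(map[string]string{"role_id": c.AppRole.ID, "secret_id": c.AppRole.Secret})
	if err != nil {
		return nil, err
	}
	req, err := http.NewRequest(http.MethodPost, c.Endpoint+path.Join("/v1/auth", engine, "login"), bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/json")
	setNamespace(req, c.authNamespace())
	return req, nil
}

// ReadRequest builds GET /v1/<engine>/<prefix>/<name> for a key stored by KES,
// authenticated with the token obtained from the login, in the store namespace.
func (c VaultConfig) ReadRequest(token, name string) (*http.Request, error) {
	req, err := http.NewRequest(http.MethodGet, c.Endpoint+path.Join("/v1", c.Engine, c.Prefix, name), nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("X-Vault-Token", token)
	setNamespace(req, c.Namespace)
	return req, nil
}

// describe renders the method, path and namespace header of a request.
func describe(req *http.Request) string {
	ns, ok := req.Header["X-Vault-Namespace"]
	if !ok {
		return fmt.Sprintf("%s %s (no namespace header)", req.Method, req.URL.Path)
	}
	return fmt.Sprintf("%s %s namespace=%s", req.Method, req.URL.Path, ns[0])
}

func main() {
	cfg := VaultConfig{
		Endpoint: "https://vault.example.internal:8200", Namespace: "team-a", Engine: "kv", Prefix: "kes",
		AppRole:  AppRole{Namespace: "/", ID: "example-role-id", Secret: "example-secret-id"},
	}
	login, _ := cfg.LoginRequest()
	read, _ := cfg.ReadRequest("hvs.example", "my-key")
	fmt.Println(describe(login)) // POST /v1/auth/approle/login (no namespace header)
	fmt.Println(describe(read))  // GET /v1/kv/kes/my-key namespace=team-a
}
```

A token issued by a login in the root namespace can only read from team-a if the AppRole's policy grants that path in the child namespace, so when enabling this setting check the policy attached to the role as well as the two namespace values.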

Changed

  • The Hashicorp Vault backend uses a new authentication token renewal implementation. The previous one was removed in 13cee22;
    since then, the KES server had used its authentication credentials to obtain a new token instead of renewing its current one.
    Now the KES server renews its authentication token before it expires and only re-authenticates with its credentials when
    the token renewal fails. Details can be found in 877a8ae.
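The lifecycle described above, as an added Go example that is not KES code: a renewer that renews the current token once it is within a margin of expiry and falls back to a fresh AppRole login only when the renewal is refused. Vault is replaced by a constructed fake driven by a fake clock so the sequence can be traced offline; the 3h TTL, 1h margin and hourly ticks are constructed values, and the Authenticator interface and all names are this example's own.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// Added example, not KES code: renew-before-expiry with login as the fallback.

// Token is an authentication token with the time at which Vault stops accepting it.
type Token struct {
	Value   string
	Expires time.Time
}

// Authenticator is the minimal surface the renewer needs: for Vault these are
// the AppRole login and the token self-renew endpoints.
type Authenticator interface {
	Login(ctx context.Context) (Token, error)
	Renew(ctx context.Context, t Token) (Token, error)
}

// Renewer keeps one valid token. Renewals and Logins record how tokens were obtained.
type Renewer struct {
	auth             Authenticator
	now              func() time.Time
	token            Token
	Renewals, Logins int
}

// Refresh is one iteration of the renewal loop: a no-op while the token is more
// than margin away from expiry, a renewal once it is closer, and a full login
// only when there is no token yet or the renewal fails.
func (r *Renewer) Refresh(ctx context.Context, margin time.Duration) error {
	if r.token.Value != "" {
		if r.now().Add(margin).Before(r.token.Expires) {
			return nil
		}
		if t, err := r.auth.Renew(ctx, r.token); err == nil {
			r.token, r.Renewals = t, r.Renewals+1
			return nil
		}
	}
	t, err := r.auth.Login(ctx)
	if err != nil {
		return fmt.Errorf("vault: re-authentication failed: %w", err)
	}
	r.token, r.Logins = t, r.Logins+1
	return nil
}

// Token returns the token to send as X-Vault-Token.
func (r *Renewer) Token() Token { return r.token }

// fakeVault issues tokens with a fixed TTL; setting renewable to false simulates
// a token whose lease hit its max TTL or was revoked, so renew-self is refused.
type fakeVault struct {
	now       func() time.Time
	ttl       time.Duration
	renewable bool
	issued    int
}

func (f *fakeVault) Login(context.Context) (Token, error) {
	f.issued++
	return Token{Value: fmt.Sprintf("hvs.login-%d", f.issued), Expires: f.now().Add(f.ttl)}, nil
}

func (f *fakeVault) Renew(_ context.Context, t Token) (Token, error) {
	if !f.renewable || !f.now().Before(t.Expires) {
		return Token{}, errors.New("permission denied: token is not renewable")
	}
	return Token{Value: t.Value, Expires: f.now().Add(f.ttl)}, nil
}

// simulate runs hourly refresh ticks for the given number of hours against a
// fake Vault with a 3h token TTL and a 1h renewal margin; renewals are refused
// from tick revokeAt onwards. It returns the renewer for inspection.
func simulate(hours, revokeAt int) *Renewer {
	clock := time.Date(2024, 1, 11, 13, 0, 0, 0, time.UTC)
	now := func() time.Time { return clock }
	vault := &fakeVault{now: now, ttl: 3 * time.Hour, renewable: true}
	r := &Renewer{auth: vault, now: now}
	for h := 0; h < hours; h++ {
		if h == revokeAt {
			vault.renewable = false
		}
		if err := r.Refresh(context.Background(), time.Hour); err != nil {
			panic(err)
		}
		clock = clock.Add(time.Hour)
	}
	return r
}

func main() {
	r := simulate(6, 3)
	fmt.Printf("renewals=%d logins=%d token=%s\n", r.Renewals, r.Logins, r.Token().Value) // renewals=1 logins=2 token=hvs.login-2
}
```

In the simulated run the token is renewed at the second hour, the renewal at hour four is refused because the fake revoked it at hour three, and only then does the renewer spend the AppRole credentials on a new login; a loop that always re-authenticates would instead create a new token at every expiry and leave the old ones to accumulate until their TTL.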

Full Changelog: 2023-11-10T10-44-28Z...2024-01-11T13-09-29Z

Release 2023-11-10T10-44-28Z

10 Nov 23:56
2e9975b

Release Notes

Fixed

  • A bug in the Hashicorp Vault backend implementation that could crash the server when no AppRole auth configuration was provided.

Full Changelog: 2023-11-09T17-35-47Z...2023-11-10T10-44-28Z

Release 2023-11-09T17-35-47Z

10 Nov 01:08
53b74e3

Release Notes

Added

  • KES provides a development server that requires no config file or keystore. A dev server keeps keys in memory and does not persist them across restarts. It can be started with a single command:
    $ kes server --dev
    Version     2023-11-09T17-35-47Z    commit=53b74e38697bc68fd88dff7a3cf431db692db9ef
    Runtime     go1.21.4 darwin/arm64   compiler=gc
    License     AGPLv3                  https://www.gnu.org/licenses/agpl-3.0.html
    Copyright   MinIO, Inc.  2015-2023  https://min.io
    
    KMS         In Memory
    API         · https://127.0.0.1:7373
                · https://192.168.188.79:7373
    
    Docs        https://min.io/docs/kes
    
    API Key     kes:v1:ADsGCjJoWziQ82wPUG6oHbqhhlbkajaRGP+3+JSfx5Wq
    Admin       7bbffa635fc160ef8048a344a53aab54e472e5c654c6339a9cec9223301808c7
    Logs        error=stderr level=INFO
                audit=stdout level=INFO
    
    => Server is up and running...
    
  • New API for parsing KES config files with the kes/kesconf package. This replaces the kes/edge package.

Changed

  • Building docker images using goreleaser requires qemu on the host.
  • If offline caching is enabled, the KES server status API no longer tries to connect to the backend keystore.
    This prevents liveness/readiness probe failures while the backend keystore is offline.

Fixed

  • Audit log events are now flushed immediately to clients subscribed to the audit log stream.
  • A bug in request path pattern matching that caused authentication errors.
  • If no server address is specified on the command line, the server honors the address provided
    in the config file. If the config file address is also empty, the server defaults to 0.0.0.0:7373.

What's Changed

  • drop platform requirment on build stage by @aead in #410
  • honor offline caching in /v1/status API by @aead in #412
  • update kes-go to v0.2.1 by @aead in #415
  • kesconf: expose public API by @aead in #414
  • Parse address from config if not provided with '--addr' by @rluetzner in #419
  • kes: flush audit log events to clients by @aead in #417
  • cmd: server should use default addr if none is specified by @aead in #420

Full Changelog: 2023-10-27T22-05-35Z...2023-11-09T17-35-47Z

Release 2023-10-27T22-05-35Z

28 Oct 00:15
bc66190

Release Notes

Changed

  • KES no longer provides pre-compiled binaries, packages or container images for the ppc64 and s390x platforms. It also does not provide a pre-compiled binary for MacOS (darwin) on amd64.
  • The Hashicorp Vault backend uses a simplified authentication renewal process that does not use Vault token renewal.

Fixed

  • #408 fixes a resource leak when the KES server reloaded its TLS configuration. Depending on the KMS backend, this could have leaked e.g. goroutines that perform background tasks.

What's Changed

  • simplify and optimize release process by @aead in #407
  • Add info for maintainers by @donatello in #406
  • cmd: fix resource leak when reloading TLS config by @aead in #408
  • vault: simplify token renewal process by @aead in #409
  • Add linux amd64 image for quay by @donatello in #411

Full Changelog: 2023-10-24T20-26-51Z...2023-10-27T22-05-35Z

Release 2023-10-24T20-26-51Z

25 Oct 01:07
b2443e0

Release Notes

Added

  • Support for encrypting keys stored in the Hashicorp K/V secret engine with the transit engine.
    Vault always encrypts its K/V entries with encryption keys managed internally by Vault. Now, users can specify a transit key
    that KES uses to encrypt K/V values before sending them to Vault. This gives users control over which key is used to encrypt
    the keys generated and stored by KES (on Vault). Ref: server-config.yaml#L243
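The write and read path this feature introduces, as an added Go example that is not KES code: a value is sent to the transit engine's encrypt endpoint first, only the returned vault:v1: ciphertext is written to the K/V engine, and a read unwraps through the decrypt endpoint. Request paths and payload fields are those of Vault's transit encrypt/decrypt and K/V v1 APIs; the HTTP transport (token header, TLS) is left out, and the Vault server is a constructed fake whose "transit" merely tags the plaintext with the vault:v1: prefix so that what the K/V engine actually holds can be inspected. Mount paths, key names and the vaultAPI interface are this example's own.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"errors"
	"fmt"
	"path"
	"strings"
)

// Added example, not KES code: transit-wrapped K/V writes and reads.

// vaultAPI is the logical surface: write a JSON object to a path and receive
// the response's "data" object (nil for a K/V v1 write), or read a path.
type vaultAPI interface {
	Write(p string, in map[string]string) (map[string]string, error)
	Read(p string) (map[string]string, error)
}

// TransitKV stores KES key material in K/V v1 only in transit-wrapped form.
type TransitKV struct {
	API                 vaultAPI
	KVEngine, Prefix    string // constructed: "kv", "kes"
	Transit, TransitKey string // constructed: "transit", "kes-wrap"
}

// Put sends value to POST /v1/<transit>/encrypt/<key> and stores the returned
// ciphertext at /v1/<kv>/<prefix>/<name>. The K/V engine never sees plaintext.
func (c *TransitKV) Put(name string, value []byte) error {
	enc, err := c.API.Write(path.Join("/v1", c.Transit, "encrypt", c.TransitKey),
		map[string]string{"plaintext": base64.StdEncoding.EncodeToString(value)})
	if err != nil {
		return err
	}
	_, err = c.API.Write(path.Join("/v1", c.KVEngine, c.Prefix, name), map[string]string{"value": enc["ciphertext"]})
	return err
}

// Get reads the ciphertext back and unwraps it with POST /v1/<transit>/decrypt/<key>.
func (c *TransitKV) Get(name string) ([]byte, error) {
	kv, err := c.API.Read(path.Join("/v1", c.KVEngine, c.Prefix, name))
	if err != nil {
		return nil, err
	}
	dec, err := c.API.Write(path.Join("/v1", c.Transit, "decrypt", c.TransitKey),
		map[string]string{"ciphertext": kv["value"]})
	if err != nil {
		return nil, err
	}
	return base64.StdEncoding.DecodeString(dec["plaintext"])
}

// fakeVault is the constructed stand-in: API shapes only, no real cryptography.
type fakeVault struct{ kv map[string]string }

func (f *fakeVault) Write(p string, in map[string]string) (map[string]string, error) {
	switch {
	case strings.HasPrefix(p, "/v1/transit/encrypt/"):
		return map[string]string{"ciphertext": "vault:v1:" + in["plaintext"]}, nil
	case strings.HasPrefix(p, "/v1/transit/decrypt/"):
		if !strings.HasPrefix(in["ciphertext"], "vault:v1:") {
			return nil, errors.New("transit: invalid ciphertext: missing vault:v1: prefix")
		}
		return map[string]string{"plaintext": strings.TrimPrefix(in["ciphertext"], "vault:v1:")}, nil
	case strings.HasPrefix(p, "/v1/kv/"):
		f.kv[p] = in["value"]
		return nil, nil
	}
	return nil, fmt.Errorf("unsupported path %s", p)
}

func (f *fakeVault) Read(p string) (map[string]string, error) {
	v, ok := f.kv[p]
	if !ok {
		return nil, fmt.Errorf("kv: %s: not found", p)
	}
	return map[string]string{"value": v}, nil
}

// Demo stores a constructed 32-byte key and returns what the K/V engine holds
// together with the value read back through the unwrap path.
func Demo() (stored string, roundtrip []byte, err error) {
	fake := &fakeVault{kv: map[string]string{}}
	c := &TransitKV{API: fake, KVEngine: "kv", Prefix: "kes", Transit: "transit", TransitKey: "kes-wrap"}
	if err = c.Put("my-key", bytes.Repeat([]byte{0x42}, 32)); err != nil {
		return "", nil, err
	}
	roundtrip, err = c.Get("my-key")
	return fake.kv["/v1/kv/kes/my-key"], roundtrip, err
}

func main() {
	stored, key, err := Demo()
	fmt.Printf("kv holds %q\nround-trip %x err=%v\n", stored, key, err)
}
```

The practical consequence is that a Vault policy granting only read on the K/V path yields ciphertext, and reading the keys KES stored additionally requires decrypt on the transit key, so the policy attached to the AppRole needs both encrypt and decrypt on that key (and update on the K/V path) for KES to function.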

Changed

  • The Go version has been updated to Go 1.21.3.
  • KES internals have been refactored. Among other things, KES now uses structured logging. Refer to #403 for details.

What's Changed

  • update Go from 1.21.1 to 1.21.3 and go mod dep by @aead in #402
  • vault: add support for transit-encrypted K/V by @aead in #404
  • refactor KES API and internals by @aead in #403
  • cmd: fix regression on server address handling by @aead in #405

Full Changelog: 2023-10-03T00-48-37Z...2023-10-24T20-26-51Z

Release 2023-10-03T00-48-37Z

05 Oct 21:09
9d1b5ad

Release Notes

This release just contains bug fixes and no new features.

Fixed

  • A regression in the KES CLI caused the kes server command not to start and instead print the server usage, even when invoked correctly.

What's Changed

  • update kes-go dependency to v0.2.0 by @aead in #399

Full Changelog: 2023-09-28T19-40-28Z...2023-10-03T00-48-37Z

Release 2023-09-28T19-40-28Z

29 Sep 06:01
ce9a9b1

Release Notes

This release just contains bug fixes and no new features.

Fixed

  • A resource leak when reloading configuration (#395). When a KES server reloaded its configuration, it also established a new
    connection to the key store. However, it did not cancel any background tasks of the previous key store connection.
    For certain backends (Hashicorp Vault, Gemalto KeySecure and Entrust KeyControl) this caused a goroutine leak resulting in
    a slow, continuous memory increase. This issue only affects deployments that use unix SIGHUP to trigger reloads.

What's Changed

  • close keystore when reloading config by @aead in #395
  • remove unused code for single-node stateful server by @aead in #396

Full Changelog: 2023-08-19T17-27-47Z...2023-09-28T19-40-28Z

Release 2023-08-19T17-27-47Z

05 Sep 23:36
40aabd0

Release Notes

This release just contains bug fixes and no new features.

KES is now built using Go 1.21.0. Also, the container images are built using the latest UBI 8.8 micro
base image.


Full Changelog: 2023-07-26T11-13-07Z...2023-08-19T17-27-47Z

Release 2023-07-26T11-13-07Z

26 Jul 22:59
a3d7ee1
Compare
Choose a tag to compare

Release Notes

KES releases now use Go 1.20.6 and container images are based on UBI 8.8.

New Features

The KES edge server now supports Entrust KeyControl (v10.1 or newer) as key store backend. Refer to the documented edge config file for configuration options.

The KES edge server now uses a new read-optimized caching implementation that reduces lock contention.
The details can be found here: 0b32a5d

Bug Fixes

KES accepts either a file path or the raw JWT for its Hashicorp Vault K8S JWT config field. Hence, it has to check whether the value refers to a file or not. Commit f4e3ef6 disallows the OS path separator character in the Hashicorp Vault K8S JWT and prevents situations where KES fails to read the JWT with an error like "filename is too long".
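The rule described above, as an added Go example that is not KES code: a value containing the OS path separator is treated as a file and read from disk, anything else must itself be a compact JWT. Because compact JWTs are base64url (no "/"), a raw token can never be mistaken for a path and is never handed to os.ReadFile, which is what produced the "file name too long" error. The JWT structure check and all names are this example's own; the demo token is constructed and its signature bytes are arbitrary.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"strings"
)

// Added example, not KES code: path-or-token resolution for the Vault K8S jwt field.

// parseCompactJWT checks the three-segment header.payload.signature shape and
// that the header decodes to a JSON object with an "alg" member. It does not
// verify the signature; Vault does that when KES logs in.
func parseCompactJWT(tok string) (alg string, err error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("jwt: expected 3 segments, got %d", len(parts))
	}
	for i, p := range parts {
		if p == "" || strings.ContainsAny(p, "+/=") {
			return "", fmt.Errorf("jwt: segment %d is not base64url", i)
		}
	}
	hdr, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return "", fmt.Errorf("jwt: header: %w", err)
	}
	var h struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdr, &h); err != nil || h.Alg == "" {
		return "", errors.New("jwt: header is not a JSON object with alg")
	}
	return h.Alg, nil
}

// ResolveK8SJWT returns the raw token for a config value that is either a
// file path (contains the OS path separator) or the token itself.
func ResolveK8SJWT(value string) (string, error) {
	value = strings.TrimSpace(value)
	if value == "" {
		return "", errors.New("vault: kubernetes jwt is empty")
	}
	if strings.ContainsRune(value, os.PathSeparator) {
		b, err := os.ReadFile(value)
		if err != nil {
			return "", fmt.Errorf("vault: failed to read kubernetes jwt file: %w", err)
		}
		value = strings.TrimSpace(string(b))
	}
	if _, err := parseCompactJWT(value); err != nil {
		return "", fmt.Errorf("vault: kubernetes jwt is neither a readable path nor a valid token: %w", err)
	}
	return value, nil
}

// ConstructedJWT builds a demo token (arbitrary signature bytes) so the example
// runs without a Kubernetes cluster.
func ConstructedJWT() string {
	enc := base64.RawURLEncoding.EncodeToString
	header := enc([]byte(`{"alg":"RS256","kid":"demo-kid"}`))
	claims := enc([]byte(`{"iss":"kubernetes/serviceaccount","sub":"system:serviceaccount:minio:kes"}`))
	sig := enc([]byte("not-a-real-signature"))
	return header + "." + claims + "." + sig
}

func main() {
	tok := ConstructedJWT()
	for _, v := range []string{tok, "/var/run/secrets/kubernetes.io/serviceaccount/token", "not-a-jwt"} {
		if _, err := ResolveK8SJWT(v); err != nil {
			fmt.Println("reject:", err)
		} else {
			fmt.Println("accept:", v[:12]+"...")
		}
	}
}
```

Under this rule a bare relative file name with no separator (token rather than ./token) is treated as a token and rejected with a parse error instead of being read; whether KES applies exactly this distinction is not stated on the page, so check the documented edge config for your version.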


What's Changed

  • update CI and release config to Go 1.20.4 by @aead in #360
  • keystore: improve caching mechanism by @aead in #358
  • remove package kms and keserv by @aead in #359
  • edge: handle Vault K8S auth JWTs more strictly by @aead in #365
  • Added unit tests for various key stores by @shtripat in #363
  • Enabled for other backend stores by @shtripat in #364
  • edge: move tests from edge_test to edge package by @aead in #367
  • Refactored kestest integration tests by @shtripat in #368
  • fix: kes update command, update it to use proper version tags by @harshavardhana in #374
  • fix obsolete vault kubernetes jwt file read by @lu1as in #371
  • build(deps): bump google.golang.org/grpc from 1.50.1 to 1.53.0 by @dependabot in #377
  • Fix wrong assignment by @reivaj05 in #375
  • kestest: randomize key names by @shtripat in #370
  • edge: use random secret key names and delete at end of each test by @shtripat in #369
  • update kes UBI image to 8.8 by @harshavardhana in #378
  • Added github actions for edge test for cloud KMS systems by @shtripat in #379
  • ci: update to Go 1.20.6 by @aead in #381
  • ci: use correct runner label for edge tests by @shtripat in #380
  • ci: delete all the keys post test by @shtripat in #382
  • keystore: add support for Entrust KeyControl by @aead in #384

Full Changelog: 2023-05-02T22-48-10Z...2023-07-26T11-13-07Z

Release 2023-05-02T22-48-10Z

02 May 23:15

Release Notes

New Features

Readiness API

The KES edge server provides a new readiness API /v1/ready. This allows users to determine whether the system is ready to handle requests. Authentication for the /v1/ready API can also be disabled to support systems that cannot perform mTLS probes. Disabling authentication has some subtle impacts on how mTLS connections are handled. Refer to the commit message of d15990d for more details.

Bug Fixes

With commit 1e46c48, KES loads the Azure KeyVault tenant-id correctly.


What's Changed

  • add readiness API by @aead in #354
  • improve kes identity new command by @aead in #355
  • fix: Load Azure KeyVault tenant-id correctly from the config file by @vadmeste in #357

Full Changelog: 2023-04-18T19-36-09Z...2023-05-02T22-48-10Z