kms: added Azure Key Vault as a supported KMS

PendingReleaseNotes.md

@@ -4,4 +4,6 @@
 
 ## Features
 
+- kms: added Azure Key Vault as a supported KMS in [PR](https://github.com/ceph/ceph-csi/pull/4455)
+
 ## NOTE

docs/deploy-rbd.md

@@ -448,6 +448,33 @@ the AWS KMS is expected to contain:
 This Secret is expected to be created by the tenant/user in each namespace where
 Ceph-CSI is used to create encrypted rbd volumes.
 
+#### Configuring Azure key vault
+
+Ceph-CSI can be configured to use
+[Azure key vault](https://azure.microsoft.com/en-in/products/key-vault),
+for encrypting RBD volumes.
+
+There are a few settings that need to be included in the [KMS configuration
+file](../examples/kms/vault/kms-config.yaml):
+
+1. `KMS_PROVIDER`: should be set to `azure-kv`.
+1. `AZURE_CERT_SECRET_NAME`: name of the Kubernetes Secret (in the Namespace where
+   Ceph-CSI is deployed) which contains the credentials for communicating with
+   Azure. This defaults to `ceph-csi-azure-credentials`.
+1. `AZURE_VAULT_URL`: URL to access the Azure Key Vault service.
+1. `AZURE_CLIENT_ID`: Client ID of the Azure application object (service principal)
+   created in Azure Active Directory that serves as the username.
+1. `AZURE_TENANT_ID`: Tenant ID of the service principal.
+
+The [Secret with credentials](../examples/kms/vault/azure-credentials.yaml) for
+the Azure KMS is expected to contain:
+
+1. `CLIENT_CERT`: The client certificate used for authentication
+   with Azure Key Vault.
+
+This Secret is expected to be created by the user in the namespace where Ceph-CSI
+is deployed.
+
 #### Configuring KMIP KMS
 
 The Key Management Interoperability Protocol (KMIP) is an extensible

docs/design/proposals/encryption-with-azure-keyvault.md

@@ -0,0 +1,58 @@
+# Encrypted volumes with Azure Key Vault
+
+Azure Key Vault is a cloud service for securely storing and accessing secrets.
+A secret is anything that you want to tightly control access to, such as API
+keys, passwords, certificates, or cryptographic keys.
+
+## Connection to Azure Key Vault
+
+Below values are used to establish the connection to the Key Vault
+service from the CSI driver and to make use of the secrets
+`GetSecret`/`SetSecret`/`DeleteSecret` operations:
+
+```text
+* AZURE_VAULT_URL
+The URL used to access the Azure Key Vault service.
+
+* AZURE_CLIENT_ID
+The Client ID of the Azure application object (also known as the service principal).
+This ID serves as the username.
+
+* AZURE_TENANT_ID
+The Tenant ID associated with the service principal.
+
+* CLIENT_CERT
+The client certificate (which includes the private key and is not password protected)
+used for authentication with Azure Key Vault.
+```
+
+### Values provided in the connection secret
+
+Considering `AZURE_CLIENT_CERTIFICATE` is sensitive information,
+it will be provided as a Kubernetes secret to the Ceph-CSI driver. The Ceph-CSI
+KMS plugin interface for the Azure key vault will read the secret name from the
+kms configMap and fetch the certificate.
+
+### Values provided in the config map
+
+`AZURE_VAULT_URL`, `AZURE_CLIENT_ID`, `AZURE_TENANT_ID` are part of the
+KMS ConfigMap.
+
+### Storage class values or configuration
+
+The Storage class has to be enabled for encryption and `encryptionKMSID` has
+to be provided which is the matching value in the kms config map.
+
+## Volume Encrypt or Decrypt Operation
+
+Ceph-CSI generate's unique passphrase for each volume to be used to
+encrypt/decrypt. The passphrase is securely store in Azure key vault
+using the `SetSecret` operation. At time of decrypt the passphrase is
+retrieved from the key vault using the `GetSecret`operation.
+
+## Volume Delete Operation
+
+When the corresponding volume is deleted, the stored secret in the Azure Key
+Vault will be deleted.
+
+> Note: Ceph-CSI solely deletes the secret without permanent removal (purging).

examples/kms/vault/azure-credentials.yaml

@@ -0,0 +1,10 @@
+---
+# This is an example Kubernetes secret that can be created in the Kubernetes
+# namespace where Ceph-CSI is deployed. The contents of this secret will be
+# used to connect to the Azure Key Vault.
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ceph-csi-azure-credentials
+data:
+  CLIENT_CERT: ""

examples/kms/vault/csi-kms-connection-details.yaml

@@ -83,5 +83,13 @@ data:
       "READ_TIMEOUT": 10,
       "WRITE_TIMEOUT": 10
     }
+  azure-test: |-
+    {
+      "KMS_PROVIDER": "azure-kv",
+      "AZURE_CERT_SECRET_NAME": "ceph-csi-azure-credentials",
+      "AZURE_VAULT_URL": "https://vault-name.vault.azure.net/",
+      "AZURE_CLIENT_ID": "__CLIENT_ID__",
+      "AZURE_TENANT_ID": "__TENANT_ID__"
+    }
 metadata:
   name: csi-kms-connection-details

examples/kms/vault/kms-config.yaml

@@ -108,6 +108,13 @@ data:
         "TLS_SERVER_NAME": "kmip.ciphertrustmanager.local",
         "READ_TIMEOUT": 10,
         "WRITE_TIMEOUT": 10
+      },
+      "azure-test": {
+        "KMS_PROVIDER": "azure-kv",
+        "AZURE_CERT_SECRET_NAME": "ceph-csi-azure-credentials",
+        "AZURE_VAULT_URL": "https://vault-name.vault.azure.net/",
+        "AZURE_CLIENT_ID": "__CLIENT_ID__",
+        "AZURE_TENANT_ID": "__TENANT_ID__"
       }
     }
 metadata:

internal/kms/azure_vault.go

@@ -0,0 +1,219 @@
+/*
+Copyright 2024 The Ceph-CSI Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kms
+
+import (
+	"context"
+	"encoding/base64"
+	"errors"
+	"fmt"
+
+	"github.com/ceph/ceph-csi/internal/util/k8s"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
+	"github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+const (
+	kmsTypeAzure = "azure-kv"
+
+	// azureDefaultSecretsName is the default name of the Kubernetes secret
+	// that contains the credentials to access the Azure key vault. The name
+	// the secret can be configured by setting the `AZURE_CERT_SECRET_NAME` option.
+	//
+	// #nosec:G101, value not credentials, just references token.
+	azureDefaultSecretsName = "ceph-csi-azure-credentials"
+
+	// azureSecretNameKey contains the name of the Kubernetes secret that has
+	// the credentials to access the Azure key vault.
+	//
+	// #nosec:G101, no hardcoded secret, this is a configuration key.
+	azureSecretNameKey = "AZURE_CERT_SECRET_NAME"
+
+	azureVaultURL = "AZURE_VAULT_URL"
+	azureClientID = "AZURE_CLIENT_ID"
+	azureTenantID = "AZURE_TENANT_ID"
+
+	// The following options are part of the Kubernetes secrets.
+	//
+	// #nosec:G101, no hardcoded secrets, only configuration keys.
+	azureClientCertificate = "CLIENT_CERT"
+)
+
+var _ = RegisterProvider(Provider{
+	UniqueID:    kmsTypeAzure,
+	Initializer: initAzureKeyVaultKMS,
+})
+
+type azureKMS struct {
+	// basic
+	namespace  string
+	secretName string
+
+	integratedDEK
+
+	// standard
+	vaultURL          string
+	clientID          string
+	tenantID          string
+	clientCertificate string
+}
+
+func initAzureKeyVaultKMS(args ProviderInitArgs) (EncryptionKMS, error) {
+	kms := &azureKMS{
+		namespace: args.Namespace,
+	}
+
+	// required options for further configuration (getting secrets)
+	err := setConfigString(&kms.secretName, args.Config, azureSecretNameKey)
+	if errors.Is(err, errConfigOptionInvalid) {
+		return nil, err
+	} else if errors.Is(err, errConfigOptionMissing) {
+		kms.secretName = azureDefaultSecretsName
+	}
+
+	err = setConfigString(&kms.vaultURL, args.Config, azureVaultURL)
+	if err != nil {
+		return nil, err
+	}
+	err = setConfigString(&kms.clientID, args.Config, azureClientID)
+	if err != nil {
+		return nil, err
+	}
+	err = setConfigString(&kms.tenantID, args.Config, azureTenantID)
+	if err != nil {
+		return nil, err
+	}
+
+	// read the kubernetes secret with credentials
+	secrets, err := kms.getSecrets()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get secrets for %T, %w", kms, err)
+	}
+
+	var encodedClientCertificate string
+	err = setConfigString(&encodedClientCertificate, secrets, azureClientCertificate)
+	if err != nil {
+		return nil, err
+	}
+
+	clientCertificate, err := base64.StdEncoding.DecodeString(encodedClientCertificate)
+	if err != nil {
+		return nil, fmt.Errorf("failed to decode client certificate: %w", err)
+	}
+
+	kms.clientCertificate = string(clientCertificate)
+
+	return kms, nil
+}
+
+func (kms *azureKMS) Destroy() {
+	// Nothing to do.
+}
+
+func (kms *azureKMS) getService() (*azsecrets.Client, error) {
+	certs, key, err := azidentity.ParseCertificates([]byte(kms.clientCertificate), []byte{})
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse Azure client certificate: %w", err)
+	}
+	creds, err := azidentity.NewClientCertificateCredential(kms.tenantID, kms.clientID, certs, key, nil)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create Azure credentials: %w", err)
+	}
+
+	azClient, err := azsecrets.NewClient(kms.vaultURL, creds, nil)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create Azure client: %w", err)
+	}
+
+	return azClient, nil
+}
+
+func (kms *azureKMS) getSecrets() (map[string]interface{}, error) {
+	c, err := k8s.NewK8sClient()
+	if err != nil {
+		return nil, fmt.Errorf("failed to connect to kubernetes to "+
+			"get secret %s/%s: %w", kms.namespace, kms.secretName, err)
+	}
+
+	secret, err := c.CoreV1().Secrets(kms.namespace).Get(context.TODO(),
+		kms.secretName, metav1.GetOptions{})
+	if err != nil {
+		return nil, fmt.Errorf("failed to get secret %s/%s: %w", kms.namespace, kms.secretName, err)
+	}
+
+	config := make(map[string]interface{})
+	for k, v := range secret.Data {
+		switch k {
+		case azureClientCertificate:
+			config[k] = string(v)
+		default:
+			return nil, fmt.Errorf("unsupported option for KMS provider %q: %s", kmsTypeAzure, k)
+		}
+	}
+
+	return config, nil
+}
+
+// FetchDEK returns passphrase from Azure key vault.
+func (kms *azureKMS) FetchDEK(ctx context.Context, key string) (string, error) {
+	svc, err := kms.getService()
+	if err != nil {
+		return "", fmt.Errorf("failed to get KMS service: %w", err)
+	}
+
+	getSecretResponse, err := svc.GetSecret(ctx, key, "", nil)
+	if err != nil {
+		return "", fmt.Errorf("failed to get secret: %w", err)
+	}
+
+	return *getSecretResponse.Value, nil
+}
+
+// StoreDEK saves new passphrase to Azure key vault.
+func (kms *azureKMS) StoreDEK(ctx context.Context, key, value string) error {
+	svc, err := kms.getService()
+	if err != nil {
+		return fmt.Errorf("failed to get KMS service: %w", err)
+	}
+
+	setSecretParams := azsecrets.SetSecretParameters{
+		Value: &value,
+	}
+	_, err = svc.SetSecret(ctx, key, setSecretParams, nil)
+	if err != nil {
+		return fmt.Errorf("failed to set seceret %w", err)
+	}
+
+	return nil
+}
+
+// RemoveDEK deletes passphrase from Azure key vault.
+func (kms *azureKMS) RemoveDEK(ctx context.Context, key string) error {
+	svc, err := kms.getService()
+	if err != nil {
+		return fmt.Errorf("failed to get KMS service: %w", err)
+	}
+
+	_, err = svc.DeleteSecret(ctx, key, nil)
+	if err != nil {
+		return fmt.Errorf("failed to delete seceret %w", err)
+	}
+
+	return nil
+}

internal/kms/azure_vault_test.go

@@ -0,0 +1,29 @@
+/*
+Copyright 2024 The Ceph-CSI Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kms
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestAzureKMSRegistered(t *testing.T) {
+	t.Parallel()
+	_, ok := kmsManager.providers[kmsTypeAzure]
+	assert.True(t, ok)
+}