Allow choice of Keyring to be configured in YAML

This uses a Dagger-provided map of Keyring implementations, with two currently available,
"KMS" and "Dummy". The active keyring is configured in the YAML file, so we no longer
require MOE directives to choose which one to use for internal/external builds.

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=216898058
This commit is contained in:
mcilwain 2018-10-12 11:55:23 -07:00 committed by Ben McIlwain
parent 3bb525349f
commit bec7a91cfc
18 changed files with 124 additions and 30 deletions

View file

@ -1021,6 +1021,12 @@ public final class RegistryConfig {
return config.registryPolicy.greetingServerId;
}
@Provides
@Config("activeKeyring")
public static String provideKeyring(RegistryConfigSettings config) {
return config.keyring.activeKeyring;
}
/**
* The name to use for the Cloud KMS KeyRing containing encryption keys for Nomulus secrets.
*
@ -1030,13 +1036,13 @@ public final class RegistryConfig {
@Provides
@Config("cloudKmsKeyRing")
public static String provideCloudKmsKeyRing(RegistryConfigSettings config) {
return config.kms.keyringName;
return config.keyring.kms.keyringName;
}
@Provides
@Config("cloudKmsProjectId")
public static String provideCloudKmsProjectId(RegistryConfigSettings config) {
return config.kms.projectId;
return config.keyring.kms.projectId;
}
@Provides

View file

@ -34,7 +34,7 @@ public class RegistryConfigSettings {
public Monitoring monitoring;
public Misc misc;
public Beam beam;
public Kms kms;
public Keyring keyring;
public RegistryTool registryTool;
/** Configuration options that apply to the entire App Engine project. */
@ -99,12 +99,6 @@ public class RegistryConfigSettings {
public int baseOfyRetryMillis;
}
/** Configuration for Cloud KMS. */
public static class Kms {
public String keyringName;
public String projectId;
}
/** Configuration for Apache Beam (Cloud Dataflow). */
public static class Beam {
public String defaultJobZone;
@ -170,6 +164,18 @@ public class RegistryConfigSettings {
public int asyncDeleteDelaySeconds;
}
/** Configuration for keyrings (used to store secrets outside of source). */
public static class Keyring {
public String activeKeyring;
public Kms kms;
}
/** Configuration for Cloud KMS. */
public static class Kms {
public String keyringName;
public String projectId;
}
/** Configuration options for the registry tool. */
public static class RegistryTool {
public String clientSecretFilename;

View file

@ -322,14 +322,19 @@ beam:
# The default zone to run Apache Beam (Cloud Dataflow) jobs in.
defaultJobZone: us-east1-c
kms:
# GCP project containing the KMS keyring. Should only be used for KMS in
# order to keep a simple locked down IAM configuration.
projectId: registry-kms-project-id
keyring:
# The name of the active keyring, either "KMS" or "Dummy".
activeKeyring: Dummy
# The name to use for the Cloud KMS KeyRing which will store encryption keys
# for Nomulus secrets.
keyringName: nomulus
# Configuration options specific to Google Cloud KMS.
kms:
# GCP project containing the KMS keyring. Should only be used for KMS in
# order to keep a simple locked down IAM configuration.
projectId: registry-kms-project-id
# The name to use for the Cloud KMS KeyRing which will store encryption keys
# for Nomulus secrets.
keyringName: nomulus
# Configuration options relevant to the "nomulus" registry tool.
registryTool:

View file

@ -61,5 +61,7 @@ cloudDns:
rootUrl: null
servicePath: null
kms:
projectId: placeholder
keyring:
activeKeyring: KMS
kms:
projectId: placeholder