Support private cloud Aliyun KMS endpoints for KBS

Allow the KBS Aliyun resource backend to use private cloud KMS endpoints
with configurable TLS trust, while keeping the existing public cloud
defaults. Recommend AccessKey credentials through environment variables
and document the private cloud deployment and test flow.

Signed-off-by: Jiale Zhang <xinjian.zjl@alibaba-inc.com>

Author: Jiale Zhang

Cargo.lock

@@ -10,7 +10,7 @@ use base64::{engine::general_purpose::STANDARD, Engine};
 use chrono::Utc;
 use log::{error, info};
 use prost::Message;
-use reqwest::{header::HeaderMap, Certificate, ClientBuilder};
+use reqwest::{header::HeaderMap, Certificate, Client, ClientBuilder};
 use serde::{Deserialize, Serialize};
 use serde_json::Value;
 use sha2::{Digest, Sha256};
@@ -53,27 +53,65 @@ impl ClientKeyClient {
         Ok(kms_instance_ca_cert)
     }
 
+    fn build_http_client(cert_pem: Option<&str>, insecure_skip_tls_verify: bool) -> Result<Client> {
+        let mut builder = ClientBuilder::new().use_rustls_tls();
+
+        if let Some(cert_pem) = cert_pem.filter(|v| !v.is_empty()) {
+            let cert = Self::read_kms_instance_cert(cert_pem.as_bytes())?;
+            builder = builder.add_root_certificate(cert);
+        } else if !insecure_skip_tls_verify {
+            return Err(Error::AliyunKmsError(
+                "kms instance ca cert is required unless insecure_skip_tls_verify is enabled"
+                    .to_string(),
+            ));
+        }
+
+        if insecure_skip_tls_verify {
+            builder = builder.danger_accept_invalid_certs(true);
+        }
+
+        builder
+            .build()
+            .map_err(|e| Error::AliyunKmsError(format!("build http client failed: {e:?}")))
+    }
+
     pub fn new(
         client_key: &str,
         kms_instance_id: &str,
         password: &str,
         cert_pem: &str,
+    ) -> Result<Self> {
+        Self::new_with_options(
+            client_key,
+            kms_instance_id,
+            password,
+            Some(cert_pem),
+            None,
+            false,
+        )
+    }
+
+    pub fn new_with_options(
+        client_key: &str,
+        kms_instance_id: &str,
+        password: &str,
+        cert_pem: Option<&str>,
+        endpoint: Option<&str>,
+        insecure_skip_tls_verify: bool,
     ) -> Result<Self> {
         let credential = CredentialClientKey::new(client_key, password).map_err(|e| {
             Error::AliyunKmsError(format!(
                 "create client_key credential of the kms instance failed: {e:?}"
             ))
         })?;
 
-        let endpoint = format!("{kms_instance_id}.cryptoservice.kms.aliyuncs.com");
+        let endpoint = endpoint
+            .filter(|v| !v.is_empty())
+            .map(ToOwned::to_owned)
+            .unwrap_or_else(|| format!("{kms_instance_id}.cryptoservice.kms.aliyuncs.com"));
         let config = ConfigClientKey::new(kms_instance_id, &endpoint);
 
-        let cert = Self::read_kms_instance_cert(cert_pem.as_bytes())?;
-        let http_client = ClientBuilder::new()
-            .use_rustls_tls()
-            .add_root_certificate(cert)
-            .build()
-            .map_err(|e| Error::AliyunKmsError(format!("build http client failed: {e:?}")))?;
+        let http_client = Self::build_http_client(cert_pem, insecure_skip_tls_verify)?;
 
         Ok(Self {
             credential,

deps/kms/src/plugins/aliyun/client/client_key_client/mod.rs

@@ -63,6 +63,26 @@ impl AliyunKmsClient {
         Ok(Self::ClientKey { inner })
     }
 
+    pub fn new_client_key_client_with_options(
+        client_key: &str,
+        kms_instance_id: &str,
+        password: &str,
+        cert_pem: Option<&str>,
+        endpoint: Option<&str>,
+        insecure_skip_tls_verify: bool,
+    ) -> Result<Self> {
+        let inner = ClientKeyClient::new_with_options(
+            client_key,
+            kms_instance_id,
+            password,
+            cert_pem,
+            endpoint,
+            insecure_skip_tls_verify,
+        )?;
+
+        Ok(Self::ClientKey { inner })
+    }
+
     pub fn new_ecs_ram_role_client(ecs_ram_role_name: &str, region_id: &str) -> Self {
         let ecs_ram_role_client =
             EcsRamRoleClient::new(ecs_ram_role_name.to_string(), region_id.to_string());
@@ -77,12 +97,35 @@ impl AliyunKmsClient {
         access_key_secret: &str,
         region_id: &str,
     ) -> Result<Self> {
-        let endpoint = format!("kms.{region_id}.aliyuncs.com");
-        let client = StsTokenClient::from_access_key(
+        Self::new_access_key_client_with_options(
+            access_key_id,
+            access_key_secret,
+            region_id,
+            None,
+            None,
+            false,
+        )
+    }
+
+    pub fn new_access_key_client_with_options(
+        access_key_id: &str,
+        access_key_secret: &str,
+        region_id: &str,
+        endpoint: Option<&str>,
+        ca_cert_pem: Option<&str>,
+        insecure_skip_tls_verify: bool,
+    ) -> Result<Self> {
+        let endpoint = endpoint
+            .filter(|v| !v.is_empty())
+            .map(ToOwned::to_owned)
+            .unwrap_or_else(|| format!("kms.{region_id}.aliyuncs.com"));
+        let client = StsTokenClient::from_access_key_with_options(
             access_key_id.to_string(),
             access_key_secret.to_string(),
             endpoint,
             region_id.to_string(),
+            ca_cert_pem,
+            insecure_skip_tls_verify,
         )?;
         Ok(Self::AccessKey { client })
     }

deps/kms/src/plugins/aliyun/client/mod.rs

@@ -15,7 +15,7 @@ use chrono::Utc;
 use credential::StsCredential;
 use log::error;
 use rand::{distributions::Alphanumeric, Rng};
-use reqwest::{header::HeaderMap, ClientBuilder};
+use reqwest::{header::HeaderMap, Certificate, Client, ClientBuilder};
 use serde::Deserialize;
 use serde_json::Value;
 use tokio::fs;
@@ -43,11 +43,29 @@ pub struct StsSettings {
 }
 
 impl StsTokenClient {
-    pub fn from_sts_token(sts: StsCredential, endpoint: String, region_id: String) -> Result<Self> {
-        let http_client = ClientBuilder::new()
-            .use_rustls_tls()
+    fn build_http_client(
+        ca_cert_pem: Option<&str>,
+        insecure_skip_tls_verify: bool,
+    ) -> Result<Client> {
+        let mut builder = ClientBuilder::new().use_rustls_tls();
+
+        if let Some(ca_cert_pem) = ca_cert_pem.filter(|v| !v.is_empty()) {
+            let ca_cert = Certificate::from_pem(ca_cert_pem.as_bytes())
+                .map_err(|e| Error::AliyunKmsError(format!("read kms ca cert failed: {e:?}")))?;
+            builder = builder.add_root_certificate(ca_cert);
+        }
+
+        if insecure_skip_tls_verify {
+            builder = builder.danger_accept_invalid_certs(true);
+        }
+
+        builder
             .build()
-            .map_err(|e| Error::AliyunKmsError(format!("build http client failed: {e:?}")))?;
+            .map_err(|e| Error::AliyunKmsError(format!("build http client failed: {e:?}")))
+    }
+
+    pub fn from_sts_token(sts: StsCredential, endpoint: String, region_id: String) -> Result<Self> {
+        let http_client = Self::build_http_client(None, false)?;
         Ok(Self {
             ak: sts.ak,
             sk: sts.sk,
@@ -64,10 +82,25 @@ impl StsTokenClient {
         endpoint: String,
         region_id: String,
     ) -> Result<Self> {
-        let http_client = ClientBuilder::new()
-            .use_rustls_tls()
-            .build()
-            .map_err(|e| Error::AliyunKmsError(format!("build http client failed: {e:?}")))?;
+        Self::from_access_key_with_options(
+            access_key_id,
+            access_key_secret,
+            endpoint,
+            region_id,
+            None,
+            false,
+        )
+    }
+
+    pub fn from_access_key_with_options(
+        access_key_id: String,
+        access_key_secret: String,
+        endpoint: String,
+        region_id: String,
+        ca_cert_pem: Option<&str>,
+        insecure_skip_tls_verify: bool,
+    ) -> Result<Self> {
+        let http_client = Self::build_http_client(ca_cert_pem, insecure_skip_tls_verify)?;
         Ok(Self {
             ak: access_key_id,
             sk: access_key_secret,

deps/kms/src/plugins/aliyun/client/sts_token_client/mod.rs

@@ -1 +1,49 @@
 # Trustee Helm Chart
+
+## Aliyun KMS Resource Backend
+
+KBS can use Aliyun KMS generic secrets as the resource backend when the KBS image
+is built with the `aliyun` feature.
+
+Set `kbs.aliyunKms.enabled=true` and choose one authentication mode:
+
+- AAP client key: set `clientKey`, `kmsInstanceId`, `password`, and `certPem`.
+- AccessKey: set `regionId` and inject `ALIYUN_KMS_ACCESS_KEY_ID` and
+  `ALIYUN_KMS_ACCESS_KEY_SECRET` through the pod environment. The recommended
+  Helm path is to set `accessKeyExistingSecret` so the credentials come from an
+  existing Kubernetes Secret.
+
+For private cloud deployments, also set `endpoint` to the KMS intranet endpoint
+provided by the private cloud KMS owner. If the endpoint uses a private CA, set
+`certPem` to the CA certificate. `insecureSkipTlsVerify=true` is only intended
+for temporary test environments where the certificate chain cannot yet be
+trusted.
+
+Example:
+
+```yaml
+kbs:
+  aliyunKms:
+    enabled: true
+    regionId: "cn-test"
+    endpoint: "kms-intranet.cn-test.example.com"
+    certPem: |
+      -----BEGIN CERTIFICATE-----
+      ...
+      -----END CERTIFICATE-----
+    accessKeyExistingSecret: "aliyun-kms-credential"
+    accessKeyIdSecretKey: "access_key_id"
+    accessKeySecretSecretKey: "access_key_secret"
+    insecureSkipTlsVerify: false
+```
+
+Create the referenced secret before installing or upgrading the chart:
+
+```shell
+kubectl create secret generic aliyun-kms-credential \
+  --from-literal=access_key_id='LTAI...' \
+  --from-literal=access_key_secret='secret...'
+```
+
+The old `kmsIntanceId` value key is still accepted for compatibility, but new
+deployments should use `kmsInstanceId`.

helm-chart/README.md

@@ -22,9 +22,11 @@ data:
     {{- if .Values.kbs.aliyunKms.enabled }}
     type = "Aliyun"
     client_key = {{ .Values.kbs.aliyunKms.clientKey | quote }}
-    kms_instance_id = "{{ .Values.kbs.aliyunKms.kmsIntanceId }}"
+    kms_instance_id = "{{ default .Values.kbs.aliyunKms.kmsIntanceId .Values.kbs.aliyunKms.kmsInstanceId }}"
     password = "{{ .Values.kbs.aliyunKms.password }}"
     cert_pem = {{ .Values.kbs.aliyunKms.certPem | quote}}
+    endpoint = {{ .Values.kbs.aliyunKms.endpoint | quote }}
+    insecure_skip_tls_verify = {{ .Values.kbs.aliyunKms.insecureSkipTlsVerify }}
     {{- else }}
     type = "LocalFs"
     dir_path = "/opt/confidential-containers/kbs/repository"

helm-chart/trustee/templates/kbs-configmap.yaml

@@ -43,6 +43,33 @@ spec:
           env:
             - name: RUST_LOG
               value: {{ .Values.log_level }}
+            {{- if .Values.kbs.aliyunKms.enabled }}
+            {{- if .Values.kbs.aliyunKms.regionId }}
+            - name: ALIYUN_KMS_REGION_ID
+              value: {{ .Values.kbs.aliyunKms.regionId | quote }}
+            {{- end }}
+            {{- if .Values.kbs.aliyunKms.accessKeyExistingSecret }}
+            - name: ALIYUN_KMS_ACCESS_KEY_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.kbs.aliyunKms.accessKeyExistingSecret | quote }}
+                  key: {{ .Values.kbs.aliyunKms.accessKeyIdSecretKey | quote }}
+            - name: ALIYUN_KMS_ACCESS_KEY_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.kbs.aliyunKms.accessKeyExistingSecret | quote }}
+                  key: {{ .Values.kbs.aliyunKms.accessKeySecretSecretKey | quote }}
+            {{- else }}
+            {{- if .Values.kbs.aliyunKms.accessKeyId }}
+            - name: ALIYUN_KMS_ACCESS_KEY_ID
+              value: {{ .Values.kbs.aliyunKms.accessKeyId | quote }}
+            {{- end }}
+            {{- if .Values.kbs.aliyunKms.accessKeySecret }}
+            - name: ALIYUN_KMS_ACCESS_KEY_SECRET
+              value: {{ .Values.kbs.aliyunKms.accessKeySecret | quote }}
+            {{- end }}
+            {{- end }}
+            {{- end }}
           ports:
             - name: http
               containerPort: {{ .Values.kbs.service.port }}

helm-chart/trustee/templates/kbs-statefulset.yaml

@@ -70,10 +70,25 @@ kbs:
 
   aliyunKms:
     enabled: false
+    # kmsIntanceId is kept for backward compatibility with older chart values.
     kmsIntanceId:
+    kmsInstanceId:
     password: 
     clientKey:
     certPem:
+    # Recommended AccessKey configuration path: inject credentials through
+    # ALIYUN_KMS_* environment variables. Prefer accessKeyExistingSecret for
+    # production deployments.
+    accessKeyId:
+    accessKeySecret:
+    accessKeyExistingSecret:
+    accessKeyIdSecretKey: access_key_id
+    accessKeySecretSecretKey: access_key_secret
+    regionId:
+    # Private cloud KMS intranet endpoint, for example kms-intranet.<region>.<domain>.
+    endpoint:
+    # Use only for test environments where the private cloud KMS certificate cannot be trusted.
+    insecureSkipTlsVerify: false
 
 as:
   pccsURL: ''

helm-chart/trustee/values.yaml

@@ -99,6 +99,7 @@ tempfile.workspace = true
 rstest.workspace = true
 reference-value-provider-service.path = "../rvps"
 serial_test = "3.0"
+toml.workspace = true
 
 [build-dependencies]
 tonic-build = { workspace = true, optional = true }

kbs/Cargo.toml

@@ -107,7 +107,7 @@ If you want a self-signed cert for test cases, please refer to [the document](do
 
 The KBS can use different backend storage. `LocalFs` will always be builtin.
 `ALIYUN` determines whether aliyun kms support will be built. The options
-are `true` or `false` (by defult). Please refer to [the document](docs/config.md#repository-configuration)
+are `true` or `false` (by default). Please refer to [the document](docs/config.md#resource-configuration)
 for more details.
 
 ## References