
Sasha/cos2 #3234

Merged
merged 2 commits into from
Jan 3, 2020

Conversation

klizhentas
Contributor

@klizhentas klizhentas commented Dec 28, 2019

This PR is a combination of two commits:

S3 compatible storage support

  • The first is a slightly modified commit from @balpert89 that extends the URI scheme, which now supports the following URI parameters for audit_session_uri.

After writing a bunch of code that introduces new syntax, I had to roll it all back, because it was hard to make it backwards compatible with our existing structure. So ultimately I decided to go with the URI query format proposed by Benjamin.

IBM COS

```yaml
audit_sessions_uri: 's3://readonly/records?endpoint=s3.us-east.cloud-object-storage.appdomain.cloud&region=ibm'
```

`region=ibm` is a must-have region for IBM COS.
`endpoint=s3.us-east.cloud-object-storage.appdomain.cloud` is a region-specific endpoint listed in the IBM cloud UI.

The credentials are read from ~/.aws/credentials and should be created with the HMAC option:

```yaml
cos_hmac_keys:
    access_key_id:       examplekey13513561356
    secret_access_key:   exampleval151236162462462
```

https://cloud.ibm.com/docs/services/cloud-object-storage/hmac?topic=cloud-object-storage-uhc-hmac-credentials-main

@benarent it would be good to have a video guide on how to use all of it.

Insecure and no server side encryption

This example turns off HTTPS and server-side encryption for S3-compatible storage:

```yaml
audit_sessions_uri: 's3://readonly/records?endpoint=example.com&insecure=true&disablesse=true'
```

Etcd password support

The second commit adds password support and makes client cert auth optional.

Here is an example:

```yaml
storage:
    type: etcd
    peers: ['https://example.com:30983']
    username: 'username'
    password_file: '/mnt/secrets/etcd-pass'
    tls_ca_file: '/mnt/secrets/etcd-ca.pem'
```

Please note that we force good security by requiring the password to be provided as a file.
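As an added illustration of the URI query format described above (example code, not part of the PR or of Teleport's own code base), the parser below turns an `audit_sessions_uri` value into a struct, rejects unknown parameters so a typo cannot silently change behaviour, and lists the settings an auditor would flag. The `S3Config` type, `parseS3URI` and `securityWarnings` are names assumed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// S3Config is the parsed form of an audit_sessions_uri value.
// The type and field names are assumptions for this example, not Teleport's types.
type S3Config struct {
	Bucket     string
	Path       string
	Endpoint   string // custom endpoint for S3-compatible stores such as IBM COS
	Region     string
	Insecure   bool // true: talk to the endpoint over plain HTTP
	DisableSSE bool // true: write objects without server-side encryption
}

// parseS3URI parses s3://bucket/path?endpoint=...&region=...&insecure=...&disablesse=...
func parseS3URI(raw string) (*S3Config, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("invalid audit_sessions_uri: %w", err)
	}
	if u.Scheme != "s3" {
		return nil, fmt.Errorf("unsupported scheme %q, expected s3", u.Scheme)
	}
	if u.Host == "" {
		return nil, errors.New("missing bucket name")
	}
	q := u.Query()
	cfg := &S3Config{
		Bucket:   u.Host,
		Path:     strings.TrimPrefix(u.Path, "/"),
		Endpoint: q.Get("endpoint"),
		Region:   q.Get("region"),
	}
	// Boolean flags default to false (secure) when absent.
	flags := []struct {
		key string
		dst *bool
	}{
		{"insecure", &cfg.Insecure},
		{"disablesse", &cfg.DisableSSE},
	}
	for _, f := range flags {
		if v := q.Get(f.key); v != "" {
			b, err := strconv.ParseBool(v)
			if err != nil {
				return nil, fmt.Errorf("%s: expected true/false, got %q", f.key, v)
			}
			*f.dst = b
		}
	}
	// Reject unknown parameters: "insecuer=false" must not be ignored and
	// then mistaken for a secure configuration.
	for key := range q {
		switch key {
		case "endpoint", "region", "insecure", "disablesse":
		default:
			return nil, fmt.Errorf("unknown query parameter %q", key)
		}
	}
	return cfg, nil
}

// securityWarnings lists the weakened settings present in a parsed URI.
func securityWarnings(cfg *S3Config) []string {
	var w []string
	if cfg.Insecure {
		w = append(w, "insecure=true: session recordings travel over plaintext HTTP")
	}
	if cfg.DisableSSE {
		w = append(w, "disablesse=true: recordings are stored without server-side encryption")
	}
	return w
}

func main() {
	// Both URIs are taken from the PR description.
	for _, uri := range []string{
		"s3://readonly/records?endpoint=s3.us-east.cloud-object-storage.appdomain.cloud&region=ibm",
		"s3://readonly/records?endpoint=example.com&insecure=true&disablesse=true",
	} {
		cfg, err := parseS3URI(uri)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%+v\n", *cfg)
		for _, w := range securityWarnings(cfg) {
			fmt.Println("  WARNING:", w)
		}
	}
}
```

The IBM COS URI parses with both flags false and produces no warnings; the second URI produces two, which is what a configuration linter would surface before such a value reaches production.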

@klizhentas
Contributor Author

@russjones we need to merge it into 4.2 first and then forward-port to master, so our customers who requested both features can give it a try. Please ping them in the channel, @benarent, when this is done (I will be on vacation until Jan 5th, so this should be done without me).

This commit adds support for etcd password authentication
and makes client cert auth optional.

Here is an example:

```yaml
storage:
    type: etcd
    peers: ['https://example.com:30983']
    username: 'username'
    password_file: '/mnt/secrets/etcd-pass'
    tls_ca_file: '/mnt/secrets/etcd-ca.pem'
```
@klizhentas
Contributor Author

retest this please

@benarent
Contributor

👍 This looks good. The creation of HMAC does look confusing, so I'm sure a video will help. Did we also try this with T-Mobile OPEN TELEKOM Cloud, or just with IBM's cloud?

