Add rocksdb.encryption-key-generator CLI option (#348)

Co-authored-by: Adam Janikowski <[email protected]>

Author: nikita-vanyasin

CHANGELOG.md

@@ -5,6 +5,7 @@
 - Improve detection of arangod binary when running local installation (use --server.use-local-bin)
 - Upgrade base Alpine image and Go dependencies to fix CVEs
 - Remove `netgo` build tag for Windows to disable new Go resolver behaviour: https://github.com/golang/go/issues/57757
+- Add `rocksdb.encryption-key-generator` CLI option
 
 ## [0.15.6](https://github.com/arangodb-helper/arangodb/tree/0.15.6) (2023-01-20)
 - Fix restarting cluster with arangosync enabled

main.go

@@ -175,6 +175,7 @@ func init() {
 	f.StringVar(&opts.server.storageEngine, "server.storage-engine", "", "Type of storage engine to use (mmfiles|rocksdb) (3.2 and up)")
 
 	f.StringVar(&opts.rocksDB.encryptionKeyFile, "rocksdb.encryption-keyfile", "", "Key file used for RocksDB encryption. (Enterprise Edition 3.2 and up)")
+	f.StringVar(&opts.rocksDB.encryptionKeyGenerator, "rocksdb.encryption-key-generator", "", "Path to program. The output of this program will be used as key for RocksDB encryption. (Enterprise Edition)")
 
 	f.StringVar(&opts.docker.endpoint, "docker.endpoint", "unix:///var/run/docker.sock", "Endpoint used to reach the docker daemon")
 	f.StringVar(&opts.docker.arangodImage, "docker.image", getEnvVar("DOCKER_IMAGE", ""), "name of the Docker image to use to launch arangod instances (leave empty to avoid using docker)")
@@ -576,6 +577,7 @@ func mustPrepareService(generateAutoKeyFile bool) (*service.Service, service.Boo
 	opts.ssl.keyFile = mustExpand(opts.ssl.keyFile)
 	opts.ssl.caFile = mustExpand(opts.ssl.caFile)
 	opts.rocksDB.encryptionKeyFile = mustExpand(opts.rocksDB.encryptionKeyFile)
+	opts.rocksDB.encryptionKeyGenerator = mustExpand(opts.rocksDB.encryptionKeyGenerator)
 
 	// Check database executable
 	if !runningInDocker {
@@ -680,23 +682,24 @@ func mustPrepareService(generateAutoKeyFile bool) (*service.Service, service.Boo
 
 	// Create service
 	bsCfg := service.BootstrapConfig{
-		ID:                       opts.starter.id,
-		Mode:                     service.ServiceMode(opts.starter.mode),
-		DataDir:                  opts.starter.dataDir,
-		AgencySize:               opts.cluster.agencySize,
-		StartLocalSlaves:         opts.starter.startLocalSlaves,
-		StartAgent:               mustGetOptionalBoolRef("cluster.start-agent", opts.cluster.startAgent),
-		StartDBserver:            mustGetOptionalBoolRef("cluster.start-dbserver", opts.cluster.startDBServer),
-		StartCoordinator:         mustGetOptionalBoolRef("cluster.start-coordinator", opts.cluster.startCoordinator),
-		StartResilientSingle:     mustGetOptionalBoolRef("cluster.start-single", opts.cluster.startActiveFailover),
-		StartSyncMaster:          mustGetOptionalBoolRef("sync.start-master", opts.sync.startSyncMaster),
-		StartSyncWorker:          mustGetOptionalBoolRef("sync.start-worker", opts.sync.startSyncWorker),
-		ServerStorageEngine:      opts.server.storageEngine,
-		JwtSecret:                jwtSecret,
-		SslKeyFile:               opts.ssl.keyFile,
-		SslCAFile:                opts.ssl.caFile,
-		RocksDBEncryptionKeyFile: opts.rocksDB.encryptionKeyFile,
-		DisableIPv6:              opts.starter.disableIPv6,
+		ID:                            opts.starter.id,
+		Mode:                          service.ServiceMode(opts.starter.mode),
+		DataDir:                       opts.starter.dataDir,
+		AgencySize:                    opts.cluster.agencySize,
+		StartLocalSlaves:              opts.starter.startLocalSlaves,
+		StartAgent:                    mustGetOptionalBoolRef("cluster.start-agent", opts.cluster.startAgent),
+		StartDBserver:                 mustGetOptionalBoolRef("cluster.start-dbserver", opts.cluster.startDBServer),
+		StartCoordinator:              mustGetOptionalBoolRef("cluster.start-coordinator", opts.cluster.startCoordinator),
+		StartResilientSingle:          mustGetOptionalBoolRef("cluster.start-single", opts.cluster.startActiveFailover),
+		StartSyncMaster:               mustGetOptionalBoolRef("sync.start-master", opts.sync.startSyncMaster),
+		StartSyncWorker:               mustGetOptionalBoolRef("sync.start-worker", opts.sync.startSyncWorker),
+		ServerStorageEngine:           opts.server.storageEngine,
+		JwtSecret:                     jwtSecret,
+		SslKeyFile:                    opts.ssl.keyFile,
+		SslCAFile:                     opts.ssl.caFile,
+		RocksDBEncryptionKeyFile:      opts.rocksDB.encryptionKeyFile,
+		RocksDBEncryptionKeyGenerator: opts.rocksDB.encryptionKeyGenerator,
+		DisableIPv6:                   opts.starter.disableIPv6,
 	}
 	bsCfg.Initialize()
 	serviceConfig := service.Config{

options.go

@@ -82,7 +82,8 @@ type starterOptions struct {
 		caFile           string
 	}
 	rocksDB struct {
-		encryptionKeyFile string
+		encryptionKeyFile      string
+		encryptionKeyGenerator string
 	}
 	docker struct {
 		endpoint        string

service/arangod_config_builder.go

@@ -132,6 +132,15 @@ func createArangodConf(log zerolog.Logger, bsCfg BootstrapConfig, myHostDir, myC
 		}
 		config = append(config, rocksdbSection)
 	}
+	if bsCfg.RocksDBEncryptionKeyGenerator != "" {
+		rocksdbSection := &configSection{
+			Name: "rocksdb",
+			Settings: map[string]string{
+				"encryption-key-generator": bsCfg.RocksDBEncryptionKeyGenerator,
+			},
+		}
+		config = append(config, rocksdbSection)
+	}
 
 	out, err := os.Create(hostConfFileName)
 	if err != nil {

service/bootstrap_config.go

@@ -32,25 +32,26 @@ import (
 // BootstrapConfig holds all configuration for a service that will
 // not change through the lifetime of a cluster.
 type BootstrapConfig struct {
-	ID                        string      // Unique identifier of this peer
-	Mode                      ServiceMode // Service mode cluster|single
-	DataDir                   string
-	AgencySize                int    // Number of agents in the agency
-	StartLocalSlaves          bool   // If set, start sufficient slave (Service's) locally.
-	StartAgent                *bool  // If not nil, sets if starter starts a agent, otherwise default handling applies
-	StartDBserver             *bool  // If not nil, sets if starter starts a dbserver, otherwise default handling applies
-	StartCoordinator          *bool  // If not nil, sets if starter starts a coordinator, otherwise default handling applies
-	StartResilientSingle      *bool  // If not nil, sets if starter starts a resilient single, otherwise default handling applies
-	StartSyncMaster           *bool  // If not nil, sets if the starter starts a sync master, otherwise default handling applies
-	StartSyncWorker           *bool  // If not nil, sets if the starter starts a sync worker, otherwise default handling applies
-	ServerStorageEngine       string // mmfiles | rocksdb
-	JwtSecret                 string // JWT secret used for arangod communication
-	ArangosyncMonitoringToken string // Bearer token used for arangosync authentication
-	SslKeyFile                string // Path containing an x509 certificate + private key to be used by the servers.
-	SslCAFile                 string // Path containing an x509 CA certificate used to authenticate clients.
-	RocksDBEncryptionKeyFile  string // Path containing encryption key for RocksDB encryption.
-	DisableIPv6               bool   // If set, no IPv6 notation will be used
-	RecoveryAgentID           string `json:"-"` // ID of the agent. Only set during recovery
+	ID                            string      // Unique identifier of this peer
+	Mode                          ServiceMode // Service mode cluster|single
+	DataDir                       string
+	AgencySize                    int    // Number of agents in the agency
+	StartLocalSlaves              bool   // If set, start sufficient slave (Service's) locally.
+	StartAgent                    *bool  // If not nil, sets if starter starts a agent, otherwise default handling applies
+	StartDBserver                 *bool  // If not nil, sets if starter starts a dbserver, otherwise default handling applies
+	StartCoordinator              *bool  // If not nil, sets if starter starts a coordinator, otherwise default handling applies
+	StartResilientSingle          *bool  // If not nil, sets if starter starts a resilient single, otherwise default handling applies
+	StartSyncMaster               *bool  // If not nil, sets if the starter starts a sync master, otherwise default handling applies
+	StartSyncWorker               *bool  // If not nil, sets if the starter starts a sync worker, otherwise default handling applies
+	ServerStorageEngine           string // mmfiles | rocksdb
+	JwtSecret                     string // JWT secret used for arangod communication
+	ArangosyncMonitoringToken     string // Bearer token used for arangosync authentication
+	SslKeyFile                    string // Path containing an x509 certificate + private key to be used by the servers.
+	SslCAFile                     string // Path containing an x509 CA certificate used to authenticate clients.
+	RocksDBEncryptionKeyFile      string // Path containing encryption key for RocksDB encryption.
+	RocksDBEncryptionKeyGenerator string // Path to program. The output of this program will be used as key for RocksDB encryption.
+	DisableIPv6                   bool   // If set, no IPv6 notation will be used
+	RecoveryAgentID               string `json:"-"` // ID of the agent. Only set during recovery
 }
 
 func (bsCfg BootstrapConfig) JWTFolderDir() string {

service/options/forbidden.go

@@ -35,7 +35,7 @@ func (f forbidden) IsForbidden(key string) bool {
 }
 
 var (
-	// forbiddenOptions holds a list of options that are not allowed to be overriden.
+	// forbiddenOptions holds a list of options that are not allowed to be overridden.
 	forbiddenOptions = forbidden{
 		// Arangod
 		"agency.activate",