security: Encrypt region boundary keys, Part 2 - server changes

[yiwu-arbug]

Signed-off-by: Yi Wu [email protected]

What problem does this PR solve?

This is part 2 for adding TDE support to PD. pingcap/tidb#18262 This PR adds changes on the server layer.

What is changed and how it works?

This PR adds the following:

• Define config struct for encryption (see config.toml changes)
• Update storage.go and region_storage.go to encrypt region boundary keys
• And empty KeyManager implementation. Its implementation will be done in the next PR. With the empty implementation, the encryption is an no-op.
• server.go changes to create KeyManager and notify the KeyManager when the current node become PD leader. The KeyManager is supposed to update encryption metadata (e.g. key rotation, handle dynamic config change) only when the node is the PD leader.

Check List

Tests

• CI.
• Some manual end-to-end test with a WIP KeyManager implementation.

Side effects

• Shouldn't have any side effects, as the encrypt is an no-op before KeyManager is implemented.

Related changes

• Part 1 of the project: security: Encrypt region boundary keys, Part 1 - helper functions #2931

Release note

• No release note

[yiwu-arbug]

looks like tests caught some issue in the change. still fixing.

[yiwu-arbug]

/run-all-tests

[yiwu-arbug]

@HunDunDM @Yisaer ready for review. thanks.

[yiwu-arbug]

@HunDunDM @Yisaer kindly ping

[yiwu-arbug]

sorry for delay. updated.

[HunDunDM]

rest LGTM

[yiwu-arbug]

Updated

[HunDunDM]

LGTM

[yiwu-arbug]

@Yisaer ping

[Yisaer]

Rest LGTM.

[ti-srebot]

@yiwu-arbug,Thanks for your review. The bot only counts LGTMs from Reviewers and higher roles, but you're still welcome to leave your comments.See the corresponding SIG page for more information. Related SIG: scheduling(slack).

[Yisaer]

LGTM

[Yisaer]

/merge

[ti-srebot]

/run-all-tests