A plugin for kubernetes encryption that allows the use of vault as a KMS provider
See usage documentation here
- Create grpc server from the kubernetes proto file
- Generate rust code from k8s proto
- Provide implementations for generated traits
- Get server in a running state
- Create vault client for performing KMS actions
- Create all methods required for KMS service
- Test encryption with vault
- Test decryption with vault
- Test status checks (key info retrieval) with vault
- Set up socket communication
- Connect to kubernetes kms provider via socket
- Secure Socket connection
- Test socket communication
- Create docker container for plugin
- Set up ci for deployment
- Set up Authentication
- ServiceAccount
- Local
- Client
- Jwt
- Tls certs
- Token
- ServiceAccount
- Cache vault token
- Update vault token on mounted jwt file changes
- Create a docs page on github pages
- Allow Tls for http communication
- Document manual integration steps
- Create Helm Chart for easy deployment
- Set up helm char repository via GitHub pages
- Set up logging
- Remove logs for imported libraries
Official documentation on kubernetes authentication can be found
You can enable the use of local kubernetes authentication in vault using the following commands. docs
vault auth enable kubernetes
vault write auth/kubernetes/config kubernetes_host=https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORTUnit tests should be colocated with the code they test, you can run unit tests using the following command
cargo test --bins --libIntegration tests will be located in the tests directory at the root of the project, they require some set up locally.
First you will need to run the vault service using docker compose by running the following command in the root directory:
docker compose up vault -dSecond you will need to enable transit in vault
docker compose exec vault vault secrets enable transitAfter the transit has been enabled you can start the kms provider
docker compose up vault-kms-provider -dThen finally you can run the integration tests with the following command
cargo test --test *End to end tests are implemented using helm's testing library, you can find the tests themselves in the helm/templates/tests directory. There are also some files used for testing located in the helm/test_files directory.
In order to run the tests you will need to deploy a vault server and the helm chart for this repository, you can do this using their respective helm charts
helm install vault-kms-provider ./helm -n vault \
--set "image.tag=$IMAGE_TAG" \
--set "role.rules[0].apiGroups={}" \
--set "role.rules[0].resources={secrets}" \
--set "role.rules[0].verbs={get,create}"The parameters we set here are giving the tests the ability to create and modify secrets (so that we can check that they are encrypted/decrypted as expected). The image tag is self-explanatory, but keep in mind that if you are testing new changes, you will need to push them to a repository and specify the image you wish to pull and test in the IMAGE_TAG declaration.
The tests expect there to be an etcd backend for them to access in order to confirm the stored data (secrets) is encrypted. There are too many potential k8s tools to cover how to make this work, but you may look to this repositories circleci config for examples on how to set one up if your brand of k8s does not use etcd. Either way, you will need to be sure the tests have access to an etcd backend to retrieve the data stored by k8s.
Once the vault KMS provider has been set up, you can run the tests with the following command:
helm test vault-kms-provider