Adding in Dep and Docker build process for easier distro

.dockerignore

@@ -0,0 +1 @@
+Dockerfile

Dockerfile

@@ -0,0 +1,16 @@
+FROM golang:1.9 as builder
+
+RUN go get -u github.com/golang/dep/cmd/dep
+
+WORKDIR /go/src/github.com/jrnt30/k8-kms-enc-provider
+
+COPY . .
+
+RUN dep ensure && \
+    CGO_ENABLED=0 go build --ldflags '-extldflags "-static"' -o k8-kms-enc-provider .
+
+FROM alpine:3.7
+RUN apk add --no-cache ca-certificates
+COPY --from=builder /go/src/github.com/jrnt30/k8-kms-enc-provider/k8-kms-enc-provider /usr/local/bin/k8-kms-enc-provider
+
+ENTRYPOINT ["/usr/local/bin/k8-kms-enc-provider"]

Gopkg.toml

@@ -0,0 +1,46 @@
+
+# Gopkg.toml example
+#
+# Refer to https://github.com/golang/dep/blob/master/docs/Gopkg.toml.md
+# for detailed Gopkg.toml documentation.
+#
+# required = ["github.com/user/thing/cmd/thing"]
+# ignored = ["github.com/user/project/pkgX", "bitbucket.org/user/project/pkgA/pkgY"]
+#
+# [[constraint]]
+#   name = "github.com/user/project"
+#   version = "1.0.0"
+#
+# [[constraint]]
+#   name = "github.com/user/project2"
+#   branch = "dev"
+#   source = "github.com/myfork/project2"
+#
+# [[override]]
+#  name = "github.com/x/y"
+#  version = "2.4.0"
+
+
+[[constraint]]
+  name = "github.com/aws/aws-sdk-go"
+  version = "1.13.38"
+
+[[constraint]]
+  name = "github.com/golang/protobuf"
+  version = "1.0.0"
+
+[[constraint]]
+  name = "github.com/spf13/cobra"
+  version = "0.0.2"
+
+[[constraint]]
+  name = "github.com/spf13/viper"
+  version = "1.0.2"
+
+[[constraint]]
+  branch = "master"
+  name = "golang.org/x/net"
+
+[[constraint]]
+  name = "google.golang.org/grpc"
+  version = "1.11.3"

Makefile

@@ -4,4 +4,8 @@ default: ; @true
 # For each .proto file, ensure there is a correpsonding .db.go file present
 .PHONY: protos
 protos:
-	protoc --go_out plugins=grpc:generated/ --proto_path proto/ proto/*.proto
+	protoc --go_out plugins=grpc:generated/ --proto_path proto/ proto/*.proto
+
+docker-build: 
+	docker build -t kms-server . 
+

README.md

@@ -0,0 +1,46 @@
+# Overview
+This is an *experiment* to create a [Kubernetes KMS provider](https://kubernetes.io/docs/tasks/administer-cluster/kms-provider/).  The goal is to provide an implementation of the K8 KMS specification using AWS KMS.
+
+The CLI also comes with a very simple Client CLI to test the Client/Server/AWS interaction.
+
+This should *NOT* be used for production, it is just an attempt to learn several new technologies and better understand this interaction.
+
+# Installation
+
+## Local Installation
+
+**Installation:**
+`go get github.com/jrnt30/k8-kms-enc-provider`
+
+**Testing:**
+```
+# server
+k8-kms-enc-provider server --key-id <ARN TO YOUR KEY> --region <AWS REGION OF KEY>
+
+# client encrypt
+k8-kms-enc-provider client encrypt --plain-text=test1234
+
+# client decrypt
+k8-kms-enc-provider client decrypt --cipher-text=<OUTPUT FROM ENCRYPT>
+
+# client roundtrip
+k8-kms-enc-provider client encrypt --plain-text=test1234 | xargs k8-kms-enc-provider client decrypt --cipher-text
+```
+
+# Cluster Installation
+
+**NOTE:** The KMS API is in Alpha in K8 1.10 and is sure to change.  During the testing of this I noted several differences with the cluster I had running on 1.9, so please consult the [Official K8 KMS Documentation](https://kubernetes.io/docs/tasks/administer-cluster/kms-provider/#encrypting-your-data-with-the-kms-provider)
+
+My process was to:
+
+- Add a [KMS Encryption Configuration](examples/encryption.conf) to the master node
+- Create a [static Pod specification](examples/kms-server.yaml) for the KMS server, copy it to the master's static pod manifests folder
+- Adjust the API Server Specification:
+  - Add the `- --experimental-encryption-provider-config=/etc/kubernetes/kms/encryption.conf`
+  - Add an additional mount to the API server for the shared socket
+  - Restart the API server
+
+Deployment notes:
+
+- Using the static pods was easiest to ensure the KMS sidecar was bootstrapped, however it makes debugging slightly difficult
+- Initially tried adding this as a sidecar to the apiserver

cmd/decrypt.go

@@ -28,7 +28,7 @@ import (
 	"net"
 	"time"
 
-	"github.com/jrnt30/aws-kms-k8-enc-provider/v1beta1"
+	"github.com/jrnt30/k8-kms-enc-provider/v1beta1"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc"
 )
@@ -67,7 +67,7 @@ to quickly create a Cobra application.`,
 		if err != nil {
 			log.Fatal(err)
 		}
-		fmt.Println("Got response: ", resp)
+		fmt.Printf("%s", string(resp.Plain))
 	},
 }
 

cmd/encrypt.go

@@ -28,7 +28,7 @@ import (
 	"net"
 	"time"
 
-	"github.com/jrnt30/aws-kms-k8-enc-provider/v1beta1"
+	"github.com/jrnt30/k8-kms-enc-provider/v1beta1"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc"
 )
@@ -67,7 +67,7 @@ to quickly create a Cobra application.`,
 		if err != nil {
 			log.Fatal(err)
 		}
-		fmt.Printf("Got response: [%s]", string(encodedCipherString))
+		fmt.Printf("%s", string(encodedCipherString))
 	},
 }
 

cmd/root.go

@@ -33,7 +33,7 @@ var cfgFile string
 
 // RootCmd represents the base command when called without any subcommands
 var RootCmd = &cobra.Command{
-	Use:   "aws-kms-k8-enc-provider",
+	Use:   "k8-kms-enc-provider",
 	Short: "A brief description of your application",
 	Long: `A longer description that spans multiple lines and likely contains
 examples and usage of using your application. For example:
@@ -61,7 +61,7 @@ func init() {
 	// Here you will define your flags and configuration settings.
 	// Cobra supports Persistent Flags, which, if defined here,
 	// will be global for your application.
-	RootCmd.PersistentFlags().StringVar(&cfgFile, "config", "", "configuration file to use (default is ~/.aws-kms-k8-enc-provider)")
+	RootCmd.PersistentFlags().StringVar(&cfgFile, "config", "", "configuration file to use (default is ~/.k8-kms-enc-provider)")
 	RootCmd.PersistentFlags().StringVar(&socketPath, "socket", "/tmp/kms-grpc", "path to the socket to use")
 }
 
@@ -71,7 +71,7 @@ func initConfig() {
 		viper.SetConfigFile(cfgFile)
 	}
 
-	viper.SetConfigName(".aws-kms-k8-enc-provider") // name of config file (without extension)
+	viper.SetConfigName(".k8-kms-enc-provider") // name of config file (without extension)
 	viper.AddConfigPath("$HOME")                    // adding home directory as first search path
 	viper.AutomaticEnv()                            // read in environment variables that match
 

cmd/server.go

@@ -32,8 +32,8 @@ import (
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc"
 
-	"github.com/jrnt30/aws-kms-k8-enc-provider/pkg"
-	"github.com/jrnt30/aws-kms-k8-enc-provider/v1beta1"
+	"github.com/jrnt30/k8-kms-enc-provider/pkg"
+	"github.com/jrnt30/k8-kms-enc-provider/v1beta1"
 )
 
 var awsRegion string
@@ -54,13 +54,21 @@ to quickly create a Cobra application.`,
 			AwsRegion: aws.String(awsRegion),
 			KeyId:     aws.String(keyID),
 		})
+		if err != nil {
+			log.Fatal("Error creating the backing KMS provider: ", err)
+		}
 
 		server := grpc.NewServer()
-		lis, err := net.Listen("unix", socketPath)
-		defer lis.Close()
+		addr, err := net.ResolveUnixAddr("unix", socketPath)
+		if err != nil {
+			log.Fatal("Error resolving the socket, existing", err)
+		}
+
+		lis, err := net.ListenUnix("unix", addr)
 		if err != nil {
 			log.Fatal("Error creating the socket listener, existing", err)
 		}
+		defer lis.Close()
 
 		sigTerm := make(chan os.Signal, 1)
 		signal.Notify(sigTerm, os.Interrupt, os.Kill, syscall.SIGTERM)
@@ -69,6 +77,7 @@ to quickly create a Cobra application.`,
 		waits.Add(1)
 
 		go func() {
+			log.Print("Registering listener on the GRPC server")
 			v1beta1.RegisterKeyManagementServiceServer(server, keyProviderServer)
 			server.Serve(lis)
 			waits.Done()

cmd/version.go

@@ -27,7 +27,7 @@ import (
 	"net"
 	"time"
 
-	"github.com/jrnt30/aws-kms-k8-enc-provider/v1beta1"
+	"github.com/jrnt30/k8-kms-enc-provider/v1beta1"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc"
 )

examples/encryption.conf

@@ -0,0 +1,11 @@
+kind: EncryptionConfig
+apiVersion: v1
+resources:
+  - resources:
+    - secrets
+    providers:
+    - identity: {}
+    - kms:
+        name: myKmsPlugin
+        endpoint: unix:///etc/kubernetes/kms/socketfile.sock
+        cachesize: 100