Commit
Adding in Dep and Docker build process for easier distro
Justin Nauman committed Apr 30, 2018 (1 parent 3e749da, commit 4819714)
Showing 1,198 changed files with 533,470 additions and 16 deletions.
@@ -0,0 +1 @@ | ||
Dockerfile |
@@ -0,0 +1,16 @@ | ||
FROM golang:1.9 as builder | ||
|
||
RUN go get -u github.com/golang/dep/cmd/dep | ||
|
||
WORKDIR /go/src/github.com/jrnt30/k8-kms-enc-provider | ||
|
||
COPY . . | ||
|
||
RUN dep ensure && \ | ||
CGO_ENABLED=0 go build --ldflags '-extldflags "-static"' -o k8-kms-enc-provider . | ||
|
||
FROM alpine:3.7 | ||
RUN apk add --no-cache ca-certificates | ||
COPY --from=builder /go/src/github.com/jrnt30/k8-kms-enc-provider/k8-kms-enc-provider /usr/local/bin/k8-kms-enc-provider | ||
|
||
ENTRYPOINT ["/usr/local/bin/k8-kms-enc-provider"] |
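Review bot: the runtime stage has no `USER` directive, so the provider runs as root inside the alpine:3.7 container even though it only needs to own the unix socket it serves; add an unprivileged account in the final stage (`RUN adduser -D -u 1000 kms` followed by `USER kms`) and make sure the socket directory mounted from the master is writable by that uid. Separately, `RUN go get -u github.com/golang/dep/cmd/dep` installs whatever dep is at HEAD on the day of the build, so the builder stage is not reproducible; pin a dep release (download a tagged binary, or check out a tag before `go install`) so a toolchain change cannot silently alter the vendored tree that `dep ensure` produces.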
@@ -0,0 +1,46 @@ | ||
|
||
# Gopkg.toml example | ||
# | ||
# Refer to https://github.com/golang/dep/blob/master/docs/Gopkg.toml.md | ||
# for detailed Gopkg.toml documentation. | ||
# | ||
# required = ["github.com/user/thing/cmd/thing"] | ||
# ignored = ["github.com/user/project/pkgX", "bitbucket.org/user/project/pkgA/pkgY"] | ||
# | ||
# [[constraint]] | ||
# name = "github.com/user/project" | ||
# version = "1.0.0" | ||
# | ||
# [[constraint]] | ||
# name = "github.com/user/project2" | ||
# branch = "dev" | ||
# source = "github.com/myfork/project2" | ||
# | ||
# [[override]] | ||
# name = "github.com/x/y" | ||
# version = "2.4.0" | ||
|
||
|
||
[[constraint]] | ||
name = "github.com/aws/aws-sdk-go" | ||
version = "1.13.38" | ||
|
||
[[constraint]] | ||
name = "github.com/golang/protobuf" | ||
version = "1.0.0" | ||
|
||
[[constraint]] | ||
name = "github.com/spf13/cobra" | ||
version = "0.0.2" | ||
|
||
[[constraint]] | ||
name = "github.com/spf13/viper" | ||
version = "1.0.2" | ||
|
||
[[constraint]] | ||
branch = "master" | ||
name = "golang.org/x/net" | ||
|
||
[[constraint]] | ||
name = "google.golang.org/grpc" | ||
version = "1.11.3" |
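Review bot: the `golang.org/x/net` constraint is `branch = "master"` with no version or revision, so the only thing holding that dependency at a fixed commit is Gopkg.lock; confirm the lock file is committed with this change and that the `dep ensure` in the Dockerfile is never run with flags that refresh it, otherwise each image build picks up whatever x/net master is at that moment. The remaining `version = "..."` constraints are caret ranges in dep (`"1.13.38"` allows any 1.x >= 1.13.38), which is fine as long as the lock pins the exact revision. The commented template block at the top (from `# Gopkg.toml example` down to `# version = "2.4.0"`) is dep's generated boilerplate and can be dropped so the manifest shows only the real constraints.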
@@ -0,0 +1,46 @@ | ||
# Overview | ||
This is an *experiment* to create a [Kubernetes KMS provider](https://kubernetes.io/docs/tasks/administer-cluster/kms-provider/). The goal is to provide an implementation of the K8 KMS specification using AWS KMS. | ||
|
||
The CLI also comes with a very simple Client CLI to test the Client/Server/AWS interaction. | ||
|
||
This should *NOT* be used for production, it is just an attempt to learn several new technologies and better understand this interaction. | ||
|
||
# Installation | ||
|
||
## Local Installation | ||
|
||
**Installation:** | ||
`go get github.com/jrnt30/k8-kms-enc-provider` | ||
|
||
**Testing:** | ||
``` | ||
# server | ||
k8-kms-enc-provider server --key-id <ARN TO YOUR KEY> --region <AWS REGION OF KEY> | ||
# client encrypt | ||
k8-kms-enc-provider client encrypt --plain-text=test1234 | ||
# client decrypt | ||
k8-kms-enc-provider client decrypt --cipher-text=<OUTPUT FROM ENCRYPT> | ||
# client roundtrip | ||
k8-kms-enc-provider client encrypt --plain-text=test1234 | xargs k8-kms-enc-provider client decrypt --cipher-text | ||
``` | ||
|
||
# Cluster Installation | ||
|
||
**NOTE:** The KMS API is in Alpha in K8 1.10 and is sure to change. During the testing of this I noted several differences with the cluster I had running on 1.9, so please consult the [Official K8 KMS Documentation](https://kubernetes.io/docs/tasks/administer-cluster/kms-provider/#encrypting-your-data-with-the-kms-provider) | ||
|
||
My process was to: | ||
|
||
- Add a [KMS Encryption Configuration](examples/encryption.conf) to the master node | ||
- Create a [static Pod specification](examples/kms-server.yaml) for the KMS server, copy it to the master's static pod manifests folder | ||
- Adjust the API Server Specification: | ||
- Add the `- --experimental-encryption-provider-config=/etc/kubernetes/kms/encryption.conf` | ||
- Add an additional mount to the API server for the shared socket | ||
- Restart the API server | ||
|
||
Deployment notes: | ||
|
||
- Using the static pods was easiest to ensure the KMS sidecar was bootstrapped, however it makes debugging slightly difficult | ||
- Initially tried adding this as a sidecar to the apiserver |
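Review bot: the README still documents installation only via `go get` and says nothing about the Docker image this commit adds, which was the stated purpose of the change; add a short section with the `docker build` invocation and how the resulting image is referenced from the static pod in examples/kms-server.yaml. In the Cluster Installation steps the socket is only described as "the shared socket"; spell out the path (`/etc/kubernetes/kms/socketfile.sock`, matching the `endpoint:` in examples/encryption.conf) and state that the same host directory has to be mounted into both the API server and the KMS server pod at the same path, since a mismatch leaves the API server unable to reach the plugin and every secret write fails. The hunk header advertises 46 lines but the rendered text ends at the second deployment note, so check that the trailing lines of the file were not lost.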
@@ -0,0 +1,11 @@ | ||
kind: EncryptionConfig | ||
apiVersion: v1 | ||
resources: | ||
- resources: | ||
- secrets | ||
providers: | ||
- identity: {} | ||
- kms: | ||
name: myKmsPlugin | ||
endpoint: unix:///etc/kubernetes/kms/socketfile.sock | ||
cachesize: 100 |
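Review bot: `providers:` lists `identity: {}` before `kms:`, and the API server uses the first provider in the list for writes, so with this config secrets are still written to etcd in the clear and the kms provider is only consulted when reading objects it previously encrypted; if the intent is to encrypt secrets with AWS KMS, put `kms:` first and keep `identity: {}` last so existing plaintext secrets stay readable, then rewrite the stored secrets (for example `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`) so they are re-encrypted under the new first provider. `cachesize: 100` bounds how many data encryption keys the API server keeps decrypted in memory; acceptable for an experiment, but worth a comment in the example since it trades memory for fewer calls to the plugin.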