kms-operator
kms-operator copied to clipboard
kubaj
KMS operator for Kubernetes
Operator for decryption of data for Kubernetes. This allows storing encrypted credentials or sensitive data in the repository. These are decrypted on the fly when data are created in a Kubernetes.
Currently supported KMS provider is Google Cloud.
Resource for encrypted resource is similar to v1/Secret resource:
apiVersion: kubaj.kms/v1alpha1
kind: SecretKMS
metadata:
name: example-service-account
spec:
secret: example-service-account
file: credentials.json
provider:
google-cloud:
project: gcp-project # Google Cloud project
location: global # KMS Location
keyring: testring # Name of the keyring
key: test # Name of the key
data: CiQAFRg31wZQ1pHlR4bBAU8O7nrlz/QEkeKUyrLRsgD92CzIWxkSaQAJc5gIwtzhUZXW9vt1d3+oVl2i+l+tPrUMCN59zybemHro2Y6Gyzrgn0YQ2r3QDR1V+nFMcAvnsCgbInEELhJdXwH/SIRDIHCVVyQqlLr2xEmVXsZVdd3XVH2ivNFEP54XihkRBBaCCg==
After creating this resource, operator decrypts data using specified provider and creates v1/Secret with decrypted data:
apiVersion: v1
kind: Secret
metadata:
name: example-service-account
data:
credentials.json: dGhlIG1vc3Qgc2VjcmV0IHNlY3JldCBpbiB0aGUgd29ybGQgb2Ygc2VjcmV0cw==
Installation
You can use Helm to install the operator into the cluster:
$ git clone https://github.com/kubaj/kms-operator.git
$ helm install -n kms-operator --namespace kube-system ./helm/kms-operator
Cluster with RBAC disabled (not recommended):
$ git clone https://github.com/kubaj/kms-operator.git
$ helm install -n kms-operator --namespace kube-system ./helm/kms-operator
By default, Google Cloud provider is enabled, you have to create secret that contains Google Cloud service account with KMS decryption scope. To create secret from file:
$ kubectl create secret generic google-sa-kms -n kube-system --from-file=credentials.json=/path/to/service-account.json
Installation can be customized by passing custom values to Helm. List of possible options:
| Option | Default | Description |
|---|---|---|
| rbac | true | Install RBAC resources |
| googleCloud.enabled | true | Enable Google Cloud KMS provider |
| googleCloud.svcAccountSecret | "google-sa-kms" | Name of the secret with Google Cloud Service Account (To use Default Service Account, pass "") |
SecretKMS resource creation
Google Cloud
Unencrypted data are in file plaintext.txt. Encrypt using gcloud sdk:
$ gcloud kms encrypt --location global --keyring testring --key test --plaintext-file=plaintext.txt --ciphertext-file=encrypted.bin
Encode encrypted data in Base64 and put them to resource:
$ cat encrypted.bin | base64
CiQAFRg31wZQ1pHlR4bBAU8O7nrlz/QEkeKUyrLRsgD92CzIWxkSaQAJc5gIwtzhUZXW9vt1d3+oVl2i+l+tPrUMCN59zybemHro2Y6Gyzrgn0YQ2r3QDR1V+nFMcAvnsCgbInEELhJdXwH/SIRDIHCVVyQqlLr2xEmVXsZVdd3XVH2ivNFEP54XihkRBBaCCg==
Final resource will look like this:
apiVersion: kubaj.kms/v1alpha1
kind: SecretKMS
metadata:
name: example-service-account
spec:
secret: example-service-account
file: credentials.json
provider:
google-cloud:
project: gcp-project # Google Cloud project
location: global # KMS Location
keyring: testring # Name of the keyring
key: test # Name of the key
data: CiQAFRg31wZQ1pHlR4bBAU8O7nrlz/QEkeKUyrLRsgD92CzIWxkSaQAJc5gIwtzhUZXW9vt1d3+oVl2i+l+tPrUMCN59zybemHro2Y6Gyzrgn0YQ2r3QDR1V+nFMcAvnsCgbInEELhJdXwH/SIRDIHCVVyQqlLr2xEmVXsZVdd3XVH2ivNFEP54XihkRBBaCCg==
kubaj