Quick Start

Configure Kubernetes

Note

Kubernetes documentation on setting up encryption can be found here

Create an encryption configuration for the Kubernetes api server

./encryption-configuration.yaml

apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - kms:
          apiVersion: v2
          name: vault-kms-provider
          endpoint: unix:///mnt/vault-kms-provider.sock
          timeout: 3s
      - identity: {}

Point the api server to your encryption configuration

/etc/kubernetes/manifests/kube-apiserver.yaml

# add these commands to your Kubernetes api server configuration
spec:
  containers:
    - command:
        - kube-apiserver
        # Point to your encryption file
        - --encryption-provider-config="/path/to/your/encryption-configuration.yaml"

This is done in differently in some flavors of kubernetes, if yours is different, consult the documentation of your Kubernetes distro for instructions on how to point Kubernetes to your configuration file.

Set up Vault

Note

The Vault KMS Provider will use any transit key found at the default or user specified transit path, if no key is found the provider will initialize one with Vault transits default key type (aes256-gcm96).

See Vault documentation for creating keys.

Encryption

Enable the transit gateway in Vault for encryption/decryption of data for Kubernetes.

vault secrets enable transit

Create a policy granting the permissions to the KMS provider to encrypt/decrypt data.

./transit.hcl

path "/transit/decrypt/vault-kms-provider" {
  capabilities = ["update", "create"]
}
path "/transit/encrypt/vault-kms-provider" {
  capabilities = ["update", "create"]
}
path "/transit/keys/vault-kms-provider" {
  capabilities = ["read"]
}

Add the policy to vault

vault policy write vault-kms-provider transit.hcl

Authentication

Enable authentication via kubernetes

vault auth enable kubernetes

Set the host URL to the kubernetes API

vault write auth/kubernetes/config kubernetes_host="https://kubernetes.default.svc/"

Create a role for the KMS provider's service account so that it can authenticate with vault.

vault write auth/kubernetes/role/vault-kms-provider \
    bound_service_account_names=vault-kms-provider \
    bound_service_account_namespaces=default \
    audience=vault \
    token_policies=vault-kms-provider \
    ttl=1h

With vault configured you should be able to deploy the vault-kms-provider to kubernetes without error.

Install via Helm

Add the helm repository

helm repo add vault-kms-provider https://vault-kms-provider.io 

Install the chart

helm install vault-kms-provider