Quick Start
Configure Kubernetes
Note
Kubernetes documentation on setting up encryption can be found here
Create an encryption configuration for the Kubernetes api server
./encryption-configuration.yaml

```yaml
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # KMS v2 envelope encryption through the vault-kms-provider socket
      - kms:
          apiVersion: v2
          name: vault-kms-provider
          endpoint: unix:///mnt/vault-kms-provider.sock
          timeout: 3s
      # identity (no encryption) last, so existing plaintext secrets can still be read
      - identity: {}
```
Point the api server to your encryption configuration
/etc/kubernetes/manifests/kube-apiserver.yaml

```yaml
# add these commands to your Kubernetes api server configuration
spec:
  containers:
    - command:
        - kube-apiserver
        # Point to your encryption file. The value is passed to the process as-is,
        # so do not wrap the path in quotes; the path must be readable from inside
        # the api server container.
        - --encryption-provider-config=/path/to/your/encryption-configuration.yaml
```

This is done differently in some flavors of Kubernetes. If yours is different, consult the documentation of your Kubernetes distro for instructions on how to point the api server to your configuration file.
Set up Vault
Note
The Vault KMS Provider will use any transit key found at the default or user-specified transit path; if no key is found, the provider will initialize one with Vault Transit's default key type (aes256-gcm96).
See the Vault documentation for creating keys.
Encryption
Enable the Transit secrets engine in Vault for encryption/decryption of data for Kubernetes.

```sh
vault secrets enable transit
```
Create a policy granting the KMS provider the permissions it needs to encrypt/decrypt data with the `vault-kms-provider` key (and nothing else).

./transit.hcl

```hcl
path "/transit/decrypt/vault-kms-provider" {
  capabilities = ["update", "create"]
}

path "/transit/encrypt/vault-kms-provider" {
  capabilities = ["update", "create"]
}

path "/transit/keys/vault-kms-provider" {
  capabilities = ["read"]
}
```
Add the policy to Vault

```sh
vault policy write vault-kms-provider transit.hcl
```
Authentication
Enable authentication via Kubernetes

```sh
vault auth enable kubernetes
```

Set the host URL to the Kubernetes API

```sh
vault write auth/kubernetes/config kubernetes_host="https://kubernetes.default.svc/"
```
Create a role for the KMS provider's service account so that it can authenticate with Vault. The role is bound to a single service account and namespace and only receives the `vault-kms-provider` policy created above.

```sh
vault write auth/kubernetes/role/vault-kms-provider \
    bound_service_account_names=vault-kms-provider \
    bound_service_account_namespaces=default \
    audience=vault \
    token_policies=vault-kms-provider \
    ttl=1h
```

With Vault configured, you should be able to deploy the vault-kms-provider to Kubernetes without error.
Install via Helm
Add the Helm repository

```sh
helm repo add vault-kms-provider https://vault-kms-provider.io
```

Install the chart

```sh
helm install vault-kms-provider
```
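Once the chart is installed and the api server has restarted, the check a defender wants is proof that Secrets really land in etcd under the KMS v2 envelope rather than in plaintext. The script below is an added example, not part of the vault-kms-provider project: it classifies a raw etcd value by the prefix the api server writes in front of every stored object (`k8s:enc:kms:v2:<provider-name>:` for a KMS v2 provider). The `etcdctl` invocation, certificate paths and sample values are assumptions.

```sh
#!/bin/sh
# Added example (not vault-kms-provider's own code). Classify how a Secret is
# stored in etcd by inspecting the encryption prefix written by kube-apiserver.
#
# Live use on a control-plane node (assumed paths):
#   ETCDCTL_API=3 etcdctl --cacert /etc/kubernetes/pki/etcd/ca.crt \
#     --cert /etc/kubernetes/pki/etcd/server.crt --key /etc/kubernetes/pki/etcd/server.key \
#     get /registry/secrets/default/my-secret --print-value-only \
#     | classify_etcd_value vault-kms-provider

# Reads a raw etcd value on stdin; prints one word and sets the exit status:
#   kms-v2    (0) encrypted by the named KMS v2 provider, the desired state
#   other     (1) encrypted, but by a different provider or provider version
#   plaintext (2) not encrypted (identity provider, or not yet rewritten)
classify_etcd_value() {
  provider="$1"
  # Only the ASCII prefix matters; stop before the ciphertext and drop NULs.
  prefix=$(head -c 64 | tr -d '\000')
  case "$prefix" in
    "k8s:enc:kms:v2:${provider}:"*) echo kms-v2;    return 0 ;;
    "k8s:enc:"*)                    echo other;     return 1 ;;
    *)                              echo plaintext; return 2 ;;
  esac
}

# Convenience wrapper for values already held in a shell variable.
classify_string() {
  printf '%s' "$1" | classify_etcd_value "$2"
}

# Constructed sample values (not real etcd contents); the real value after the
# prefix is a protobuf envelope plus ciphertext, replaced here by a placeholder.
SAMPLE_KMS='k8s:enc:kms:v2:vault-kms-provider:<ciphertext-bytes>'
SAMPLE_AESCBC='k8s:enc:aescbc:v1:key1:<ciphertext-bytes>'
SAMPLE_PLAIN='k8s'   # unencrypted protobuf objects begin with the magic "k8s\0"

for v in "$SAMPLE_KMS" "$SAMPLE_AESCBC" "$SAMPLE_PLAIN"; do
  printf '%-45s -> %s\n' "${v%%:<*}" "$(classify_string "$v" vault-kms-provider)"
done
```

Secrets created before the encryption configuration was enabled stay in plaintext until they are rewritten, for example with `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`, so a `plaintext` result on an old Secret is expected until that rewrite has run.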