
Enable on Kubernetes

Enable the KMS Provider Plugin

Create the KMS provider plugin file

trousseau-vault-encryptionconfiguration.yml
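---
kind: EncryptionConfiguration
apiVersion: apiserver.config.k8s.io/v1
resources:
  - resources:
      - secrets
    providers:
      # Provider order matters: the first provider encrypts new writes, the
      # remaining ones are only tried when decrypting. Keep kms first.
      - kms:
          name: trousseau-vault-plugin
          # Unix socket exposed by the Trousseau DaemonSet through a hostPath
          # on every control-plane node; kube-apiserver must be able to open it.
          endpoint: unix:///opt/trousseau-kms/vaultkms.socket
          # Number of data-encryption keys kept in the kube-apiserver cache.
          cachesize: 1000
      # identity is a no-op provider. Listing it last keeps Secrets that were
      # written before encryption was enabled readable. Re-encrypt them after
      # the API server restarts (kubectl get secrets -A -o json | kubectl
      # replace -f -) and drop this entry once no plaintext Secret remains.
      - identity: {}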

Vanilla Kubernetes

Set the --encryption-provider-config flag of the kube-apiserver to the path of the configuration file. The file must exist on every control-plane node; if the kube-apiserver runs as a static pod (for example with kubeadm), the file also has to be mounted into that pod.

Apply Trousseau's DaemonSet

kubectl apply -f trousseau-vault-daemonset.yml
trousseau-vault-daemonset.yml
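---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: trousseau-kms-provider
  namespace: kube-system
  labels:
    tier: control-plane
    app: trousseau-kms-provider
spec:
  selector:
    matchLabels:
      name: trousseau-kms-provider
  template:
    metadata:
      labels:
        name: trousseau-kms-provider
    spec:
      serviceAccountName: trousseau-vault-auth
      priorityClassName: system-cluster-critical
      # NOTE(review): the plugin listens on a unix socket, so hostNetwork is
      # probably only needed for the health port (8787) - confirm and drop if
      # it is not required.
      hostNetwork: true
      initContainers:
        # Vault Agent authenticates to Vault and writes the Trousseau config
        # into the shared emptyDir consumed by the main container.
        - name: vault-agent
          image: vault                          # (1) pin to a specific tag or digest; a floating tag is a supply-chain risk
          securityContext:
            # NOTE(review): privileged is almost certainly more than the agent
            # needs (at most IPC_LOCK for mlock); confirm and reduce.
            privileged: true
          args:
            - agent
            - -config=/etc/vault/vault-agent-config.hcl
            # debug logging can expose tokens/rendered secrets in pod logs;
            # raise it only while troubleshooting.
            - -log-level=info
          env:
            - name: VAULT_ADDR
              value: http://FQDN:8200           # (2) use https:// - over http the Vault token and the DEKs travel in clear text
          volumeMounts:
            - name: config
              mountPath: /etc/vault
            - name: shared-data
              mountPath: /etc/secrets
      containers:
        - name: trousseau-kms-provider
          image: ghcr.io/ondat/trousseau:v1.1.3 # (3) prefer pinning by digest as well
          imagePullPolicy: Always
          env:
            #- name: VAULT_NAMESPACE            # (4) Vault Enterprise namespaces only
            #  value: admin
            # (5) disables TLS certificate verification against Vault and makes
            # the connection trivially MITM-able. Use only in a lab; in
            # production remove it and trust the Vault CA instead:
            #- name: VAULT_CACERT
            #  value: /path/to/vault-ca.pem
            - name: VAULT_SKIP_VERIFY
              value: "true"
          args:
            - --config-file-path=/opt/trousseau/config.yaml
            # [REQUIRED] must match the kms endpoint in the EncryptionConfiguration
            - --listen-addr=unix:///opt/trousseau-kms/vaultkms.socket
            - --zap-encoder=json
            # log verbosity (the original listed both -v=5 and --v=3; last one wins)
            - --v=3
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
              - ALL
            readOnlyRootFilesystem: true
            # root is needed to create the socket in the root-owned hostPath
            # directory that kube-apiserver reads from.
            runAsUser: 0
          ports:
            - containerPort: 8787
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /healthz
              port: 8787
            failureThreshold: 3
            periodSeconds: 10
          resources:
            requests:
              cpu: 50m
              memory: 64Mi
            limits:
              cpu: 300m
              memory: 256Mi
          volumeMounts:
            # must reference the volume declared below (was "vault-kms",
            # which does not exist and makes the DaemonSet fail validation)
            - name: trousseau-kms
              mountPath: /opt/trousseau-kms
            - name: shared-data
              mountPath: /opt/trousseau/
      volumes:
        - name: trousseau-kms
          hostPath:
            path: /opt/trousseau-kms
            # create the socket directory on first run instead of failing
            type: DirectoryOrCreate
        - configMap:
            items:
              - key: vault-agent-config.hcl
                path: vault-agent-config.hcl
            name: trousseau-vault-agent-config
          name: config
        # shared between the init container (writer) and the plugin (reader);
        # lives only as long as the pod.
        - emptyDir: {}
          name: shared-data
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: node-role.kubernetes.io/control-plane
                    operator: Exists
      tolerations:
        - key: node-role.kubernetes.io/control-plane
          operator: Exists
          effect: NoSchedule
        - key: node-role.kubernetes.io/etcd
          operator: Exists
          effect: NoExecute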

Verify Trousseau's deployment status

kubectl get pod -n kube-system

Restart your API server only if Trousseau has been up and running for at least 60 seconds without any restart: once the encryption configuration references the KMS socket, the kube-apiserver will not start if the plugin is unreachable.