feat(k8s): add Kubernetes KMS plugin and operator#999
Open
p0wline wants to merge 6 commits into
c5e3675 to 2317356
Contributor (Author): @copilot resolve the merge conflicts in this pull request
Contributor: Done — merged
10eef1b to dc6f4ba
Pull request overview
Adds a new Kubernetes KMS v2 provider plugin binary (cosmian-kms-plugin) to let kube-apiserver delegate Encrypt/Decrypt operations to Cosmian KMS (via KMIP), along with documentation, test vectors, and Nix vendor-hash updates.
Changes:
- Introduces cosmian_kms_k8s_plugin crate (gRPC service, YAML config, build-time proto generation).
- Adds integration docs + MkDocs navigation entry for the Kubernetes plugin.
- Adds a KMS test vector runner entry for the plugin flow and updates Nix expected vendor hashes / Cargo.lock.
Reviewed changes
Copilot reviewed 18 out of 19 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| nix/expected-hashes/ui.vendor.non-fips.sha256 | Updates UI vendor hash for Nix builds. |
| nix/expected-hashes/ui.vendor.fips.sha256 | Updates UI vendor hash for Nix builds. |
| nix/expected-hashes/server.vendor.static.sha256 | Updates server vendor hash for Nix builds. |
| nix/expected-hashes/cli.vendor.linux.sha256 | Updates CLI vendor hash for Nix builds. |
| documentation/mkdocs.yml | Adds the Kubernetes plugin page to site navigation. |
| documentation/docs/integrations/kubernetes_kms_plugin.md | New integration documentation for the Kubernetes KMS v2 plugin. |
| crate/test_kms_server/src/vector_runner.rs | Registers a new test vector for the plugin wrap/unwrap flow. |
| crate/clients/k8s_plugin/src/service.rs | Implements the KMS v2 gRPC service delegating to KmsClient KMIP Encrypt/Decrypt. |
| crate/clients/k8s_plugin/src/main.rs | Adds CLI entrypoint: loads config, binds Unix socket, serves tonic gRPC. |
| crate/clients/k8s_plugin/src/kmsv2.proto | Adds the Kubernetes KMS v2 proto definition (Apache 2.0 source). |
| crate/clients/k8s_plugin/src/integration_tests.rs | New end-to-end test: spins up test KMS + plugin and checks Status/Encrypt/Decrypt. |
| crate/clients/k8s_plugin/src/error.rs | Introduces plugin error type and maps it to tonic::Status. |
| crate/clients/k8s_plugin/src/config.rs | Adds YAML config schema + loader for the plugin. |
| crate/clients/k8s_plugin/Cargo.toml | New crate manifest (deps: tonic/prost/protox, serde_yaml, etc.). |
| crate/clients/k8s_plugin/build.rs | Generates tonic bindings from the proto at build time (protox-based). |
| Cargo.toml | Adds the new crate to the workspace members list. |
| Cargo.lock | Locks new dependencies pulled in by the plugin (tonic-build/protox/etc.). |
2bbd24f to 10119df
- Add cosmian_kms_k8s_plugin: gRPC KMS Provider Plugin v2 for kube-apiserver (etcd encryption at rest via Cosmian KMS)
- Add cosmian_kms_k8s_operator: KMSSecret CRD controller + mutating admission webhook (inject KMS secrets into pods as volumes)
- Move all module logic to lib.rs targets so tests run under cargo test --lib
- Bump cosmian_logger to 0.8.0; replace cosmian_logger with tracing in WASM-compiled crates (cosmian_kmip, cosmian_kms_client_utils) to avoid mio/tokio-net transitive dependency breaking WASM builds
- Extract generic restart_resource helper (operator); use chrono for RFC 3339
- Add Kubernetes KMS plugin documentation and mkdocs nav entry
- Fix Nix vendor hashes and CI scripts for k8s crates
f8543b9 to c89a0cf
UnixListener/UnixListenerStream/UnixStream are not available on Windows. The integration_tests module was compiled as part of the lib test target on all platforms, causing compile errors on Windows CI. Gate it with #[cfg(all(test, unix))] so cargo test --lib --workspace passes on Windows.
…entry tests
- k8s_plugin/main.rs: read ca_cert file to string before passing to HttpClientConfig.verified_cert (which expects inline PEM, not a path)
- k8s_operator/config.rs: make kms_client_config() fallible (Result<KmsClientConfig, OperatorError>) and read tls_ca_cert file to string for the same reason; update call site in lib.rs with '?'
- k8s_operator/lib.rs: add 7 unit tests for parse_uid_entry covering acceptance of a simple filename and rejection of path traversal, absolute paths, subdirectories, empty uid, and missing filename
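The commit above lists the cases a parse_uid_entry validator must handle but not how such a check is built. The following is an added example written for this page, not the operator's own parse_uid_entry; it assumes an entry is written as `uid:filename` (the real format may differ) and shows why accepting anything other than a single plain path component lets a filename escape the secrets directory.

```rust
use std::fmt;
use std::path::{Component, Path, PathBuf};

/// One KMSSecret entry: which KMS object to fetch and the file name it is
/// written to inside the injected secrets volume. (Illustrative type, not the
/// operator's own.)
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct UidEntry {
    pub uid: String,
    pub filename: String,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum EntryError {
    EmptyUid,
    MissingFilename,
    /// The filename is not a single, plain path component.
    NotAPlainFilename(String),
}

impl fmt::Display for EntryError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            EntryError::EmptyUid => write!(f, "uid is empty"),
            EntryError::MissingFilename => write!(f, "filename is missing"),
            EntryError::NotAPlainFilename(n) => write!(f, "{n:?} is not a plain filename"),
        }
    }
}

impl std::error::Error for EntryError {}

/// Parse an entry written as `uid:filename` (assumed format, not necessarily
/// the project's). Only the first ':' separates the fields, so a ':' inside
/// the filename is tolerated.
pub fn parse_uid_entry(entry: &str) -> Result<UidEntry, EntryError> {
    let (uid, filename) = entry.split_once(':').ok_or(EntryError::MissingFilename)?;
    let uid = uid.trim();
    if uid.is_empty() {
        return Err(EntryError::EmptyUid);
    }
    if filename.is_empty() {
        return Err(EntryError::MissingFilename);
    }
    validate_plain_filename(filename)?;
    Ok(UidEntry { uid: uid.to_string(), filename: filename.to_string() })
}

/// Accept exactly one `Component::Normal` and nothing else. This rejects
/// absolute paths ("/etc/shadow" starts with RootDir), parent references
/// ("../x" starts with ParentDir), "." and "..", subdirectories ("a/b" is two
/// components). The explicit '/' check also catches a trailing "/", which
/// `Path::components` would silently drop; '\\' and control characters
/// (including NUL) are rejected for good measure.
fn validate_plain_filename(name: &str) -> Result<(), EntryError> {
    let reject = || EntryError::NotAPlainFilename(name.to_string());
    if name.contains('/') || name.contains('\\') || name.chars().any(char::is_control) {
        return Err(reject());
    }
    let mut components = Path::new(name).components();
    match (components.next(), components.next()) {
        (Some(Component::Normal(_)), None) => Ok(()),
        _ => Err(reject()),
    }
}

/// Where the secret is written. With a validated entry the result stays under
/// `secrets_dir`; without validation `Path::join` would return "/etc/shadow"
/// unchanged for an absolute filename.
pub fn secret_path(secrets_dir: &Path, entry: &UidEntry) -> PathBuf {
    secrets_dir.join(&entry.filename)
}

fn main() {
    // Constructed sample entries, not taken from the project.
    let samples = ["4f2c-db-creds:db-password", "4f2c:../../etc/shadow", "4f2c:/etc/shadow", ":x", "4f2c"];
    for e in samples {
        match parse_uid_entry(e) {
            Ok(ok) => println!("{e:?} -> {}", secret_path(Path::new("/kms-secrets"), &ok).display()),
            Err(err) => println!("{e:?} -> rejected: {err}"),
        }
    }
}
```

The component-based check is preferable to a blocklist of ".." substrings: it is driven by the same path semantics the operating system applies when the file is later created, so a name that parses as one normal component cannot be joined into anything outside the secrets directory.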
…tils, pkcs11
Undo the cosmian_logger->tracing migration in all crates except the workspace
version bump (Cargo.toml: cosmian_logger = '0.8.0' stays).
Reverted files:
- crate/kmip/src/** (restore cosmian_logger::{trace,warn,...} macros)
- crate/kmip/Cargo.toml (restore original dep declaration)
- crate/clients/client_utils/ (restore cosmian_logger dep + macro usage)
- crate/clients/pkcs11/provider/src/lib.rs (restore original import path)
- Cargo.lock updated accordingly
Note: crate/server/Cargo.toml keeps features=[] since 'full' is gone in 0.8.0
cosmian_logger 0.8.0 exports 'error' as a module, which conflicts with the 'mod error' declaration in the same file (E0255). Import the macro from cosmian_logger::reexport::tracing instead.
- webhook: inject KMS API token via valueFrom.secretKeyRef (not literal value). New config field api_token_secret_ref: Option<SecretKeyRef> in KmsConfig; build_patches emits valueFrom.secretKeyRef instead of a plaintext value.
- webhook: add 8 unit tests for build_patches covering: no/existing volumes, no/existing initContainers, multi-container volumeMounts, token secretKeyRef, no-token path, custom secrets dir.
- operator/Cargo.toml: use ring crypto backend for rcgen (drop aws-lc default).
- k8s_plugin/main.rs: set parent socket directory to 0700 before bind to close TOCTOU window between UnixListener::bind and subsequent 0o600 chmod.
Scope
This PR introduces two new crates under crate/clients/:
1. k8s_plugin — Kubernetes KMS Provider Plugin (v2)
A Unix-domain gRPC server implementing the Kubernetes KMS v2 provider API. kube-apiserver calls it to encrypt/decrypt Data Encryption Keys (DEKs) stored in etcd. The plugin delegates all crypto to the Cosmian KMS server.
Key files: src/main.rs, src/service.rs, src/config.rs, proto/v2.proto
2. k8s_operator — Kubernetes Operator (CRD controller + mutating admission webhook)
A full Kubernetes operator that:
- KMSSecret CRD — declarative KMS-backed secrets with auto-refresh
This component is security-sensitive: it mutates Pod specs, injects init-containers, and manages long-lived KMS credentials on behalf of workloads.
Key files: src/webhook.rs, src/controller.rs, src/crd.rs, src/config.rs
Security notes
- KMS API token is injected via valueFrom.secretKeyRef (not as a literal value)
- Socket parent directory is set to 0700 before bind to eliminate the TOCTOU window
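The socket-directory note in the security notes above, and the k8s_plugin/main.rs commit that introduced it, describe the fix but not the ordering constraint that makes it work. The following is an added example written for this page, not the plugin's own main.rs; it uses only the Rust standard library and assumes a Linux host where the plugin process owns the socket's parent directory. It tightens the parent directory to 0700 before UnixListener::bind, refuses a symlinked or non-directory parent, and only then binds and chmods the socket file.

```rust
use std::fs;
use std::io;
use std::os::unix::fs::{DirBuilderExt, PermissionsExt};
use std::os::unix::net::UnixListener;
use std::path::Path;

/// Bind a Unix-domain socket that only the plugin's own user can reach.
///
/// Order matters. Between UnixListener::bind() and a later chmod(0o600) the
/// socket file exists with umask-derived permissions (typically 0775), so any
/// local user who can traverse the parent directory could connect in that
/// window. Tightening the parent directory to 0700 *before* bind() closes the
/// window: nobody else can resolve the socket path at all.
pub fn bind_private_socket(sock: &Path) -> io::Result<UnixListener> {
    let dir = sock.parent().ok_or_else(|| {
        io::Error::new(io::ErrorKind::InvalidInput, "socket path has no parent directory")
    })?;

    match fs::symlink_metadata(dir) {
        // Never chmod through a symlink: a planted link would make us tighten
        // (and later bind into) a directory of someone else's choosing.
        Ok(m) if m.file_type().is_symlink() => {
            return Err(io::Error::new(io::ErrorKind::Other, "socket parent is a symlink"));
        }
        Ok(m) if !m.is_dir() => {
            return Err(io::Error::new(io::ErrorKind::Other, "socket parent is not a directory"));
        }
        Ok(_) => {}
        // Fresh directory: request 0700 at creation. umask still applies to
        // mkdir, so the explicit set_permissions below is not redundant.
        Err(e) if e.kind() == io::ErrorKind::NotFound => {
            fs::DirBuilder::new().recursive(true).mode(0o700).create(dir)?;
        }
        Err(e) => return Err(e),
    }
    fs::set_permissions(dir, fs::Permissions::from_mode(0o700))?;

    // Remove a stale socket left by a previous run; bind() would otherwise
    // fail with EADDRINUSE. The directory is now 0700, so only we can reach it.
    match fs::remove_file(sock) {
        Ok(()) => {}
        Err(e) if e.kind() == io::ErrorKind::NotFound => {}
        Err(e) => return Err(e),
    }

    let listener = UnixListener::bind(sock)?;
    // The directory already protects the socket; 0600 on the file itself is
    // defense in depth.
    fs::set_permissions(sock, fs::Permissions::from_mode(0o600))?;
    Ok(listener)
}

/// Lower nine permission bits of a path, for post-bind checks.
pub fn mode_bits(path: &Path) -> io::Result<u32> {
    Ok(fs::metadata(path)?.permissions().mode() & 0o777)
}

fn main() -> io::Result<()> {
    // Constructed demo path; a deployment would use the socket path named in
    // the apiserver's encryption configuration instead.
    let sock = std::env::temp_dir()
        .join(format!("cosmian-kms-plugin-demo-{}", std::process::id()))
        .join("kms.sock");
    let _listener = bind_private_socket(&sock)?;
    println!(
        "dir mode {:o}, socket mode {:o}",
        mode_bits(sock.parent().unwrap())?,
        mode_bits(&sock)?
    );
    Ok(())
}
```

Two checks worth keeping in a real deployment: verify the directory mode after bind rather than trusting the mkdir mode (umask can widen it), and refuse to proceed when the parent is a symlink, since chmod and bind both follow symlinks and would otherwise act on whatever the link points at.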