Commit
* use path.join to combine paths
* fix secret in helm chart - did not handle AES key correctly
* make example run
* add default AES key
* missed hello output
* added vanilla secret example
* Add readme file
* Updated diagram
* Update readme
* installation guide - first draft
* fix small bug in the CLI
* clean up
* added install guide
Showing 17 changed files with 231 additions and 66 deletions.
@@ -0,0 +1,61 @@ | ||
# Installing Kamus | ||
Kamus has an official helm chart, using it is the simplest way to install Kamus: | ||
``` | ||
helm upgrade --install incubator/kamus | ||
``` | ||
Careful - using this command will deploy Kamus with the default encryption keys. | ||
Meaning, anyone could decrypt the data that Kamus encrypt. | ||
This is fine for testing and playing with Kamus, but not for production installations. | ||
For production usage, please configuration one of the supported KMS. | ||
|
||
## AES KMS | ||
AES KMS is the simplest (but less secure) solution. | ||
Kamus will use one strong AES key to encrypt all the data. | ||
Currently, rolling this key is not supported. | ||
To deploy Kamus using AES Key: | ||
* Generate a strong AES key: | ||
``` | ||
key=$(openssl rand -base64 32 | tr -d '\n') | ||
``` | ||
* Pass the value when deploying kamus, either using `values.yaml` or directly in the helm command: | ||
``` | ||
helm upgrade --install kamus incubator/kamus --set keyManager.AES.key=$key | ||
``` | ||
|
||
## Azure KeyVault KMS | ||
Using [Azure KeyVault](https://azure.microsoft.com/en-us/services/key-vault/) as the key managment solution is a more secure solution. | ||
Azure documentation is far from perfect, so I'm going to reffer to a lot of different guides because there is no one guide documenting the required process. | ||
|
||
Start by creating a KeyVault instance. | ||
It is recommend to create a KeyVault with HSM backend for additional security. | ||
Follow this [guide](https://docs.microsoft.com/en-us/azure/key-vault/key-vault-manage-with-cli2#working-with-hardware-security-modules-hsms) for details on how to create a KeyVault using the CLI. It is recommend to protect the KeyVault with firewall, see this [guide](https://docs.microsoft.com/en-us/azure/key-vault/key-vault-network-security) for additional details. | ||
|
||
After creating a KeyVault instance, Kamus need permissions to access it. | ||
You grant Kamus permissions by creating an Azure Active Directory application for Kamus, and granting permissions for this application to access the KeyVault created in the previous step. | ||
Creating the required app is covered in 2 parts of the same guide. The [first part](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#create-an-azure-active-directory-application) will guide you through the process of creating the app. The [second part](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#get-application-id-and-authentication-key) will guide you through the process of creating the client id and client secret, that are used by Kamus for authentication. Try to create the client secret for short period, for example 6 months, and rotate it frequently. | ||
|
||
Now you should have 3 objects: KeyVault, client id and client secret. The last part is to grant the application the required permissions on the KeyVault. First we need to get the object id of the application: | ||
``` | ||
objectId=$(az ad app show --id <> --output json | jq '.objectId' -r) | ||
``` | ||
Now use the following command to grant access: | ||
``` | ||
az keyvault set-policy --name <> --object-id $objectId --key-permissions get list create encrypt decrypt | ||
``` | ||
|
||
Now it's time to deploy Kamus! Use the following settings in your `values.yaml` file: | ||
``` | ||
keyManagment: | ||
provider: AzureKeyVault | ||
azureKeyVault: | ||
clientId: <> | ||
clientSecret: <> | ||
keyVaultName: <> | ||
keyType: RSA-HSM //change to RSA if you choosed not to use premium SKU | ||
keySize: 2048 | ||
maximumDataLength: 214 | ||
``` | ||
And now deploy Kamus using the following helm command: | ||
``` | ||
helm upgrade --install kamus incubator/kamus -f <path/to/values.yaml> | ||
``` |
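Review bot: the first install command, `helm upgrade --install incubator/kamus`, is missing the release name and fails with a usage error as written; it should match the later commands, `helm upgrade --install kamus incubator/kamus`. Three more things in the same file: the AES example sets `keyManager.AES.key` while the values.yaml block uses `keyManagment:` with a different nesting, and only one of those can be the chart's real path, so check it against the chart and use the same spelling in both places; the `//change to RSA ...` remark inside the YAML block is not a YAML comment, so anyone who pastes the block gets `keyType` set to the literal string `RSA-HSM //change to RSA if you choosed not to use premium SKU` and it should use `#` instead; and the bare `<>` placeholders in the `az` commands and values.yaml should say what goes in them (`<app-id>`, `<keyvault-name>`, and so on). On the access-policy step, `az ad app show` returns the object ID of the application registration, while `az keyvault set-policy --object-id` expects the object ID of the service principal, so the policy as written can land on the wrong object; `az keyvault set-policy --name <keyvault-name> --spn <app-id> ...` (or `az ad sp show --id <app-id>`) avoids that. Finally, since values.yaml now carries `clientSecret` in plaintext the guide should warn readers not to commit that file, and given the diagram splits encrypt and decrypt into separate APIs, granting `get list create encrypt decrypt` to one principal is more than either half needs. Typos: `configuration one of` (configure), `managment`, `reffer`, `recommend` (recommended), `choosed`.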
@@ -1,28 +1,27 @@ | ||
@startuml | ||
|
||
actor User | ||
participant EncryptApi | ||
participant KMS | ||
participant DecryptApi | ||
participant Pod | ||
participant Kamus | ||
participant KubernetesApi | ||
participant KMS | ||
|
||
== Encryption == | ||
|
||
autonumber | ||
User -> Kamus: Encrypt - data, namespace, service account | ||
Kamus -> KubernetesApi: Get Service Account - namespace, service account | ||
KubernetesApi -> Kamus: Service Account details | ||
Kamus -> KMS: Encrypt - data, namespace, service account | ||
KMS -> Kamus: Enrypted data | ||
Kamus -> User: Enrypted data | ||
User -> EncryptApi: Encrypt - data, namespace, service account | ||
EncryptApi -> KMS: Encrypt - data, namespace, service account | ||
KMS -> EncryptApi: Enrypted data | ||
EncryptApi -> User: Enrypted data | ||
|
||
== Decryption == | ||
autonumber 1 | ||
Pod -> Kamus: Decrypt - data, service account token | ||
Kamus -> KubernetesApi: TokenReview - token | ||
KubernetesApi -> Kamus: service account, namespace | ||
Kamus -> KMS: Decrypt - data, service account, namespace | ||
KMS -> Kamus: Decrypted data | ||
Kamus -> Pod: Decrypted data | ||
Pod -> DecryptApi: Decrypt - data, service account token | ||
DecryptApi -> KubernetesApi: TokenReview - token | ||
KubernetesApi -> DecryptApi: service account, namespace | ||
DecryptApi -> KMS: Decrypt - data, service account, namespace | ||
KMS -> DecryptApi: Decrypted data | ||
DecryptApi -> Pod: Decrypted data | ||
|
||
@enduml |
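Review bot: the `EncryptApi` version of the encryption flow drops the `Get Service Account` round trip to `KubernetesApi` that the `Kamus` version had, so as drawn `EncryptApi` never checks that the requested namespace and service account exist; if that lookup was really removed from the code rather than just from the diagram, say so in the docs, because a typo in the service account name at encrypt time then surfaces only as a decrypt failure later, and the access decision now rests entirely on the `TokenReview` step in the decryption flow. Smaller point: `Enrypted` should be `Encrypted` on the encryption lines.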
This file was deleted.
@@ -0,0 +1,53 @@ | ||
# Kamus Example | ||
A small example app, showing the power of Kamus. | ||
Before running this demo, make sure Kamus is up and running, and the CLI is installed. | ||
|
||
## Running the demo | ||
Start by encrypting a secret using the CLI: | ||
``` | ||
kamus-cli encrypt super-secret kamus-example-sa default --kamus-url <Kamus URL> | ||
``` | ||
You might have to pass aditional arguments, based on your installation. | ||
|
||
After encrypting the secret, open `deployment-kamus\configmap.yaml`. | ||
Modify the value of `key` to the encrypted value returned from the CLI. | ||
|
||
Now, run | ||
``` | ||
kubectl apply -f deployment-kamus/ | ||
``` | ||
To deploy the example app. | ||
Check deployment status using | ||
``` | ||
kubectl get pods | ||
``` | ||
Notice the `kamus-example` pods. Wait for the pod to be in `Completed` state, and check the logs using | ||
``` | ||
kubectl logs -l app=kamus-example | ||
``` | ||
You should see the following output | ||
``` | ||
{"key":"super-secret"} | ||
``` | ||
The example using an init container to decrypt the encrypted values. Checkout the documentation for additional details. | ||
|
||
## Kubernetes Secrets | ||
To complete the example, reffer to `deployment-secret`. | ||
This example shows the alternative to Kamus - using Kubernetes native secrets. | ||
Run the demo using | ||
``` | ||
kubectl apply -f deployment-kamus/ | ||
``` | ||
Notice the `kamus-example` pods. Wait for the pod to be in `Completed` state, and check the logs using | ||
``` | ||
kubectl logs -l app=kamus-example | ||
``` | ||
You should see the following output | ||
``` | ||
{"key":"super-secret"} | ||
``` | ||
Editing the secrets: | ||
* Open `secret.yaml` | ||
* Decode the value under `config.json` using base64 decoder | ||
* Edit the JSON | ||
* Encode the JSON using base64 encoder, and put this value under `config.json` |
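Review bot: the Kubernetes Secrets section tells the reader to run `kubectl apply -f deployment-kamus/` and look at the `kamus-example` pods, which just redeploys the Kamus variant; after "reffer to `deployment-secret`" the command should be `kubectl apply -f deployment-secret/`, and the expected output should match what that directory's Secret actually contains. `deployment-kamus\configmap.yaml` also uses a backslash where every other path uses `/`. The manual base64 round trip at the end is where the comparison should make its point: base64 is an encoding, not encryption, so anyone who can read the Secret manifest (or the etcd behind it) can read the value, which is exactly the gap Kamus closes; saying that explicitly, and mentioning `stringData` as a way to write the plaintext without the encode step, would make the two demos easier to compare. Typos: `aditional`, `reffer`, `Checkout` (Check out), and "The example using" should read "The example uses".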
@@ -1,5 +1,7 @@ | ||
FROM ruby:2.5-alpine | ||
|
||
WORKDIR /example | ||
|
||
COPY . . | ||
|
||
CMD ["ruby", "hello.rb"] |
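Review bot: the image runs `hello.rb` as root because there is no `USER` instruction, and `COPY . .` pulls in everything in the build context, including any `config.json` or stray secret sitting next to the Dockerfile; for a secrets demo it is worth adding a non-root `USER`, a `.dockerignore`, and pinning `ruby:2.5-alpine` to a digest so the example builds reproducibly.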
@@ -1,4 +1,5 @@ | ||
require 'json' | ||
|
||
config_file = File.read('config.json') | ||
puts config_file | ||
config_file = File.read('/secrets/config.json') | ||
puts config_file | ||
|
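Review bot: `require 'json'` is now unused, since the script only reads `/secrets/config.json` and prints it verbatim; either drop the require or parse the file with `JSON.parse` and print the keys rather than the values, because as written the decrypted secret lands in the pod log, where anyone with `pods/log` access can read it via `kubectl logs`. That is acceptable for a demo but deserves a one-line comment saying so. The new absolute path matches the `/secrets` mountPath in the deployment manifest, so the two files have to change together.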
File renamed without changes.
@@ -0,0 +1,25 @@ | ||
apiVersion: extensions/v1beta1 | ||
kind: Deployment | ||
metadata: | ||
name: kamus-example | ||
labels: | ||
app: kamus-example | ||
spec: | ||
template: | ||
metadata: | ||
labels: | ||
app: kamus-example | ||
spec: | ||
serviceAccountName: kamus-example-sa | ||
automountServiceAccountToken: true | ||
containers: | ||
- name: app | ||
image: local/kamus:example | ||
imagePullPolicy: IfNotPresent | ||
volumeMounts: | ||
- name: secret-volume | ||
mountPath: /secrets | ||
volumes: | ||
- name: secret-volume | ||
secret: | ||
secretName: kamus-example-secret |
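Review bot: the pod sets `serviceAccountName: kamus-example-sa` and `automountServiceAccountToken: true`, but nothing in it uses the token: there is no init container calling Kamus, the only container just reads the mounted Secret. For this Secret-based variant set `automountServiceAccountToken: false` (or drop both fields) and mount `secret-volume` with `readOnly: true`, so the demo does not hand the process a credential it never needs. Two smaller points: `extensions/v1beta1` is the deprecated Deployment API, and `apps/v1` requires a `spec.selector` matching the `app: kamus-example` label; and because `hello.rb` exits after one `puts`, a Deployment will keep restarting it (`Completed`, then `CrashLoopBackOff`), so a `Job` would fit the README's "wait for `Completed`" instruction better.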
@@ -0,0 +1,7 @@ | ||
apiVersion: v1 | ||
kind: Secret | ||
metadata: | ||
name: kamus-example-secret | ||
type: Opaque | ||
data: | ||
config.json: ewogICAgImtleSI6ICJ0ZXN0Igp9 |
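Review bot: the base64 value decodes to a pretty-printed `{"key": "test"}`, while the example README promises `{"key":"super-secret"}` as the output of the Secret-based demo, so one of the two should change. Consider `stringData:` with the JSON in the clear instead of `data:` with a base64 blob: the API server encodes it for you, the file is reviewable in a PR, and the README's decode/edit/re-encode steps disappear. Either way this file is what the Kamus demo is contrasting against, since the value is readable by anyone with `get` on secrets in the namespace, and that is worth stating next to it.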