Vaultproviderspec (#1) #888
Conversation
kksriram
commented
Aug 9, 2017
kksriram
commented
- Initial version of Vault KMS Provider
- Renamed image file to be consistent with spec name
- Brought spec inline with EnvelopeTransformer interfaces in PR 49350
- Wrap at 80
|
Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please follow instructions at https://github.com/kubernetes/kubernetes/wiki/CLA-FAQ to sign the CLA. It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
k8s-ci-robot
added
the
cncf-cla: no
|
check CLA again |
k8s-ci-robot
added
cncf-cla: yes
|
Proposal for Issue kubernetes/kubernetes#49817 |
|
I'm very interested in having a second example of a KMS provider. @kubernetes/sig-api-machinery-feature-requests @kubernetes/sig-auth-feature-requests |
k8s-ci-robot
added
sig/api-machinery
|
This is the same content that was socialized via the google doc at sig-auth 7/27, with a few updates to bring it inline with @sakshamsharma 's changes. |
| - secrets | ||
| providers: | ||
| - kms: | ||
| name: vault |
There was a problem hiding this comment.
Indent the properties of KMS (name, cache size, config file) one more level.
| #### Authentication Configuration | ||
| ##### Vault Server Authentication | ||
|
|
||
| For the Kubernetes cluster to authenticate the vault server, if TLS is enabled : |
There was a problem hiding this comment.
"if TLS is enabled" why optional? let's mandate it!
There was a problem hiding this comment.
Makes sense. Fixed.
| 1. ``role-id`` : RoleID of the AppRole | ||
| 2. ``secret-id`` : secret Id only if associated with the appRole. | ||
|
|
||
| Here's a sample configuration file with Vault AppRole |
There was a problem hiding this comment.
This sample configuration did not render well when i clicked on "view"
| ### Pseudocode | ||
| #### Prefix Metadata | ||
| Every encrypted secret will have the following metadata prefixed. | ||
| ``k8s:enc:kms:<api-version>:vault:len(<KEK-key-name>:<KEK-key-version>:<DEK |
There was a problem hiding this comment.
Should all this just be json or yaml?
| performance impact. Hence, depending on the cache size, there will be a | ||
| performance impact. | ||
| 3. Response time. | ||
| 4. will depend on choice of encryption algorithm and strength. |
There was a problem hiding this comment.
Still not fixed. If you look at the file preview, the bullet points are inline and not nested as you wanted.
There was a problem hiding this comment.
I see it. Thanks. Will fix it on the next go around with other comments.
| to implement specific providers for each (in K8S). | ||
| * Reduced risk of encryption key compromise. | ||
| * encryption key is stored and managed in Vault. | ||
| * encryption key does not need to leave the Vault. |
k8s-github-robot
added
the
size/L
|
@destijl You had a question at sig-auth today whether supporting additional Vault Auth Backends will need code changes. Right now, of the supported Auth Backends, typically its just the three in the current spec that would be used by system processes. The rest would typically be used by humans (which I think doesn't matter in this particular case). At first glance, I don't see how we can get away with not changing code when adding other auth backends. Talking over with @vineet-garg we will need code changes if supporting new auth back-ends beyond what's in the proposal. I would prefer to focus on a small set of auth backends (the ones in the proposal) and get those in first. Based on interest in the community, we can consider supporting others. |
| key(s) locally in a server configuration file. The provider encrypts and | ||
| decrypts secrets in-process. Building upon these, a KMS provider framework with | ||
| an option to support different KMS providers like google cloud KMS is being | ||
| added via PRs [48574](https://github.com/kubernetes/kubernetes/pull/48575) and |
There was a problem hiding this comment.
48574
Shouldn't it be kubernetes/kubernetes#48522 ?
There was a problem hiding this comment.
the proposal refers to pull request#(48574), what you posted is corresponding issue#(48522).
| role-id: db02de05-fa39-4855-059b-67221c5c2f63 | ||
| ``` | ||
|
|
||
| ## Key Generation and rotation |
There was a problem hiding this comment.
How is DEK generated?
There was a problem hiding this comment.
That is in envelope.generateKey which is part of existing envelope transformer.
There was a problem hiding this comment.
Worth adding that note to the proposal?
|
This comment on the Google KMS review will affect your implementation. Basically, the expected direction is to implement these integrations out of the Kubernetes repo. The mechanism to accomplish that does not exist yet. |
|
I still think gaining experience with a small number of encryption providers in-tree is valuable in designing an out of process plugin mechanism. |
|
@jcbsmpsn @liggitt I haven't caught up on the in-tree v out-of-process discussion over on @sakshamsharma PR 48574. FWIW, my colleague @vineet-garg has an implementation for this spec, that should be coming upstream later this week. We could use that to review what the impact is with a second provider. More after I catch up on the discussion on 48574. |
@destijl the response #888 (comment) looked pretty reasonable as a starting point. Do you have further questions? |
|
I meant to update earlier but slipped my mind. I did catch up on the in-tree vs out-of-tree discussion and the proposal . I agree with @liggitt earlier comment that gaining experience with a second encryption provider in-tree would help guide the design of the proposal for out-of-tree. As such, my preference would be to get the Vault code merged after review, as an in-tree provider and then refactor based on what we learn with the out-of-tree proposal. |
|
This lgtm. I'm going to see where we'll put it in API machinery, but the KMS plugin structure is unopinionated about whether it is or isn't a cloud provider, so that won't cause any trouble. |
|
What new (compile-time) dependencies would be required? This is not really a sustainable way of developing addons/plugins. I would much rather have a process boundary here. I am slightly persuaded by the argument that we should have two concrete uses before generalizing, but only slightly. I would definitely want an agreement that we would force the next person to want to add one of these to build a cross-process API. We can talk about it at tomorrow's sig meeting. |
Assuming this one goes well and doesn't expose fundamental concerns, I'm ok with that. Though I may be inclined to force the existing impls out of tree a release or two later to maintain equal footing. |
| The KEK is generated in Vault and rotated using direct API call or CLI to Vault | ||
| itself. The Key never leaves the vault. | ||
|
|
||
| Note that when a key is rotated, Vault does not allow to choose a different |
There was a problem hiding this comment.
s/Vault does not allow to choose/Vault does not allow choosing/g
| 2. ``key-names`` list of names of the keys in Vault to be used. eg: key-name: | ||
| kube-secret-enc-key. | ||
|
|
||
| Note : key name does not need to be changed if key is rotated in Vault, the |
There was a problem hiding this comment.
s/if key is/if the key is/
| minimum: | ||
|
|
||
| 1. ``addr`` Vault service base endpoint eg. https://example.com:8200 | ||
| 2. ``key-names`` list of names of the keys in Vault to be used. eg: key-name: |
There was a problem hiding this comment.
Do you need an API version field for the config here to inform the <api-version> of the metadata listed above?
There was a problem hiding this comment.
Probably do. Missed that. Thanks for catching it.
There was a problem hiding this comment.
It is the existing EnvelopeTransformer that is reading the property from configuration file and adding it to metadata, Not the vaultEnvelopeService as mentioned in above : "Of the above metadata..."
|
@lavalamp Compile time dependencies: |
* Initial version of Vault KMS Provider * Renamed image file to be consistent with spec name * Brought spec inline with EnvelopeTransformer interfaces in PR 49350 * Wrap at 80
kksriram
force-pushed
the
for/upstream/master/vault_provider_spec
branch
from
2841b7b to
526cd08
Compare
|
/lgtm Discussed in sig-auth and sig-apimachinery. This will be the second impl. |
k8s-ci-robot
added
the
lgtm
|
Automatic merge from submit-queue. |
12 participants
