Support a Vault based KMS provider for envelope encryption of resources in a cluster #49817
Resources (not just secrets) in a Kubernetes cluster can be encrypted using an envelope encryption scheme with the DEK being encrypted with a KEK that is managed in Vault.
Add support for using Hashicorp Vault as a KMS provider to manage KEKs.
Would address several concerns discussed in the issues referenced:
Alpha release target 1.8?
Relies on support added via PRs
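The envelope scheme the issue describes, as an added example that is not code from Kubernetes, Vault, or the issue author: a fresh data-encryption key (DEK) is generated per resource, the resource is encrypted with it under AES-GCM, and the DEK is then wrapped by a key-encryption key (KEK) that only the KMS provider holds. The `inMemoryKEK` type is a constructed stand-in for a Vault-backed provider (assumption: a real provider would call Vault's wrap/unwrap API instead of holding the KEK in process); the `Envelope` struct, the function names, and the sample resource JSON are likewise assumptions made for this example. What gets persisted is the ciphertext plus the wrapped DEK, never the KEK or a plaintext DEK, so a copy of the stored data is useless without access to the provider, and a different provider (a different KEK) cannot unwrap it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KEKProvider models the KMS (Vault in the issue's proposal) that holds the
// key-encryption key. The KEK never leaves the provider; callers only get
// wrap/unwrap operations on DEKs.
type KEKProvider interface {
	Wrap(dek []byte) ([]byte, error)
	Unwrap(wrapped []byte) ([]byte, error)
}

// inMemoryKEK is a constructed stand-in for a Vault-backed provider so the
// example runs offline. Assumption: a real provider would call Vault here.
type inMemoryKEK struct {
	aead cipher.AEAD
}

func newInMemoryKEK() (*inMemoryKEK, error) {
	kek := make([]byte, 32) // AES-256 KEK, generated once per provider
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	aead, err := gcmFor(kek)
	if err != nil {
		return nil, err
	}
	return &inMemoryKEK{aead: aead}, nil
}

func (k *inMemoryKEK) Wrap(dek []byte) ([]byte, error)       { return seal(k.aead, dek) }
func (k *inMemoryKEK) Unwrap(wrapped []byte) ([]byte, error) { return open(k.aead, wrapped) }

// gcmFor builds an AES-GCM AEAD for a 16/24/32-byte key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with a fresh random nonce and returns nonce||ciphertext||tag.
func seal(aead cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// open splits off the nonce and authenticates+decrypts; any tampering fails here.
func open(aead cipher.AEAD, blob []byte) ([]byte, error) {
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], nil)
}

// Envelope is what would be persisted (e.g. in etcd): the resource encrypted
// under its DEK, plus that DEK encrypted under the provider's KEK.
type Envelope struct {
	WrappedDEK []byte
	Ciphertext []byte
}

// Encrypt performs envelope encryption: per-resource DEK, AES-GCM over the
// resource, then the DEK is wrapped by the KMS provider and the plaintext DEK
// is discarded.
func Encrypt(kms KEKProvider, resource []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	aead, err := gcmFor(dek)
	if err != nil {
		return nil, err
	}
	ct, err := seal(aead, resource)
	if err != nil {
		return nil, err
	}
	wrapped, err := kms.Wrap(dek)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt reverses Encrypt: unwrap the DEK via the provider, then open the resource.
func Decrypt(kms KEKProvider, env *Envelope) ([]byte, error) {
	dek, err := kms.Unwrap(env.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	aead, err := gcmFor(dek)
	if err != nil {
		return nil, err
	}
	return open(aead, env.Ciphertext)
}

func main() {
	kms, _ := newInMemoryKEK()
	resource := []byte(`{"kind":"Secret","data":{"password":"c29tZXRoaW5n"}}`) // constructed sample
	env, _ := Encrypt(kms, resource)
	got, err := Decrypt(kms, env)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(got, resource))
	other, _ := newInMemoryKEK() // a different KEK cannot unwrap the stored DEK
	_, err = Decrypt(other, env)
	fmt.Println("wrong KEK rejected:", err != nil)
}
```

Rotating the KEK in this design means re-wrapping each stored DEK with the new KEK, not re-encrypting every resource; the per-resource DEK also limits how much data any single key protects.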
This was referenced on Aug 30, 2017.
This issue was referenced on Sep 1, 2017.
We spoke in sig-auth and sig-apimachinery. We'll be adding this as another example of building a KMS plugin to gain more experience with the API. After we have those two examples, we'll be more competent to shape an external API that is likely to work.
Oct 6, 2017
[MILESTONENOTIFIER] Milestone Issue Current
@mfilotto Not sure. The approach proposed for this issue assumed an in-tree provider. The agreement at sig-auth and sig-api-machinery at the end of 1.9 was to have all future KMS providers be out-of-tree. We're working on implementing that for 1.10 via #51965 and the corresponding implementation in #55684. With that direction, we are discussing a couple of ways forward for this issue.
Will keep this updated as we discuss and decide. I'll update next week if this will not make 1.10.