{"id":18238191,"url":"https://github.com/infisical/k8-kms-plugin","last_synced_at":"2025-04-04T06:32:43.774Z","repository":{"id":260472128,"uuid":"880163717","full_name":"Infisical/k8-kms-plugin","owner":"Infisical","description":"Infisical KMS plugin for Kubernetes","archived":false,"fork":false,"pushed_at":"2024-10-31T14:11:06.000Z","size":55,"stargazers_count":7,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-03-28T18:58:15.697Z","etag":null,"topics":["encryption","kubernetes","security"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Infisical.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-10-29T08:32:37.000Z","updated_at":"2025-02-20T16:31:22.000Z","dependencies_parsed_at":"2024-10-31T14:48:37.110Z","dependency_job_id":null,"html_url":"https://github.com/Infisical/k8-kms-plugin","commit_stats":null,"previous_names":["infisical/k8-kms-plugin"],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Infisical%2Fk8-kms-plugin","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Infisical%2Fk8-kms-plugin/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Infisical%2Fk8-kms-plugin/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Infisical%2Fk8-kms-plugin/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Infisical","do
wnload_url":"https://codeload.github.com/Infisical/k8-kms-plugin/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247134992,"owners_count":20889412,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["encryption","kubernetes","security"],"created_at":"2024-11-05T03:04:18.971Z","updated_at":"2025-04-04T06:32:38.762Z","avatar_url":"https://github.com/Infisical.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# KMS Plugin for Infisical\n\nEnables [encryption at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/#providers) of your Kubernetes data in etcd using Infisical. With this plugin, you can use a key in Infisical for etcd encryption.\n\n💡 **NOTE**: Currently, this KMS plugin only supports Kubernetes KMS v2. Also, key rotation is not yet supported by Infisical.\n\n## Getting Started\n\n### Prerequisites\n- Your Kubernetes cluster must use etcd v3 or later.\n- Your Kubernetes cluster must be at least version 1.28.\n- You will need to have an existing KMS key on Infisical. 
To create one, refer to the documentation [here](https://infisical.com/docs/documentation/platform/kms#key-management-service-kms).\n\n### Authentication\nThere are multiple ways to authenticate the KMS plugin with Infisical:\n- [GCP Auth](https://infisical.com/docs/documentation/platform/identities/gcp-auth): recommended if you're running the cluster on GCP\n- [Azure Auth](https://infisical.com/docs/documentation/platform/identities/azure-auth): recommended if you're running the cluster on Azure\n- [AWS Auth](https://infisical.com/docs/documentation/platform/identities/aws-auth): recommended if you're running the cluster on AWS\n- [Universal Auth](https://infisical.com/docs/documentation/platform/identities/universal-auth): recommended if you're running the cluster on-premises\n\n## Installation\nThe recommended way to install the KMS plugin is as a [static pod](https://kubernetes.io/docs/tasks/configure-pod-container/static-pod) on each control plane node, so that the kubelet starts it alongside the API server.\n\n💡 **IMPORTANT NOTE**: If you have multiple control plane nodes, you will have to perform the following steps on each of them.\n\n### 1. Add the Infisical KMS plugin\nCreate the appropriate resource definition file for the Infisical KMS plugin. You can refer to the file [here](https://github.com/Infisical/k8-kms-plugin/blob/main/templates/infisical-kms-plugin.yaml) as the starting point. The following are the supported arguments:\n| Flag | Default Value | Description |\n|------|--------------|-------------|\n| `--host-url` | `https://app.infisical.com` | URL of the Infisical instance |\n| `--listen-addr` | `/opt/infisicalkms.socket` | Unix socket path the plugin's gRPC server listens on |\n| `--kms-key` |  | Infisical KMS key ID (required) |\n| `--ca-certificate` |  | CA certificate used to verify the TLS certificate of the Infisical instance |\n| `--identity-id` |  | Machine identity ID for authentication |\n| `--ua-client-id` |  | Universal Auth client ID |\n| `--ua-client-secret` |  | Universal Auth client secret |\n| `--azure-resource` |  | Azure resource identifier |\n| `--service-account-keyfile-path` |  | File path to the service account credentials |\n| `--healthz-port` | `8787` | Port number for the health check endpoint |\n| `--healthz-path` | `/healthz` | URL path for the health check endpoint |\n| `--healthz-timeout` | `20s` | Timeout for health check RPC calls |\n\n💡 **NOTE**: Ensure that you have attached the volume mount for the path `/opt` in the plugin's resource definition; otherwise the socket is created inside the container only and the API server cannot reach it.\n\n💡 **NOTE**: Flag values such as `--ua-client-secret` end up in the static pod manifest on disk and in the process arguments visible on the node. Prefer GCP, Azure or AWS Auth when the cluster runs on that cloud, and restrict read access to `/etc/kubernetes/manifests` when Universal Auth is used.\n\nSave the Infisical KMS plugin resource definition to the `/etc/kubernetes/manifests` directory on the control plane node. The kubelet then starts the KMS plugin as a static pod, which you can confirm by listing the pods in the `kube-system` namespace.\n\n### 2. Create an encryption configuration resource\nCreate a new encryption configuration file `/etc/kubernetes/enc/encryption-config.yaml` with the appropriate properties.\n```yaml\napiVersion: apiserver.config.k8s.io/v1\nkind: EncryptionConfiguration\nresources:\n  - resources:\n      - secrets\n    providers:\n      # The first provider encrypts new writes; every listed provider is tried in order on read.\n      - kms:\n          apiVersion: v2\n          name: infisical-kms-plugin\n          endpoint: unix:///opt/infisicalkms.socket    # This should match the listen-addr declared in the Infisical KMS plugin's static pod definition\n          timeout: 20s\n      # Fallback so secrets written before encryption was enabled stay readable; remove it only after all of them have been rewritten.\n      - identity: {}\n```\n\n### 3. Update the kube-apiserver resource definition\nIn the `/etc/kubernetes/manifests` directory, open the `kube-apiserver.yaml` file.\n\nUpdate the `volumes` section so that it has the following:\n```yaml\n  volumes:\n  ...\n  - hostPath:\n      path: /etc/kubernetes/enc\n    name: enc\n  - hostPath:\n      path: /opt\n    name: socket\n```\n\nNext, update the `volumeMounts` section of the API server container under `spec.containers` so that it uses the volumes from the preceding step. The encryption configuration is mounted read-only.\n```yaml\n    volumeMounts:\n    ...\n    - mountPath: /etc/kubernetes/enc\n      name: enc\n      readOnly: true\n    - mountPath: /opt\n      name: socket\n```\nThen, update the `command` section of the same container so that it includes the `--encryption-provider-config` and `--encryption-provider-config-automatic-reload` flags.\n```yaml\nspec:\n  containers:\n  - command:\n    - kube-apiserver\n    - --advertise-address=192.168.49.2\n    ...\n    - --encryption-provider-config=/etc/kubernetes/enc/encryption-config.yaml\n    - --encryption-provider-config-automatic-reload=true\n```\n\n### 4. Restart your Kubernetes API server\nBecause `kube-apiserver.yaml` is a static pod manifest, the kubelet recreates the API server pod when the file changes. Wait until it is running again before continuing. If it stays down, check its container logs on the node; a plugin that is not yet listening on the socket, or a socket path that differs from `--listen-addr`, is the usual cause.\n\n## Verification\nIn order to verify that Infisical KMS encryption is working, we can do the following:\n\n1. Create a new secret:\n\n   ```bash\n   kubectl create secret generic secret1 -n default --from-literal=mykey=mysecret\n   ```\n\n2. Using `etcdctl`, read the secret directly from etcd (adjust the client certificate paths to where your distribution stores them):\n\n   ```bash\n   sudo ETCDCTL_API=3 etcdctl --cacert=/etc/kubernetes/certs/ca.crt --cert=/etc/kubernetes/certs/etcdclient.crt --key=/etc/kubernetes/certs/etcdclient.key get /registry/secrets/default/secret1\n   ```\n\n3. Check that the stored value is prefixed with `k8s:enc:kms:v2:infisical-kms-plugin:`. This prefix is written by the API server's KMS v2 provider and indicates that the secret was encrypted through the Infisical KMS plugin before being stored. A value that starts with `k8s` followed by readable object fields was stored in plaintext by the `identity` provider.\n\n4. To ensure that decryption works, fetch the secret through the API server:\n\n   ```bash\n   kubectl get secrets secret1 -o yaml\n   ```\n\n   The output should contain `mykey: bXlzZWNyZXQ=`, which is the base64 encoding of `mysecret`. This is the API server transparently decrypting the value via the plugin; encryption at rest protects the copy in etcd and its backups, not data returned to a caller who is authorized to read the Secret.\n\n💡 **NOTE**: Only data written after the encryption configuration took effect is encrypted. Secrets that already existed stay in plaintext in etcd until they are rewritten through the API server, so rewrite them and re-check with `etcdctl` before relying on encryption at rest.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Finfisical%2Fk8-kms-plugin","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Finfisical%2Fk8-kms-plugin","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Finfisical%2Fk8-kms-plugin/lists"}
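Added example, not code from the Infisical/k8-kms-plugin project: the prefix check from verification step 3 generalised to every Secret in etcd, so secrets written before the encryption configuration took effect (still stored plaintext by the `identity` provider) can be found and rewritten through the API server. It assumes `etcdctl` (v3 API) and `kubectl` are on the PATH of the control plane node and that `ETCDCTL_CACERT`, `ETCDCTL_CERT` and `ETCDCTL_KEY` are exported with the etcd client credentials; those variables, the `--audit` and `--reencrypt` arguments, the function names and the sample values in the comments are choices made for this example, not flags or output of the plugin.

```bash
#!/usr/bin/env bash
# Added example (not part of the Infisical/k8-kms-plugin project): audit every
# Secret stored in etcd, report which encryption-at-rest provider wrote it, and
# rewrite the plaintext ones so they are re-stored through the KMS plugin.
# Assumed environment (not from the README): etcdctl v3 and kubectl on PATH,
# ETCDCTL_CACERT / ETCDCTL_CERT / ETCDCTL_KEY exported for this cluster.
set -u

# Classify a raw etcd value by its Kubernetes encryption-at-rest prefix.
# kube-apiserver stores "k8s:enc:<provider>:<version>:<name>:" ahead of the
# ciphertext. A value without that prefix was written by the identity
# provider and is plaintext protobuf ("k8s" followed by the object bytes).
classify_etcd_value() {
  local value="$1"
  case "$value" in
    k8s:enc:kms:v2:*:*)
      # e.g. k8s:enc:kms:v2:infisical-kms-plugin:... -> kms:v2:infisical-kms-plugin
      printf 'kms:v2:%s\n' "$(printf '%s' "$value" | cut -d: -f5)" ;;
    k8s:enc:kms:v1:*:*)
      printf 'kms:v1:%s\n' "$(printf '%s' "$value" | cut -d: -f5)" ;;
    k8s:enc:aescbc:v1:*:*|k8s:enc:aesgcm:v1:*:*|k8s:enc:secretbox:v1:*:*)
      # local-key providers: report provider, version and key name
      printf '%s\n' "$(printf '%s' "$value" | cut -d: -f3-5)" ;;
    *)
      printf 'plaintext\n' ;;
  esac
}

# True when a classification says the KMS v2 provider named $2 produced it.
encrypted_by_kms_v2() {
  [ "$1" = "kms:v2:$2" ]
}

# Walk /registry/secrets and print "<etcd key> <classification>" per secret.
# Only the first 64 bytes are read and NUL bytes dropped: enough for the
# prefix, and it keeps binary ciphertext out of shell variables.
audit_secrets() {
  local key prefix
  etcdctl get /registry/secrets --prefix --keys-only | while read -r key; do
    [ -n "$key" ] || continue
    prefix="$(etcdctl get "$key" --print-value-only | head -c 64 | tr -d '\0')"
    printf '%s %s\n' "$key" "$(classify_etcd_value "$prefix")"
  done
}

# Rewrite every Secret through the API server so the current
# EncryptionConfiguration, and therefore the KMS plugin, is applied to it.
# This is the re-encryption step from the Kubernetes encryption-at-rest docs.
reencrypt_all_secrets() {
  kubectl get secrets --all-namespaces -o json | kubectl replace -f -
}

if [ "${1:-}" = "--audit" ]; then
  audit_secrets
elif [ "${1:-}" = "--reencrypt" ]; then
  reencrypt_all_secrets
fi
```

Run it with `--audit` first and look for any `plaintext` rows; after `--reencrypt`, a second `--audit` should show only `kms:v2:infisical-kms-plugin`. Only once every secret reports that value is it safe to drop the `identity: {}` fallback from the encryption configuration.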