Conversation
|
Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement Learn more about why HashiCorp requires a CLA and what the CLA includes 2 out of 3 committers have signed the CLA.
Michael Blaum seems not to be a GitHub user. Have you signed the CLA already but the status is still pending? Recheck it. |
Vercel Previews Deployed
|
Broken Link CheckerNo broken links found! 🎉 |
| encryption at rest. The Kubernetes API server uses a DEK (data encryption key) | ||
| [seed](https://kubernetes.io/docs/tasks/administer-cluster/kms-provider/#kms-encryption-and-per-object-encryption-keys) | ||
| to generate DEKs for encrypting and decrypting cluster data. The API server | ||
| encrypts and decrypts this DEK seed by calling Vault, rather than storing key |
There was a problem hiding this comment.
not sure if it matters that much for this overview, but the API server is not calling Vault, it's calling Vault Kubernetes KMS, which is then calling Vault.
| Vault Kubernetes KMS, automatically renew authentication tokens, and handle | ||
| re-authentication if the token expires. | ||
|
|
||
| 1. The Kubernetes administrator configures a Unix socket for gRPC communication |
There was a problem hiding this comment.
Let's actually remove this step because the plugin does this on behalf of the user now.
|
|
||
| On startup: | ||
|
|
||
| 1. The Kubernetes API server creates and caches the Vault client. |
There was a problem hiding this comment.
Let's remove this step as it's not accurate (Vault Kubernetes KMS does this, not the Kubernetes API server) and is already covered by the Vault client-related mention above and below.
There was a problem hiding this comment.
Good catch. I meant to delete that and missed it while editing 🙃
| 1. The Kubernetes API server generates a single DEK seed and uses the client to | ||
| request encryption from Vault Kubernetes KMS. | ||
|
|
||
| 1. Vault Kubernetes KMS creates and caches a Vault client that authenticates to |
There was a problem hiding this comment.
This should be the top step of this "On startup:" section., because the "generates a single DEK seed" step mentions the client.
content/vault/v1.21.x/content/docs/deploy/kubernetes/kms/security.mdx
Outdated
Show resolved
Hide resolved
content/vault/v1.21.x/content/docs/deploy/kubernetes/kms/security.mdx
Outdated
Show resolved
Hide resolved
content/vault/v1.21.x/content/docs/deploy/kubernetes/kms/security.mdx
Outdated
Show resolved
Hide resolved
content/vault/v1.21.x/content/docs/deploy/kubernetes/kms/index.mdx
Outdated
Show resolved
Hide resolved
content/vault/v1.21.x/content/docs/deploy/kubernetes/kms/security.mdx
Outdated
Show resolved
Hide resolved
content/vault/v1.21.x/content/docs/deploy/kubernetes/kms/setup.mdx
Outdated
Show resolved
Hide resolved
content/vault/v1.21.x/content/docs/deploy/kubernetes/kms/setup.mdx
Outdated
Show resolved
Hide resolved
| Success! Data written to: auth/k8s-approle/role/k8s-kms-role | ||
| ``` | ||
|
|
||
| 1. Fetch the new AppRole ID and secret ID for later use when configuring the |
There was a problem hiding this comment.
The secret ID is generated by a separate call:
vault write -f auth/k8s-approle/role/k8s-kms-role/secret-id
content/vault/v1.21.x/content/docs/deploy/kubernetes/kms/setup.mdx
Outdated
Show resolved
Hide resolved
| 1. Copy the AppRole secret ID from your Transit plugin to each control plane | ||
| node at `/etc/vault-kms/approle-secret-id`. | ||
|
|
||
| 1. Create a manifest file, `vault-kms-plugin.yaml, for the Vault Kubernetes KMS |
There was a problem hiding this comment.
Is there supposed to be another backtick here?
content/vault/v1.21.x/content/docs/deploy/kubernetes/kms/setup.mdx
Outdated
Show resolved
Hide resolved
content/vault/v1.21.x/content/docs/deploy/kubernetes/kms/setup.mdx
Outdated
Show resolved
Hide resolved
content/vault/v1.21.x/content/docs/deploy/kubernetes/kms/setup.mdx
Outdated
Show resolved
Hide resolved
content/vault/v1.21.x/content/docs/deploy/kubernetes/kms/troubleshooting.mdx
Outdated
Show resolved
Hide resolved
content/vault/v1.21.x/content/docs/deploy/kubernetes/kms/troubleshooting.mdx
Outdated
Show resolved
Hide resolved
content/vault/v1.21.x/content/docs/deploy/kubernetes/kms/best-practices.mdx
Outdated
Show resolved
Hide resolved
content/vault/v1.21.x/content/docs/deploy/kubernetes/kms/best-practices.mdx
Outdated
Show resolved
Hide resolved
content/vault/v1.21.x/content/docs/deploy/kubernetes/kms/best-practices.mdx
Outdated
Show resolved
Hide resolved
digivava
left a comment
digivava
left a comment
There was a problem hiding this comment.
Thanks for porting this over! I like the updated organization of it.
Co-authored-by: VAL <[email protected]>
2 participants
Recreate #1602 with text edits and added process flow diagram with walkthrough