ondat / trousseau

Store and access your secrets the Kubernetes native way with any external KMS.
https://trousseau.io
Apache License 2.0

[RFE] KMS migration helper #105

Open romdalf opened 2 years ago

romdalf commented 2 years ago

Is it linked to a user story? (use the "#" to tag the user story)

#50 - Result of the design meeting held on June 9th, 2022 with @cvlc @mhmxs @vfiftyfive @rovandep

What do we want to build?

Trousseau to migrate from one KMS provider to another

Why do we want to build it?

Changing KMS is not a common operation, but if it happens it should be done in a smooth and secure way. As Trousseau is the broker between the k8s API manager and the KMS, it should help in replacing the secrets encrypted with the old KMS with the new KMS.

How do we want to design it?

#103 will provide the ability to run contiguous KMS provider plugins in sidecars

This will help to perform a replace transaction in a secure and transparent way. A safe switch might need to be thought of to handle this migration with a human validation.
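
The broker-side re-encryption pass sketched in this comment, written out as an added example (this is not Trousseau's code, and the `Provider` interface, the `localProvider` in-memory KMS, the `Migrate` function and the `<name>:` blob prefix are all assumptions of the example). The prefix plays the role of the provider tag kube-apiserver puts in front of every KMS-encrypted value in etcd (`k8s:enc:kms:v1:<name>:`), which is what lets a migration tell which KMS owns a blob. `Migrate` runs as a two-phase replace transaction: every blob is decrypted with the old provider, re-encrypted with the new one and verified to round-trip before anything is written; `commit=false` is the dry run a human can review before the real switch.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Provider is a reduced stand-in for a KMS provider plugin: the two operations
// the Kubernetes KMS API exposes to the apiserver. Assumption of this example.
type Provider interface {
	Name() string
	Encrypt(plaintext []byte) ([]byte, error)
	Decrypt(ciphertext []byte) ([]byte, error)
}

// localProvider is a constructed in-memory KMS (AES-256-GCM) standing in for a
// real backend. Every blob it produces starts with "<name>:" so the broker can
// tell which provider owns it (mirrors the k8s:enc:kms:v1:<name>: tag in etcd).
type localProvider struct {
	name string
	aead cipher.AEAD
}

func NewLocalProvider(name, keyMaterial string) (*localProvider, error) {
	key := sha256.Sum256([]byte(keyMaterial)) // demo-only key derivation
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &localProvider{name: name, aead: aead}, nil
}

func (p *localProvider) Name() string { return p.name }

func (p *localProvider) Encrypt(plaintext []byte) ([]byte, error) {
	nonce := make([]byte, p.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append([]byte(p.name+":"), nonce...) // prefix || nonce || ciphertext
	return p.aead.Seal(out, nonce, plaintext, []byte(p.name)), nil
}

func (p *localProvider) Decrypt(ciphertext []byte) ([]byte, error) {
	prefix := []byte(p.name + ":")
	if !bytes.HasPrefix(ciphertext, prefix) {
		return nil, fmt.Errorf("blob is not owned by provider %q", p.name)
	}
	rest := ciphertext[len(prefix):]
	ns := p.aead.NonceSize()
	if len(rest) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return p.aead.Open(nil, rest[:ns], rest[ns:], []byte(p.name))
}

// OwnedBy reports whether a stored blob was produced by the given provider.
func OwnedBy(blob []byte, p Provider) bool {
	return bytes.HasPrefix(blob, []byte(p.Name()+":"))
}

// Migrate re-encrypts every blob in store from oldKMS to newKMS as one replace
// transaction: all blobs are decrypted, re-encrypted and verified first, and the
// store is only written if every blob passed and commit is true. Blobs already
// owned by newKMS are skipped, so a re-run after a partial rollout is safe.
func Migrate(store map[string][]byte, oldKMS, newKMS Provider, commit bool) (migrated, skipped int, err error) {
	proposed := make(map[string][]byte)
	for name, blob := range store {
		if OwnedBy(blob, newKMS) {
			skipped++
			continue
		}
		plain, err := oldKMS.Decrypt(blob)
		if err != nil {
			return 0, 0, fmt.Errorf("%s: %w", name, err)
		}
		fresh, err := newKMS.Encrypt(plain)
		if err != nil {
			return 0, 0, fmt.Errorf("%s: %w", name, err)
		}
		if check, err := newKMS.Decrypt(fresh); err != nil || !bytes.Equal(check, plain) {
			return 0, 0, fmt.Errorf("%s: new ciphertext failed round-trip verification", name)
		}
		proposed[name] = fresh
	}
	if commit {
		for name, fresh := range proposed {
			store[name] = fresh
		}
	}
	return len(proposed), skipped, nil
}

func main() {
	oldKMS, _ := NewLocalProvider("vault-old", "constructed-old-key")
	newKMS, _ := NewLocalProvider("vault-new", "constructed-new-key")
	store := map[string][]byte{} // constructed sample secrets, all under the old KMS
	for _, n := range []string{"db-password", "api-token"} {
		store[n], _ = oldKMS.Encrypt([]byte("secret value for " + n))
	}
	m, s, err := Migrate(store, oldKMS, newKMS, false) // dry run for human validation
	fmt.Println("dry run:", m, "to migrate,", s, "skipped, err:", err)
	m, s, err = Migrate(store, oldKMS, newKMS, true) // the actual switch
	fmt.Println("commit:", m, "migrated,", s, "skipped, err:", err)
}
```

Because the new ciphertext is produced and verified for every blob before any write, a blob that neither provider can open (or a failing new backend) aborts the whole pass with the store untouched, which is the property a real migration helper needs when both plugins are running side by side.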

romdalf commented 2 years ago

The migration scenario is carried within v2. Documentation has to be written.