Key Features • Why • Documentation • Press • Hands-on Lab • How to test • Roadmap • Contributing • License • Security
Notes:
⚠️ For production deployment, consult the Documentation.
Clone the repo and create your environment file:
TR_VERSION=d3e4f2569b2eddeea992e47dae29a931182379dd
TR_VERBOSE_LEVEL=1
TR_SOCKET_LOCATION=/opt/trousseau-kms
TR_PROXY_IMAGE=ghcr.io/ondat/trousseau:proxy-${TR_VERSION}
TR_TROUSSEAU_IMAGE=ghcr.io/ondat/trousseau:trousseau-${TR_VERSION}
# Please configure your KMS plugins, maximum 2
TR_ENABLED_PROVIDERS="--enabled-providers=awskms --enabled-providers=azurekms --enabled-providers=vault"
TR_AWSKMS_IMAGE=ghcr.io/ondat/trousseau:awskms-${TR_VERSION}
TR_AWSKMS_CONFIG=awskms.yaml # For Kubernetes, the file only needs to exist at generation time
TR_AWSKMS_CREDENTIALS=.aws/credentials
TR_AZUREKMS_IMAGE=ghcr.io/ondat/trousseau:azurekms-${TR_VERSION}
TR_AZUREKMS_CONFIG=azurekms.yaml # For Kubernetes, the file only needs to exist at generation time
TR_AZUREKMS_CREDENTIALS=config.json
TR_VAULT_IMAGE=ghcr.io/ondat/trousseau:vault-${TR_VERSION}
TR_VAULT_ADDRESS=https://127.0.0.1:8200
TR_VAULT_CONFIG=vault.yaml
Create the shared paths on the target host and give them to uid/gid 10123, the identity under which the Trousseau containers access them:
sudo mkdir -p $TR_SOCKET_LOCATION
sudo chown 10123:10123 $TR_SOCKET_LOCATION
sudo chown 10123:10123 $TR_AWSKMS_CREDENTIALS
# In case you have not enabled Vault agent config generation
sudo chown 10123:10123 $TR_VAULT_CONFIG
Create your config files (the values below are placeholders to replace with your own):
# awskms.yaml
profile: profile
keyArn: keyArn
# Optional fields
roleArn: roleArn
encryptionContext:
  foo: bar
# azurekms.yaml
configFilePath: configFilePath
keyVaultName: keyVaultName
keyName: keyName
keyVersion: keyVersion
# vault.yaml
keyNames:
  - keyNames
address: address
token: token
Generate service files or manifests:
make prod:generate:systemd ENV_LOCATION=./bin/trousseau-env
make prod:generate:docker-compose ENV_LOCATION=./bin/trousseau-env
make prod:generate:kustomize ENV_LOCATION=./bin/trousseau-env
make prod:generate:helm ENV_LOCATION=./bin/trousseau-env
Verify output:
ls -l generated_manifests/systemd
ls -l generated_manifests/docker-compose
ls -l generated_manifests/kustomize
ls -l generated_manifests/helm
Deploy the application and configure encryption at rest. Provider order matters: the first provider in the list encrypts every new write, the later ones are only tried when reading, so kms must stay ahead of identity; identity is kept last so that secrets written before the change can still be read.
kind: EncryptionConfiguration
apiVersion: apiserver.config.k8s.io/v1
resources:
  - resources:
      - secrets
    providers:
      - kms:
          name: vaultprovider
          endpoint: unix:///opt/trousseau-kms/proxy.socket
          cachesize: 1000
      - identity: {}
Reconfigure the Kubernetes API server (kubeadm ClusterConfiguration) so it loads the encryption config and can reach the proxy socket:
kind: ClusterConfiguration
apiServer:
  extraArgs:
    encryption-provider-config: "/etc/kubernetes/encryption-config.yaml"
  extraVolumes:
    - name: encryption-config
      hostPath: "/etc/kubernetes/encryption-config.yaml"
      mountPath: "/etc/kubernetes/encryption-config.yaml"
      readOnly: true
      pathType: File
    - name: sock-path
      hostPath: "/opt/trousseau-kms"
      mountPath: "/opt/trousseau-kms"
Finally, restart the Kubernetes API server so it picks up the new configuration. Secrets written before the restart remain in etcd as plaintext until they are rewritten through the API server.
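Added example (not code from the Trousseau project): a POSIX shell script that checks the pieces above after the API server restart. It verifies that the socket directory is owned by uid 10123, that kms is ordered before identity in the EncryptionConfiguration, and that a freshly written Secret is stored in etcd with the k8s:enc:kms:v1:<provider>: header the API server writes for a KMS v1 provider (the cachesize field above is a v1 setting). The provider name, socket directory and config path come from the page; the etcdctl endpoint and certificate flags and the probe secret name are placeholders I chose.

```shell
#!/bin/sh
# Added example, not code from the Trousseau project: post-deployment checks for
# Kubernetes encryption at rest through the Trousseau KMS socket.
# Assumed from the page: socket directory /opt/trousseau-kms owned by uid 10123,
# provider name "vaultprovider", config at /etc/kubernetes/encryption-config.yaml.
# The etcdctl endpoint/certificate flags and the probe secret name are placeholders.

TR_SOCKET_LOCATION=${TR_SOCKET_LOCATION:-/opt/trousseau-kms}
TR_SOCKET_UID=${TR_SOCKET_UID:-10123}
ENC_CONFIG=${ENC_CONFIG:-/etc/kubernetes/encryption-config.yaml}
KMS_PROVIDER=${KMS_PROVIDER:-vaultprovider}

# Numeric owner of a path (GNU stat, falling back to BSD stat).
owner_uid() {
  stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

# The proxy creates proxy.socket inside this directory as uid 10123; if the
# directory is missing or owned by someone else the API server cannot reach
# the KMS and refuses to start once encryption-provider-config points at it.
check_socket_dir() {  # $1 directory, $2 expected owner uid
  [ -d "$1" ] || { echo "socket directory $1 is missing" >&2; return 1; }
  [ "$(owner_uid "$1")" = "$2" ] || { echo "$1 is not owned by uid $2" >&2; return 1; }
}

# Provider order is the security-relevant part of EncryptionConfiguration: the
# first provider encrypts every new write, later ones are only tried on reads.
# With "identity" first, secrets keep landing in etcd as plaintext even though
# the KMS provider is configured. Exit 0 only if a kms entry precedes identity.
kms_precedes_identity() {  # $1 EncryptionConfiguration file
  awk '
    /^[ \t]*-[ \t]*kms:/      { if (!k) k = NR }
    /^[ \t]*-[ \t]*identity:/ { if (!i) i = NR }
    END { exit !(k && (!i || k < i)) }
  ' "$1"
}

# The API server prefixes each KMS v1 encrypted value with
# "k8s:enc:kms:v1:<provider-name>:"; a value without that header for our
# provider was stored by the identity provider (plaintext protobuf) or by a
# different KMS provider.
is_kms_encrypted() {  # $1 provider name, $2 value as read from etcd
  case "$2" in
    "k8s:enc:kms:v1:$1:"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Live probe: write a throwaway secret, read its raw etcd value, check the
# header. Only the first bytes are kept so the binary ciphertext never has to
# survive a shell variable.
verify_live() {
  kubectl -n default create secret generic tr-enc-probe --from-literal=k=v >/dev/null
  raw=$(ETCDCTL_API=3 etcdctl get /registry/secrets/default/tr-enc-probe \
          --endpoints=https://127.0.0.1:2379 \
          --cacert=/etc/kubernetes/pki/etcd/ca.crt \
          --cert=/etc/kubernetes/pki/etcd/server.crt \
          --key=/etc/kubernetes/pki/etcd/server.key \
          --print-value-only | head -c 64 | tr -d '\000')
  kubectl -n default delete secret tr-enc-probe >/dev/null
  is_kms_encrypted "$KMS_PROVIDER" "$raw" \
    && echo "tr-enc-probe is stored KMS-encrypted (provider $KMS_PROVIDER)"
}

# Secrets written before the KMS provider came first stay plaintext until they
# are re-saved through the API server; this rewrites all of them in place.
reencrypt_existing_secrets() {
  kubectl get secrets --all-namespaces -o json | kubectl replace -f -
}

# Usage: sh check-encryption.sh run   (needs kubectl and etcdctl on the control plane)
if [ "${1:-}" = "run" ]; then
  check_socket_dir "$TR_SOCKET_LOCATION" "$TR_SOCKET_UID" || exit 1
  kms_precedes_identity "$ENC_CONFIG" \
    || { echo "kms is not ahead of identity in $ENC_CONFIG" >&2; exit 1; }
  verify_live || exit 1
fi
```

Run it with the single argument run on a control-plane node after the API server restart; once verify_live passes, call reencrypt_existing_secrets to bring secrets created before the change under the KMS provider as well.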