Deploying KMSProxy Container

Describes how to deploy the KMSProxy container.

The following steps describe how to deploy the KMSProxy container.

1. Run the following command to generate the TLS server certificate for the KMS-Proxy service.

CreateCertificate_Linux_x64_<Version>.sh server --name <Directory> --dns <Release_Name>.<namespace>.svc

For example:

CreateCertificate_Linux_x64_<Version>.sh server --name kms-proxy-server --dns kms-proxy.<namespace>.svc

For more information about generating certificates, refer to the section Creating Certificates.

The following server certificate files are created in the kms-proxy-server folder:

  • cert.pem
  • cert.key
  • CA.pem
  • secret.txt

The KMS-Proxy service presents this certificate as its TLS server certificate; the protector uses it to authenticate the KMS-Proxy service before sending requests to it.

Ensure that the namespace and release name that you specify in this command are the same names that you specify in step 5 while deploying the KMS-Proxy Helm chart. The --dns value becomes the DNS name in the server certificate, so it must match the name under which the service is reachable inside the cluster after deployment.

For more information about the data encryption key used in the AWS KMS, refer to the section Creating a Data Encryption Key (DEK).

2. Run the following command to create the Kubernetes secret that holds the KMS-Proxy server certificate files.

kubectl -n <KMS-Proxy_Namespace> create secret generic service-certs --from-file=CA.pem=<path-to-CA.pem> --from-file=cert.key=<path-to-cert.key> --from-file=cert.pem=<path-to-cert.pem> --from-file=secret.txt=<path-to-secret.txt>

Specify the name of this secret as the value of the service/certificates parameter in the values.yaml file.
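Before packing the files into the secret, it is worth checking that they are consistent with each other and with the name the Helm release will get, because a certificate whose DNS name does not match <Release_Name>.<namespace>.svc is only discovered when the protector fails to connect. The following bash script is an added example written for this page; it is not part of the product's certificate tooling. It assumes only what the page states: the four files cert.pem, cert.key, CA.pem and secret.txt in the directory from step 1, and the in-cluster service name <release>.<namespace>.svc. The function name, the output format and the 30-day expiry margin are this example's own choices, and it requires the openssl command line tool.

```shell
#!/usr/bin/env bash
# Added example (not product tooling): pre-flight check of the KMS-Proxy
# server certificate files produced in step 1, run before they are packed
# into the Kubernetes secret in step 2.
set -eu

command -v openssl >/dev/null || { echo "openssl is required" >&2; exit 1; }

# check_kms_proxy_certs DIR RELEASE NAMESPACE
# Prints one line per check and returns 0 only if every check passes.
check_kms_proxy_certs() {
  local dir=$1 release=$2 ns=$3
  local expected_dns="${release}.${ns}.svc"
  local status=0

  # The secret in step 2 needs all four files; refuse to continue without them.
  local f
  for f in cert.pem cert.key CA.pem secret.txt; do
    if [ ! -s "$dir/$f" ]; then
      echo "MISSING  $dir/$f"
      status=1
    fi
  done
  [ "$status" -eq 0 ] || return 1

  # 1. Chain: the protector trusts CA.pem, so cert.pem must verify against it.
  if openssl verify -CAfile "$dir/CA.pem" "$dir/cert.pem" >/dev/null 2>&1; then
    echo "OK       cert.pem verifies against CA.pem"
  else
    echo "FAIL     cert.pem does not verify against CA.pem"
    status=1
  fi

  # 2. Key/cert match: the public key in the certificate must equal the one
  #    derived from the private key, otherwise the TLS listener cannot start.
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$dir/cert.key" -pubout 2>/dev/null | openssl sha256)
  if [ "$cert_pub" = "$key_pub" ]; then
    echo "OK       cert.key matches cert.pem"
  else
    echo "FAIL     cert.key does not match cert.pem"
    status=1
  fi

  # 3. Name: the protector reaches the service at <release>.<namespace>.svc, so
  #    exactly that name must be a DNS entry in the subjectAltName extension.
  #    A certificate that carries the name only in the CN does not pass.
  local sans
  sans=$(openssl x509 -in "$dir/cert.pem" -noout -text \
         | awk '/Subject Alternative Name/ { getline; print }' | tr -d ' ')
  if printf '%s\n' "$sans" | tr ',' '\n' | grep -qx "DNS:${expected_dns}"; then
    echo "OK       SAN covers ${expected_dns}"
  else
    echo "FAIL     SAN does not cover ${expected_dns} (found: ${sans:-none})"
    status=1
  fi

  # 4. Lifetime: reject a certificate that has expired or expires within
  #    30 days (2592000 s) so that rotation is planned before the proxy stops.
  if openssl x509 -in "$dir/cert.pem" -noout -checkend 2592000 >/dev/null; then
    echo "OK       cert.pem is valid for at least 30 more days"
  else
    echo "FAIL     cert.pem has expired or expires within 30 days"
    status=1
  fi

  return "$status"
}

# Usage with the directory and names from the examples on this page:
#   check_kms_proxy_certs ./kms-proxy-server kms-proxy iap-rest
```

Run the function with the directory from step 1 and the release name and namespace you intend to pass to helm install in step 5; a non-zero exit means the files should not be turned into the secret yet. The SAN check is deliberately exact (grep -x), so a certificate issued for a longer name such as one ending in .cluster.local does not pass for the shorter .svc name.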

3. On the Linux instance, navigate to the location where you have extracted the Helm charts to deploy the KMSProxy container.
    For more information about the extracted Helm charts, refer to the section Extracting the Installation Package.

    The kms-proxy > values.yaml file contains the default configuration values for deploying the KMSProxy container on the Kubernetes cluster.

...

    # -- The service account must be linked to a cloud role that can access the KMS key ID.
    # The cloud role must have decrypt permission on the key ID.
    serviceAccount:
      # The name of the service account to use.
      name:

    # Specify any additional annotation to be associated with the pod.
    podAnnotations:
      checksum/kmsproxy-config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}'

    ## Set the Pod's security context object.
    podSecurityContext:
      fsGroup: 2000

    ## Set the Container's security context object.
    securityContext:
      capabilities:
        drop:
        - ALL
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      runAsUser: 1000

    # -- Cloud KMS related configuration.
    kms:
      # -- Cloud KMS vendor.
      # Expected values are: AWS, GCP, AZURE
      vendor: ""

      # -- Identifier of the RSA key hosted by the cloud KMS.
      # AWS: the key ARN (Amazon Resource Name)
      # GCP: the key resource ID
      # Azure: the key ID
      keyid: ""

    # kms-proxy service configuration
    application:
      # -- The cache keeps the decrypted KEK for the specified TTL (time to live),
      # in seconds. Once the TTL expires, the value is cleared from the cache.
      # Set the TTL according to the time required to update/install the protector
      # deployment. Default is 1200 seconds (20 minutes).
      ttl: 1200

      # -- Log level for the application; the default is INFO.
      # Available logging levels are INFO, DEBUG, TRACE.
      # To enable the HTTP access log, set logLevel to TRACE.
      logLevel: INFO

    # Kubernetes service configuration: the HTTP service that hosts the
    # kms-proxy endpoint.
    service:
      # -- Service type; ClusterIP for the kms-proxy endpoint.
      type: ClusterIP
      port: 443
      # -- Secret holding the TLS certificate of the kms-proxy service, for example:
      # kubectl -n $NAMESPACE create secret generic pty-kms-proxy-tls \
      #   --from-file=cert.pem=./certs/cert.pem \
      #   --from-file=cert.key=./certs/cert.key \
      #   --from-file=CA.pem=./ca/CA.pem \
      #   --from-file=secret.txt=./certs/secret.txt
      certificates:
4. Modify the default values in the values.yaml file as required. The fields are described below.

  • serviceAccount/name: Specify the name of the service account that is linked to a cloud role with access to the key ID of the respective cloud. Ensure that the role has decrypt permission on the key ID.
  • podSecurityContext: Specify the privilege and access control settings for the pod. The default value is fsGroup: 2000.
  • securityContext: Specify the privilege and access control settings for the container. By default the container drops all capabilities, uses a read-only root filesystem and runs as non-root user 1000; keep these defaults unless you have a documented reason to change them.
  • kms/vendor: Specify the cloud vendor. Expected values are AWS, GCP, or AZURE.
  • kms/keyid: Specify the identifier of the RSA key hosted by the cloud KMS: the key Amazon Resource Name (ARN) for AWS, the key resource ID for GCP, or the key ID for Azure.
  • application/ttl: Specify the time to live in seconds for which the KMSProxy cache retains the decrypted KEK. The default value is 1200, which equals 20 minutes. A longer TTL keeps the decrypted KEK in the cache for longer, so use the shortest value that covers the time needed to install or update the protector deployment.
  • application/logLevel: Specify the log level for the application. The applicable values are INFO, DEBUG, and TRACE; the default value is INFO. Set this value to TRACE to enable the HTTP access log, and only while troubleshooting.
  • service/type: Specify the Kubernetes service type that hosts the KMSProxy endpoint. The default value is ClusterIP, which keeps the endpoint reachable only from inside the cluster.
  • service/port: Specify the port number for the KMSProxy endpoint. The default value is 443.
  • service/certificates: Specify the name of the secret that holds the TLS certificate for the KMS Proxy service, which you created in step 2 (service-certs in the example).

5. Run the following command to deploy the KMSProxy container on the Kubernetes cluster.

helm install <Release_Name> --namespace <Namespace to deploy KMSProxy container> <Location of the directory containing Helm charts>

For example:

helm install kmsproxy --namespace iap-rest kms-proxy/
6. Run the following command to check the status of the pods.

kubectl get pods -n <Namespace>

For example:

kubectl get pods -n iap-rest
NAME                                         READY   STATUS    RESTARTS        AGE
kms-10-v1-kms-proxy-7b97d5dff7-grqph         2/2     Running   0               11h
log1-logforwarder-f6gvj                      1/1     Running   0               11h
log1-logforwarder-ls4hn                      1/1     Running   0               11h
log1-logforwarder-phk4t                      1/1     Running   0               11h
log1-logforwarder-z2mz7                      1/1     Running   0               11h

The kms-proxy pod must report all of its containers READY (2/2 in this example) with STATUS Running. The logforwarder pods in this output belong to other workloads in the same namespace.

Last modified: January 17, 2026