From 215b1b2763960685ea8e3e6ba304ce82d9adc4dd Mon Sep 17 00:00:00 2001 From: Tom Morelly Date: Sat, 16 Nov 2024 22:18:51 +1100 Subject: [PATCH] chore(docs): update docs --- README.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 10df97f..f50d63b 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,7 @@ # vault-kms-plugin +> [!IMPORTANT] +> as of [`v1.0.0`](https://github.com/FalcoSuessgott/vault-kubernetes-kms/releases/tag/v1.0.0) `vault-kubernetes-kms` is considered stable and production-grade + A Kubernetes KMS Plugin that uses [HashiCorp Vaults](https://developer.hashicorp.com/vault) [Transit Engine](https://developer.hashicorp.com/vault/docs/secrets/transit) for securely encrypting Secrets, Config Maps and other Kubernetes Objects in etcd at Rest (on disk). [![E2E](https://github.com/FalcoSuessgott/vault-kubernetes-kms/actions/workflows/e2e.yml/badge.svg)](https://github.com/FalcoSuessgott/vault-kubernetes-kms/actions/workflows/e2e.yml) 
@@ -23,6 +26,8 @@ To do so, you will have to enable Data at Rest encryption, by configuring the `k :warning: As a result of that, **the `kube-apiserver` requires the `vault-kubernetes-kms` plugin to be up & running before the `kube-apiserver` starts**. To ensure this, setting a priority class in the plugins manifest (`"priorityClassName: system-node-critical"`) is recommended. :warning: +Following the scenario that `vault-kubernetes-kms` is deployed as a static pod, then your Vault server has to reside **outside** of your Kubernetes cluster, as it is [recommended](https://developer.hashicorp.com/vault/tutorials/kubernetes/kubernetes-security-concerns). If you decide to deploy the plugin not as a static pod, then theoretically the Vault server can be deployed on the same cluster, you then would have to patch the `kube-apiserver` after startup to find its `EncryptionProviderConfig`. + **[Check out the official documentation](https://falcosuessgott.github.io/vault-kubernetes-kms/)** ## Features @@ -36,7 +41,7 @@ To do so, you will have to enable Data at Rest encryption, by configuring the `k # create any secret $> kubectl create secret generic secret-unencrypted -n default --from-literal=key=value -# proof that k8s secrets are stored unencrypted on disk and in etctd +# proof that k8s secrets are stored unencrypted on disk in etctd $> kubectl -n kube-system exec etcd-minikube -- sh -c "ETCDCTL_API=3 etcdctl \ --endpoints=https://127.0.0.1:2379 \ --cert /var/lib/minikube/certs/etcd/server.crt \ 
@@ -69,7 +74,7 @@ $> kubectl -n kube-system exec etcd-minikube -- sh -c "ETCDCTL_API=3 etcdctl \ # create any k8s secret $> kubectl create secret generic secret-encrypted -n default --from-literal=key=value -# proof that now secrets are stored encrypted on disk and in etctd +# proof that now secrets are stored encrypted on disk in etctd $> kubectl -n kube-system exec etcd-minikube -- sh -c "ETCDCTL_API=3 etcdctl --endpoints=https://127.0.0.1:2379 \ --cert /var/lib/minikube/certs/etcd/server.crt \ --key /var/lib/minikube/certs/etcd/server.key \
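Review bot: The added callout in the first hunk ("> as of [`v1.0.0`](...) `vault-kubernetes-kms` is considered stable and production-grade") is missing a capital letter and terminal punctuation; suggest "> As of [`v1.0.0`](...) `vault-kubernetes-kms` is considered stable and production-grade." so the GitHub alert renders as a complete sentence.

Review bot: The paragraph added in the second hunk buries the key operational constraint in an awkward "Following the scenario that ..., then ..." construction and leaves "patch the `kube-apiserver` after startup to find its `EncryptionProviderConfig`" unexplained. Suggest stating the dependency chain directly, e.g. "If `vault-kubernetes-kms` runs as a static pod, the Vault server must reside **outside** the cluster, as [recommended](...): the `kube-apiserver` needs the plugin before it can start, and the plugin needs Vault, so a Vault deployed on the same cluster cannot come up first." It would also help to spell out that the alternative (reconfiguring the already-running `kube-apiserver` with its encryption provider configuration) means any Secrets written before that reconfiguration are stored in etcd unencrypted until they are rewritten, since the surrounding README text ties encryption at rest to the `kube-apiserver` having the `EncryptionProviderConfig` at startup.

Review bot: The rewritten comment in the third hunk ("# proof that k8s secrets are stored unencrypted on disk in etctd") still carries the `etctd` typo from the original line; since the line is already being touched, suggest "# prove that k8s secrets are stored unencrypted on disk in etcd".

Review bot: Same typo in the fourth hunk: "# proof that now secrets are stored encrypted on disk in etctd" should read "# prove that secrets are now stored encrypted on disk in etcd", matching the wording suggested for the unencrypted case above so the two demos read as a pair.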