diff --git a/README.md b/README.md
index e1d2809..54d3e26 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,5 @@
# vault-kms-plugin
-A Kubernetes KMS Plugin that uses [HashiCorp Vaults](https://developer.hashicorp.com/vault) [Transit Engine](https://developer.hashicorp.com/vault/docs/secrets/transit) for securely encrypting Secrets, Config Maps and other Kubernetes Objects in etcd at rcest (on disk).
+A Kubernetes KMS Plugin that uses [HashiCorp Vaults](https://developer.hashicorp.com/vault) [Transit Engine](https://developer.hashicorp.com/vault/docs/secrets/transit) for securely encrypting Secrets, Config Maps and other Kubernetes Objects in etcd at Rest (on disk).
[![E2E](https://github.com/FalcoSuessgott/vault-kubernetes-kms/actions/workflows/e2e.yml/badge.svg)](https://github.com/FalcoSuessgott/vault-kubernetes-kms/actions/workflows/e2e.yml)
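Review bot: "at Rest" on the `+` line is capitalized mid-sentence; it should read "in etcd at rest (on disk)". While this line is being touched, "HashiCorp Vaults" in the link text wants the possessive "HashiCorp Vault's".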
@@ -31,7 +31,7 @@ Since the key used for encrypting secrets is not stored in Kubernetes, an attack
# create any secret
$> kubectl create secret generic secret-unencrypted -n default --from-literal=key=value
-# proof that k8s secrets are stored unenctyped on disk and in ectd
+# proof that k8s secrets are stored unencrypted on disk and in etctd
$> kubectl -n kube-system exec etcd-minikube -- sh -c "ETCDCTL_API=3 etcdctl \
--endpoints=https://127.0.0.1:2379 \
--cert /var/lib/minikube/certs/etcd/server.crt \
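Review bot: the comment on the `+` line replaces one misspelling with another, "ectd" became "etctd". The component is `etcd`, as the `etcdctl` command directly below it shows, so the comment should end "on disk and in etcd".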
@@ -64,7 +64,7 @@ $> kubectl -n kube-system exec etcd-minikube -- sh -c "ETCDCTL_API=3 etcdctl \
# create any k8s secret
$> kubectl create secret generic secret-encrypted -n default --from-literal=key=value
-# proof that now secrets are stored enctyped on disk and in ectd
+# proof that now secrets are stored encrypted on disk and in etctd
$> kubectl -n kube-system exec etcd-minikube -- sh -c "ETCDCTL_API=3 etcdctl --endpoints=https://127.0.0.1:2379 \
--cert /var/lib/minikube/certs/etcd/server.crt \
--key /var/lib/minikube/certs/etcd/server.key \
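Review bot: "etctd" on the `+` line is still a misspelling of `etcd`; the comment should read "stored encrypted on disk and in etcd". "proof that now secrets are" would also read better as "proof that secrets are now".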
diff --git a/docs/configuration.md b/docs/configuration.md
index ddbf947..024dfdf 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -59,8 +59,8 @@ path "transit/keys/kms" {
You can create the policy using `vault policy write kms ./kms-policy.hcl`.
### Kubernetes Auth
-`vault-kubernetes-kms` supports [Vaults Kubernetes Authentication Method](https://developer.hashicorp.com/vault/docs/auth/kubernetes). This way the curent specified service account is used for authentitation and authorization.
-Vault will need to be able to validate any incomming service accounts, thus we need to give Vault a token with the appropiate RBAC settings (`role-tokenreview-binding`).
+`vault-kubernetes-kms` supports [Vaults Kubernetes Authentication Method](https://developer.hashicorp.com/vault/docs/auth/kubernetes). This way the current specified service account is used for authentication and authorization.
+Vault will need to be able to validate any incoming service accounts, thus we need to give Vault a token with the appropriate RBAC settings (`role-tokenreview-binding`).
The following steps can help getting you started:
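Review bot: the first `+` line still says "the current specified service account", where "currently specified" is meant. "Vaults Kubernetes Authentication Method" in the link text on the same line should be the possessive "Vault's".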
@@ -70,7 +70,7 @@ The following steps can help getting you started:
apply these manifests by running: `kubectl apply -f rbac.yml`.
-Then you can enable Vaults Kubernete Auth method:
+Then you can enable Vaults Kubernetes Auth method:
```bash
$> vault auth enable kubernetes
@@ -80,7 +80,7 @@ $> vault write auth/kubernetes/config \
token_reviewer_jwt="${token}" \
kubernetes_host="https://127.0.0.1:8443" \
kubernetes_ca_cert="${ca_cert}"
-$> vault write auth/kubernetes/role/kms }
+$> vault write auth/kubernetes/role/kms
bound_service_account_names=default \
bound_service_account_namespaces=kube-system \
policies=kms \
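Review bot: dropping the stray `}` from `vault write auth/kubernetes/role/kms` leaves that line without a trailing `\`, so the shell ends the command there and the `bound_service_account_names=default \` lines that follow are no longer passed as its arguments. The `}` looks like a typo for a line continuation; end the line with `\`, matching `vault write auth/kubernetes/config \` above, so the role is actually written with its bound service account, namespace and policy.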
@@ -89,7 +89,7 @@ $> vault write auth/kubernetes/role/kms }
## Deploying `vault-kubernetes-kms`
### CLI Args & Environment Variables
-You can either pass the required arguments as commandline args or as environment variables (using a ConfigMap or Secrets)
+You can either pass the required arguments as command line args or as environment variables (using a ConfigMap or Secrets)
**Required**:
@@ -278,7 +278,7 @@ Copy the appropriate encryption provider configuration to your control plane nod
### Modify the `kube-api-server` Manifest
Last but not least, you would have to enable the encryption provider config for the `kube-apiserver`.
-This steps depends on wether your control plane components run as a systemd deamon or as static Pod on your control plane nodes (usually located at `/etc/kubernetes/manifests`).
+This steps depends on wether your control plane components run as a systemd daemon or as static Pod on your control plane nodes (usually located at `/etc/kubernetes/manifests`).
**Either way, the following changes need to be done:**
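Review bot: the `+` line fixes "deamon" but keeps two other errors in the same sentence, "This steps depends" and "wether". It should read "This step depends on whether your control plane components run as a systemd daemon or as a static Pod".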
diff --git a/docs/development.md b/docs/development.md
index 33a6f5f..eb5bf33 100644
--- a/docs/development.md
+++ b/docs/development.md
@@ -8,9 +8,9 @@ Obviously you will need all the tools mentioned above installed. Also this setup
## Components
Basically, we will need:
-1. A local Vault server initialized & unsealed and with a transit engine enabled aswell as a transit key created.
+1. A local Vault server initialized & unsealed and with a transit engine enabled as well as a transit key created.
2. A local (docker) registry so kind can pull the currently unreleased `vault-kubernetes-kms` image.
-3. A local Kubernetes Cluster (kind) configured to use the local registry aswell as the required settings for the kube-apiservers encryption provider config.
+3. A local Kubernetes Cluster (kind) configured to use the local registry as well as the required settings for the kube-apiservers encryption provider config.
### 1. Local Vault Server using `vault`
The following snippets sets up a local vault development server and creates a transit engine as well as a key.
diff --git a/docs/quickstart.md b/docs/quickstart.md
index eeb3c3c..d73f463 100644
--- a/docs/quickstart.md
+++ b/docs/quickstart.md
@@ -2,7 +2,7 @@
This Guide will walk you through the required steps of installing and configuring the `vault-kms-plugin` for Kubernetes. It currently uses token based authentication and HTTP communication, which is not secure enough when running in production.
!!! tip
- Checkout [https://falcosuessgott.github.io/hashicorp-vault-playground/home/](https://falcosuessgott.github.io/hashicorp-vault-playground/home/) a project that helps you quickly setting up HashiCorp Vault locally with many useful Kubernetes Labs already preconfigured.
+ Checkout [https://falcosuessgott.github.io/hashicorp-vault-playground/home/](https://falcosuessgott.github.io/hashicorp-vault-playground/home/) a project that helps you quickly setting up HashiCorp Vault locally with many useful Kubernetes Labs already pre configured.
!!! warning
This guide uses the new version of the Kubernetes KMS Plugin API, which was introduced in Kubernetes v1.29.0 ([https://kubernetes.io/docs/tasks/administer-cluster/kms-provider/#kms-v2](https://kubernetes.io/docs/tasks/administer-cluster/kms-provider/#kms-v2)).
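Review bot: "pre configured" on the `+` line is a regression, since "preconfigured" in the removed line was already correct as one word. Please revert this change; if the line is edited anyway, "Checkout" as a verb should be "Check out" and "helps you quickly setting up" should be "helps you quickly set up".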
@@ -158,7 +158,7 @@ $> kubectl get secret secret -o json | jq '.data | map_values(@base64d)'
For production usage you should consider:
* use Vaults Kubernetes Auth Method (see [https://falcosuessgott.github.io/vault-kubernetes-kms/configuration/](https://falcosuessgott.github.io/vault-kubernetes-kms/configuration/))
-* deploy the `vault-kubenetes-kms` Pod using a dedicated Service Account, instead of `default` (also adjust the kubernetes auth role)
+* deploy the `vault-kubernetes-kms` Pod using a dedicated Service Account, instead of `default` (also adjust the kubernetes auth role)
* use HTTPS for the communication between Kubernetes & HashiCorp Vault (see [https://falcosuessgott.github.io/vault-kubernetes-kms/configuration/](https://falcosuessgott.github.io/vault-kubernetes-kms/configuration/))
* deploy the `vault-kubernetes-kms` plugin as a static pod on all control plane nodes
* automate the deployment using your preferred automation method
diff --git a/docs/troubleshooting.md b/docs/troubleshooting.md
index 5270497..5be64db 100644
--- a/docs/troubleshooting.md
+++ b/docs/troubleshooting.md
@@ -1,4 +1,4 @@
# Troubleshooting
## Rollback
--> Follow the official [Kubernetes docunentation](https://kubernetes.io/docs/tasks/administer-cluster/decrypt-data/#decrypting-all-data) for decryption all data again.
+-> Follow the official [Kubernetes documentation](https://kubernetes.io/docs/tasks/administer-cluster/decrypt-data/#decrypting-all-data) for decryption all data again.
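Review bot: the `+` line corrects "docunentation" but leaves "for decryption all data again", which is ungrammatical. Suggest "for decrypting all data again", which also matches the `#decrypting-all-data` anchor in the linked URL.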