A plugin for kubernetes encryption that allows the use of vault as a KMS provider
See usage documentation here
All commits must use conventional commit messages to ensure versioning happens correctly.
Unit tests should be colocated with the code they test, you can run unit tests using the following command
cargo test --bins --libIntegration tests will be located in the tests directory at the root of the project, they require some set up locally.
Make sure just is installed on your system
cargo install justRun the justfile to set up the environment
justThen you can run the integration tests with the following command
cargo test --test *End to end tests are implemented using helm's testing library, you can find the tests themselves in the helm/templates/tests directory. There are also some files used for testing located in the test_files directory.
In order to run the tests you will need to deploy a vault server and the helm chart for this repository, you can do this using their respective helm charts
helm install vault-kms-provider ./helm -n vault \
--set "image.tag=$IMAGE_TAG" \
--set "role.rules[0].apiGroups={}" \
--set "role.rules[0].resources={secrets}" \
--set "role.rules[0].verbs={get,create}"The parameters we set here are giving the tests the ability to create and modify secrets (so that we can check that they are encrypted/decrypted as expected). The image tag is self-explanatory, but keep in mind that if you are testing new changes, you will need to push them to a repository and specify the image you wish to pull and test in the IMAGE_TAG declaration.
The tests expect there to be an etcd backend for them to access in order to confirm the stored data (secrets) is encrypted. There are too many potential k8s tools to cover how to make this work, but you may look to this repositories circleci config for examples on how to set one up if your brand of k8s does not use etcd. Either way, you will need to be sure the tests have access to an etcd backend to retrieve the data stored by k8s.
The tests will need to be able to make requests to etcd. In order to communicate over tls, you will need to point to tls certificates that can verify communication with Etcd. The tests run by helm will mount a volume at /tmp/certs where it will look for three files:
ca.crt, tls.crt, and tls.key. With these certificates in place the tests should run fine over tls.
Once the vault KMS provider has been set up, you can run the tests with the following command:
helm test vault-kms-providerTls is enabled by setting environment variables that point to the relevant certificate files required for tls.
# Defines the path to a ca certificate file
VAULT_CA_CERT="/path/to/cert/file.crt"
# Defines the path to a directory containing ca certificate file
VAULT_CA_PATH="/path/to/cert/directory"
![@renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=64&v=4){kind=small}