
add support for exposing the gRPC API on TCP and using TLS from PEM files #72

Draft
Nicolas-Peiffer wants to merge 42 commits into master from fix-tls-grpc

Conversation

Nicolas-Peiffer (Collaborator) commented Jul 17, 2025
  • add support for exposing the gRPC API on TCP and using TLS, as well as continuing to support the unix socket
  • add support for mutual TLS
  • add new flags grpc-network and enable-tls, which replace enable-server and disable-socket.
    • grpc-network allows choosing the type of connection: unix or tcp.
    • enable-tls, when using TCP, enables TLS and uses PEM x509 files from the filesystem.

Note: In the future, we might implement support for using a TLS server key stored inside a TPM. But for now, only PEM x509 files are supported.

…y "CLI flags > environment variables > configuration files > default". Improve logging. Update to go1.23.9

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

go mod tidy

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>
…e kubernetes KMS v2 manifest

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

add sequence diagram for KMS v2

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

add import kms/apis/v2 and start update to v2

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

add kek key id to NewP11

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

rename dek label

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

reorganize switch case to put EncryptRequest after StatusResponse

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

refactor StatusResponse

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

refactor unaryinterceptor

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

unaryinterceptor use StatusResponse

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

unaryinterceptor use EncryptResponse

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

refactor unaryinterceptor & Status

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

refactor unaryinterceptor & Status

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

refactor Status

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

add key id in encryptresponse

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

fix UML

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

refactor UML

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

refactor UML & update SVG

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

improve logrus for Status

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

refactor UnaryInterceptor

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

add return to status

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

encrypt return CKA_ID

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

update decrypt

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

uniformise keyId type across StatusResponse and EncryptResponse

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

add TTL infinite retention for DEK cache

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

remove references to KMS v1 ; identify with comments istio related methods ; add useful TODOs that need to be checked ; improve logging ; rename some objects

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

improve a comment

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

improve logs of Encrypt

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

remove return in UnaryInterceptor

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

add logrus error to decrypt

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

need to handle the KEK ID (CKA_ID) and key label (CKA_LABEL) better

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

viper add support for cobra MarkFlagsMutuallyExclusive and MarkFlagsOneRequired

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

modify title

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

NewP11 handle retrieving the KEK ID by label or label by ID

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

remove defaultKekId from the default value of the cobra flag for KEK ID

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

fix eval for empty byte array

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

initialize p11 context before FindKey

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

remove annotations from EncryptResponse

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

remove annotations from EncryptResponse

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

remove default values for labels

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

improve logging

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

improve converting KeyId from byte array to string

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

refactor keyId and conversion from string to byte array

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

fix NewP11 label for RSA

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

use crypto11 patch return error in findkey when key is nil

ThalesGroup/crypto11#122
Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

user can use CKA_ID for the HMAC

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

NewP11 better handle HMAC ID or Label

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

version does not exist in KMSv2

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

separate istio related function in a dedicated file

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

separate istio related test in a dedicated file

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

clean to converge toward KMS v2 testing BUT tests are not fully compatible with KMSv2

this needs further work

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

upgrade dependencies

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

update doc with KMSv2 updates

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

re-order the attribute of the struct that caches values of the CLI

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

create a branch for key rotation

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

serve command: re-order the attribute of the struct that caches values of the CLI

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

implement FindCkaAttrByIdOrLabel to simplify NewP11 and update crypto11

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

fix typo hmac

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

add support for key rotation during decrypt

for now key rotation is a sub command of serve

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

fix viper init of subcommand fix grpc for p11 default

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

add rotation param to NewP11

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

support key rotation for AES CBC hmac and improve Decrypt method for key rotation

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

add timestamps to logrus

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

update documentation for KMS v2 support

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

rotation subcommand MarkFlagsMutuallyExclusive for labels and ids

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

GoLint don't use Yoda conditions (ST1017)

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

catch exception generateDEK

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

catch exception

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

catch exception for empty byte arrays

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

separate unit tests from integration tests

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

simplify string related content

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

harmonize names

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

add tests for NewP11

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

update ViperFlagsServe

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

fix rebase error isKeyRotation for HMAC

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>
…ork is set to tcp*

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>
… & keys from PEM files

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>
Nicolas-Peiffer self-assigned this Jul 17, 2025
Nicolas-Peiffer added the documentation and enhancement labels Jul 17, 2025
Nicolas-Peiffer (Collaborator, Author) commented Jul 18, 2025

As of now (tested on k3s v1.33.1+k3s1), the KMSv2 API implementation from Kubernetes only supports unix socket gRPC as network connection endpoint:

The KMSv2 API does not support TCP and TLS.

… go1.24.5.

Update and Improve Documentation. Add sample kubernetes KMS v2 manifest.

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

update main README

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

add archlinux

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

add TLDR and fix typo

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

Improve docs

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

Improve docs with svg figures

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

add a README

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

move user cli auto generated docs

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

add a script to mimic k8s KMS APIserver

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

add references to gose and crypto11 and github repo

add docs for YubiHSM and Thales eToken fusion

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

fetch the KMS v2 protobuf file

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

test if file api.proto is already there

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

update documentation

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

remove KMS v1 config file

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

update go version of goreleaser custom image

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

fix an env var example in config file

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

update to go 1.24.5

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

fix spelling mistake

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

add verbose mode doc

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

add a k3s doc

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

DEPRECATED: nfpms.builds should not be used anymore

check https://goreleaser.com/deprecations#nfpmsbuilds for more info

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

update golang.org/x/sys & protobuf

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

update gose and crypto11 with latest go 1.23.6 versions (#66)

go mod tidy

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

add full default path for k3s sqlite db

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

rename and fix link to KMS manifest sample file

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

update figure

Update k8s-kms-plugin-deployment-scenario-examples.svg

fix embedded images

add Drawio source file

Add emoji to show the hidden figure

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

update goreleaser metadata

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

add figures for k8s x3 server nodes HA cluster

add ref to figure for HA k8s cluster

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

update puml before splitting it

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

start splitting plantUML diagrams

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

update indentation

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

update puml

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

rename puml

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

add patch for key rotation

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

remove old SVG add new SVG

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

update with JWE

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

add key rotation figure examples

Update k8s-kms-plugin-Key_Rot_1.svg

Update k8s-kms-plugin-Key_Rot_2.svg

Update k8s-kms-plugin-Key_Rot_3.svg

 add section about key rotation

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

update package installation section

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>
this allows updating the README and doc, as well as file location

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

update dependencies

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>
and be compatible with github.com/protocolbuffers/protobuf-go UnimplementedKeyManagementServiceServer

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>
Nicolas-Peiffer and others added 18 commits September 29, 2025 16:53
… go1.24.5.

Update and Improve Documentation. Add sample kubernetes KMS v2 manifest.
Implement key rotation #52
Remove KMS v1 #43

update dependencies & update to kms v0.34.1

and be compatible with github.com/protocolbuffers/protobuf-go UnimplementedKeyManagementServiceServer

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>
use corresponding go1.24.5 release tags for gose and crypto11

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>
Conflicts:
	.go-version
	QUICKSTART.md
	README.md
	cmd/k8s-kms-plugin/cmd/docs.go
	cmd/k8s-kms-plugin/cmd/root.go
	cmd/k8s-kms-plugin/cmd/serve.go
	configs/config.example.yaml
	deployments/k8s/encryption-conf-kmsv1.yaml
	deployments/k8s/encryption-conf-kmsv2-unix-socket.yaml
	deployments/k8s/encryption-conf.yaml
	go.mod
	go.sum
	pkg/providers/p11.go
	pkg/providers/p11_test.go
without the --id option of pkcs11-tool the key will have no CKA_ID

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

improve the key rot grpcurl

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>
this redundancy in the header was probably caused by the merge conflict resolution

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>
* create a base64 output for the Encrypt response; this can then be used to test a serve rotation

* feat: checkup CKA_ID of kek in hsm at startup; also fix arguments names consistency for kek

Signed-off-by: Louis Cailliot <louis.cailliot@thalesgroup.com>

* fix: address pr #74 comments

Signed-off-by: Louis Cailliot <louis.cailliot@thalesgroup.com>

---------

Signed-off-by: Louis Cailliot <louis.cailliot@thalesgroup.com>
Co-authored-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>
Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>
update to 0.34.1 to match the go.mod

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>