Trousseau is an open-source project built on the Kubernetes Key Management Service (KMS) provider design and intended to serve as a framework for any KMS provider. It gives users a way to store and access secrets the Kubernetes-native way with any external KMS.
Once deployed, Trousseau brings seamless secret management through the native Kubernetes API and the kubectl CLI while leveraging an existing Key Management Service provider. It does this by using the Kubernetes KMS provider framework to apply an envelope encryption scheme to secrets.
Trousseau is written entirely in Go and implements the Kubernetes KMS provider interface. Data is encrypted with a data encryption key (DEK), and a new, separate DEK is generated for each encryption. The DEKs are in turn encrypted with a key that is stored and managed in a remote KMS.
The KMS provider then uses gRPC to communicate with a specific KMS plugin, which is implemented as a gRPC server and deployed on the same host(s) as the Kubernetes master(s). This KMS plugin is responsible for all communication with the remote KMS.
The workflow operates as follows:
- Create a secret
- Kube-api calls Trousseau
- Trousseau sends the encryption request to the KMS provider
- The provider returns the encrypted data to Trousseau
- Trousseau sends the encrypted data back to kube-api
- Kube-api stores the encrypted resource in etcd
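The envelope scheme behind that workflow, as an added Go example that is not Trousseau's own code: a fresh DEK is generated per secret, the secret is sealed with it, the DEK is wrapped by a key the KMS holds, and only the wrapped DEK plus ciphertext are handed back for storage. The `RemoteKMS` type is an in-memory stand-in for the external KMS, and `Envelope`, the AES-GCM choice and the AAD labels are assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// newGCM builds an AES-GCM AEAD for a 128-, 192- or 256-bit key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// seal encrypts plaintext under key with a fresh random nonce prefixed to the output; aad is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return g.Seal(nonce, nonce, plaintext, aad), nil
}
// open reverses seal and fails if nonce, ciphertext, tag or aad were altered.
func open(key, sealed, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil { return nil, err }
	n := g.NonceSize()
	if len(sealed) < n { return nil, errors.New("ciphertext too short") }
	return g.Open(nil, sealed[:n], sealed[n:], aad)
}
// RemoteKMS is a constructed stand-in for the external KMS: it holds the wrapping key and only wraps/unwraps DEKs.
type RemoteKMS struct{ KEK []byte }
// Envelope is what the API server would persist in etcd; the DEK never appears in it unwrapped.
type Envelope struct{ WrappedDEK, Ciphertext []byte }
// Encrypt generates a fresh 256-bit DEK per call, seals the secret with it and has the KMS wrap the DEK.
func Encrypt(kms RemoteKMS, secret []byte) (Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil { return Envelope{}, err }
	ct, err := seal(dek, secret, []byte("secret"))
	if err != nil { return Envelope{}, err }
	wrapped, err := seal(kms.KEK, dek, []byte("dek"))
	return Envelope{WrappedDEK: wrapped, Ciphertext: ct}, err
}
// Decrypt has the KMS unwrap the DEK, then opens the secret locally.
func Decrypt(kms RemoteKMS, env Envelope) ([]byte, error) {
	dek, err := open(kms.KEK, env.WrappedDEK, []byte("dek"))
	if err != nil { return nil, err }
	return open(dek, env.Ciphertext, []byte("secret"))
}
```

Because each call draws a new DEK, two envelopes of the same secret share nothing except the wrapping key, and rotating that key in the KMS only requires re-wrapping the small DEKs, not re-encrypting every secret.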