
enj / citadel

License: Apache-2.0
Turn an arbitrary command into a Kubernetes Key Management Service (KMS) gRPC server

Welcome to Citadel!

Citadel (c5l) is a simple daemon that implements the Kubernetes Key Management Service (KMS) gRPC interface by acquiring a key encryption key (KEK) from an arbitrary command. This makes it easy to plug in your own key management solution as a plain Unix command that writes the KEK to standard output.

How does it work?

When c5l starts, it runs the command you provide. The command writes the KEK to standard output. If the command fails during startup, c5l exits. Otherwise it uses the KEK returned by the command to encrypt and decrypt the data that Kubernetes sends it (in the KMS provider design, the per-resource data encryption keys that the API server envelope-encrypts).

c5l caches the KEK and therefore does not run the command on every incoming request. The lifetime of the cache entry is set by the timeout argument. If c5l cannot refresh the cache after several attempts, it purges the KEK and reports errors to Kubernetes. Once c5l succeeds in acquiring the KEK again, normal operation resumes.

To have c5l create its own listening socket, pass the endpoint argument. If it is omitted, c5l assumes it was started under socket activation and serves on the inherited socket.
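The caching and purge behaviour described above, written out as an added Go example (this is illustrative code, not citadel's own implementation): the command is run via `/bin/sh -c`, its raw stdout is kept for at most the timeout, a refresh is retried a fixed number of times, and on exhaustion the stale KEK is zeroed and an error is returned until a later refresh succeeds. The `Run` and `Now` hooks, the `MaxRetries` knob and the 16/24/32-byte length check are assumptions of this example, not citadel flags.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"sync"
	"time"
)

// ErrNoKEK is what the daemon reports back (to Kubernetes, in citadel's case)
// when the cache is empty and the command could not refill it.
var ErrNoKEK = errors.New("kek cache: no key encryption key available")

// KEKCache obtains a key encryption key from an external command, keeps it
// for at most Timeout, and purges it once refreshing has failed MaxRetries
// times in a row. Run and Now are hooks (assumed here, not citadel's API)
// so the behaviour can be exercised without a real command or wall clock.
type KEKCache struct {
	Run        func() ([]byte, error) // runs the command and returns its stdout
	Now        func() time.Time
	Timeout    time.Duration
	MaxRetries int

	mu        sync.Mutex
	kek       []byte
	fetchedAt time.Time
}

// NewKEKCache wires the cache to `/bin/sh -c command`, mirroring the
// --command and --timeout arguments described in the text.
func NewKEKCache(command string, timeout time.Duration, maxRetries int) *KEKCache {
	return &KEKCache{
		Run: func() ([]byte, error) {
			cmd := exec.Command("/bin/sh", "-c", command)
			cmd.Stderr = os.Stderr // let clevis/tang errors reach the operator's log
			return cmd.Output()    // raw bytes: a KEK may legitimately end in 0x0a
		},
		Now:        time.Now,
		Timeout:    timeout,
		MaxRetries: maxRetries,
	}
}

// refresh runs the command once and installs its output as the KEK.
// Callers hold c.mu.
func (c *KEKCache) refresh() error {
	out, err := c.Run()
	if err != nil {
		return fmt.Errorf("kek command failed: %w", err)
	}
	switch len(out) {
	case 16, 24, 32: // AES-128/192/256 key sizes (an assumption of this example)
	default:
		return fmt.Errorf("kek command returned %d bytes, want 16, 24 or 32", len(out))
	}
	c.kek = out
	c.fetchedAt = c.Now()
	return nil
}

// Start acquires the KEK once; a failure here is fatal for the daemon.
func (c *KEKCache) Start() error {
	c.mu.Lock()
	defer c.mu.Unlock()
	return c.refresh()
}

// Get returns a copy of the cached KEK, refreshing it after Timeout. When
// MaxRetries consecutive attempts fail, the stale KEK is zeroed and dropped
// and ErrNoKEK is returned until a later call succeeds again.
func (c *KEKCache) Get() ([]byte, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.kek != nil && c.Now().Sub(c.fetchedAt) < c.Timeout {
		return append([]byte(nil), c.kek...), nil
	}
	var lastErr error
	for i := 0; i < c.MaxRetries; i++ {
		if lastErr = c.refresh(); lastErr == nil {
			return append([]byte(nil), c.kek...), nil
		}
	}
	for i := range c.kek {
		c.kek[i] = 0
	}
	c.kek = nil
	return nil, fmt.Errorf("%w: %v", ErrNoKEK, lastErr)
}

func main() {
	// Stand-in for `clevis decrypt < kek.jwe`: any command that writes 32 raw bytes.
	c := NewKEKCache("dd if=/dev/urandom bs=32 count=1 status=none", time.Hour, 3)
	if err := c.Start(); err != nil {
		fmt.Fprintln(os.Stderr, "startup failed:", err)
		os.Exit(1)
	}
	kek, err := c.Get()
	fmt.Printf("kek: %d bytes, err=%v\n", len(kek), err)
}
```

Two choices worth noting: stdout is kept byte-for-byte (trimming a trailing newline would corrupt a raw 32-byte key about 1 time in 256), and `Get` hands out a copy so that zeroing the cached key on purge cannot be undone by a caller holding the old slice.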

Arguments

Required

  • --command string: the command to retrieve the key encryption key

Optional

  • --endpoint string: the listen address (e.g. unix:///tmp/socket)

  • --timeout duration: maximum time to cache KEK locally (default 1h)

  • --mode string: encryption mode to use, the options are [aescbc] (default "aescbc")

Crypto Details

The KEK is currently used for AES-CBC encryption. CBC mode provides confidentiality only: it does not authenticate the ciphertext, so a modified ciphertext is not detected at decryption time and decrypts to modified plaintext. Other modes are being considered with the intent of providing cryptographic agility and features such as authentication.
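What "no ciphertext authentication" means in practice, as an added Go example (not citadel's code): AES-CBC with PKCS#7 padding under a 32-byte KEK, a `Flip` helper that XORs one byte of the IV-prefixed ciphertext, and AES-GCM under the same KEK for contrast. Flipping byte i of the CBC ciphertext flips byte i of the recovered plaintext (garbling the preceding block when i is past the IV), and the only check on the way out, the padding, still passes. The demo key and the `admin=0;...` plaintext are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// pkcs7Unpad strips PKCS#7 padding, rejecting a malformed trailer. Under CBC
// this is the only integrity check there is, and it only covers the last block.
func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("bad padded length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// EncryptCBC returns iv || AES-CBC(pkcs7(pt)). No tag is produced.
func EncryptCBC(kek, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append([]byte(nil), pt...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

// DecryptCBC inverts EncryptCBC; tampered input usually "succeeds".
func DecryptCBC(kek, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	if len(ct) < 2*aes.BlockSize || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("bad ciphertext length")
	}
	pt := make([]byte, len(ct)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, ct[:aes.BlockSize]).CryptBlocks(pt, ct[aes.BlockSize:])
	return pkcs7Unpad(pt, aes.BlockSize)
}

// Flip returns a copy of ct with byte i XORed by delta (the attacker's edit).
func Flip(ct []byte, i int, delta byte) []byte {
	out := append([]byte(nil), ct...)
	out[i] ^= delta
	return out
}

func newGCM(kek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptGCM returns nonce || AES-GCM(pt): same KEK, but now with a 16-byte tag.
func EncryptGCM(kek, pt []byte) ([]byte, error) {
	aead, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, pt, nil), nil
}

// DecryptGCM fails on any change to the nonce, ciphertext or tag.
func DecryptGCM(kek, ct []byte) ([]byte, error) {
	aead, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	if len(ct) < aead.NonceSize() {
		return nil, errors.New("bad ciphertext length")
	}
	return aead.Open(nil, ct[:aead.NonceSize()], ct[aead.NonceSize():], nil)
}

func main() {
	kek := bytes.Repeat([]byte{0x42}, 32) // constructed demo key only
	ct, _ := EncryptCBC(kek, []byte("admin=0;user=alice;role=viewer!!"))
	forged, err := DecryptCBC(kek, Flip(ct, 6, '0'^'1'))
	fmt.Printf("cbc: %q err=%v\n", forged, err)
}
```

Flipping byte 6 of the IV turns `admin=0` into `admin=1` with no error from `DecryptCBC`; the same one-byte change to the GCM output (nonce, body or tag) makes `DecryptGCM` return an error and no plaintext. For a KMS plugin the data being protected is a key, so a silently altered decryption result is exactly the failure mode an authenticated mode is meant to rule out.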

Examples

Here is an example which uses a Clevis decryption policy so that the KEK can only be recovered while a Tang server is reachable on the network.

First, generate a 32-byte (AES-256) KEK and encrypt it with the Clevis policy; only the resulting JWE is written to disk:

$ dd if=/dev/urandom bs=32 count=1 status=none \
  | clevis encrypt tang '{"url":"http://tang.srv"}' \
  > /var/db/citadel/kek.jwe

Next, you run c5l with the clevis decrypt command:

$ citadel --command 'clevis decrypt < /var/db/citadel/kek.jwe'

When run, c5l is able to acquire the KEK if, and only if, the Tang server is reachable on the network. Reading the file (/var/db/citadel/kek.jwe) directly reveals only ciphertext. Note that the Tang pin involves no other secret: anyone who obtains kek.jwe and can reach tang.srv can recover the KEK the same way, so the file's permissions and the network path to the Tang server are the effective access controls.
