'first commit to remove hsm and tpm code'

beezy-dev · Oct 3, 2024 · 6ccf959 · 6ccf959
1 parent d04e6ef
commit 6ccf959
Show file tree

Hide file tree

Showing 10 changed files with 15 additions and 492 deletions.
diff --git a/Containerfile-kleidi-kms-hsm b/Containerfile-kleidi-kms-hsm
diff --git a/Containerfile-kleidi-kms-vault b/Containerfile-kleidi-kms-vault
@@ -12,7 +12,7 @@ RUN go mod download
 
 RUN CGO_ENABLED=1 GO111MODULE=on go build -ldflags "-X main.kleidiVersion=$VERSION" -a -installsuffix cgo cmd/kleidi/main.go
 
-FROM quay.io/centos/centos:stream9
+FROM quay.io/centos/centos:stream9-minimal
 
 LABEL org.opencontainers.image.source=https://github.com/beezy-dev/kleidi 
 LABEL org.opencontainers.image.title="Kleidi - Kubernetes KMS Plugin for Vault" 

diff --git a/README.md b/README.md
@@ -1,54 +1,5 @@
-# kleidi KMS provider plugin for Kubernetes
+# Kleidi KMS HashiCorp Vault Provider Plugin for Kubernetes
 
-## Why? 
-The traditional credentials handling practices enforce a clear separation of concerns between application and infrastructure teams.   
-However, Kubernetes centralized credentials through the ```secret``` and ```configmap``` API objects within ```etcd``` with an encryption layer. 
-
-More here [Security](docs/exposures.md) or with [Kubernetes Secrets Handbook](https://www.amazon.com/Kubernetes-Secrets-Handbook-production-grade-management/dp/180512322X)
-
-## How?
-Kubernetes introduces a KMS plugin framework to support access to an external security (hardware or software) module and enable an envelope encryption practice. 
-The Kubernetes API server will encrypt plaintext data with a data key, request kleidi to encrypt the data key with a third-party key, and store all the encrypted payload in ```etcd```. 
-Reading the payload will require access to the third-party provider via Kleidi.
-
-## Current state
-* KMSv2 with Kubernetes 1.29 and onwards.
-* PKCS#11 interface to [SoftHSM](https://www.opendnssec.org/softhsm/) deployed on the control plane nodes.   
-* HashiCorp Vault Community/Enterprise integration
-More here [Implementation](docs/architecture.md)
-
-# Deployments
-
-* [HashiCorp Vault Implementation](docs/vault.md)
-* [SoftHSM Implementation](docs/softhsm.md)
-
-## Future state  
-* (v)TPM integration (see R&D)
-* AWS/Azure Key Vault integration
-* Delinea/Thycotic integration 
-
-
-## Additional collaterals
-
-### Code of Conduct
-We believe in a space for everyone and we embrace the following [code of conduct](docs/code_of_conduct.md).
-
-### Contributing
-The essence of open source is sharing and contributing to knowledge. The guidelines are available [here](docs/contributing.md).
-
-### Security
-We take security and trust seriously. If you believe that you have found a security issue in this project, *please disclose responsibly the details by following the [security policy](docs/security.md). 
-
-
-## Origin of kleidi
-<img align="right" src="https://beezy.dev/images/DALL-E-kleid%C3%AD_comic_strip.png" width="25%">
-
-Initially, [romdalf](https://github.com/romdalf) founded [Trousseau](https://trousseau.io) in 2019 and released a production-grade KMSv1 provider plugin during his tenure at Ondat.  
-
-With the Kubernetes project moving to KMSv2 stable at 1.29 and KMSv1 being deprecated since 1.27, a decision needed to be made regarding rewriting the plugin, leading to the creation of kleidi.
-
-The origin is Greek, and the meaning is "key". (Source: [Wikipedia](https://en.wiktionary.org/wiki/%CE%BA%CE%BB%CE%B5%CE%B9%CE%B4%CE%AF))
-
-<br clear="left"/>
-<br clear="left"/>
+This repository is a strip down version of Kleidi to support HashiCorp Vault only. 
 
+Please refer to [beezy-dev/kleidi](https://github.com/beezy-dev/kleidi) for more details about the project.
diff --git a/cmd/kleidi/main.go b/cmd/kleidi/main.go
@@ -21,7 +21,6 @@ func main() {
 	// Generic vars considering the consistency across providers.
 	var (
 		listenAddr         = flag.String("listen", "unix:///tmp/kleidi/kleidi-kms-plugin.socket", "gRPC listen address")
-		providerService    = flag.String("provider", "softhsm", "KMS provider to connect to (hvault, softhsm, tpm)")
 		providerConfigFile = flag.String("configfile", "/opt/kleidi/config.json", "Provider config file pat")
 		debugMode          = flag.Bool("debugmode", false, "Enable debug mode")
 	)
@@ -31,7 +30,7 @@ func main() {
 
 	// Prettyfy the starting header fetching built version at compile time.
 	log.Println("--------------------------------------------------------")
-	log.Println("Kleidi", "v"+kleidiVersion, "KMS Provider Plugin for Kubernetes.")
+	log.Println("Kleidi", "v"+kleidiVersion, "for HashiCorp Vault Provider Plugin for Kubernetes.")
 	log.Println("License Apache 2.0 - https://github.com/beezy-dev/kleidi")
 	log.Println("--------------------------------------------------------")
 
@@ -46,12 +45,6 @@ func main() {
 		log.Fatalln("EXIT: unable to delete existing socket file", addr, "from directory!")
 	}
 
-	// Validating the provider.
-	provider, err := utils.ValidateProvider(*providerService)
-	if err != nil {
-		log.Fatalln("EXIT: flag -provider set to", provider, "failed with error:\n", err.Error())
-	}
-
 	// Validating the provider config.
 	providerConfig, err := utils.ValidateConfigfile(*providerConfigFile)
 	if err != nil {
@@ -63,6 +56,6 @@ func main() {
 	//Starting the appropriate provider once previously validated.
 	//REFACTOR to a simple interface
 
-	utils.StartProvider(addr, provider, providerConfig, debug)
+	utils.StartHvault(addr, providerConfig, debug)
 
 }
diff --git a/devContainerBuild.sh b/devContainerBuild.sh
@@ -19,9 +19,8 @@ NC='\033[0m' # No Color
 
 # Define variables 
 VERSION=$(git log -1 --pretty=%h)
-GITREPO="https://github.com/beezy-dev/kleidi.git" 
-CONTREG="ghcr.io/beezy-dev/kleidi-kms-plugin" 
-INITREG="ghcr.io/beezy-dev/kleidi-kms-init" 
+GITREPO="https://github.com/beezy-dev/kleidi-vault.git" 
+CONTREG="ghcr.io/beezy-dev/kleidi-vault" 
 BUILDDT=$(date '+%F_%H:%M:%S' )
 
 STR="'$*'" 
@@ -42,22 +41,10 @@ echo
 echo -e "${NC}Building kleidi vault dev container image ${BLUE}$CONTREG:$VERSION${NC} on ${BLUE}$BUILDDT${NC}."  
 podman build -f Containerfile-kleidi-kms-vault -t "$CONTREG:vault-$VERSION" -t "$CONTREG:vault-dev" --build-arg VERSION="$VERSION"
 
-echo
-echo -e "${NC}Building kleidi hsm dev container image ${BLUE}$CONTREG:$VERSION${NC} on ${BLUE}$BUILDDT${NC}."  
-podman build -f Containerfile-kleidi-kms-hsm -t "$CONTREG:hsm-$VERSION" -t "$CONTREG:hsm-dev" --build-arg VERSION="$VERSION"
-
 echo
 echo -e "${NC}Container pushed to push to ${BLUE}$CONTREG${NC} with tags ${BLUE}$VERSION${NC} and ${BLUE}dev${NC}." 
 podman push $CONTREG:vault-$VERSION
-podman push $CONTREG:hsm-$VERSION
 
 echo
 echo -e "${NC}Container pushed to push to ${BLUE}$CONTREG${NC} with tags ${BLUE}$VERSION${NC} and ${BLUE}dev${NC}." 
 podman push $CONTREG:vault-dev
-podman push $CONTREG:hsm-dev
-
-echo
-echo -e "${NC}Building kleidi hsm dev init container image ${BLUE}$INITREG:$VERSION${NC} on ${BLUE}$BUILDDT${NC}."  
-podman build -f configuration/kleidi-init/Containerfile -t "$INITREG:hsm-$VERSION" -t "$INITREG:hsm-dev" --build-arg VERSION="$VERSION"
-podman push $INITREG:hsm-$VERSION
-podman push $INITREG:hsm-dev
diff --git a/internal/providers/pkcs11.go b/internal/providers/pkcs11.go
diff --git a/internal/providers/tpm2.go b/internal/providers/tpm2.go