Preparing the SDS for Kubernetes init container environment
The SDS for Kubernetes init container is provided as a compressed archive containing:
- The Docker image for the init container: sds-kubernetes-init-container-<version>.tar.gz
- The encryptor.cjs script to encrypt the sensitive data with the SDSDK. It must be run before the pod manifest is applied.
- A Kubernetes pod manifest example (pod.yaml) to deploy the "sdskub" pod using the SDS for Kubernetes init container and the test application container.
You can deploy the Docker image either to a Docker registry or to a local registry.
Load the init container image provided in the sds-kubernetes-init-container-<version>.tar archive and push it to an image registry.
- To load the image with Docker, run the following command:
  $ docker load -i sds-kubernetes-init-container-<version>.tar.gz
- To tag the image and push it to a registry, run the following commands:
  $ docker tag stormshield/sdskub-init-container:<VERSION> <IMAGE_REGISTRY_URL>/<IMAGE_TAG>:<VERSION>
  $ docker push <IMAGE_REGISTRY_URL>/<IMAGE_TAG>:<VERSION>
For more information, refer to the Kubernetes documentation.
The SDS Key Management as a Service (KMaaS) provides the API for encrypting/decrypting sensitive data using Data Encryption Keys (DEKs).
You must configure the KMaaS config.json file as follows:
- Enable the KAS feature.
- Specify at least one API key in the authentication method of the KAS.
For more information, refer to the KMaaS Administration guide.
On the host where you will encrypt the sensitive data, set the KMaaS parameters as environment variables as described in the table below.
The KMAAS_API_KEY value is the following string encoded in base64:
_KAS_AUTHENTICATION_API_KEY_NAME:_KAS_AUTHENTICATION_API_KEY_VALUE
You can find it in the KMaaS config.json file.
On Unix environments, you can encode the KMaaS API key with this command:
$ echo -n "_KAS_AUTHENTICATION_API_KEY_NAME:_KAS_AUTHENTICATION_API_KEY_VALUE" | base64
| Environment variable | Description |
|---|---|
| KMAAS_URL | URL of the KMaaS. |
| KMAAS_TENANT_ID | ID of the tenant declared in the tenant_id parameter of the KMaaS config.json file. |
| KMAAS_API_KEY | Base64 string of the concatenated values _KAS_AUTHENTICATION_API_KEY_NAME:_KAS_AUTHENTICATION_API_KEY_VALUE of the KMaaS config.json file. |
$ export KMAAS_URL=https://host.kmaas:443
$ export KMAAS_TENANT_ID=025f02fe-bee2-231c-bf76-b5ead30327c0
$ export KMAAS_API_KEY=NCH2aG9yaXplZEFwaUtleTpvY2dZWENFSzY2UHJUSTYxTnkzSmtBRkxyM0JaL0x4Vw==
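The following helper is an added example, not part of the SDS documentation: it builds the KMAAS_API_KEY value from the KAS API key name and value, and checks an existing value decodes to the expected name:value shape. It strips the line wrapping that some base64 implementations insert after 76 characters (a name and value of realistic length exceed that), since a newline inside the exported variable would make the key unusable; the function names are assumptions.

```shell
# Build the KMAAS_API_KEY value from the KAS API key name and value
# (equivalent to the documented echo -n "NAME:VALUE" | base64, with
# line wrapping removed). Refuses empty parts and a ':' in the name,
# because the decoded string is split on its first ':'.
kmaas_api_key() {
    name=$1
    value=$2
    if [ -z "$name" ] || [ -z "$value" ]; then
        echo "kmaas_api_key: name and value must be non-empty" >&2
        return 1
    fi
    case $name in
        *:*) echo "kmaas_api_key: API key name must not contain ':'" >&2
             return 1 ;;
    esac
    # tr -d '\n' removes the 76-column wrapping of GNU base64
    printf '%s:%s' "$name" "$value" | base64 | tr -d '\n'
}

# Decode an existing KMAAS_API_KEY value and verify it has a name:value
# shape; prints the key name so it can be compared with config.json.
kmaas_api_key_check() {
    decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
    case $decoded in
        *:*) ;;
        *) echo "kmaas_api_key_check: no ':' separator in decoded value" >&2
           return 1 ;;
    esac
    printf '%s\n' "${decoded%%:*}"
}

# Example (constructed placeholder name and value, as in the documentation):
# export KMAAS_API_KEY=$(kmaas_api_key "_KAS_AUTHENTICATION_API_KEY_NAME" "_KAS_AUTHENTICATION_API_KEY_VALUE")
```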