
[RFC-0010] Introduce object-level workload identity for KMS decryption#1426

Merged
matheuscscp merged 1 commit into main from rfc-0010 on May 7, 2025

Conversation

@matheuscscp
Member

@matheuscscp matheuscscp commented Apr 18, 2025

Depends on: fluxcd/pkg#919

Part of: fluxcd/flux2#5022

Fixes: #324

This PR also introduces a token cache in kustomize-controller for caching the cloud provider access tokens used for interacting with the respective KMS services. This token cache will report the following metrics:

  • Counter gotk_token_cache_events_total
    • Help: Total number of cache retrieval events for a Gitops Toolkit resource reconciliation.
    • Labels: event_type, kind, name, namespace, operation. The values of event_type can be cache_miss or cache_hit. The value of operation is decrypt_with_<cloud_provider>.
  • Counter gotk_token_cache_requests_total
    • Help: Total number of cache requests partitioned by success or failure.
    • Labels: status. The values of status can be success or failure.
  • Counter gotk_token_cache_evictions_total
    • Help: Total number of cache evictions.
    • No labels.
  • Gauge gotk_token_cached_items
    • Help: Total number of items in the cache.
    • No labels.

I tested this PR in the following setups:

EKS:

  • Single-tenant Pod Identity
  • Single-tenant IRSA
  • Multi-tenant IRSA
  • Single-tenant IRSA with the SOPS feature for assuming a role
  • Multi-tenant IRSA with the SOPS feature for assuming a role

AKS:

  • Single-tenant workload identity
  • Multi-tenant workload identity

GKE:

  • Single-tenant workload identity
  • Multi-tenant workload identity with direct access
  • Multi-tenant workload identity with GCP service account impersonation
  • .secretRef with GCP service account JSON key (this is unrelated to workload identity but this code path is changing, so I tested that it still works)

@matheuscscp matheuscscp force-pushed the rfc-0010 branch 3 times, most recently from 0bd9952 to 75c4de0 on April 20, 2025 08:37
@stefanprodan stefanprodan added area/sops SOPS related issues and pull requests area/security Security related issues and pull requests labels Apr 21, 2025
@matheuscscp matheuscscp force-pushed the rfc-0010 branch 4 times, most recently from 3cdd0e1 to f7bfb54 on May 1, 2025 09:15
Comment thread internal/decryptor/decryptor.go Outdated
@matheuscscp matheuscscp force-pushed the rfc-0010 branch 4 times, most recently from 7adfdc7 to c413d47 on May 3, 2025 00:48
Comment thread main.go Outdated
Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
Member

@stefanprodan stefanprodan left a comment


LGTM

Thanks @matheuscscp 🏅

@stefanprodan stefanprodan changed the title [RFC-0010] Introduce KMS provider decryption with service account [RFC-0010] Introduce object-level workload identity for KMS decryption May 7, 2025
@matheuscscp matheuscscp merged commit d775ed3 into main May 7, 2025
5 checks passed
@matheuscscp matheuscscp deleted the rfc-0010 branch May 7, 2025 16:59

Linked issue that merging this pull request may close: SOPS multi-tenancy

2 participants