Trousseau

Trousseau is an open-source project, based on Kubernetes KMS provider design. It is designed to be a framework for any KMS provider (see release notes).

Why Trousseau?

Kubernetes platform users are all facing the very same question: how do we handle Secrets?

While there are significant efforts to improve Kubernetes component layers, the state of Secret Management isn't receiving much interest. Using etcd to store API object definition & states, Kubernetes secrets are encoded in Base64 and shipped into the key value store database. Even if the filesystems on which etcd runs are encrypted, the secrets are still not.

Instead of leveraging the native Kubernetes way to manage secrets, commercial and open source solutions solve this design flaw by leveraging different approaches all using different toolsets or practices. This leads to training and maintaining niche skills and tools increasing the cost and complexity of Kubernetes day 0, 1 and 2.

Once deployed, Trousseau will enable seamless secret management using the native Kubernetes API and kubectl CLI usage while leveraging an existing Key Management Service (KMS) provider.

How? By using the Kubernetes KMS provider framework to provide an envelope encryption scheme to encrypt secrets on the fly.

Trousseau software architecture

Trousseau is fully developed in Go addressing the Kubernetes KMS provider. Here is the quote from the Kubernetes project defining the overall process that trousseau is based on:

The KMS encryption provider uses an envelope encryption scheme to encrypt data in etcd. The data is encrypted using a data encryption key (DEK); a new DEK is generated for each encryption.

The DEKs are encrypted with a key encryption key (KEK) that is stored and managed in a remote KMS. The KMS provider uses gRPC to communicate with a specific KMS plugin. The KMS plugin, which is implemented as a gRPC server and deployed on the same host(s) as the Kubernetes master(s), is responsible for all communication with the remote KMS.