constellation/s3proxy/deploy
Otto Bittner 887dcda78b s3proxy: add keyservice integration
Encrypt each object with a random DEK and attach
the encrypted DEK as object metadata.
Encrpt the DEK with a key from the keyservice.
All objects use the same KEK until a keyrotation
takes place.
2023-10-06 11:23:32 +02:00
..
deployment-s3proxy.yaml s3proxy: add intial implementation 2023-10-06 11:23:32 +02:00
README.md s3proxy: add keyservice integration 2023-10-06 11:23:32 +02:00

Deploying s3proxy

Caution: Using s3proxy outside Constellation is insecure as the connection between the key management service (KMS) and s3proxy is protected by Constellation's WireGuard VPN. The VPN is a feature of Constellation and will not be present by default in other environments.

Disclaimer: the following steps will be automated next.

  • Within constellation/build: bazel run //:devbuild
  • Copy the container name displayed for the s3proxy image. Look for the line starting with [@//bazel/release:s3proxy_push].
  • Replace the image key in deployment-s3proxy.yaml with the image value you just copied. Use the sha256 hash instead of the tag to make sure you use the latest image.
  • Replace the replaceme values with valid AWS credentials. The s3proxy uses those credentials to access S3.
  • Run kubectl apply -f deployment-s3proxy.yaml

Deploying Filestash

Filestash is a demo application that can be used to see s3proxy in action. To deploy Filestash, first deploy s3proxy as described above. Then run the below commands:

$ cat << EOF > "deployment-filestash.yaml"
apiVersion: apps/v1
kind: Deployment
metadata:
    name: filestash
spec:
    replicas: 1
    selector:
        matchLabels:
            app: filestash
    template:
        metadata:
            labels:
                app: filestash
        spec:
          imagePullSecrets:
          - name: regcred
          hostAliases:
          - ip: $(kubectl get svc s3proxy-service -o=jsonpath='{.spec.clusterIP}')
            hostnames:
            - "s3.eu-west-1.amazonaws.com"
          containers:
          - name: filestash
            image: machines/filestash:latest
            ports:
            - containerPort: 8334
            volumeMounts:
            - name: ca-cert
              mountPath: /etc/ssl/certs/kube-ca.crt
              subPath: kube-ca.crt
          volumes:
          - name: ca-cert
            secret:
              secretName: s3proxy-tls
              items:
              - key: ca.crt
                path: kube-ca.crt
EOF

$ kubectl apply -f deployment-filestash.yaml

Afterwards you can use a port forward to access the Filestash pod:

  • kubectl port-forward pod/$(kubectl get pod --selector='app=filestash' -o=jsonpath='{.items[*].metadata.name}') 8443:8443