Architecture

These pages explain why the provider is shaped the way it is. They are maintainer-facing and assume operator-side context from Start Here, Deployment, and Operations.

Topics

  • Overview for the component model, data flow, trust boundaries, and deployment shape.
  • Background for the Kubernetes etcd encryption and KMS v2 protocol primer, plus the OpenBao Transit primer.
  • Transit Key Model for the OpenBao Transit key, policy, and isolation design.
  • Rotation Model for the rotation invariants the provider enforces against the Transit key version.
  • Failure Modes for the catalog of failure scenarios, observability signals, and design responses.
  • Related Work for existing Vault Transit KMS plugin work and the design influences this project carries forward.

Use Another Section If

  • the question is about how to install, wire, or operate the provider: go to Start Here or Operations.
  • the question is about exact behavior or contract detail: go to Reference.
  • the question is about contributing or local development: go to Development.

In This Section