Start Here

Use this section when you are new to bao-kms-provider or when you need the shortest safe path from first install to a working KMS v2 encryption configuration.

  1. Overview to confirm what the provider does and does not do, and that the OpenBao Transit pattern fits your platform.
  2. OpenBao Setup to provision the Transit mount, key, policy, and provider authentication.
  3. Install to fetch a verified binary and validate the local environment.
  4. Deployment: Choosing A Model to run the provider on every control-plane node through a supported deployment model.
  5. Kubernetes Encryption Config to write the EncryptionConfiguration the Kubernetes API server consumes.
  6. First Encrypt to run the smoke test and confirm encrypted resources land in etcd as expected.

Then Move To

  • Operations for rotation, disaster recovery, upgrade, and troubleshooting once the provider is live.
  • Reference when the question becomes behavior-specific instead of workflow-specific.
