Reference

These pages answer behavior-specific questions. Use them when the workflow guidance has already pointed you to a concept and you need exact field, command, metric, or contract detail.

Lookups

  • CLI for command, flag, and exit-code behavior.
  • Configuration for the provider configuration file shape, defaults, and validation rules.
  • KMS v2 Contract for the gRPC protocol surface the Kubernetes API server consumes.
  • Key ID And AAD for the key_id format, annotation rules, and AAD envelope.
  • EncryptionConfiguration for the Kubernetes API server EncryptionConfiguration shape used with this provider.
  • Observability for the principles of metrics, logs, error classes, and health endpoints.
  • Metrics for the metric-by-metric and log-field reference.
  • Compatibility for the supported Kubernetes and OpenBao version envelope.
  • Support Policy for the supported configurations and version-pinning expectations.
  • Release Policy for release channels, artifact policy, and verification materials.
  • Transit Policy Examples for least-privilege OpenBao policies for the provider hot path.

Use Another Section If

  • the question is about how to install or wire the provider: go to Start Here.
  • the question is about an operational task or runbook: go to Operations.
  • the question is about why a given behavior is the way it is: go to Architecture.

In This Section

  • CLI: Authoritative reference for the bao-kms-provider command-line interface: serve, doctor, verify-key, benchmark, rotation-plan, verify-rotation, config, policy openbao, completion, exit codes.
  • Configuration: Authoritative reference for the bao-kms-provider configuration file: example, defaults, validation rules, identity-bearing fields, and unsafe options.
  • KMS v2 Contract: The Kubernetes KMS v2 gRPC behavior bao-kms-provider satisfies: endpoint, provider name, Status, Encrypt, Decrypt, annotations, error semantics, and conformance tests.
  • Key ID And AAD: Authoritative reference for the Kubernetes key_id format, KMS v2 annotations, AAD envelope shape, decrypt validation order, and local registry state.
  • EncryptionConfiguration: Authoritative reference for the Kubernetes API server EncryptionConfiguration shape used with bao-kms-provider: required fields, semantics, automatic reload caveats, and resource selection.
  • Observability: Principles, error classes, health endpoints, alerts, log shape, and debug correlation for bao-kms-provider.
  • Metrics: Authoritative metric and log-field reference: every Prometheus metric exported by bao-kms-provider and every stable log field name.
  • Compatibility: Tested Kubernetes, OpenBao, OS, deployment mode, Transit key type, and compatibility rules for bao-kms-provider.
  • Support Policy: Current preview support scope, tested versions, security fix expectations, and operator responsibilities for bao-kms-provider.
  • Release Policy: Release channels, versioning, artifact families, and verification materials for bao-kms-provider.
  • Transit Policy Examples: Reference OpenBao policy, auth role, and Transit key configuration examples for bao-kms-provider, plus capabilities to avoid.