Fortanix Data Security Manager Using Secret Store CSI Driver

1.0 Introduction

This article describes how to integrate Fortanix-Data-Security-Manager (DSM) with Secrets Store Container Storage Interface (CSI) Driver solution to securely access secrets such as API keys, passwords, and certificates in Kubernetes pods.

The Fortanix CSI Provider allows you to use secrets stored in Fortanix DSM and mount them into Kubernetes pods using the CSI Driver to securely access and manage the data stored in Fortanix DSM by the applications running in Kubernetes.

2.0 Tested Product Versions

The following product versions were tested:

• Fortanix DSM version 4.33.2488

• Kubernetes version 1.16 or above

• Secret Store CSI Driver version 1.4.6

• Fortanix CSI Provider version 0.0.21

3.0 Prerequisites

Ensure the following:

• A Kubernetes cluster version 1.16 or above is installed and running.

• The Fortanix DSM is accessible. For more information, refer to Section 5.1: Signing Up and 5.2: Creating an Account.

• Download the Fortanix CSI Provider from the GitHub repository.

4.0 Architecture Diagram

The Secret Store CSI Driver facilitates secure access and management of secrets within Kubernetes by integrating with an external secret management system, specifically Fortanix DSM. When a container requires a secret, it initiates a request to the Secret Store CSI Driver.

The Secret Store CSI Driver works by interfacing with the secret management system, fetching the required secrets, and making them available at runtime without storing them on the cluster. To configure which secrets to fetch and how to mount them into the pod's file system, it utilizes a SecretProviderClass resource.

After receiving the request, the CSI Driver interacts with a custom provider designed for Fortanix DSM. This provider is responsible for authenticating using predefined credentials and retrieving the requested secrets from Fortanix DSM. After the secrets are obtained, the CSI Driver makes them accessible to applications by either mounting them to a designated storage volume or exposing them as environment variables.

This integration streamlines the process of secret retrieval for applications running in Kubernetes.

5.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

5.1 Signing Up

To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.

For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.

5.2 Creating an Account

Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.

For more information on how to set up an account in Fortanix DSM, refer to the User's Guide: Getting Started with Fortanix Data Security Manager - UI.

5.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

1. In the DSM left navigation panel, click the Groups menu item, and then click the + button to create a new group.

   

2. On the Adding new group page, do the following:

   1. Title: Enter a name for your group.

   2. Description (optional): Enter a short description of the group.

3. Click SAVE to create the new group.

The new group is added to the Fortanix DSM successfully.

5.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

1. In the DSM left navigation panel, click the Apps menu item, and then click the + button to create a new app.

   

2. On the Adding new app page, do the following:

   1. App name: Enter the name for your application.

   2. ADD DESCRIPTION (optional): Enter a short description of the application.

   3. Authentication method: Select the default API Key as the authentication method from the drop down menu. For more information on these authentication methods, refer to the User's Guide: Authentication.

   4. Assigning the new app to groups: Select the group created in Section 5.3: Creating a Group from the list.

3. Click SAVE to add the new application.

The new application is added to the Fortanix DSM successfully.

5.5 Copying the API Key

Perform the following steps to copy the API key from the Fortanix DSM:

1. In the DSM left navigation panel, click the Apps menu item, and then click the app created in Section 5.4: Creating an Application to go to the detailed view of the app.

2. On the INFO tab, click VIEW API KEY DETAILS.

3. From the API Key Details dialog box, copy the API Key of the app to use it while configuring the Fortanix CSI Provider.

5.6 Creating a Security Object

NOTE

For this guide, two tokenization security objects are created.

Perform the following steps to import a Secret key in the Fortanix DSM:

1. In the DSM left navigation panel, click the Security Objects menu item, and then click the + button to create a new security object.

   

2. On the Add new Security Object page, do the following:

   1. Security Object Name: Enter the name of your security object. For example, secret_name_1.

   2. Group: Select the group as created in Section 5.3: Creating a Group.

   3. Select the IMPORT radio button.

   4. In the Choose a type section, select the Secret key type.

   5. In the Place value here or import from file section, select the value format type as Hex, Base64, or Raw, and click UPLOAD A FILE to upload the key file.

   6. In the Key operations permitted section, select the required operations to define the actions that can be performed with the cryptographic keys, such as encryption, decryption, signing, and verifying.

      NOTE

      Ensure that the Export permission is selected.

3. Click IMPORT to create the new security object.

4. Similarly, repeat Steps 1 to 3 to create another security object. For example, secret_name_2.

The two new security objects are added to the Fortanix DSM successfully.

6.0 Infrastructure Setup

6.1 Installing the Secret Store CSI Driver

Perform the following steps to install the Secret Store CSI Driver using Helm:

1. Run the following command to add the CSI Driver:

   helm repo add secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts

2. Run the following command to install the CSI Driver:

   helm install csi-secrets-store secrets-store-csi-driver/secrets-store-csi-driver --namespace <namespace> 

   Where,

   • <namespace> refers to the name of the Kubernetes namespace.

6.2 Installing the Fortanix CSI Provider

Perform the following steps to install the Fortanix CSI Provider:

1. Ensure that the Fortanix CSI Provider is downloaded from the GitHub repository.

2. Run the following command to apply the YAML file to your Kubernetes cluster:

   kubectl apply -f  /fortanix-csi-provider.yaml

6.3 Configuring the Fortanix CSI Provider

Perform the following steps to configure the Fortanix CSI Provider :

1. Open the fortanix-secret-provider-class.yaml file, update the following:

   • Update the name and namespace, if required.

   • Specify the dsmEndpoint in the configuration.

   • Add the dsmAPIkey generated in Section 5.5: Copying the API Key.

   • Specify the secretName for both the security object names generated in Section 5.6: Creating a Security Object.

   kind: SecretProviderClass
   metadata:
     name: <SecretProviderClass>
     namespace: <namespace>
   spec:
     provider: fortanix-csi-provider
     parameters:
       dsmEndpoint: "<your_endpoint_here>"
       dsmApikey: "<your_api_key_here>"
       objects: |
         - secretName: "<secret_name_1>"  
         - secretName: "<secret_name_2>"

6.4 Setting Up the Fortanix CSI Provider on a Kubernetes Cluster

Perform the following steps to set up the Fortanix CSI Provider:

1. Run the following command to install Fortanix CSI Provider in the required namespace:

   kubectl apply -f fortanix-csi-provider.yaml -n <namespace>

   Where,

   • <namespace> refers to the name of the Kubernetes namespace.

2. Run the following command to apply the secret provider class:

   In the SecretProviderClass, specify the name of your SecretProviderClass, the namespace, DSM credentials, and the secrets that need to be retrieved.

   kubectl apply -f deployment/secret-provider-class.yaml

3. Add the following parameters to your deployment pod to use the Fortanix CSI Provider:

   volumeMounts:
       - name: secrets-store-inline
         mountPath: "/mnt/secrets"
         readOnly: true
     volumes:
     - name: secrets-store-inline
       csi:
         driver: secrets-store.csi.k8s.io
         readOnly: true
         volumeAttributes: 
           secretProviderClass: "<secretProviderClass>"

   Where,

   • <secretProviderClass> refers to the name of the Secret Provider Class.

4. After the setup is complete and the pod is running, run the following command to execute in the pod:

   kubectl exec -it <pod_name> -n <namespace> -- /bin/bash

   Where,

   • <pod_name> refers to the name of the pod.

   • <namespace> refers to the name of the Kubernetes namespace.

7.0 Configuring Secret Rotation and Synchronization

7.1 Enabling Secret Rotation

Perform the following steps to install the Secrets Store CSI Driver with secret rotation enabled:

1. Run the following command to install the Secrets Store CSI Driver with secret rotation enabled:

   helm install csi-secrets-store secrets-store-csi-driver/secrets-store-csi-driver \
   --namespace <namespace> \ 
   --set syncSecret.retryDuration=<duration>

   Where,

   • <namespace> refers to the name of the Kubernetes namespace.

   • set syncSecret.retryDuration=<duration>: To set the duration for retrying the fetching of secrets if the initial attempt fails in minutes (for example, 2m) or seconds (for example, 120s).

7.2 Configuring Secret Synchronization

Perform the following steps to install the secrets store CSI Driver with secret synchronization enabled:

1. Run the following command to install the Secrets Store CSI Driver:

   helm install secrets-store-csi-driver secrets-store-csi-driver/secrets-store-csi-driver --namespace <namespace> --
   set syncSecret.enabled=true

   Where,

   • <namespace> refers to the name of the Kubernetes namespace.

2. Add the following content to the YAML file:

   secretObjects:
   - secretName: "<secretName>" #The Kubernetes secret name
   type: Opaque #type of kubernetes secret (tls,sat,basic etc..,)
   labels:
   environment: "test"
   data:
   - objectName: <objectName> #This should match the secret name given in Fortanix CSI Provider
   key: <key-value pair>

   Where,

   • <secretName> refers to the specific Kubernetes secret name.

   • <objectName> refers to the name of the object same as the secret name given in Fortanix CSI Provider.

   • <key-value pair> refers to the specific key-value pairs that match the Fortanix CSI Provider.

3. Run the following command to use the secret as an environment variable:

   env:
   - name: <env_var_name>
   valueFrom:
     secretKeyRef:
   name: <name> # Reference the created Kubernetes secret
   key: <key-value pair> # Reference the key in the secret

   Where,

   • <env_var_name> refers to the name of the environment variable.

   • <name> refers to the Kubernetes secret name.

   • <key-value pair> refers to the actual key you are referencing.

7.3 Auto-Rotation

Perform the following steps to enable the secret auto-rotation and synchronization:

1. Run the following command to enable both secret rotation and synchronization:

   helm install secrets-store-csi-driver secrets-store-csi-driver/secrets-store-csi-driver --namespace <namespace> --
   set enableSecretRotation=true --set syncSecret.enabled=true --set syncSecret.retryDuration=<duration>

   Where,

   • <namespace> refers to the name of the Kubernetes namespace.

   • set syncSecret.enabled=true: To enable the synchronization of secrets from Fortanix DSM.

   • set syncSecret.retryDuration=<duration> refers to the specific duration value.

2. Run the following command to upgrade an existing Helm installation:

   helm upgrade secrets-store-csi-driver secrets-store-csi-driver/secrets-store-csi-driver --namespace <namespace> --
   set syncSecret.enabled=true --set syncSecret.enabled=true --set syncSecret.retryDuration=1m

8.0 Troubleshooting

Perform the following steps to check logs from the CSI Provider pod:

1. Run the following command to get details about the DaemonSet pods and look for any errors:

   kubectl get pods -n csi -l app=fortanix-csi-provider

2. Run the following command to get detailed information if the pod is not running:

   kubectl describe pod -n csi <fortanix-csi-provider-pod-name>

   Look for events and error messages in the output, such as Failed, CrashLoopBackOff, or Error.

   Where,

   • <fortanix-csi-provider-pod-name> refers to the pod name of the Fortanix CSI Provider.

3. Run the following command to check the logs of the Fortanix CSI Provider pod to identify any issues that occurred during startup:

   kubectl logs -n csi <fortanix-csi-provider-pod-name>

   NOTE

   If there are multiple containers in the pod, ensure to specify the container name with the -c flag:

   kubectl logs -n csi <fortanix-csi-provider-pod-name> -c provider-fortanix-installer

4. Run the following command if you suspect that the issue might be related to the node where the Fortanix CSI Provider is running. You can check the node logs for more context:

   kubectl logs -n <namespace> <node-name> -l app=fortanix-csi-provider

   Where,

   • <namespace> refers to the name of the Kubernetes namespace.

   • <node-name> refers to the name of the Kubernetes node.