Fortanix Data Security Manager Using Secret Store CSI Driver

1.0 Introduction

This article describes how to integrate Fortanix-Data-Security-Manager (DSM) with Secrets Store Container Storage Interface (CSI) Driver solution to securely access secrets such as API keys, passwords, and certificates in Kubernetes pods.

The Fortanix CSI Provider allows you to use secrets stored in Fortanix DSM and mount them into Kubernetes pods using the CSI Driver to securely access and manage the data stored in Fortanix DSM by the applications running in Kubernetes.

2.0 Tested Product Versions

The following product versions were tested:

• Fortanix DSM version 4.33.2488

• Kubernetes version 1.16 or above

• Secret Store CSI Driver version 1.4.6

• Fortanix CSI Provider version 0.0.21

3.0 Prerequisites

Ensure the following:

• A Kubernetes cluster version 1.16 or above is installed and running.

• The Fortanix DSM is accessible. For more information, refer to Section 5.1: Signing Up and 5.2: Creating an Account.

• Download the Fortanix CSI Provider from the Github repository.

4.0 Architecture Diagram

The Secret Store CSI Driver facilitates secure access and management of secrets within Kubernetes by integrating with an external secret management system, specifically Fortanix DSM. When a container requires a secret, it initiates a request to the Secret Store CSI Driver.

The Secret Store CSI Driver works by interfacing with the secret management system, fetching the required secrets, and making them available at runtime without storing them on the cluster. To configure which secrets to fetch and how to mount them into the pod's file system, it utilizes a SecretProviderClass resource.

After receiving the request, the CSI Driver interacts with a custom provider designed for Fortanix DSM. This provider is responsible for authenticating using predefined credentials and retrieving the requested secrets from Fortanix DSM. After the secrets are obtained, the CSI Driver makes them accessible to applications by either mounting them to a designated storage volume or exposing them as environment variables.

This integration streamlines the process of secret retrieval for applications running in Kubernetes.

5.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

5.1 Signing Up

To get started with the Fortanix Data Security Manager (DSM) cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.

For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.

5.2 Creating an Account

Access the <Your_DSM_Service_URL> on the web browser and enter your credentials to log in to the Fortanix DSM.

5.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

1. Click the Groups menu item in the DSM left navigation panel and click the + button on the Groups page to add a new group.

   

2. On the Adding new group page, enter the following details:

   • Title: Enter a title for your group.

   • Description (optional): Enter a short description for the group.

3. Click the SAVE button to create the new group.

The new group has been added to the Fortanix DSM successfully.

5.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

1. Click the Apps menu item in the DSM left navigation panel and click the + button on the Apps page to add a new app.

   

2. On the Adding new app page, enter the following details:

   • App name: Enter the name of your application.

   • ADD DESCRIPTION (optional): Enter a short description for the application.

   • Authentication method: Select the default API Key as the method of authentication from the drop down menu. For more information on these authentication methods, refer to User's Guide: Authentication documentation.

   • Assigning the new app to groups: Select the group created in Section 5.3: Creating a Group from the list.

3. Click the SAVE button to add the new application. 

The new application has been added to the Fortanix DSM successfully.

5.5 Copying the API Key

Perform the following steps to copy the API key from the Fortanix DSM:

1. Click the Apps menu item in the DSM left navigation panel and click the app created in Section 5.4: Creating an Application to go to the detailed view of the app.

2. On the INFO tab, click the VIEW API KEY DETAILS button.

3. From the API Key Details dialog box, copy the API Key of the app to use it later while configuring the Fortanix CSI Provider.

5.6 Creating a Security Object

Perform the following steps to generate a tokenization key in the Fortanix DSM:

1. Click the Security Objects menu item in the DSM left navigation panel and click the + button on the Security Objects page to add a security object.

   

2. On the Add new Security Object page, enter the following details:

   • Security Object Name: Enter the name of your security object. For example, secret_name_1.

   • Group: Select the group as created in Section 5.3: Creating a Group.

   • Select the IMPORT radio button.

   • Choose a type: Select the Secret key type to generate.

   • In the Place value here or import from file section, select the value format type as Hex, Base64, or Raw and click the UPLOAD A FILE button to upload the key file.

   • Key Size: Indicates the size of the key in bits.

   • Key operations permitted: Select the required operations to define the actions that can be performed with the cryptographic keys, such as encryption, decryption, signing, and verifying.

     NOTE

     Ensure that the Export permission is selected.

   • Select the attributes if required using ADD ATTRIBUTE.

   • Enter the key Expiration Date and key Activation Date.

3. Click the IMPORT button to create the new security object.

4. Similarly, repeat the Steps 1 to 3 to create another security object. For example, secret_name_2.

The two new security objects have been added to the Fortanix DSM successfully.

6.0 Infrastructure Setup

6.1 Installing the Secret Store CSI Driver

Perform the following steps to install the Secret Store CSI Driver using helm:

1. Run the following command to add the CSI Driver:

   helm repo add secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts

2. Run the following command to install the CSI Driver:

   helm install csi-secrets-store secrets-store-csi-driver/secrets-store-csi-driver --namespace <namespace> 

   Where,

   • <namespace> refers to the name of the Kubernetes namespace.

6.2 Installing the Fortanix CSI Provider

Perform the following steps to install the Fortanix CSI Provider:

1. Ensure that the Fortanix CSI Provider is downloaded from the Github repository.

2. Run the following command to apply the YAML file to your Kubernetes cluster:

   kubectl apply -f  /fortanix-csi-provider.yaml

6.3 Configuring the Fortanix CSI Provider

Perform the following steps to configure the Fortanix CSI Provider :

1. Open the fortanix-secret-provider-class.yaml file, update the following:

   • Update the name and namespace, if required.

   • Specify the dsmEndpoint in the configuration.

   • Add the dsmAPIKey generated in Section 5.5: Copying the API Key.

   • Specify the secretName for both the security object names generated in Section 5.6: Creating a Security Object.

   kind: SecretProviderClass
   metadata:
     name: <SecretProviderClass>
     namespace: <namespace>
   spec:
     provider: fortanix-csi-provider
     parameters:
       dsmEndpoint: "<your_endpoint_here>"
       dsmApiKey: "<your_api_key_here>"
       objects: |
         - secretName: "<secret_name_1>"  
         - secretName: "<secret_name_2>"

6.4 Setting Up the Fortanix CSI Provider on a Kubernetes Cluster

Perform the following steps to set up the Fortanix CSI Provider:

1. Run the following command to install Fortanix CSI Provider in the required namespace:

   kubectl apply -f fortanix-csi-provider.yaml -n <namespace>

   Where,

   • <namespace> refers to the name of the Kubernetes namespace.

2. Run the following command to apply the secret provider class:

   In the SecretProviderClass, specify the name of your SecretProviderClass, the namespace, DSM credentials, and the secrets that need to be retrieved.

   kubectl apply -f deployment/secret-provider-class.yaml

3. Add the following parameters to your deployment pod to use the Fortanix CSI Provider:

   volumeMounts:
       - name: secrets-store-inline
         mountPath: "/mnt/secrets"
         readOnly: true
     volumes:
     - name: secrets-store-inline
       csi:
         driver: secrets-store.csi.k8s.io
         readOnly: true
         volumeAttributes: 
           secretProviderClass: "<secretProviderClass>"

   Where,

   • <secretProviderClass> refers to the name of Secret Provider Class.

4. After the setup is complete and the pod is running, run the following command to execute into the pod:

   kubectl exec -it <pod_name> -n <namespace> --/bin/bash

   Where,

   • <pod_name> refers to the name of the pod.

   • <namespace> refers to the name of the Kubernetes namespace.

7.0 Configuring Secret Rotation and Synchronization

7.1 Enabling Secret Rotation

Perform the following steps to install the Secrets Store CSI Driver with secret rotation enabled:

1. Run the following command to install the Secrets Store CSI Driver with secret rotation enabled:

   helm install csi-secrets-store secrets-store-csi-driver/secrets-store-csi-driver \
   --namespace <namespace> \ 
   --set syncSecret.retryDuration=<duration>

   Where,

   • <namespace> refers to the name of the Kubernetes namespace.

   • set syncSecret.retryDuration=<duration>: To set the duration for retrying the fetching of secrets if the initial attempt fails in minutes (for example, 2m) or seconds (for example, 120s).

7.2 Configuring Secret Synchronization

Perform the following steps to install the secrets store CSI Driver with secret synchronization enabled:

1. Run the following command to install the Secrets Store CSI Driver:

   helm install secrets-store-csi-driver secrets-store-csi-driver/secrets-store-csi-driver --namespace <namespace> --
   set syncSecret.enabled=true

   Where,

   • <namespace> refers to the name of the Kubernetes namespace.

2. Add the following content to the YAML file:

   secretObjects:
   - secretName: "<secretName>" #The Kubernetes secret name
   type: Opaque #type of kubernetes secret (tls,sat,basic etc..,)
   labels:
   environment: "test"
   data:
   - objectName: <objectName> #This should match the secret name given in Fortanix CSI Provider
   key: <key-value pair>

   Where,

   • <secretName> refers to the specific Kubernetes secret name.

   • <objectName> refers to the name of the object same as the secret name given in Fortanix CSI Provider.

   • <key-value pair> refers to the specific key-value pairs that match the Fortanix CSI Provider.

3. Run the following command to use the secret as environment variable:

   env:
   - name: <env_var_name>
   valueFrom:
     secretKeyRef:
   name: <name> # Reference the created Kubernetes secret
   key: <key-value pair> # Reference the key in the secret

   Where,

   • <env_var_name> refers to the name of the environment variable.

   • <name> refers to the Kubernetes secret name.

   • <key-value pair> refers to the actual key you are referencing.

7.3 Auto-Rotation

Perform the following steps to enable the secret auto-rotation and synchronization:

1. Run the following command to enable both secret rotation and synchronization:

   helm install secrets-store-csi-driver secrets-store-csi-driver/secrets-store-csi-driver --namespace <namespace> --
   set enableSecretRotation=true --set syncSecret.enabled=true --set syncSecret.retryDuration=<duration>

   Where,

   • <namespace> refers to the name of the Kubernetes namespace.

   • set syncSecret.enabled=true: To enable the synchronization of secrets from Fortanix DSM.

   • set syncSecret.retryDuration=<duration> refers to the specific duration value.

2. Run the following command to upgrade an existing helm installation:

   helm upgrade secrets-store-csi-driver secrets-store-csi-driver/secrets-store-csi-driver --namespace <namespace> --
   set syncSecret.enabled=true --set syncSecret.enabled=true --set syncSecret.retryDuration=1m

8.0 Troubleshooting

Perform the following steps to check logs from the CSI Provider pod:

1. Run the following command to get details about the DaemonSet pods and look for any errors:

   kubectl get pods -n csi -l app=fortanix-csi-provider

2. Run the following command to get detailed information if the pod is not in the Running state:

   kubectl describe pod -n csi <fortanix-csi-provider-pod-name>

   Look for events and error messages in the output, such as Failed, CrashLoopBackOff, or Error.

   Where,

   • <fortanix-csi-provider-pod-name> refers to the pod name of the Fortanix CSI Provider.

3. Run the following command to check the logs of the Fortanix CSI Provider pod to identify any issues that occurred during startup:

   kubectl logs -n csi <fortanix-csi-provider-pod-name>

   NOTE

   If there are multiple containers in the pod, ensure to specify the container name with the -c flag:

   kubectl logs -n csi <fortanix-csi-provider-pod-name> -c provider-fortanix-installer

4. Run the following command if you suspect that the issue might be related to the node where the Fortanix CSI Provider is running, you can check the node logs for more context:

   kubectl logs -n <namespace> <node-name> -l app=fortanix-csi-provider

   Where,

   • <namespace> refers to the name of the Kubernetes namespace.

   • <node-name> refers to the name of the Kubernetes node.