Fortanix Data Security Manager Using Secret Store CSI Driver

1.0 Introduction

This article describes how to integrate Fortanix-Data-Security-Manager (DSM) with Secrets Store Container Storage Interface (CSI) Driver solution to securely access secrets such as API keys, passwords, and certificates in Kubernetes pods.

The Fortanix CSI Provider allows you to use secrets stored in Fortanix DSM and mount them into Kubernetes pods using the CSI Driver to securely access and manage the data stored in Fortanix DSM by the applications running in Kubernetes.

2.0 Tested Product Versions

The following product versions were tested:

• Fortanix DSM version 4.33.2488

• Kubernetes version 1.16 or above

• Secret Store CSI Driver version 1.4.6

• Fortanix CSI Provider version 0.0.21

3.0 Prerequisites

Ensure the following:

• A Kubernetes cluster version 1.16 or above is installed and running.

• The Fortanix DSM is accessible. For more information, refer to Section 5.1: Signing Up and 5.2: Creating an Account.

• Download the Fortanix CSI Provider from the GitHub repository.

4.0 Architecture Diagram

The Secret Store CSI Driver facilitates secure access and management of secrets within Kubernetes by integrating with an external secret management system, specifically Fortanix DSM. When a container requires a secret, it initiates a request to the Secret Store CSI Driver.

The Secret Store CSI Driver works by interfacing with the secret management system, fetching the required secrets, and making them available at runtime without storing them on the cluster. To configure which secrets to fetch and how to mount them into the pod's file system, it utilizes a SecretProviderClass resource.

After receiving the request, the CSI Driver interacts with a custom provider designed for Fortanix DSM. This provider is responsible for authenticating using predefined credentials and retrieving the requested secrets from Fortanix DSM. After the secrets are obtained, the CSI Driver makes them accessible to applications by either mounting them to a designated storage volume or exposing them as environment variables.

This integration streamlines the process of secret retrieval for applications running in Kubernetes.

5.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

5.1 Signing Up

5.2 Creating an Account

Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.

5.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

1. In the DSM left navigation panel, click the Groups menu item, and then click the + button to create a new group.

   

2. On the Adding new group page, do the following:

   1. Title: Enter a name for your group.

   2. Description (optional): Enter a short description of the group.

3. Click SAVE to create the new group.

The new group is added to the Fortanix DSM successfully.

5.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

1. In the DSM left navigation panel, click the Apps menu item, and then click the + button to create a new app.

   

2. On the Adding new app page, do the following:

   1. App name: Enter the name for your application.

   2. ADD DESCRIPTION (optional): Enter a short description of the application.

   3. Authentication method: Select the default API Key as the authentication method from the drop down menu. For more information on these authentication methods, refer to the User's Guide: Authentication.

   4. Assigning the new app to groups: Select the group created in Section 5.3: Creating a Group from the list.

3. Click SAVE to add the new application.

The new application is added to the Fortanix DSM successfully.

5.5 Copying the API Key

Perform the following steps to copy the API key from the Fortanix DSM:

1. In the DSM left navigation panel, click the Apps menu item, and then click the app created in Section 5.4: Creating an Application to go to the detailed view of the app.

2. On the INFO tab, click VIEW API KEY DETAILS.

3. From the API Key Details dialog box, copy the API Key of the app to use it while configuring the Fortanix CSI Provider.

5.6 Creating a Security Object

NOTE

For this guide, two tokenization security objects are created.

Perform the following steps to import a Secret key in the Fortanix DSM:

1. In the DSM left navigation panel, click the Security Objects menu item, and then click the + button to create a new security object.

   

2. On the Add new Security Object page, do the following:

   1. Security Object Name: Enter the name of your security object. For example, secret_name_1.

   2. Group: Select the group as created in Section 5.3: Creating a Group.

   3. Select the IMPORT radio button.

   4. In the Choose a type section, select the Secret key type.

   5. In the Place value here or import from file section, select the value format type as Hex, Base64, or Raw, and click UPLOAD A FILE to upload the key file.

   6. In the Key operations permitted section, select the required operations to define the actions that can be performed with the cryptographic keys, such as encryption, decryption, signing, and verifying.

      NOTE

      Ensure that the Export permission is selected.

3. Click IMPORT to create the new security object.

4. Similarly, repeat Steps 1 to 3 to create another security object. For example, secret_name_2.

The two new security objects are added to the Fortanix DSM successfully.

6.0 Infrastructure Setup

6.1 Installing the Secret Store CSI Driver

Perform the following steps to install the Secret Store CSI Driver using Helm:

1. Run the following command to add the CSI Driver:

   helm repo add secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts

2. Run the following command to install the CSI Driver:

   helm install csi-secrets-store secrets-store-csi-driver/secrets-store-csi-driver --namespace <namespace> 

   Where, <namespace> refers to the name of the Kubernetes namespace.

   NOTE

   Ensure you apply for it in the same namespace where the CSI Driver is installed.

6.2 Installing the Fortanix CSI Provider

Perform the following steps to install the Fortanix CSI Provider:

1. Ensure that the fortanix-csi-provider.yaml file is cloned from the GitHub repository.

2. Run the following command to apply the YAML file to your Kubernetes cluster:

   kubectl apply -f  fortanix-csi-provider.yaml -n <namespace>

6.3 Configuring the Fortanix CSI Provider

Perform the following steps to configure the Fortanix CSI Provider :

1. Create a new <secret_provider_class>.yaml file and update it with the following:

   • Update the name and namespace, if required.

   • Specify the dsmEndpoint in the configuration.

   • Add the dsmAPIkey generated in Section 5.5: Copying the API Key.

   • Specify the secretName for both the security objects generated in Section 5.6: Creating a Security Object.

   apiVersion: secrets-store.csi.x-k8s.io/v1
   kind: SecretProviderClass
   metadata:
     name: fortanix-test
     namespace: <namespace>
   spec:
     provider: fortanix-csi-provider
     parameters:
       dsmEndpoint: "<fortanix_dsm_endpoint>"
       dsmApikey: "<fortanix_dsm_apikey>"
       objects: |
         - secretName: "<secret_name>"

   NOTE

   Ensure that the namespace in <secret_provider_class>.yaml matches the namespace in your deployment.yaml file.

   Refer to the sample fortanix-secret-provider-class.yaml file in the Examples section to update the Fortanix CSI Provider.

   To verify that the SecretProviderClass is configured correctly, refer to the following test pod YAML configuration (for example, test-pod.yaml) for validation:

   apiVersion: v1
   kind: Pod
   metadata:
     name: test-pod
     namespace: csi-driver
   spec:
     serviceAccountName: fortanix-csi-provider
     containers:
     - name: test-container
       image: busybox
       command: ["sleep", "3600"]
       volumeMounts:
       - name: secrets-store-inline
         mountPath: "/mnt/secrets"
         readOnly: true
     volumes:
     - name: secrets-store-inline
       csi:
         driver: secrets-store.csi.k8s.io
         readOnly: true
         volumeAttributes:
           secretProviderClass: "fortanix-test"

2. Save the updated file and run the following command to apply it to the cluster:

   kubectl apply -f <secret_provider_class>.yaml -n <namespace>

   Where,

   • <secret_provider_class> refers to the secret provider class as created in Step 1.

   • <namespace> refers to the Kubernetes namespace.

7.0 Configuring Secret Rotation and Synchronization

7.1 Enabling the Secret Rotation

Perform the following steps to install the Secrets Store CSI Driver with secret rotation enabled:

1. Run the following command to install the Secrets Store CSI Driver with secret rotation enabled:

   helm install csi-secrets-store secrets-store-csi-driver/secrets-store-csi-driver \
     --namespace <namespace> \
     --set enableSecretRotation=true \
     --set rotationPollInterval=<duration>

   Where,

   • <namespace> refers to the name of the Kubernetes namespace.

   • enableSecretRotation=true enables automatic secret rotation.

   • rotationPollInterval=<duration> specifies how often the CSI Driver checks for updated secrets. You can define the interval in minutes (for example, 2m) or seconds (for example, 120s).

7.2 Configuring Synchronization as Kubernetes Secret

Perform the following steps to install the secrets store CSI Driver with secret synchronization enabled:

1. Run the following command to install the Secrets Store CSI Driver:

   helm install secrets-store-csi-driver secrets-store-csi-driver/secrets-store-csi-driver --namespace <namespace> --
   set syncSecret.enabled=true

   Where, <namespace> refers to the name of the Kubernetes namespace.

2. Add the following content to the <secret_provider_class>.yaml file:

   secretObjects:
   - secretName: "<secretName>" #The Kubernetes secret name
   type: Opaque #type of kubernetes secret (tls,sat,basic etc..,)
   labels:
   environment: "test"
   data:
   - objectName: <objectName> #This should match the secret name given in Fortanix CSI Provider
   key: <key-value pair>

   Where,

   • <secretName> refers to the specific Kubernetes secret name.

   • <objectName> refers to the name of the object same as the secret name given in Fortanix CSI Provider.

   • <key-value pair> refers to the specific key-value pairs that match the Fortanix CSI Provider.

   NOTE

   • If the provider supports an alias for a mounted file, ensure that the objectName in secretObjects matches the mounted content. This can be either the original object name or the alias.

   • Secrets are synced only when a pod mounts them. Enabling synchronization alone does not create or update Kubernetes Secrets.

   • When all pods consuming a secret are deleted, the corresponding Kubernetes Secret is also deleted.

   • You can also combine secret rotation and synchronization in a single Helm installation by using both flags together:

     helm install secrets-store-csi-driver secrets-store-csi-driver/secrets-store-csi-driver \
       --namespace <namespace> \
       --set enableSecretRotation=true \
       --set syncSecret.enabled=true \
       --set syncSecret.retryDuration=1m

7.3 Secret Consumption Options

• File-based mount – Secrets are mounted into the pod’s filesystem at a path (/mnt/secrets).

• Kubernetes Secret sync – Secrets are synced into Kubernetes native Secret objects and can be consumed, such as any other Secret.

• Environment variable injection – Secrets (synced as K8s Secrets) can be referenced in pod specifications.

8.0 Troubleshooting

Perform the following steps to check logs from the CSI Provider pod:

1. Run the following command to get details about the DaemonSet pods and look for any errors:

   kubectl get pods -n <namespace> -l app=fortanix-csi-provider

2. Run the following command to get detailed information if the pod is not running:

   kubectl describe pod -n <namespace> <fortanix-csi-provider-pod-name>

   Look for events and error messages in the output, such as Failed, CrashLoopBackOff, or Error.

   Where,  <fortanix-csi-provider-pod-name> refers to the pod name of the Fortanix CSI Provider.

3. Run the following command to check the logs of the Fortanix CSI Provider pod to identify any issues that occurred during startup:

   kubectl logs -n <namespace> <fortanix-csi-provider-pod-name>

   NOTE

   If there are multiple containers in the pod, ensure to specify the container name with the -c flag:

   kubectl logs -n <namespace> <fortanix-csi-provider-pod-name> -c provider-fortanix-installer

4. Run the following command if you suspect that the issue might be related to the node where the Fortanix CSI Provider is running. You can check the node logs for more context:

   kubectl logs -n <namespace> <node-name> -l app=fortanix-csi-provider

   Where,

   • <namespace> refers to the name of the Kubernetes namespace.

   • <node-name> refers to the name of the Kubernetes node.