  • Stars: 913
  • Rank: 50,033 (Top 1.0 %)
  • Language: C#
  • License: Apache License 2.0
  • Created over 6 years ago
  • Updated about 1 year ago


Repository Details

An open source, git-ops, zero-trust secret encryption and decryption solution for Kubernetes applications


Kamus

An open source, GitOps, zero-trust secrets encryption and decryption solution for Kubernetes applications. Kamus enables users to easily encrypt secrets that can be decrypted only by the application running on Kubernetes. The encryption is done using strong encryption providers (currently supported: Azure KeyVault, Google Cloud KMS and AES). To learn more about Kamus, check out the blog post and slides.

Getting Started

The simplest way to run Kamus is by using the Helm chart:

helm repo add soluto https://charts.soluto.io
helm upgrade --install kamus soluto/kamus

Refer to the installation guide for more details. After installing Kamus, you can start using it to encrypt secrets. Kamus encrypts secrets for a specific application, represented by a Kubernetes Service Account. Create a service account for your application, and mount it on the pods running your application. Once you know the name of the service account and the namespace it exists in, install the Kamus CLI:

npm install -g @soluto-asurion/kamus-cli

Use Kamus CLI to encrypt the secret:

kamus-cli encrypt --secret super-secret --service-account kamus-example-sa --namespace default --kamus-url <Kamus URL>

If you're running Kamus locally, the Kamus URL will be something like http://localhost:<port>, so you need to add the --allow-insecure-url flag to allow plain HTTP.

Pass the value returned by the CLI to your pod, and use the Kamus Decrypt API to decrypt the value. The simplest way to achieve that is by using the init container. An alternative is to call the Kamus Decrypt API directly from the application code. To make it clearer, take a look at the working example app. You can deploy this app to any Kubernetes cluster that has Kamus installed to understand how it works.
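As an added example (not from the Kamus project or its docs), the manifest below covers the service-account step described above: it creates the service account that kamus-cli was given with `--service-account kamus-example-sa --namespace default`, and a pod that runs under that account with the CLI's output passed in as an environment variable. The namespace and service-account name are the ones used in the encrypt command above; the image name and the encrypted value are placeholders, and the decryption step (init container or a direct Decrypt API call) follows the Kamus docs and is not shown here.

```yaml
# Added example, not part of the Kamus project.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kamus-example-sa      # the identity the secret was encrypted for
  namespace: default
---
apiVersion: v1
kind: Pod
metadata:
  name: kamus-example-app
  namespace: default
spec:
  # Run as the same service account the secret was encrypted for. Per the
  # README, the value can only be decrypted by the application running
  # under that account, so a pod using any other account gets nothing.
  serviceAccountName: kamus-example-sa
  automountServiceAccountToken: true   # the pod needs its token to call Decrypt
  containers:
    - name: app
      image: your-app-image:tag        # placeholder image
      env:
        - name: ENCRYPTED_SUPER_SECRET
          # Placeholder: paste the string printed by `kamus-cli encrypt ...`.
          value: "<output of kamus-cli encrypt>"
```

Keeping one dedicated service account per application, rather than reusing `default`, is what makes the binding meaningful: the encrypted value is tied to that account, so narrowing which pods run under it narrows which pods can decrypt.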

Have a question? Something is not clear? Reach out to us on Kamus Slack!

Architecture

Kamus has 3 components:

  • Encrypt API
  • Decrypt API
  • Key Management System (KMS)

The encrypt and decrypt APIs handle encryption and decryption requests. The KMS is a wrapper for various cryptographic solutions. Currently supported:

  • AES - uses one key for all secrets
  • AWS KMS, Azure KeyVault, Google Cloud KMS - creates one key per service account.

We look forward to adding support for other cloud encryption backends.

Consult the installation guide for more details on how to deploy Kamus using the relevant KMS.

Utilities

Kamus is shipped with 2 utilities that make it easier to use:

  • Kamus CLI - a small CLI that eases the interaction with the Encrypt API. Refer to the docs for more details.
  • Kamus init container - an init container that interacts with the Decrypt API. Refer to the docs for more details.
  • CRD Controller - allows creating native Kubernetes secrets using Kamus. Refer to the docs for more details.

Users

Using Kamus? Open a PR and add your company name here!

Security

We take security seriously at Soluto. To learn more about the security aspects of Kamus refer to the Threat Modeling docs containing all the various threats and mitigations we discussed. Before installing Kamus in production refer to the installation guide to learn the best practices of deploying Kamus securely. In case you find a security issue or have something you would like to discuss refer to our security.md policy.

Contributing

Found a bug? Have a missing feature? Please open an issue and let us know. We would like to help you use Kamus! Please note: do not report security issues on GitHub. We will immediately delete such issues.

More Repositories

  • tweek - Tweek - an open source feature manager (C#, 345 stars)
  • graphql-to-mongodb - Allows for generic run-time generation of filter types for existing graphql types and parsing client requests to mongodb find queries (TypeScript, 314 stars)
  • oidc-server-mock - Configurable Mock Server for OpenId Connect (C#, 204 stars)
  • python-flask-sklearn-docker-template - A simple example of a Python API for real-time machine learning, using scikit-learn, Flask and Docker (Python, 135 stars)
  • dynamico - Dynamico allows a remote (web-like) code push workflow for continuous delivery of specific features, native or web (TypeScript, 97 stars)
  • webdriverio-zap-proxy - Demo - how to easily build security testing for a web app, using Zap and Glue (JavaScript, 58 stars)
  • mobsf-ci - All that is required to run MobSF in CI (Shell, 42 stars)
  • shisell-js - A service-agnostic library for building immutable scoped analytic event dispatchers with extra data, identities and lazy filters (TypeScript, 41 stars)
  • monitored - A utility for monitoring services (TypeScript, 37 stars)
  • dqd - Dequeue daemon (Go, 35 stars)
  • wordpress-plugin-tests-template - A template for a WordPress plugin with tests that run using Docker (Shell, 35 stars)
  • golang-docker-healthcheck-example - Simple HEALTHCHECK solution for a Go Docker container (Dockerfile, 34 stars)
  • owasp-zap-glue-ci-images - Ready-to-use images of Zap and Glue, especially for CI integration (Shell, 33 stars)
  • stitch - Stitch is a no-code GraphQL tool for your existing APIs and data sources (TypeScript, 29 stars)
  • docker-compose-jest-runner - This package allows running tests that use docker-compose and supports multi-stage setup (TypeScript, 28 stars)
  • containers-security-project - A place for documenting threats and mitigations related to container orchestrators (Kubernetes, Swarm etc.) (Gherkin, 25 stars)
  • Miro - MIRO - Merge it robot! (C#, 25 stars)
  • airbag - Tiny OAuth2 and metrics sidecar for your docker containers (C#, 23 stars)
  • fluent-plugin-kubernetes-log-level - Dynamic filtering of Kubernetes logs according to pod labels (Ruby, 23 stars)
  • simple-fake-server - Small and simple HTTP server for mocking and asserting HTTP calls (TypeScript, 17 stars)
  • react-shisell - React binding for Shisell-js (TypeScript, 8 stars)
  • mustache-async.js - Logic-less {{mustache}} templates with async view function support (JavaScript, 8 stars)
  • helm-charts - Soluto's Helm Charts Repository (Smarty, 8 stars)
  • testcafe-reporter-teamcity - This is a TeamCity reporter plugin for TestCafe (JavaScript, 7 stars)
  • tweek-clients - clients for https://www.github.com/soluto/tweek (TypeScript, 6 stars)
  • casbin-nats-watcher - Casbin watcher implementation with Nats.io (Go, 5 stars)
  • flowz - Flowz is a library for writing resumable asynchronous code (JavaScript, 4 stars)
  • soluto-kafka (Java, 4 stars)
  • test-ssl-cipher-suites - A Ruby script that uses Nmap to test SSL cipher suites (Ruby, 3 stars)
  • shisell-python - Shisell is a service-agnostic abstraction for analytic dispatchers (Python, 3 stars)
  • nagios-plugins (JavaScript, 3 stars)
  • fetch-jwk - This library provides methods to fetch JWT keys from a JWKS URL (Go, 2 stars)
  • linkerd-disable-injection-mutation-webhook (Go, 2 stars)
  • Tweek.JPad - JPad is the default rules engine for Tweek (F#, 2 stars)
  • taking-care-of-quizness-ui (JavaScript, 2 stars)
  • congo-examples (JavaScript, 1 star)
  • react-tweek-shop-example (JavaScript, 1 star)
  • react-native-tweek-example (Objective-C, 1 star)
  • tweek-deploy (TypeScript, 1 star)
  • IdentityServer.Contrib.JsonWebKeyAdapter - A small NuGet package that allows working with JsonWebKey instead of X509Certificate (C#, 1 star)
  • tweek-authoring-php-client - NOT OFFICIAL - PHP client for Tweek Authoring, auto-generated from Swagger (PHP, 1 star)
  • taking-care-of-quizness-api (JavaScript, 1 star)