New to KubeVault? Please start here.

mode.googleKmsGcs

To use googleKmsGcs mode specify mode.googleKmsGcs. In this mode, unseal keys and root token will be stored in Google Cloud Storage and they will be encrypted using google cryptographic keys.

spec:
  unsealer:
    mode:
      googleKmsGcs:
        bucket: <bucket_name>
        kmsProject: <project_name>
        kmsLocation: <location>
        kmsKeyRing: <key_ring_name>
        kmsCryptoKey: <crypto_key_name>
        credentialSecret: <secret_name>

mode.googleKmsGcs has the following fields:

googleKmsGcs.bucket

googleKmsGcs.bucket is a required field that specifies the name of the bucket to store keys.

spec:
  unsealer:
    mode:
      googleKmsGcs:
        bucket: "vault-key-store"

googleKmsGcs.kmsProject

googleKmsGcs.kmsProject is a required field that specifies the name of the projects under which the keyring is created.

spec:
  unsealer:
    mode:
      googleKmsGcs:
        kmsProject: "project"

googleKmsGcs.kmsLocation

googleKmsGcs.kmsLocation is a required field that specifies the location of the keyring.

spec:
  unsealer:
    mode:
      googleKmsGcs:
        kmsLocation: "global"

googleKmsGcs.kmsKeyRing

googleKmsGcs.kmsKeyRing is a required field that specifies the name of the keyring.

spec:
  unsealer:
    mode:
      googleKmsGcs:
        kmsKeyRing: "key-ring"

googleKmsGcs.kmsCryptoKey

googleKmsGcs.kmsCryptoKey is a required field that specifies the name of the crypto key.

spec:
  unsealer:
    mode:
      googleKmsGcs:
        kmsCryptoKey: "key"

googleKmsGcs.credentialSecret

googleKmsGcs.credentialSecret is an optional field that specifies the name of the secret containing google credentials. If this is not specified, then the instance service account will be used (if it is running on google cloud). The secret contains the following field:

  • sa.json
spec:
  unsealer:
    mode:
      googleKmsGcs:
        credentialSecret: "google-cred"