
CipherVault 4.0 → 4.4 — K8s Operator, Multi-region, Confidential Computing

Rafael Martinez
CEO & Co-founder, CipherVault

24 hours after v3.0, we shipped 5 consecutive releases consolidating the entire v4.0 milestone (5 architectural issues that had been in design since v3). The platform now covers scenarios that were previously deferred: a real K8s Operator, Multi-region active-active, Confidential Computing (TEE attestation), K8s Federation (pull-from-CV), and CRDTs for cross-region metadata.

v4.0.0 — Architectural scaffolding

5 projects started as scaffolds, to be promoted over the course of the day:

  • K8s Operator (#79) — Go module + 3 CRD types + controller skeletons
  • Multi-region routing (#77) — middleware + tenant_regions table
  • Confidential computing (#83) — lib/attestation.js provider abstraction (mock|nitro|sgx|sev-snp)
  • K8s federation (#72) — docs/design/K8S_FEDERATION.md with the pull-from-CV decision
  • CRDTs (#78) — functional GCounter + 4 stubs

All were promoted to real implementations in v4.1/4.2/4.3 (see below).

v4.1.0 — K8s Operator real + AWS Nitro Enclaves

K8s Operator

Replaces the scaffold with a functional implementation:

  • Go module with controller-runtime v0.20
  • 3 CRDs: CipherVaultSecret, CipherVaultLease, CipherVaultDynamicRole
  • Reconcilers:
    • Secret — fetch + SHA256 hash drift detect + ownerRef + requeue
    • Lease — request + auto-renew threshold% + Revoke via finalizer on delete
    • DynamicRole — idempotent POST/PUT + 1h drift check
  • Manager + leader election + healthz/readyz
  • Manifests: 3 CRDs YAML + ClusterRole + ServiceAccount + Deployment
  • Multi-stage Dockerfile (golang:1.26 + distroless static, nonroot)

Full documentation →

AWS Nitro Enclaves attestation

lib/attestationVerify.js (320 lines) with a complete verifier:

  • Decode COSE_Sign1 + CBOR payload via cbor-x
  • Cert chain walk up to the AWS Nitro Root CA (embedded PEM validated with SHA-384)
  • ECDSA-P384/SHA-384 signature verify (raw → DER conversion)
  • Freshness ±5min + nonce timingSafeEqual (anti-replay)
  • PCR allowlist via loadExpectedPCRsFromEnv() (ATTESTATION_EXPECTED_PCR{0..N})

Endpoint: POST /attestation/verify.
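The freshness, nonce and PCR-allowlist steps listed above, as an added example that is not CipherVault's code. It assumes the COSE signature and certificate chain have already been verified and the payload decoded into `{ timestamp, nonce, pcrs }`; the function names, the fail-closed behaviour on an empty allowlist and all sample values are assumptions made for the illustration.

```javascript
const crypto = require('node:crypto');

const MAX_SKEW_MS = 5 * 60 * 1000; // the ±5 min freshness window from the release notes

// Collect ATTESTATION_EXPECTED_PCR<N> variables into { index: lowercase hex }.
function loadExpectedPcrs(env) {
  const expected = {};
  for (const [name, value] of Object.entries(env)) {
    const m = /^ATTESTATION_EXPECTED_PCR(\d+)$/.exec(name);
    if (m && value) expected[Number(m[1])] = value.trim().toLowerCase();
  }
  return expected;
}

// Constant-time compare; lengths are checked first because timingSafeEqual throws on a mismatch.
function sameBytes(a, b) {
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// doc: { timestamp: ms since epoch, nonce: Buffer, pcrs: Map<number, Buffer> }
function checkClaims(doc, sentNonce, expectedPcrs, now = Date.now()) {
  if (Math.abs(now - doc.timestamp) > MAX_SKEW_MS) return { ok: false, reason: 'stale' };
  if (!Buffer.isBuffer(doc.nonce) || !sameBytes(doc.nonce, sentNonce)) {
    return { ok: false, reason: 'nonce' }; // replayed or unsolicited document
  }
  const indexes = Object.keys(expectedPcrs);
  if (indexes.length === 0) return { ok: false, reason: 'no-allowlist' }; // fail closed
  for (const idx of indexes) {
    const got = doc.pcrs.get(Number(idx));
    const want = Buffer.from(expectedPcrs[idx], 'hex');
    if (!got || !sameBytes(got, want)) return { ok: false, reason: `pcr${idx}` };
  }
  return { ok: true };
}

// Constructed sample values (Nitro PCRs are SHA-384 digests, 48 bytes).
const NOW = 1_700_000_000_000;
const NONCE = Buffer.from('00112233445566778899aabbccddeeff', 'hex');
const PCR0 = Buffer.alloc(48, 0xaa);
const ENV = { ATTESTATION_EXPECTED_PCR0: PCR0.toString('hex'), PATH: '/usr/bin' };
const GOOD = { timestamp: NOW - 30_000, nonce: NONCE, pcrs: new Map([[0, PCR0]]) };
```

An unset allowlist is treated as a rejection here, so a missing environment variable cannot silently turn the PCR check into a no-op.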

v4.2.0 — CRDTs + Multi-region active-active

CRDTs (5 complete types)

lib/crdt/index.js:

| Type | Semantics |
| --- | --- |
| GCounter | Grow-only counter |
| PNCounter | GCounter pair pos/neg |
| GSet | Grow-only set |
| LWWRegister | Last-write-wins with timestamp + region tiebreak |
| ORSet | Observed-Remove with unique tags (supports concurrent add+remove) |

lib/crdt/store.js — persistence in crdt_states (race-safe SELECT FOR UPDATE merge-on-write). lib/crdt/syncer.js — background syncer that pushes every 5s to peers via the CRDT_PEERS env.

Implemented use case: audit_count — each audit() increments a per-tenant GCounter; cross-region total in < 10s.
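Two of the types from the table, LWWRegister and ORSet, as an added example that is not the contents of lib/crdt/index.js. The tag format, the direction of the region tiebreak (greater region id wins) and the region names are assumptions; the page only states that a region tiebreak and unique tags exist.

```javascript
// LWWRegister merge: the higher timestamp wins; on equal timestamps the greater region id
// wins, so every replica converges on the same value whatever the merge order.
function lwwMerge(a, b) {
  if (a.ts !== b.ts) return a.ts > b.ts ? a : b;
  return a.region >= b.region ? a : b;
}

// ORSet: every add gets a unique tag; remove tombstones only the tags this replica has seen.
class ORSet {
  constructor(region) {
    this.region = region;
    this.seq = 0;
    this.adds = new Map();    // tag -> element
    this.removed = new Set(); // tombstoned tags
  }
  add(element) {
    this.adds.set(`${this.region}:${++this.seq}`, element);
  }
  remove(element) {
    for (const [tag, el] of this.adds) if (el === element) this.removed.add(tag);
  }
  merge(other) {
    for (const [tag, el] of other.adds) this.adds.set(tag, el);
    for (const tag of other.removed) this.removed.add(tag);
  }
  values() {
    const live = new Set();
    for (const [tag, el] of this.adds) if (!this.removed.has(tag)) live.add(el);
    return [...live].sort();
  }
}

// Constructed scenario: both regions know "alice"; one removes her while the other re-adds her.
function concurrentAddRemove() {
  const east = new ORSet('us-east');
  east.add('alice');
  const west = new ORSet('eu-west');
  west.merge(east);
  east.remove('alice'); // tombstones tag us-east:1 only
  west.add('alice');    // new tag eu-west:1, never observed by east's remove
  east.merge(west);
  west.merge(east);
  return { east: east.values(), west: west.values() };
}
```

The concurrent add survives the remove on both replicas because the remove never observed the new tag, which is the add-wins behaviour the table describes for ORSet.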

Multi-region

Active-active topology with Postgres logical replication (pub/sub):

  • tenant_regions table (tenant_id PK + primary_region + replica_regions[])
  • lib/multiRegion.js — requireRegionForwarding middleware applied after auth
    • excludePaths: /auth, /admin/tenant-region, /attestation, /crdt/sync, /clusters, /health, /metrics
    • Loop detection via X-CV-Region-Origin header
    • Cache 60s TTL
  • infrastructure/multi-region/setup-replication.sql — 24 replicated tables; excluded: audit_logs (covered by CRDT), dynamic_leases (region-local), crdt_states (own sync)
  • Metrics: cv_cross_region_forwards_total, cv_replication_lag_seconds
  • Failover via POST /admin/tenant-region/:id/promote gated by dual-control (tenant_region_promote action)
  • Full runbook in docs/runbooks/REGIONAL_FAILOVER.md

Documentation →

v4.3.0 — K8s Federation pull-from-CV

Multiple K8s clusters consume secrets from a single control plane.

Backend (Phase 1)

  • 3 tables: clusters, cluster_secret_policies, cluster_apply_log
  • 9 REST endpoints in routes/clusters.js:
    • Admin (JWT): POST/GET/DELETE /clusters, POST/GET/DELETE /clusters/:id/policies
    • Operator (X-Cluster-Token): GET /clusters/:id/desired-state, POST /clusters/:id/status
    • Audit: GET /clusters/:id/audit
  • Excluded from the region-forwarding middleware (region-local)

Operator (Phase 2)

  • kubernetes/operator/controllers/federation_controller.go: FederationManager polling loop
  • Leader election (1 instance polls CV at a time)
  • Materializes policies as local CipherVaultSecret CRDs → existing reconcilers consume them
  • Auto-creates namespace, label propagation, idempotent upsert
  • Status report heartbeat + applied/errors back to CV
  • Opt-in via env CV_CLUSTER_ID + CV_CLUSTER_TOKEN

Documentation →

Phase 3+4 deferred

Incremental air-gap caching + kind cluster e2e tests.

v4.4.0 — Complete multi-TEE attestation

Attestation for the 3 main TEEs:

| TEE | Provider | Status |
| --- | --- | --- |
| AWS Nitro Enclaves | NitroProvider (v4.1) | ✅ Full ECDSA validation against the Nitro Root CA |
| Intel SGX DCAP | SgxDcapProvider | ⚠️ Parsing + measurements + nonce; ECDSA signature against the Intel root requires libsgx_dcap_quoteverify (Phase 2) |
| AMD SEV-SNP | SevSnpProvider | ⚠️ Parsing 1184 bytes + measurement + nonce; signature against the AMD root requires libsnphost (Phase 2) |

Multi-format dispatcher

lib/attestationVerifyMulti.js — dispatcher by format. POST /attestation/verify accepts:

  • aws-nitro-cose-sign1 (default, back-compat)
  • sgx-dcap-quote-v3
  • amd-sev-snp-report

Mocks for dev without hardware

  • SGX_MOCK_QUOTE_FILE — uses a pre-generated quote
  • SEV_SNP_MOCK_REPORT_FILE — same for SEV

Documented limitation

signature_validated: false on SGX/SEV — the verifiers parse structure + measurements + nonce but do not yet validate ECDSA against the Intel/AMD root CA. The Phase 2 follow-up requires native C bindings.

AWS Nitro keeps full validation.

Infrastructure

  • .github/workflows/docker-publish.yml: 6 images published to ghcr.io/martinez1991/ciphervault-*
  • Tags: :vX.Y.Z, :X.Y, :X, :latest, :main, :sha-<short>
  • Multi-arch linux/amd64 + linux/arm64 (QEMU + buildx)
  • SBOM + provenance + Sigstore cosign keyless signing
  • infrastructure/docker-compose/docker-compose.prod.yml — overlay without build:
  • kubernetes/operator/config/manager/deployment.yaml: ciphervault-k8s-operator:v4.4.0

Security fixes

28 Dependabot alerts fixed without breaking changes:

path-to-regexp, flatted, picomatch, rollup, brace-expansion, dompurify, esbuild, vite, @tootallnate/once, golang.org/x/oauth2 (CVE-2025-22868), golang.org/x/net, golang.org/x/crypto.

CI Go bumped 1.25 → 1.26 — covers 4 stdlib advisories (GO-2026-4866/4870/4946/4947).

Confidential Computing →

⚠️ Breaking changes

  • Multi-region middleware is active after auth — endpoints with a tenant_id mismatch now return 307 with Location pointing to the primary region. Older apps may get stuck in a loop if they ignore the redirect (see excludePaths in the docs).
  • The K8s Operator replaces the v4.0 scaffold — anyone who cloned the scaffold needs to git pull again.
  • Postgres logical replication requires wal_level=logical on the primary (configurable via infrastructure/multi-region/setup-replication.sql).

Upgrading

# Self-hosted Helm
helm upgrade ciphervault ciphervault/ciphervault --version 4.4.0 \
--reuse-values

# K8s Operator (new)
kubectl apply -f https://raw.githubusercontent.com/Martinez1991/ciphervault/main/kubernetes/operator/config/crds/

# Docker images (multi-arch)
docker pull ghcr.io/martinez1991/ciphervault-backend:v4.4.0
docker pull ghcr.io/martinez1991/ciphervault-k8s-operator:v4.4.0

Verify the SBOM:

cosign verify-blob --bundle ciphervault-backend-v4.4.0.cdx.json.bundle \
ciphervault-backend-v4.4.0.cdx.json

— Rafael Martinez, CEO