add:

docs/secrets/ENCRYPTION.md

@@ -0,0 +1,129 @@
+# ETCD Encryption Configuration for Kubernetes
+
+To enable static encryption at rest for Kubernetes secrets in ETCD, you need to configure the API Server with an EncryptionConfiguration.
+
+## 1. Generate an Encryption Key
+
+```bash
+# Generate a 32-byte base64-encoded key
+head -c 32 /dev/urandom | base64
+# Example output: sxFdbKYquCe3EbRWVV+pFe2lS8K8hbiv3V8ExQZ0fD4=
+```
+
+## 2. Create EncryptionConfiguration File
+
+Create `/etc/kubernetes/encryption-config.yaml` on the control plane node:
+
+```yaml
+apiVersion: apiserver.config.k8s.io/v1
+kind: EncryptionConfiguration
+resources:
+  - resources:
+      - secrets
+    providers:
+      - aescbc:
+          keys:
+            - name: key1
+              secret: sxFdbKYquCe3EbRWVV+pFe2lS8K8hbiv3V8ExQZ0fD4=
+      - identity: {}
+```
+
+## 3. Update kube-apiserver Static Pod Manifest
+
+Edit `/etc/kubernetes/manifests/kube-apiserver.yaml` on the control plane node:
+
+```yaml
+spec:
+  containers:
+  - name: kube-apiserver
+    command:
+    - kube-apiserver
+    # ... existing flags ...
+    - --encryption-provider-config=/etc/kubernetes/encryption-config.yaml
+    volumeMounts:
+    - name: encryption-config
+      mountPath: /etc/kubernetes
+      readOnly: true
+  volumes:
+  - name: encryption-config
+    hostPath:
+      path: /etc/kubernetes
+      type: DirectoryOrCreate
+```
+
+## 4. Verify Encryption is Working
+
+```bash
+# After restarting the API server, create a secret and verify it's encrypted
+kubectl create secret generic test-secret --from-literal=key=value -n juwan
+
+# Check if the secret is encrypted in etcd
+kubectl get secret test-secret -o yaml
+
+# You can also check raw etcd data (requires etcd access):
+# etcdctl --endpoints=https://127.0.0.1:2379 get /kubernetes.io/secrets/juwan/test-secret
+# The data should be encrypted (not human-readable)
+```
+
+## 5. Important Notes
+
+- **Backup your encryption key** in a secure location
+- **Never commit encryption keys** to version control
+- If you lose the key, all encrypted secrets will be unrecoverable
+- After enabling encryption, existing unencrypted secrets will not be automatically encrypted
+  - To encrypt existing secrets, you can use: `kubectl delete secret <name> && kubectl create secret ...`
+  - Or use: `kubectl patch secret <name> -p '{}' --type=merge` (triggers re-encryption)
+
+## 6. RBAC Configuration for JWT Secret
+
+The `jwt-secret.yaml` includes RBAC rules that:
+- Create a `jwt-secret` Secret in the `juwan` namespace
+- Create ServiceAccounts for `user-rpc` and `envoy-gateway`
+- Create a Role `jwt-secret-reader` that allows reading only the `jwt-secret` Secret
+- Bind this Role to both ServiceAccounts via RoleBindings
+
+This ensures:
+- Only `user-rpc` and `envoy-gateway` Pods can read the JWT secret
+- Other services and users cannot access the JWT secret
+- Least privilege access principle is enforced
+
+## 7. Update Deployment to Use ServiceAccount
+
+Make sure your Deployment references the ServiceAccount:
+
+```yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: user-rpc
+  namespace: juwan
+spec:
+  template:
+    spec:
+      serviceAccountName: user-rpc  # This is important!
+      containers:
+      - name: user-rpc
+        env:
+        - name: JWT_SECRET_KEY
+          valueFrom:
+            secretKeyRef:
+              name: jwt-secret
+              key: secret-key
+```
+
+## 8. For Minikube Users
+
+If using Minikube, you can enable encryption with:
+
+```bash
+minikube config set apiserver.encryption-provider-config /path/to/encryption-config.yaml
+minikube start
+```
+
+Or manually edit the kube-apiserver manifest after starting Minikube:
+
+```bash
+minikube ssh
+sudo vi /etc/kubernetes/manifests/kube-apiserver.yaml
+# Add the flags and volume mounts as shown above
+```