mirrors/ceph-csi
mirror of https://github.com/ceph/ceph-csi.git synced 2025-05-20 22:36:42 +00:00
ceph-csi/charts/ceph-csi-rbd/templates/encryptionkms-configmap.yaml

15 lines
421 B
YAML

Adds per volume encryption with Vault integration

- adds proposal document for PVC encryption from PR448
- adds per-volume encryption by generating encryption passphrase for each volume and storing it in a KMS
- adds HashiCorp Vault integration as a KMS for encryption passphrases
- avoids encrypting volume second time if it was already encrypted but no file system created
- avoids unnecessary checks if volume is a mapped device when encryption was not requested
- prevents resizing encrypted volumes (it is not currently supported)
- prevents creating snapshots from encrypted volumes to prevent attack on encryption key (security guard until re-encryption of volumes implemented)

Signed-off-by: Vasyl Purchel vasyl.purchel@workday.com
Signed-off-by: Andrea Baglioni andrea.baglioni@workday.com

Fixes #420
Fixes #744
2020-01-29 11:44:45 +00:00
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ .Values.kmsConfigMapName | quote }}
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ include "ceph-csi-rbd.name" . }}
    chart: {{ include "ceph-csi-rbd.chart" . }}
    component: {{ .Values.nodeplugin.name }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
data:
  config.json: |-
{{ toJson .Values.encryptionKMSConfig | indent 4 -}}