ceph-csi/examples/kms/vault/csi-kms-connection-details.yaml

65 lines
2.0 KiB
YAML
Raw Normal View History

#
# csi-kms-connection-details is an alternative option to configure KMS
# providers for encrypted volume support.
# This ConfigMap can be located in the Kubernetes Namespace where Ceph-CSI is
# deployed. In case the ceph-csi-encryption-kms-config which provides a
# `config.json` is not mapped into the csi-rbdplugin container, the
# csi-kms-connection-details ConfigMap will be used instead.
#
# The configuration values follow the common key/value contents. The key for
# each KMS provider should be used as the value for `encryptionKMSID` in the
# StorageClass.
#
---
apiVersion: v1
kind: ConfigMap
data:
vault-test: |-
{
"encryptionKMSType": "vault",
"vaultAddress": "http://vault.default.svc.cluster.local:8200",
"vaultAuthPath": "/v1/auth/kubernetes/login",
"vaultRole": "csi-kubernetes",
"vaultPassphraseRoot": "/v1/secret",
"vaultPassphrasePath": "ceph-csi/",
"vaultCAVerify": "false"
}
vault-tokens-test: |-
{
"KMS_PROVIDER": "vaulttokens",
"VAULT_ADDR": "http://vault.default.svc.cluster.local:8200",
"VAULT_BACKEND_PATH": "secret",
"VAULT_DESTROY_KEYS": "true",
"VAULT_SKIP_VERIFY": "true"
}
vault-tenant-sa-test: |-
{
"KMS_PROVIDER": "vaulttenantsa",
"VAULT_ADDR": "http://vault.default.svc.cluster.local:8200",
"VAULT_BACKEND_PATH": "shared-secrets",
"VAULT_SKIP_VERIFY": "true"
}
secrets-metadata-test: |-
{
"encryptionKMSType": "metadata"
}
user-ns-secrets-metadata-test: |-
{
"encryptionKMSType": "metadata",
"secretName": "storage-encryption-secret",
"secretNamespace": "default"
}
user-secrets-metadata-test: |-
{
"encryptionKMSType": "metadata",
"secretName": "storage-encryption-secret"
}
aws-metadata-test: |-
{
"KMS_PROVIDER": "aws-metadata",
"KMS_SECRET_NAME": "ceph-csi-aws-credentials",
"AWS_REGION": "us-west-2"
}
metadata:
name: csi-kms-connection-details