rbd: add aws-sts-metdata encryption type

With Amazon STS and kubernetes cluster is configured with OIDC identity provider, credentials to access Amazon KMS can be fetched using oidc-token(serviceaccount token). Each tenant/namespace needs to create a secret with aws region, role and CMK ARN. Ceph-CSI will assume the given role with oidc token and access aws KMS, with given CMK to encrypt/decrypt DEK which will stored in the image metdata. Refer: https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html Resolves: #2879 Signed-off-by: Rakshith R <rar@redhat.com>
2025-06-13 18:43:34 +00:00 · 2022-03-02 16:00:48 +05:30
parent 13dcc89ac8
commit 4f0bb2315b
217 changed files with 24757 additions and 72 deletions
--- a/charts/ceph-csi-rbd/templates/nodeplugin-daemonset.yaml
+++ b/charts/ceph-csi-rbd/templates/nodeplugin-daemonset.yaml
@ -133,6 +133,9 @@ spec:
              mountPath: /tmp/csi/keys
            - name: ceph-logdir
              mountPath: /var/log/ceph
+            - name: oidc-token
+              mountPath: /var/run/secrets/tokens
+              readOnly: true
          resources:
 {{ toYaml .Values.nodeplugin.plugin.resources | indent 12 }}
 {{- if .Values.nodeplugin.httpMetrics.enabled }}
@ -221,6 +224,13 @@ spec:
          emptyDir: {
            medium: "Memory"
          }
+        - name: oidc-token
+          projected:
+            sources:
+              - serviceAccountToken:
+                  path: oidc-token
+                  expirationSeconds: 3600
+                  audience: ceph-csi-kms
 {{- if .Values.nodeplugin.affinity }}
      affinity:
 {{ toYaml .Values.nodeplugin.affinity | indent 8 -}}
--- a/charts/ceph-csi-rbd/templates/provisioner-deployment.yaml
+++ b/charts/ceph-csi-rbd/templates/provisioner-deployment.yaml
@ -183,6 +183,9 @@ spec:
              mountPath: /etc/ceph-csi-encryption-kms-config/
            - name: keys-tmp-dir
              mountPath: /tmp/csi/keys
+            - name: oidc-token
+              mountPath: /var/run/secrets/tokens
+              readOnly: true
          resources:
 {{ toYaml .Values.nodeplugin.plugin.resources | indent 12 }}
 {{- if .Values.provisioner.deployController }}
@ -271,6 +274,13 @@ spec:
          emptyDir: {
            medium: "Memory"
          }
+        - name: oidc-token
+          projected:
+            sources:
+              - serviceAccountToken:
+                  path: oidc-token
+                  expirationSeconds: 3600
+                  audience: ceph-csi-kms
 {{- if .Values.provisioner.affinity }}
      affinity:
 {{ toYaml .Values.provisioner.affinity | indent 8 -}}