rbd: add aws-sts-metdata
encryption type
With Amazon STS and a Kubernetes cluster configured with an OIDC identity provider, credentials to access Amazon KMS can be fetched using an OIDC token (service account token). Each tenant/namespace needs to create a secret with the AWS region, role and CMK ARN. Ceph-CSI will assume the given role with the OIDC token and access AWS KMS, using the given CMK to encrypt/decrypt the DEK, which will be stored in the image metadata. Refer: https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html Resolves: #2879 Signed-off-by: Rakshith R <rar@redhat.com>
@ -163,6 +163,9 @@ spec:
|
||||
mountPath: /tmp/csi/keys
|
||||
- name: ceph-config
|
||||
mountPath: /etc/ceph/
|
||||
- name: oidc-token
|
||||
mountPath: /var/run/secrets/tokens
|
||||
readOnly: true
|
||||
- name: csi-rbdplugin-controller
|
||||
# for stable functionality replace canary with latest release version
|
||||
image: quay.io/cephcsi/cephcsi:canary
|
||||
@ -231,3 +234,10 @@ spec:
|
||||
emptyDir: {
|
||||
medium: "Memory"
|
||||
}
|
||||
- name: oidc-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: oidc-token
|
||||
expirationSeconds: 3600
|
||||
audience: ceph-csi-kms
|
||||
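Review bot: The `audience: ceph-csi-kms` on the new projected serviceAccountToken volume is an undocumented contract with the AWS side: the role's trust policy must accept exactly this value in its `aud` condition, and a mismatch only shows up as an STS access-denied at runtime, far from this file. A comment on the volume would make the coupling visible: `# audience must match the 'aud' condition in the AWS IAM role trust policy`. The same volume definition is repeated in the daemonset hunk at `@ -189,6 +192,13`; the comment belongs in both. Since the kubelet rotates a projected token as it nears `expirationSeconds`, the consuming code is presumably expected to re-read the token file on each STS call rather than cache it at startup; that Go code is not part of this page, so it is worth confirming there.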
|
@ -118,6 +118,9 @@ spec:
|
||||
mountPath: /var/log/ceph
|
||||
- name: ceph-config
|
||||
mountPath: /etc/ceph/
|
||||
- name: oidc-token
|
||||
mountPath: /var/run/secrets/tokens
|
||||
readOnly: true
|
||||
- name: liveness-prometheus
|
||||
securityContext:
|
||||
privileged: true
|
||||
@ -189,6 +192,13 @@ spec:
|
||||
emptyDir: {
|
||||
medium: "Memory"
|
||||
}
|
||||
- name: oidc-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: oidc-token
|
||||
expirationSeconds: 3600
|
||||
audience: ceph-csi-kms
|
||||
---
|
||||
# This is a service to expose the liveness metrics
|
||||
apiVersion: v1
|
||||
|