mirrors/ceph-csi
1
0
Fork 0
mirror of https://github.com/ceph/ceph-csi.git synced 2025-06-13 02:33:34 +00:00
Code Issues Packages Projects Releases Wiki Activity

rbd: add aws-sts-metdata encryption type

Browse Source 
With Amazon STS and kubernetes cluster is configured with
OIDC identity provider, credentials to access Amazon KMS
can be fetched using oidc-token(serviceaccount token).
Each tenant/namespace needs to create a secret with aws region,
role and CMK ARN.
Ceph-CSI will assume the given role with oidc token and access
aws KMS, with given CMK to encrypt/decrypt DEK which will stored
in the image metdata.

Refer: https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html
Resolves: #2879

Signed-off-by: Rakshith R <rar@redhat.com>
This commit is contained in:
Rakshith R
2022-03-02 16:00:48 +05:30
committed by mergify[bot]
parent 13dcc89ac8
commit 4f0bb2315b
217 changed files with 24757 additions and 72 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
docs/deploy-rbd.md
View File

@ -382,6 +382,34 @@ the AWS KMS is expected to contain:
This Secret is expected to be created by the administrator who deployed
Ceph-CSI.
#### Configuring Amazon KMS with Amazon STS
Ceph-CSI can be configured to use
[Amazon STS](https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html),
when kubernetes cluster is configured with OIDC identity provider to fetch
credentials to access Amazon KMS. Other functionalities is the same as
[Amazon KMS encryption](#configuring-amazon-kms).
There are a few settings that need to be included in the [KMS configuration
file](../examples/kms/vault/kms-config.yaml):
1. `encryptionKMSType`: should be set to `aws-sts-metadata`.
1. `secretName`: name of the Kubernetes Secret (in the Namespace where
PVC is created) which contains the credentials for communicating with
AWS. This defaults to `ceph-csi-aws-credentials`.
The [Secret with credentials](../examples/kms/vault/aws-sts-credentials.yaml) for
the AWS KMS is expected to contain:
1. `awsRoleARN`: Role which will be used access credentials from AWS STS
and access AWS KMS for encryption.
1. `awsCMKARN`: Custom Master Key, ARN for the key used to encrypt the
passphrase
1. `awsRegion`: the region where the AWS STS and KMS service is available.
This Secret is expected to be created by the tenant/user in each namespace where
Ceph-CSI is used to create encrypted rbd volumes.
### Encryption prerequisites
In order for encryption to work you need to make sure that `dm-crypt` kernel