rbd: add aws-sts-metdata encryption type

With Amazon STS and kubernetes cluster is configured with OIDC identity provider, credentials to access Amazon KMS can be fetched using oidc-token(serviceaccount token). Each tenant/namespace needs to create a secret with aws region, role and CMK ARN. Ceph-CSI will assume the given role with oidc token and access aws KMS, with given CMK to encrypt/decrypt DEK which will stored in the image metdata. Refer: https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html Resolves: #2879 Signed-off-by: Rakshith R <rar@redhat.com>
2025-06-14 10:53:34 +00:00 · 2022-03-02 16:00:48 +05:30
parent 13dcc89ac8
commit 4f0bb2315b
217 changed files with 24757 additions and 72 deletions
--- a/examples/kms/vault/kms-config.yaml
+++ b/examples/kms/vault/kms-config.yaml
@ -96,6 +96,10 @@ data:
        "secretName": "ceph-csi-kp-credentials",
        "keyProtectRegionKey": "us-south-2",
        "keyProtectServiceInstanceID": "7abef064-01dd-4237-9ea5-8b3890970be3"
+      },
+      "aws-sts-metadata-test": {
+        "encryptionKMSType": "aws-sts-metadata",
+        "secretName": "ceph-csi-aws-credentials"
      }
    }
 metadata: