rbd: add aws-sts-metdata encryption type

With Amazon STS and kubernetes cluster is configured with OIDC identity provider, credentials to access Amazon KMS can be fetched using oidc-token(serviceaccount token). Each tenant/namespace needs to create a secret with aws region, role and CMK ARN. Ceph-CSI will assume the given role with oidc token and access aws KMS, with given CMK to encrypt/decrypt DEK which will stored in the image metdata. Refer: https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html Resolves: #2879 Signed-off-by: Rakshith R <rar@redhat.com>
2025-06-13 10:33:35 +00:00 · 2022-03-02 16:00:48 +05:30
parent 13dcc89ac8
commit 4f0bb2315b
217 changed files with 24757 additions and 72 deletions
--- a/vendor/github.com/aws/smithy-go/local-mod-replace.sh
+++ b/vendor/github.com/aws/smithy-go/local-mod-replace.sh
@ -0,0 +1,39 @@
+#1/usr/bin/env bash
+
+PROJECT_DIR=""
+SMITHY_SOURCE_DIR=$(cd `dirname $0` && pwd)
+
+usage() {
+  echo "Usage: $0 [-s SMITHY_SOURCE_DIR] [-d PROJECT_DIR]" 1>&2
+  exit 1
+}
+
+while getopts "hs:d:" options; do
+  case "${options}" in
+  s)
+    SMITHY_SOURCE_DIR=${OPTARG}
+    if [ "$SMITHY_SOURCE_DIR" == "" ]; then
+      echo "path to smithy-go source directory is required" || exit
+      usage
+    fi
+    ;;
+  d)
+    PROJECT_DIR=${OPTARG}
+    ;;
+  h)
+    usage
+    ;;
+  *)
+    usage
+    ;;
+  esac
+done
+
+if [ "$PROJECT_DIR" != "" ]; then
+  cd $PROJECT_DIR || exit
+fi
+
+go mod graph | awk '{print $1}' | cut -d '@' -f 1 | sort | uniq | grep "github.com/aws/smithy-go" | while read x; do
+  repPath=${x/github.com\/aws\/smithy-go/${SMITHY_SOURCE_DIR}}
+  echo -replace $x=$repPath
+done | xargs go mod edit