Reduce encryption KMS configuration SC parameters

* moves KMS type from StorageClass into KMS configuration itself * updates omapval used to identify KMS to only it's ID without the type why? 1. when using multiple KMS configurations (not currently supported) automated parsing of kms configuration will be failing because some entries in configs won't comply with the requested type 2. less options are needed in the StorageClass and less data used to identify the KMS Signed-off-by: Vasyl Purchel vasyl.purchel@workday.com Signed-off-by: Andrea Baglioni andrea.baglioni@workday.com
2025-06-13 02:33:34 +00:00 · 2020-02-06 16:23:14 +00:00
parent 1695c6965d
commit 669dc4536f
11 changed files with 175 additions and 153 deletions
--- a/docs/deploy-rbd.md
+++ b/docs/deploy-rbd.md
@ -54,8 +54,7 @@ make image-cephcsi
 | `csi.storage.k8s.io/provisioner-secret-namespace`, `csi.storage.k8s.io/node-stage-secret-namespace` | yes (for Kubernetes) | namespaces of the above Secret objects                                                                                                                                                                                  |
 | `mounter`                                                                                           | no                   | if set to `rbd-nbd`, use `rbd-nbd` on nodes that have `rbd-nbd` and `nbd` kernel modules to map rbd images                                                                                                              |
 | `encrypted`                                                                                         | no                   | disabled by default, use `"true"` to enable LUKS encryption on pvc and `"false"` to disable it. **Do not change for existing storageclasses**                                                                           |
-| `encryptionKMS`                                                                                     | no                   | specifies key management system for encrypytion. Currently supports `vault`                                                                                                                                             |
-| `encryptionKMSID`                                                                                   | no                   | required if `encryptionKMS` is set to `vault` to specify a unique identifier for vault configuration                                                                                                                    |
+| `encryptionKMSID`                                                                                   | no                   | required if encryption is enabled and a kms is used to store passphrases                                                                                                                                                |

 **NOTE:** An accompanying CSI configuration file, needs to be provided to the
 running pods. Refer to [Creating CSI configuration](../examples/README.md#creating-csi-configuration)
@ -223,14 +222,19 @@ To further improve security robustness it is possible to use unique passphrases
 generated for each volume and stored in a Key Management System (KMS). Currently
 HashiCorp Vault is the only KMS supported.

-To use Vault as KMS set `encryptionKMS` to `vault` and `encryptionKMSID` to a
-unique identifier for Vault configuration. You will also need to create vault
-configuration similar to the [example](../examples/rbd/kms-config.yaml)
-and use same `encryptionKMSID`. In order for ceph-csi to be able to access the
-configuration you will need to have it mounted to csi-rbdplugin containers in
-both daemonset (so kms client can be instantiated to encrypt/decrypt volumes)
-and deployment pods (so kms client can be instantiated to delete passphrase on
-volume delete) `ceph-csi-encryption-kms-config` config map.
+To use Vault as KMS set `encryptionKMSID` to a unique identifier for Vault
+configuration. You will also need to create vault configuration similar to the
+[example](../examples/rbd/kms-config.yaml) and use same `encryptionKMSID`.
+Configuration must include `encryptionKMSType: "vault"`. In order for ceph-csi
+to be able to access the configuration you will need to have it mounted to
+csi-rbdplugin containers in both daemonset (so kms client can be instantiated to
+encrypt/decrypt volumes) and deployment pods (so kms client can be instantiated
+to delete passphrase on volume delete) `ceph-csi-encryption-kms-config` config
+map.
+
+> Note: kms configuration must be a map of string values only
+> (`map[string]string`) so for numerical and boolean values make sure to put
+> quotes around.

 #### Configuring HashiCorp Vault

--- a/docs/design/proposals/encrypted-pvc.md
+++ b/docs/design/proposals/encrypted-pvc.md
@ -63,10 +63,9 @@ requirement by using dm-crypt module through cryptsetup cli interface.

 * StorageClass extended with following parameters:
  1. `encrypted` ("true" or "false")
-  1. `encryptionKMS` (string representing kms of choice)
+  1. `encryptionKMSID` (string representing kms configuration of choice)
  ceph-csi plugin may support different kms vendors with different type of
  authentication
-  1. `encryptionKMSID` (string representing kms configuration)

 * New KMS Configuration created.

@ -103,10 +102,9 @@ parameters:
   # Encrypt volumes
   encrypted: "true"

-   # The type of kms we want to connect to: Barbican, aws kms or others can be
-   # supported
-   encryptionKMS: vault
-   # String representing a KMS configuration
+   # Use external key management system for encryption passphrases by specifying
+   # a unique ID matching KMS ConfigMap. The ID is only used for correlation to
+   # config map entry.
   encryptionKMSID: <kms-id>

 reclaimPolicy: Delete
@ -120,12 +118,12 @@ apiVersion: v1
 kind: ConfigMap
 data:
  config.json: |-
-    [
-      {
-        "kmsID": "<kms-id>",
+    {
+      "<kms-id>": {
+        "encryptionKMSType": "kmsType",
        kms specific config...
      }
-    ]
+    }
 metadata:
  name: ceph-csi-encryption-kms-config
 ```