rbd: Implement Key Protect KMS integration for Ceph CSI

This commit adds the support for HPCS/Key Protect IBM KMS service
to Ceph CSI service. EncryptDEK() and DecryptDEK() of RBD volumes are
done with the help of key protect KMS server by wrapping and unwrapping
the DEK and by using the DEKStoreMetadata.

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>

examples/kms/vault/csi-kms-connection-details.yaml

@@ -60,5 +60,12 @@ data:
       "KMS_SECRET_NAME": "ceph-csi-aws-credentials",
       "AWS_REGION": "us-west-2"
     }
+  kp-metadata-test: |-
+    {
+      "KMS_PROVIDER": "kp-metadata",
+      "KMS_SECRET_NAME": "ceph-csi-kp-credentials",
+      "KP_SERVICE_INSTANCE_ID": "7abef064-01dd-4237-9ea5-8b3890970be3",
+      "KP_REGION": "us-south-2",
+    }
 metadata:
   name: csi-kms-connection-details

examples/kms/vault/kms-config.yaml

@@ -90,6 +90,12 @@ data:
       "user-secrets-metadata-test": {
         "encryptionKMSType": "metadata",
         "secretName": "storage-encryption-secret"
+      },
+      "kp-metadata-test": {
+        "encryptionKMSType": "kp-metadata",
+        "secretName": "ceph-csi-kp-credentials",
+        "keyProtectRegionKey": "us-south-2",
+        "keyProtectServiceInstanceID": "7abef064-01dd-4237-9ea5-8b3890970be3"
       }
     }
 metadata:

examples/kms/vault/kp-credentials.yaml

@@ -0,0 +1,13 @@
+---
+# This is an example Kubernetes Secret that can be created in the Kubernetes
+# Namespace where Ceph-CSI is deployed. The contents of this Secret will be
+# used to connect to the Key Protect KMS.
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ceph-csi-kp-credentials
+stringData:
+  KP_SERVICE_API_KEY: "UhMN3Jko1pCpDPpFV65N8dYANBv5vF97QuNHqXVHmKa0"
+  KP_CUSTOMER_ROOT_KEY: "c7a9aa91-5cb5-48da-a821-e85c27b99d92"
+  KP_SESSION_TOKEN: ""
+  KP_CRK_ARN: ""