doc: add example for Tenant ServiceAccount

The ServiceAccount "ceph-csi-vault-sa" is expected to be placed in the Namespace "tenant" so that the provisioner and node-plugin fetch the ServiceAccount from a Namespace where Ceph-CSI is not deployed. Signed-off-by: Niels de Vos <ndevos@redhat.com>
2025-06-13 10:33:35 +00:00 · 2021-07-06 10:32:12 +02:00
parent 8662e01d2c
commit b700fa43e6
4 changed files with 144 additions and 0 deletions
--- a/examples/kms/vault/kms-config.yaml
+++ b/examples/kms/vault/kms-config.yaml
@ -31,6 +31,24 @@ data:
              }
          }
      },
+      "vault-tenant-sa-test": {
+          "encryptionKMSType": "vaulttenantsa",
+          "vaultAddress": "http://vault.default.svc.cluster.local:8200",
+          "vaultBackendPath": "shared-secrets",
+          "vaultTLSServerName": "vault.default.svc.cluster.local",
+          "vaultCAVerify": "false",
+          "tenantConfigName": "ceph-csi-kms-config",
+          "tenantSAName": "ceph-csi-vault-sa",
+          "tenants": {
+              "my-app": {
+                  "vaultAddress": "https://vault.example.com",
+                  "vaultCAVerify": "true"
+              },
+              "an-other-app": {
+                  "tenantSAName": "storage-encryption-sa"
+              }
+          }
+      },
      "secrets-metadata-test": {
          "encryptionKMSType": "metadata"
      },