rbd: add BaseURL and tokenURL configuration
This commit adds optional BaseURL and TokenURL settings to the Key Protect/HPCS configuration and client connection; if they are not provided, the default values are used. Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
This commit is contained in:
parent
0c109c5dec
commit
bc354b6fb5
@ -12,20 +12,26 @@ Below parameters/values can be used to establish the connection to the HPCS
|
|||||||
service from the CSI driver and to make use of the encryption operations:
|
service from the CSI driver and to make use of the encryption operations:
|
||||||
|
|
||||||
```text
|
```text
|
||||||
* KMS_SERVICE_NAME=[kms_service_name]
|
* IBM_KP_BASE_URL
|
||||||
|
The Key Protect/HPCS connection URL.
|
||||||
|
|
||||||
|
* IBM_KP_TOKEN_URL
|
||||||
|
The Token Authenticaltion URL of KeyProtect/HPCS service.
|
||||||
|
|
||||||
|
* KMS_SERVICE_NAME
|
||||||
A unique name for the key management service within the project.
|
A unique name for the key management service within the project.
|
||||||
|
|
||||||
* IBM_KP_SERVICE_INSTANCE_ID=[service_instance_id]
|
* IBM_KP_SERVICE_INSTANCE_ID
|
||||||
The Instance ID of the IBM HPCS service, ex: crn:v1:bluemix:public:hs-crypto:us-south:a/5d19cf8b82874c2dab37e397426fbc42:e2ae65ff-954b-453f-b0d7-fc5064c203ce::
|
The Instance ID of the IBM HPCS service, ex: crn:v1:bluemix:public:hs-crypto:us-south:a/5d19cf8b82874c2dab37e397426fbc42:e2ae65ff-954b-453f-b0d7-fc5064c203ce::
|
||||||
|
|
||||||
* IBM_KP_SERVICE_API_KEY=[service_api_key]
|
* IBM_KP_SERVICE_API_KEY
|
||||||
Ex: 06x6DbTkVQ-qCRmq9cK-p9xOQpU2UwJMcdjnIDdr0g2R
|
Ex: 06x6DbTkVQ-qCRmq9cK-p9xOQpU2UwJMcdjnIDdr0g2R
|
||||||
|
|
||||||
* IBM_KP_CUSTOMER_ROOT_KEY=[customer_root_key]
|
* IBM_KP_CUSTOMER_ROOT_KEY
|
||||||
Ex: c7a9aa91-5cb5-48da-a821-e85c27b99d92
|
Ex: c7a9aa91-5cb5-48da-a821-e85c27b99d92
|
||||||
|
|
||||||
* IBM_KP_REGION = [region of the key protect service]
|
* IBM_KP_REGION
|
||||||
Ex: us-south-2
|
Region of the key protect service, ex: us-south-2
|
||||||
```
|
```
|
||||||
|
|
||||||
### Values provided in the connection Secret
|
### Values provided in the connection Secret
|
||||||
|
@ -65,6 +65,8 @@ data:
|
|||||||
"KMS_PROVIDER": "kp-metadata",
|
"KMS_PROVIDER": "kp-metadata",
|
||||||
"IBM_KP_SECRET_NAME": "ceph-csi-kp-credentials",
|
"IBM_KP_SECRET_NAME": "ceph-csi-kp-credentials",
|
||||||
"IBM_KP_SERVICE_INSTANCE_ID": "7abef064-01dd-4237-9ea5-8b3890970be3",
|
"IBM_KP_SERVICE_INSTANCE_ID": "7abef064-01dd-4237-9ea5-8b3890970be3",
|
||||||
|
"IBM_KP_BASE_URL": "https://us-south.kms.cloud.ibm.com",
|
||||||
|
"IBM_KP_TOKEN_URL": ""https://iam.cloud.ibm.com/oidc/token",
|
||||||
"IBM_KP_REGION": "us-south-2",
|
"IBM_KP_REGION": "us-south-2",
|
||||||
}
|
}
|
||||||
metadata:
|
metadata:
|
||||||
|
@ -47,6 +47,8 @@ const (
|
|||||||
keyProtectRegionKey = "IBM_KP_REGION"
|
keyProtectRegionKey = "IBM_KP_REGION"
|
||||||
|
|
||||||
keyProtectServiceInstanceID = "IBM_KP_SERVICE_INSTANCE_ID"
|
keyProtectServiceInstanceID = "IBM_KP_SERVICE_INSTANCE_ID"
|
||||||
|
keyProtectServiceBaseURL = "IBM_KP_BASE_URL"
|
||||||
|
keyProtectServiceTokenURL = "IBM_KP_TOKEN_URL" //nolint:gosec // only configuration key
|
||||||
// The following options are part of the Kubernetes Secrets.
|
// The following options are part of the Kubernetes Secrets.
|
||||||
// #nosec:G101, no hardcoded secrets, only configuration keys.
|
// #nosec:G101, no hardcoded secrets, only configuration keys.
|
||||||
keyProtectServiceAPIKey = "IBM_KP_SERVICE_API_KEY"
|
keyProtectServiceAPIKey = "IBM_KP_SERVICE_API_KEY"
|
||||||
@ -71,6 +73,8 @@ type KeyProtectKMS struct {
|
|||||||
serviceAPIKey string
|
serviceAPIKey string
|
||||||
customerRootKey string
|
customerRootKey string
|
||||||
serviceInstanceID string
|
serviceInstanceID string
|
||||||
|
baseURL string
|
||||||
|
tokenURL string
|
||||||
region string
|
region string
|
||||||
sessionToken string
|
sessionToken string
|
||||||
crk string
|
crk string
|
||||||
@ -93,6 +97,20 @@ func initKeyProtectKMS(args ProviderInitArgs) (EncryptionKMS, error) {
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
err = setConfigString(&kms.baseURL, args.Config, keyProtectServiceBaseURL)
|
||||||
|
if errors.Is(err, errConfigOptionInvalid) {
|
||||||
|
return nil, err
|
||||||
|
} else if errors.Is(err, errConfigOptionMissing) {
|
||||||
|
kms.baseURL = kp.DefaultBaseURL
|
||||||
|
}
|
||||||
|
|
||||||
|
err = setConfigString(&kms.tokenURL, args.Config, keyProtectServiceTokenURL)
|
||||||
|
if errors.Is(err, errConfigOptionInvalid) {
|
||||||
|
return nil, err
|
||||||
|
} else if errors.Is(err, errConfigOptionMissing) {
|
||||||
|
kms.tokenURL = kp.DefaultTokenURL
|
||||||
|
}
|
||||||
|
|
||||||
// read the Kubernetes Secret with credentials
|
// read the Kubernetes Secret with credentials
|
||||||
secrets, err := kms.getSecrets()
|
secrets, err := kms.getSecrets()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -168,9 +186,10 @@ func (kms *KeyProtectKMS) RequiresDEKStore() DEKStoreType {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (kms *KeyProtectKMS) getService() error {
|
func (kms *KeyProtectKMS) getService() error {
|
||||||
// Use your Service API Key and your KeyProtect Service Instance ID to create a ClientConfig
|
// Use Service API Key and KeyProtect Service Instance ID to create a ClientConfig
|
||||||
cc := kp.ClientConfig{
|
cc := kp.ClientConfig{
|
||||||
BaseURL: kp.DefaultBaseURL,
|
BaseURL: kms.baseURL,
|
||||||
|
TokenURL: kms.tokenURL,
|
||||||
APIKey: kms.serviceAPIKey,
|
APIKey: kms.serviceAPIKey,
|
||||||
InstanceID: kms.serviceInstanceID,
|
InstanceID: kms.serviceInstanceID,
|
||||||
}
|
}
|
||||||
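Review bot: The new IBM_KP_BASE_URL and IBM_KP_TOKEN_URL values in the initKeyProtectKMS hunk are copied into kp.ClientConfig in getService with no check beyond what setConfigString does, and they come from args.Config rather than the credentials Secret read by kms.getSecrets(); presumably the client exchanges APIKey for a token at TokenURL, so a misconfigured or tampered http:// or foreign URL in the KMS config would hand IBM_KP_SERVICE_API_KEY to that endpoint. I would parse both values after the default is applied and reject anything that is not an absolute https:// URL, as sketched below (this needs net/url, and fmt if it is not already imported; the import block is not visible here). Only the errConfigOptionMissing case falls back to the default, and whether setConfigString treats an explicitly empty string as missing is not visible, so the check should also reject an empty value. initKeyProtectKMS begins before this hunk and continues after the Secret read, outside it.
```go
// validateHTTPSURL rejects anything that is not an absolute https:// URL so
// the service API key is never sent to a plaintext or malformed endpoint.
func validateHTTPSURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "https" || u.Host == "" {
		return fmt.Errorf("expected an absolute https:// URL, got %q", raw)
	}
	return nil
}

	// … inside initKeyProtectKMS, after the baseURL default is applied …
	if err := validateHTTPSURL(kms.baseURL); err != nil {
		return nil, fmt.Errorf("invalid %s: %w", keyProtectServiceBaseURL, err)
	}
	// … unchanged: setConfigString for tokenURL and its missing/invalid handling …
	if err := validateHTTPSURL(kms.tokenURL); err != nil {
		return nil, fmt.Errorf("invalid %s: %w", keyProtectServiceTokenURL, err)
	}
	// … unchanged: read the Kubernetes Secret with credentials …
```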
|