mirrors/ceph-csi
1
0
Fork 0
mirror of https://github.com/ceph/ceph-csi.git synced 2025-06-13 10:33:35 +00:00
Code Issues Packages Projects Releases Wiki Activity

helm: support encryption config in ceph-csi-cephfs chart

Browse Source 
this chart currently lack the ability to properly configure encryption,
as well as granting sufficent permission to allow controllers to access
secret when needed.

Signed-off-by: Antoine C <hi@acolombier.dev>
This commit is contained in:
Antoine C
2024-04-01 23:49:57 +01:00
committed by mergify[bot]
parent dc4ca2015e
commit cc407d157e
8 changed files with 120 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
charts/ceph-csi-cephfs/README.md
View File

@ -66,6 +66,23 @@ version.
We recommend not to use `--reuse-values` in case there are new defaults AND
compare your currently used values with the new default values.
### Enabling encryption support
To enable FSCrypt support, you will need to include the KMS configuration in
`encryptionKMSConfig`.
Here is a `values.yaml` example using a Kubernetes secret (`kubernetes` KMS)
```yaml
encryptionKMSConfig:
encryptionKMSType: "metadata"
secretName: "cephfs-encryption-passphrase" # This secret needs to contain the passphrase as the key `encryptionPassphrase`
secretNamespace: "my-namespace"
storageClass:
encrypted: true
encryptionKMSID: kubernetes
```
#### Known Issues Upgrading
- When upgrading to version >=3.7.0, you might encounter an error that the
@ -115,6 +132,7 @@ charts and their default values.
| `serviceAccounts.provisioner.create` | Specifies whether a provisioner ServiceAccount should be created | `true` |
| `serviceAccounts.provisioner.name` | The name of the provisioner ServiceAccount of provisioner to use. If not set and create is true, a name is generated using the fullname | "" |
| `csiConfig` | Configuration for the CSI to connect to the cluster | [] |
| `encryptionKMSConfig` | Configuration for the encryption KMS | `{}` |
| `commonLabels` | Labels to apply to all resources | `{}` |
| `logLevel` | Set logging level for csi containers. Supported values from 0 to 5. 0 for general useful logs, 5 for trace level verbosity. | `5` |
| `sidecarLogLevel` | Set logging level for csi sidecar containers. Supported values from 0 to 5. 0 for general useful logs, 5 for trace level verbosity. | `1` |
@ -184,6 +202,8 @@ charts and their default values.
| `storageClass.name` | Specifies the cephFS StorageClass name | `csi-cephfs-sc` |
| `storageClass.annotations` | Specifies the annotations for the cephFS storageClass | `[]` |
| `storageClass.clusterID` | String representing a Ceph cluster to provision storage from | `<cluster-ID>` |
| `storageClass.encrypted` | Specifies whether volume should be encrypted. Set it to true if you want to enable encryption | `""` |
| `storageClass.encryptionKMSID` | Specifies the encryption kms id | `""` |
| `storageClass.fsName` | CephFS filesystem name into which the volume shall be created | `myfs` |
| `storageClass.pool` | Ceph pool into which volume data shall be stored | `""` |
| `storageClass.fuseMountOptions` | Comma separated string of Ceph-fuse mount options | `""` |