Mirror of https://github.com/ceph/ceph-csi.git (synced 2024-11-26 08:10:20 +00:00)
doc: add usage for Vault Tokens KMS support
In addition to the Vault KMS support (uses Kubernetes ServiceAccount), there is the new Vault Tokens KMS feature.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
parent 24a17094a2
commit db40c06e84
@@ -229,21 +229,36 @@ To further improve security robustness it is possible to use unique passphrases
 generated for each volume and stored in a Key Management System (KMS). Currently
 HashiCorp Vault is the only KMS supported.
 
+There are two options to use Hashicorp Vault as a KMS:
+
+1. with Kubernetes ServiceAccount
+1. with a Vault Token per Tenant (a Kubernetes Namespace)
+
 To use Vault as KMS set `encryptionKMSID` to a unique identifier for Vault
 configuration. You will also need to create vault configuration similar to the
 [example](../examples/rbd/kms-config.yaml) and use same `encryptionKMSID`.
-Configuration must include `encryptionKMSType: "vault"`. In order for ceph-csi
-to be able to access the configuration you will need to have it mounted to
-csi-rbdplugin containers in both daemonset (so kms client can be instantiated to
-encrypt/decrypt volumes) and deployment pods (so kms client can be instantiated
-to delete passphrase on volume delete) `ceph-csi-encryption-kms-config`
-configmap.
+
+To use the Kubernetes ServiceAccount to access Vault, the configuration must
+include `encryptionKMSType: "vault"`. If Tenants are expected to place their
+Vault Token in a Kubernetes Secret in their Namespace, set `encryptionKMSType:
+"vaulttokens"`.
+
+In order for ceph-csi to be able to access the configuration you will need to
+have it mounted to csi-rbdplugin containers in both daemonset (so kms client
+can be instantiated to encrypt/decrypt volumes) and deployment pods (so kms
+client can be instantiated to delete passphrase on volume delete)
+`ceph-csi-encryption-kms-config` configmap.
 
 > Note: kms configuration must be a map of string values only
 > (`map[string]string`) so for numerical and boolean values make sure to put
 > quotes around.
 
-#### Configuring HashiCorp Vault
+When the Tenants need to provide their own Vault Token, they will need to place
+it in a Kubernetes Secret (by default) called `ceph-csi-kms-token`, where the
+Vault Token is stored in the `token` key as shown in [the
+example](../examples/kms/vault/tenant-token.yaml).
+
+#### Configuring HashiCorp Vault with Kubernetes ServiceAccount
 
 Using Vault as KMS you need to configure Kubernetes authentication method as
 described in [official
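Review bot: the `vaulttokens` text in this hunk leaves two things undocumented that a deployer has to know before picking that option. The line `it in a Kubernetes Secret (by default) called \`ceph-csi-kms-token\`` says the Secret name is a default but never names the configuration key that overrides it; state it in the `encryptionKMSType: "vaulttokens"` paragraph. More important for security: ceph-csi reading a Vault Token out of a Secret in each Tenant's Namespace means the csi-rbdplugin ServiceAccount must be granted read access to Secrets across tenant Namespaces, and anyone else who can read that Secret holds the tenant's Vault Token; a sentence on that RBAC requirement and its implication belongs next to the `tenant-token.yaml` example link, since the `vault` option avoids it by logging in with ceph-csi's own ServiceAccount. Minor: `Hashicorp Vault` in the new `There are two options` line should read `HashiCorp` to match the surrounding text.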