#
# csi-kms-connection-details is an alternative option to configure KMS
# providers for encrypted volume support.
# This ConfigMap can be located in the Kubernetes Namespace where Ceph-CSI is
# deployed. In case the ceph-csi-encryption-kms-config which provides a
# `config.json` is not mapped into the csi-rbdplugin container, the
# csi-kms-connection-details ConfigMap will be used instead.
#
# The configuration values follow the common key/value contents. The key for
# each KMS provider should be used as the value for `encryptionKMSID` in the
# StorageClass.
#
---
apiVersion: v1
kind: ConfigMap
data:
  vault-test: |-
    {
      "encryptionKMSType": "vault",
      "vaultAddress": "http://vault.default.svc.cluster.local:8200",
      "vaultAuthPath": "/v1/auth/kubernetes/login",
      "vaultRole": "csi-kubernetes",
      "vaultPassphraseRoot": "/v1/secret",
      "vaultPassphrasePath": "ceph-csi/",
      "vaultCAVerify": "false"
    }
  vault-tokens-test: |-
    {
      "KMS_PROVIDER": "vaulttokens",
      "VAULT_ADDR": "http://vault.default.svc.cluster.local:8200",
      "VAULT_BACKEND_PATH": "secret",
      "VAULT_DESTROY_KEYS": "true",
      "VAULT_SKIP_VERIFY": "true"
    }
  vault-tenant-sa-test: |-
    {
      "KMS_PROVIDER": "vaulttenantsa",
      "VAULT_ADDR": "http://vault.default.svc.cluster.local:8200",
      "VAULT_BACKEND_PATH": "shared-secrets",
      "VAULT_SKIP_VERIFY": "true"
    }
  secrets-metadata-test: |-
    {
      "encryptionKMSType": "metadata"
    }
  user-ns-secrets-metadata-test: |-
    {
      "encryptionKMSType": "metadata",
      "secretName": "storage-encryption-secret",
      "secretNamespace": "default"
    }
  user-secrets-metadata-test: |-
    {
      "encryptionKMSType": "metadata",
      "secretName": "storage-encryption-secret"
    }
  aws-metadata-test: |-
    {
      "KMS_PROVIDER": "aws-metadata",
      "KMS_SECRET_NAME": "ceph-csi-aws-credentials",
      "AWS_REGION": "us-west-2"
    }
  ibmkeyprotect-test: |-
    {
      "KMS_PROVIDER": "ibmkeyprotect",
      "IBM_KP_SECRET_NAME": "ceph-csi-kp-credentials",
      "IBM_KP_SERVICE_INSTANCE_ID": "7abef064-01dd-4237-9ea5-8b3890970be3",
      "IBM_KP_BASE_URL": "https://us-south.kms.cloud.ibm.com",
      "IBM_KP_TOKEN_URL": "https://iam.cloud.ibm.com/oidc/token",
      "IBM_KP_REGION": "us-south-2"
    }
  aws-sts-metadata-test: |-
    {
      "encryptionKMSType": "aws-sts-metadata",
      "secretName": "ceph-csi-aws-credentials"
    }
  kmip-test: |-
    {
      "KMS_PROVIDER": "kmip",
      "KMIP_ENDPOINT": "kmip:5696",
      "KMIP_SECRET_NAME": "ceph-csi-kmip-credentials",
      "TLS_SERVER_NAME": "kmip.ciphertrustmanager.local",
      "READ_TIMEOUT": 10,
      "WRITE_TIMEOUT": 10
    }
metadata:
  name: csi-kms-connection-details