#
# csi-kms-connection-details is an alternative option to configure KMS
# providers for encrypted volume support.
# This ConfigMap can be located in the Kubernetes Namespace where Ceph-CSI is
# deployed. In case the ceph-csi-encryption-kms-config which provides a
# `config.json` is not mapped into the csi-rbdplugin container, the
# csi-kms-connection-details ConfigMap will be used instead.
#
# The configuration values follow the common key/value contents. The key for
# each KMS provider should be used as the value for `encryptionKMSID` in the
# StorageClass.
#
---
apiVersion: v1
kind: ConfigMap
data:
  vault-test: |-
    {
      "encryptionKMSType": "vault",
      "vaultAddress": "http://vault.default.svc.cluster.local:8200",
      "vaultAuthPath": "/v1/auth/kubernetes/login",
      "vaultRole": "csi-kubernetes",
      "vaultPassphraseRoot": "/v1/secret",
      "vaultPassphrasePath": "ceph-csi/",
      "vaultCAVerify": "false"
    }
  vault-tokens-test: |-
    {
      "KMS_PROVIDER": "vaulttokens",
      "VAULT_ADDR": "http://vault.default.svc.cluster.local:8200",
      "VAULT_BACKEND_PATH": "secret",
      "VAULT_SKIP_VERIFY": "true"
    }
  vault-tenant-sa-test: |-
    {
      "KMS_PROVIDER": "vaulttenantsa",
      "VAULT_ADDR": "http://vault.default.svc.cluster.local:8200",
      "VAULT_BACKEND_PATH": "shared-secrets",
      "VAULT_SKIP_VERIFY": "true"
    }
  secrets-metadata-test: |-
    {
      "encryptionKMSType": "metadata"
    }
  user-ns-secrets-metadata-test: |-
    {
      "encryptionKMSType": "metadata",
      "secretName": "storage-encryption-secret",
      "secretNamespace": "default"
    }
  user-secrets-metadata-test: |-
    {
      "encryptionKMSType": "metadata",
      "secretName": "storage-encryption-secret"
    }
  aws-metadata-test: |-
    {
      "KMS_PROVIDER": "aws-metadata",
      "KMS_SECRET_NAME": "ceph-csi-aws-credentials",
      "AWS_REGION": "us-west-2"
    }
metadata:
  name: csi-kms-connection-details