---
# ConfigMap "ceph-csi-encryption-kms-config": carries one key, config.json,
# whose value is a JSON object. Each top-level JSON key ("vault-test",
# "kmip-test", ...) names one KMS configuration; its type is given by
# "encryptionKMSType" or, for the kmip and azure entries, "KMS_PROVIDER".
# The entry names all end in "-test", so these look like test-cluster values.
#
# Review notes (kept here because the JSON payload cannot hold comments):
# - Every Vault entry sets a top-level "vaultAddress" of http:// together with
#   "vaultCAVerify": "false". Over plain HTTP the credentials and passphrases
#   exchanged with Vault are unprotected in transit, and with verification
#   off the server certificate is not checked. For anything other than a
#   throwaway test cluster use https:// with "vaultCAVerify": "true", as the
#   "my-app" and "webservers" tenant overrides below already do.
# - "vaultTLSServerName" is set next to an http:// address in three entries;
#   presumably it only matters once the address is https - confirm.
# - "vault-test" sets "vaultDestroyKeys": "true". The name suggests keys are
#   destroyed rather than soft-deleted when a volume goes away - confirm
#   that unrecoverable deletion is intended before copying this value.
# - Boolean-like options are JSON strings ("true"/"false") while the KMIP
#   timeouts are JSON numbers; keep the types as written unless the consumer
#   is known to accept others.
# - Credentials appear to be referenced only by Secret/ServiceAccount name
#   ("secretName", "KMIP_SECRET_NAME", "AZURE_CERT_SECRET_NAME",
#   "tenantTokenName", "tenantSAName"). Keep it that way: a ConfigMap is not
#   a place for secret material.
# - "__CLIENT_ID__" and "__TENANT_ID__" in "azure-test" are placeholders and
#   have to be substituted before the entry can work.
# - Whoever can edit this ConfigMap can repoint a KMS endpoint or switch off
#   certificate verification, so write access to it deserves tight RBAC.
apiVersion: v1
kind: ConfigMap
data:
  # Literal block scalar with strip chomping (|-): the JSON text is stored
  # verbatim with no trailing newline. A '#' inside it would become part of
  # the JSON and break parsing.
  config.json: |-
    {
      "vault-test": {
        "encryptionKMSType": "vault",
        "vaultAddress": "http://vault.default.svc.cluster.local:8200",
        "vaultAuthPath": "/v1/auth/kubernetes/login",
        "vaultRole": "csi-kubernetes",
        "vaultBackend": "kv-v2",
        "vaultDestroyKeys": "true",
        "vaultPassphraseRoot": "/v1/secret",
        "vaultPassphrasePath": "ceph-csi/",
        "vaultCAVerify": "false"
      },
      "vault-tokens-test": {
          "encryptionKMSType": "vaulttokens",
          "vaultAddress": "http://vault.default.svc.cluster.local:8200",
          "vaultBackend": "kv-v2",
          "vaultBackendPath": "secret/",
          "vaultTLSServerName": "vault.default.svc.cluster.local",
          "vaultCAVerify": "false",
          "tenantConfigName": "ceph-csi-kms-config",
          "tenantTokenName": "ceph-csi-kms-token",
          "tenants": {
              "my-app": {
                  "vaultAddress": "https://vault.example.com",
                  "vaultCAVerify": "true"
              },
              "an-other-app": {
                  "tenantTokenName": "storage-encryption-token",
                  "vaultDestroyKeys": "false"
              }
          }
      },
      "vault-tenant-sa-test": {
          "encryptionKMSType": "vaulttenantsa",
          "vaultAddress": "http://vault.default.svc.cluster.local:8200",
          "vaultBackend": "kv-v2",
          "vaultBackendPath": "shared-secrets",
          "vaultDestroyKeys": "false",
          "vaultTLSServerName": "vault.default.svc.cluster.local",
          "vaultCAVerify": "false",
          "tenantConfigName": "ceph-csi-kms-config",
          "tenantSAName": "ceph-csi-vault-sa",
          "tenants": {
              "my-app": {
                  "vaultAddress": "https://vault.example.com",
                  "vaultCAVerify": "true"
              },
              "an-other-app": {
                  "tenantSAName": "storage-encryption-sa"
              }
          }
      },
      "vault-tenant-sa-ns-test": {
          "encryptionKMSType": "vaulttenantsa",
          "vaultAddress": "http://vault.default.svc.cluster.local:8200",
          "vaultBackend": "kv-v2",
          "vaultBackendPath": "shared-secrets",
          "vaultAuthNamespace": "devops",
          "vaultNamespace": "devops/homepage",
          "vaultTLSServerName": "vault.default.svc.cluster.local",
          "vaultCAVerify": "false",
          "tenantConfigName": "ceph-csi-kms-config",
          "tenantSAName": "ceph-csi-vault-sa",
          "tenants": {
              "webservers": {
                  "vaultAddress": "https://vault.example.com",
                  "vaultAuthNamespace": "webservers",
                  "vaultNamespace": "webservers/homepage",
                  "vaultCAVerify": "true"
              },
              "homepage-db": {
                  "vaultNamespace": "devops/homepage/database",
                  "tenantSAName": "storage-encryption-sa"
              }
          }
      },
      "secrets-metadata-test": {
          "encryptionKMSType": "metadata"
      },
      "user-ns-secrets-metadata-test": {
        "encryptionKMSType": "metadata",
        "secretName": "storage-encryption-secret",
        "secretNamespace": "default"
      },
      "user-secrets-metadata-test": {
        "encryptionKMSType": "metadata",
        "secretName": "storage-encryption-secret"
      },
      "ibmkeyprotect-test": {
        "encryptionKMSType": "ibmkeyprotect",
        "secretName": "ceph-csi-kp-credentials",
        "keyProtectRegionKey": "us-south-2",
        "keyProtectServiceInstanceID": "7abef064-01dd-4237-9ea5-8b3890970be3"
      },
      "aws-sts-metadata-test": {
        "encryptionKMSType": "aws-sts-metadata",
        "secretName": "ceph-csi-aws-credentials"
      },
     "kmip-test": {
        "KMS_PROVIDER": "kmip",
        "KMIP_ENDPOINT": "kmip:5696",
        "KMIP_SECRET_NAME": "ceph-csi-kmip-credentials",
        "TLS_SERVER_NAME": "kmip.ciphertrustmanager.local",
        "READ_TIMEOUT": 10,
        "WRITE_TIMEOUT": 10
      },
      "azure-test": {
        "KMS_PROVIDER": "azure-kv",
        "AZURE_CERT_SECRET_NAME": "ceph-csi-azure-credentials",
        "AZURE_VAULT_URL": "https://vault-name.vault.azure.net/",
        "AZURE_CLIENT_ID": "__CLIENT_ID__",
        "AZURE_TENANT_ID": "__TENANT_ID__"
      }
    }
# No namespace is set, so the object is created in whichever namespace it is
# applied to.
metadata:
  name: ceph-csi-encryption-kms-config