This commit adds the Azure SDK for Azure key vault KMS integration to the Ceph CSI driver. Signed-off-by: Praveen M <m.praveen@ibm.com>
{
|
|
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
|
"contentVersion": "1.0.0.0",
|
|
"parameters": {
|
|
"baseName": {
|
|
"type": "string",
|
|
"defaultValue": "[resourceGroup().name]",
|
|
"metadata": {
|
|
"description": "The base resource name."
|
|
}
|
|
},
|
|
"tenantId": {
|
|
"type": "string",
|
|
"defaultValue": "72f988bf-86f1-41af-91ab-2d7cd011db47",
|
|
"metadata": {
|
|
"description": "The tenant ID to which the application and resources belong. The vault's access policies and the Managed HSM's initial admin OIDs are resolved in this tenant, so the default must be overridden with the deploying tenant's ID; the OIDs passed below are meaningless in any other tenant."
|
|
}
|
|
},
|
|
"testApplicationOid": {
|
|
"type": "string",
|
|
"metadata": {
|
|
"description": "The object ID of the test application's service principal. It is granted the full key, secret and certificate permission set on the vault (including purge) and is made an initial administrator of the Managed HSM; use a disposable test identity, never a production principal."
|
|
}
|
|
},
|
|
"provisionerApplicationOid": {
|
|
"type": "string",
|
|
"metadata": {
|
|
"description": "The object ID of the provisioning principal. It is added alongside the test application as an initial administrator of the Managed HSM; it receives no access policy on the vault itself."
|
|
}
|
|
},
|
|
"location": {
|
|
"type": "string",
|
|
"defaultValue": "[resourceGroup().location]",
|
|
"metadata": {
|
|
"description": "The location of the resource. By default, this is the same as the resource group."
|
|
}
|
|
},
|
|
"hsmLocation": {
|
|
"type": "string",
|
|
"defaultValue": "southcentralus",
|
|
"allowedValues": [
|
|
"australiacentral",
|
|
"canadacentral",
|
|
"centralus",
|
|
"eastasia",
|
|
"eastus2",
|
|
"koreacentral",
|
|
"northeurope",
|
|
"southafricanorth",
|
|
"southcentralus",
|
|
"southeastasia",
|
|
"switzerlandnorth",
|
|
"uksouth",
|
|
"westeurope",
|
|
"westus"
|
|
],
|
|
"metadata": {
|
|
"description": "The location of the Managed HSM. By default, this is 'southcentralus'."
|
|
}
|
|
},
|
|
"enableHsm": {
|
|
"type": "bool",
|
|
"defaultValue": false,
|
|
"metadata": {
|
|
"description": "Whether to deploy the Managed HSM and the mock attestation web app that accompanies it. The default is false. Note that the HSM is deployed with public network access enabled, open network ACLs and purge protection disabled, which is acceptable only for disposable test resources."
|
|
}
|
|
},
|
|
"keyVaultSku": {
|
|
"type": "string",
|
|
"defaultValue": "premium",
|
|
"metadata": {
|
|
"description": "Key Vault SKU to deploy. The default is 'premium'."
|
|
}
|
|
},
|
|
"attestationImage": {
|
|
"type": "string",
|
|
"defaultValue": "keyvault-mock-attestation:latest",
|
|
"metadata": {
|
|
"description": "The container image name and tag to use for the attestation mock service, pulled from azsdkengsys.azurecr.io. The default ':latest' tag is mutable; pin a specific tag (or digest) for reproducible, supply-chain-safe deployments."
|
|
}
|
|
}
|
|
},
|
|
"variables": {
|
|
"attestationFarm": "[concat(parameters('baseName'), 'farm')]",
|
|
"attestationSite": "[concat(parameters('baseName'), 'site')]",
|
|
"attestationUri": "[concat('DOCKER|azsdkengsys.azurecr.io/', parameters('attestationImage'))]",
|
|
"kvApiVersion": "2019-09-01",
|
|
"kvName": "[parameters('baseName')]",
|
|
"hsmApiVersion": "2021-04-01-preview",
|
|
"hsmName": "[concat(parameters('baseName'), 'hsm')]",
|
|
"mgmtApiVersion": "2019-04-01",
|
|
"blobContainerName": "backup",
|
|
"primaryAccountName": "[concat(parameters('baseName'), 'prim')]",
|
|
"encryption": {
|
|
"services": {
|
|
"blob": {
|
|
"enabled": true
|
|
}
|
|
},
|
|
"keySource": "Microsoft.Storage"
|
|
},
|
|
"networkAcls": {
|
|
"bypass": "AzureServices",
|
|
"virtualNetworkRules": [],
|
|
"ipRules": [],
|
|
"defaultAction": "Allow"
|
|
}
|
|
},
|
|
"resources": [
|
|
{
|
|
"type": "Microsoft.KeyVault/vaults",
|
|
"apiVersion": "[variables('kvApiVersion')]",
|
|
"name": "[variables('kvName')]",
|
|
"location": "[parameters('location')]",
|
|
"properties": {
|
|
"sku": {
|
|
"family": "A",
|
|
"name": "[parameters('keyVaultSku')]"
|
|
},
|
|
"tenantId": "[parameters('tenantId')]",
|
|
"accessPolicies": [
|
|
{
|
|
"tenantId": "[parameters('tenantId')]",
|
|
"objectId": "[parameters('testApplicationOid')]",
|
|
"permissions": {
|
|
"keys": [
|
|
"backup",
|
|
"create",
|
|
"decrypt",
|
|
"delete",
|
|
"encrypt",
|
|
"get",
|
|
"import",
|
|
"list",
|
|
"purge",
|
|
"recover",
|
|
"release",
|
|
"restore",
|
|
"rotate",
|
|
"sign",
|
|
"unwrapKey",
|
|
"update",
|
|
"verify",
|
|
"wrapKey"
|
|
],
|
|
"secrets": [
|
|
"backup",
|
|
"delete",
|
|
"get",
|
|
"list",
|
|
"purge",
|
|
"recover",
|
|
"restore",
|
|
"set"
|
|
],
|
|
"certificates": [
|
|
"backup",
|
|
"create",
|
|
"delete",
|
|
"deleteissuers",
|
|
"get",
|
|
"getissuers",
|
|
"import",
|
|
"list",
|
|
"listissuers",
|
|
"managecontacts",
|
|
"manageissuers",
|
|
"purge",
|
|
"recover",
|
|
"restore",
|
|
"setissuers",
|
|
"update"
|
|
]
|
|
}
|
|
}
|
|
],
|
|
"enabledForDeployment": false,
|
|
"enabledForDiskEncryption": false,
|
|
"enabledForTemplateDeployment": false,
|
|
"enableSoftDelete": true,
|
|
"softDeleteRetentionInDays": 7
|
|
}
|
|
},
|
|
{
|
|
"type": "Microsoft.KeyVault/managedHSMs",
|
|
"apiVersion": "[variables('hsmApiVersion')]",
|
|
"name": "[variables('hsmName')]",
|
|
"condition": "[parameters('enableHsm')]",
|
|
"location": "[parameters('hsmLocation')]",
|
|
"sku": {
|
|
"family": "B",
|
|
"name": "Standard_B1"
|
|
},
|
|
"properties": {
|
|
"tenantId": "[parameters('tenantId')]",
|
|
"initialAdminObjectIds": "[union(array(parameters('testApplicationOid')), array(parameters('provisionerApplicationOid')))]",
|
|
"enablePurgeProtection": false,
|
|
"enableSoftDelete": true,
|
|
"softDeleteRetentionInDays": 7,
|
|
"publicNetworkAccess": "Enabled",
|
|
"networkAcls": "[variables('networkAcls')]"
|
|
}
|
|
},
|
|
{
|
|
"type": "Microsoft.Storage/storageAccounts",
|
|
"apiVersion": "[variables('mgmtApiVersion')]",
|
|
"name": "[variables('primaryAccountName')]",
|
|
"location": "[parameters('location')]",
|
|
"sku": {
|
|
"name": "Standard_RAGRS",
|
|
"tier": "Standard"
|
|
},
|
|
"kind": "StorageV2",
|
|
"properties": {
|
|
"networkAcls": "[variables('networkAcls')]",
|
|
"supportsHttpsTrafficOnly": true,
|
|
"encryption": "[variables('encryption')]",
|
|
"accessTier": "Hot"
|
|
}
|
|
},
|
|
{
|
|
"type": "Microsoft.Storage/storageAccounts/blobServices",
|
|
"apiVersion": "2019-06-01",
|
|
"name": "[concat(variables('primaryAccountName'), '/default')]",
|
|
"dependsOn": [
|
|
"[resourceId('Microsoft.Storage/storageAccounts', variables('primaryAccountName'))]"
|
|
],
|
|
"sku": {
|
|
"name": "Standard_RAGRS",
|
|
"tier": "Standard"
|
|
},
|
|
"properties": {
|
|
"cors": {
|
|
"corsRules": []
|
|
},
|
|
"deleteRetentionPolicy": {
|
|
"enabled": false
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
|
|
"apiVersion": "2019-06-01",
|
|
"name": "[concat(variables('primaryAccountName'), '/default/', variables('blobContainerName'))]",
|
|
"dependsOn": [
|
|
"[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('primaryAccountName'), 'default')]",
|
|
"[resourceId('Microsoft.Storage/storageAccounts', variables('primaryAccountName'))]"
|
|
],
|
|
"properties": {
|
|
"publicAccess": "None"
|
|
}
|
|
},
|
|
{
|
|
|
|
"type": "Microsoft.Web/serverfarms",
|
|
"apiVersion": "2020-12-01",
|
|
"name": "[variables('attestationFarm')]",
|
|
"condition": "[parameters('enableHsm')]",
|
|
"location": "[parameters('location')]",
|
|
"kind": "linux",
|
|
"sku": {
|
|
"name": "B1"
|
|
},
|
|
"properties": {
|
|
"reserved": true
|
|
}
|
|
},
|
|
{
|
|
|
|
"type": "Microsoft.Web/sites",
|
|
"apiVersion": "2020-12-01",
|
|
"name": "[variables('attestationSite')]",
|
|
"condition": "[parameters('enableHsm')]",
|
|
"dependsOn": [
|
|
"[resourceId('Microsoft.Web/serverfarms', variables('attestationFarm'))]"
|
|
],
|
|
"location": "[parameters('location')]",
|
|
"properties": {
|
|
"httpsOnly": true,
|
|
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('attestationFarm'))]",
|
|
"siteConfig": {
|
|
"name": "[variables('attestationSite')]",
|
|
"alwaysOn": true,
|
|
"linuxFxVersion": "[variables('attestationUri')]",
|
|
"appSettings": [
|
|
{
|
|
"name": "WEBSITES_ENABLE_APP_SERVICE_STORAGE",
|
|
"value": "false"
|
|
}
|
|
]
|
|
}
|
|
}
|
|
}
|
|
],
|
|
"outputs": {
|
|
"AZURE_KEYVAULT_URL": {
|
|
"type": "string",
|
|
"value": "[reference(variables('kvName')).vaultUri]"
|
|
},
|
|
"AZURE_MANAGEDHSM_URL": {
|
|
"type": "string",
|
|
"condition": "[parameters('enableHsm')]",
|
|
"value": "[reference(variables('hsmName')).hsmUri]"
|
|
},
|
|
"KEYVAULT_SKU": {
|
|
"type": "string",
|
|
"value": "[reference(parameters('baseName')).sku.name]"
|
|
},
|
|
"CLIENT_OBJECTID": {
|
|
"type": "string",
|
|
"value": "[parameters('testApplicationOid')]"
|
|
},
|
|
"BLOB_STORAGE_ACCOUNT_NAME": {
|
|
"type": "string",
|
|
"value": "[variables('primaryAccountName')]"
|
|
},
|
|
"BLOB_PRIMARY_STORAGE_ACCOUNT_KEY": {
|
|
"type": "string",
|
|
"value": "[listKeys(variables('primaryAccountName'), variables('mgmtApiVersion')).keys[0].value]"
|
|
},
|
|
"BLOB_CONTAINER_NAME" : {
|
|
"type": "string",
|
|
"value": "[variables('blobContainerName')]"
|
|
},
|
|
"AZURE_KEYVAULT_ATTESTATION_URL": {
|
|
"type": "string",
|
|
"condition": "[parameters('enableHsm')]",
|
|
"value": "[format('https://{0}/', reference(variables('attestationSite')).defaultHostName)]"
|
|
}
|
|
}
|
|
} |