mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-12-23 13:30:23 +00:00
4f0bb2315b
With Amazon STS and kubernetes cluster is configured with OIDC identity provider, credentials to access Amazon KMS can be fetched using oidc-token(serviceaccount token). Each tenant/namespace needs to create a secret with aws region, role and CMK ARN. Ceph-CSI will assume the given role with oidc token and access aws KMS, with given CMK to encrypt/decrypt DEK which will stored in the image metdata. Refer: https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html Resolves: #2879 Signed-off-by: Rakshith R <rar@redhat.com>
107 lines
3.8 KiB
YAML
107 lines
3.8 KiB
YAML
---
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
data:
|
|
config.json: |-
|
|
{
|
|
"vault-test": {
|
|
"encryptionKMSType": "vault",
|
|
"vaultAddress": "http://vault.default.svc.cluster.local:8200",
|
|
"vaultAuthPath": "/v1/auth/kubernetes/login",
|
|
"vaultRole": "csi-kubernetes",
|
|
"vaultBackend": "kv-v2",
|
|
"vaultDestroyKeys": "true",
|
|
"vaultPassphraseRoot": "/v1/secret",
|
|
"vaultPassphrasePath": "ceph-csi/",
|
|
"vaultCAVerify": "false"
|
|
},
|
|
"vault-tokens-test": {
|
|
"encryptionKMSType": "vaulttokens",
|
|
"vaultAddress": "http://vault.default.svc.cluster.local:8200",
|
|
"vaultBackend": "kv-v2",
|
|
"vaultBackendPath": "secret/",
|
|
"vaultTLSServerName": "vault.default.svc.cluster.local",
|
|
"vaultCAVerify": "false",
|
|
"tenantConfigName": "ceph-csi-kms-config",
|
|
"tenantTokenName": "ceph-csi-kms-token",
|
|
"tenants": {
|
|
"my-app": {
|
|
"vaultAddress": "https://vault.example.com",
|
|
"vaultCAVerify": "true"
|
|
},
|
|
"an-other-app": {
|
|
"tenantTokenName": "storage-encryption-token",
|
|
"vaultDestroyKeys": "false"
|
|
}
|
|
}
|
|
},
|
|
"vault-tenant-sa-test": {
|
|
"encryptionKMSType": "vaulttenantsa",
|
|
"vaultAddress": "http://vault.default.svc.cluster.local:8200",
|
|
"vaultBackend": "kv-v2",
|
|
"vaultBackendPath": "shared-secrets",
|
|
"vaultDestroyKeys": "false",
|
|
"vaultTLSServerName": "vault.default.svc.cluster.local",
|
|
"vaultCAVerify": "false",
|
|
"tenantConfigName": "ceph-csi-kms-config",
|
|
"tenantSAName": "ceph-csi-vault-sa",
|
|
"tenants": {
|
|
"my-app": {
|
|
"vaultAddress": "https://vault.example.com",
|
|
"vaultCAVerify": "true"
|
|
},
|
|
"an-other-app": {
|
|
"tenantSAName": "storage-encryption-sa"
|
|
}
|
|
}
|
|
},
|
|
"vault-tenant-sa-ns-test": {
|
|
"encryptionKMSType": "vaulttenantsa",
|
|
"vaultAddress": "http://vault.default.svc.cluster.local:8200",
|
|
"vaultBackend": "kv-v2",
|
|
"vaultBackendPath": "shared-secrets",
|
|
"vaultAuthNamespace": "devops",
|
|
"vaultNamespace": "devops/homepage",
|
|
"vaultTLSServerName": "vault.default.svc.cluster.local",
|
|
"vaultCAVerify": "false",
|
|
"tenantConfigName": "ceph-csi-kms-config",
|
|
"tenantSAName": "ceph-csi-vault-sa",
|
|
"tenants": {
|
|
"webservers": {
|
|
"vaultAddress": "https://vault.example.com",
|
|
"vaultAuthNamespace": "webservers",
|
|
"vaultNamespace": "webservers/homepage",
|
|
"vaultCAVerify": "true"
|
|
},
|
|
"homepage-db": {
|
|
"vaultNamespace": "devops/homepage/database",
|
|
"tenantSAName": "storage-encryption-sa"
|
|
}
|
|
}
|
|
},
|
|
"secrets-metadata-test": {
|
|
"encryptionKMSType": "metadata"
|
|
},
|
|
"user-ns-secrets-metadata-test": {
|
|
"encryptionKMSType": "metadata",
|
|
"secretName": "storage-encryption-secret",
|
|
"secretNamespace": "default"
|
|
},
|
|
"user-secrets-metadata-test": {
|
|
"encryptionKMSType": "metadata",
|
|
"secretName": "storage-encryption-secret"
|
|
},
|
|
"ibmkeyprotect-test": {
|
|
"encryptionKMSType": "ibmkeyprotect",
|
|
"secretName": "ceph-csi-kp-credentials",
|
|
"keyProtectRegionKey": "us-south-2",
|
|
"keyProtectServiceInstanceID": "7abef064-01dd-4237-9ea5-8b3890970be3"
|
|
},
|
|
"aws-sts-metadata-test": {
|
|
"encryptionKMSType": "aws-sts-metadata",
|
|
"secretName": "ceph-csi-aws-credentials"
|
|
}
|
|
}
|
|
metadata:
|
|
name: ceph-csi-encryption-kms-config
|