ceph-csi/examples/kms/vault/csi-kms-connection-details.yaml
Rakshith R b27d6319ca e2e: add e2e for user secret based metadata encryption
This commit adds e2e for user secret based metadata encryption,
adds user-secret.yaml and makes required changes in kms-connection-details,
kms-config yamls.

Signed-off-by: Rakshith R <rar@redhat.com>
2021-07-08 17:06:02 +00:00

57 lines
1.7 KiB
YAML

#
# csi-kms-connection-details is an alternative option to configure KMS
# providers for encrypted volume support.
# This ConfigMap can be located in the Kubernetes Namespace where Ceph-CSI is
# deployed. In case the ceph-csi-encryption-kms-config which provides a
# `config.json` is not mapped into the csi-rbdplugin container, the
# csi-kms-connection-details ConfigMap will be used instead.
#
# The configuration values follow the common key/value contents. The key for
# each KMS provider should be used as the value for `encryptionKMSID` in the
# StorageClass.
#
---
apiVersion: v1
kind: ConfigMap
data:
vault-test: |-
{
"encryptionKMSType": "vault",
"vaultAddress": "http://vault.default.svc.cluster.local:8200",
"vaultAuthPath": "/v1/auth/kubernetes/login",
"vaultRole": "csi-kubernetes",
"vaultPassphraseRoot": "/v1/secret",
"vaultPassphrasePath": "ceph-csi/",
"vaultCAVerify": "false"
}
vault-tokens-test: |-
{
"KMS_PROVIDER": "vaulttokens",
"VAULT_ADDR": "http://vault.default.svc.cluster.local:8200",
"VAULT_BACKEND_PATH": "secret",
"VAULT_SKIP_VERIFY": "true"
}
secrets-metadata-test: |-
{
"encryptionKMSType": "metadata"
}
user-ns-secrets-metadata-test: |-
{
"encryptionKMSType": "metadata",
"secretName": "storage-encryption-secret",
"secretNamespace": "default"
}
user-secrets-metadata-test: |-
{
"encryptionKMSType": "metadata",
"secretName": "storage-encryption-secret"
}
aws-metadata-test: |-
{
"KMS_PROVIDER": "aws-metadata",
"KMS_SECRET_NAME": "ceph-csi-aws-credentials",
"AWS_REGION": "us-west-2"
}
metadata:
name: csi-kms-connection-details