mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-09-19 23:19:52 +00:00
9200bc7a00
This commit adds the support for HPCS/Key Protect IBM KMS service to Ceph CSI service. EncryptDEK() and DecryptDEK() of RBD volumes are done with the help of key protect KMS server by wrapping and unwrapping the DEK and by using the DEKStoreMetadata. Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
72 lines
2.2 KiB
YAML
72 lines
2.2 KiB
YAML
#
|
|
# csi-kms-connection-details is an alternative option to configure KMS
|
|
# providers for encrypted volume support.
|
|
# This ConfigMap can be located in the Kubernetes Namespace where Ceph-CSI is
|
|
# deployed. In case the ceph-csi-encryption-kms-config which provides a
|
|
# `config.json` is not mapped into the csi-rbdplugin container, the
|
|
# csi-kms-connection-details ConfigMap will be used instead.
|
|
#
|
|
# The configuration values follow the common key/value contents. The key for
|
|
# each KMS provider should be used as the value for `encryptionKMSID` in the
|
|
# StorageClass.
|
|
#
|
|
---
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
data:
|
|
vault-test: |-
|
|
{
|
|
"encryptionKMSType": "vault",
|
|
"vaultAddress": "http://vault.default.svc.cluster.local:8200",
|
|
"vaultAuthPath": "/v1/auth/kubernetes/login",
|
|
"vaultRole": "csi-kubernetes",
|
|
"vaultPassphraseRoot": "/v1/secret",
|
|
"vaultPassphrasePath": "ceph-csi/",
|
|
"vaultCAVerify": "false"
|
|
}
|
|
vault-tokens-test: |-
|
|
{
|
|
"KMS_PROVIDER": "vaulttokens",
|
|
"VAULT_ADDR": "http://vault.default.svc.cluster.local:8200",
|
|
"VAULT_BACKEND_PATH": "secret",
|
|
"VAULT_DESTROY_KEYS": "true",
|
|
"VAULT_SKIP_VERIFY": "true"
|
|
}
|
|
vault-tenant-sa-test: |-
|
|
{
|
|
"KMS_PROVIDER": "vaulttenantsa",
|
|
"VAULT_ADDR": "http://vault.default.svc.cluster.local:8200",
|
|
"VAULT_BACKEND_PATH": "shared-secrets",
|
|
"VAULT_SKIP_VERIFY": "true"
|
|
}
|
|
secrets-metadata-test: |-
|
|
{
|
|
"encryptionKMSType": "metadata"
|
|
}
|
|
user-ns-secrets-metadata-test: |-
|
|
{
|
|
"encryptionKMSType": "metadata",
|
|
"secretName": "storage-encryption-secret",
|
|
"secretNamespace": "default"
|
|
}
|
|
user-secrets-metadata-test: |-
|
|
{
|
|
"encryptionKMSType": "metadata",
|
|
"secretName": "storage-encryption-secret"
|
|
}
|
|
aws-metadata-test: |-
|
|
{
|
|
"KMS_PROVIDER": "aws-metadata",
|
|
"KMS_SECRET_NAME": "ceph-csi-aws-credentials",
|
|
"AWS_REGION": "us-west-2"
|
|
}
|
|
kp-metadata-test: |-
|
|
{
|
|
"KMS_PROVIDER": "kp-metadata",
|
|
"KMS_SECRET_NAME": "ceph-csi-kp-credentials",
|
|
"KP_SERVICE_INSTANCE_ID": "7abef064-01dd-4237-9ea5-8b3890970be3",
|
|
"KP_REGION": "us-south-2",
|
|
}
|
|
metadata:
|
|
name: csi-kms-connection-details
|