mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-11-09 16:00:22 +00:00
4f0bb2315b
With Amazon STS and kubernetes cluster is configured with OIDC identity provider, credentials to access Amazon KMS can be fetched using oidc-token(serviceaccount token). Each tenant/namespace needs to create a secret with aws region, role and CMK ARN. Ceph-CSI will assume the given role with oidc token and access aws KMS, with given CMK to encrypt/decrypt DEK which will stored in the image metdata. Refer: https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html Resolves: #2879 Signed-off-by: Rakshith R <rar@redhat.com>
14 lines
487 B
YAML
14 lines
487 B
YAML
---
|
|
# This is an example Kubernetes Secret that can be created in the Kubernetes
|
|
# Namespace where Ceph-CSI is deployed. The contents of this Secret will be
|
|
# used to fetch credentials from Amazon STS and use it connect to the
|
|
# Amazon KMS.
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: ceph-csi-aws-credentials
|
|
stringData:
|
|
awsRoleARN: "arn:aws:iam::111122223333:role/aws-sts-kms"
|
|
awsCMKARN: "arn:aws:kms:us-west-2:111123:key/1234cd-12ab-34cd-56ef-123590ab"
|
|
awsRegion: "us-west-2"
|