ceph-csi/examples/kms/vault/kms-config.yaml

---
apiVersion: v1
kind: ConfigMap
data:
  config.json: |-
    {
      "vault-test": {
        "encryptionKMSType": "vault",
        "vaultAddress": "http://vault.default.svc.cluster.local:8200",
        "vaultAuthPath": "/v1/auth/kubernetes/login",
        "vaultRole": "csi-kubernetes",
        "vaultBackend": "kv-v2",
        "vaultPassphraseRoot": "/v1/secret",
        "vaultPassphrasePath": "ceph-csi/",
        "vaultCAVerify": "false"
      },
      "vault-tokens-test": {
          "encryptionKMSType": "vaulttokens",
          "vaultAddress": "http://vault.default.svc.cluster.local:8200",
          "vaultBackend": "kv-v2",
          "vaultBackendPath": "secret/",
          "vaultTLSServerName": "vault.default.svc.cluster.local",
          "vaultCAVerify": "false",
          "tenantConfigName": "ceph-csi-kms-config",
          "tenantTokenName": "ceph-csi-kms-token",
          "tenants": {
              "my-app": {
                  "vaultAddress": "https://vault.example.com",
                  "vaultCAVerify": "true"
              },
              "an-other-app": {
                  "tenantTokenName": "storage-encryption-token"
              }
          }
      },
      "vault-tenant-sa-test": {
          "encryptionKMSType": "vaulttenantsa",
          "vaultAddress": "http://vault.default.svc.cluster.local:8200",
          "vaultBackend": "kv-v2",
          "vaultBackendPath": "shared-secrets",
          "vaultTLSServerName": "vault.default.svc.cluster.local",
          "vaultCAVerify": "false",
          "tenantConfigName": "ceph-csi-kms-config",
          "tenantSAName": "ceph-csi-vault-sa",
          "tenants": {
              "my-app": {
                  "vaultAddress": "https://vault.example.com",
                  "vaultCAVerify": "true"
              },
              "an-other-app": {
                  "tenantSAName": "storage-encryption-sa"
              }
          }
      },
      "vault-tenant-sa-ns-test": {
          "encryptionKMSType": "vaulttenantsa",
          "vaultAddress": "http://vault.default.svc.cluster.local:8200",
          "vaultBackend": "kv-v2",
          "vaultBackendPath": "shared-secrets",
          "vaultAuthNamespace": "devops",
          "vaultNamespace": "devops/homepage",
          "vaultTLSServerName": "vault.default.svc.cluster.local",
          "vaultCAVerify": "false",
          "tenantConfigName": "ceph-csi-kms-config",
          "tenantSAName": "ceph-csi-vault-sa",
          "tenants": {
              "webservers": {
                  "vaultAddress": "https://vault.example.com",
                  "vaultAuthNamespace": "webservers",
                  "vaultNamespace": "webservers/homepage",
                  "vaultCAVerify": "true"
              },
              "homepage-db": {
                  "vaultNamespace": "devops/homepage/database",
                  "tenantSAName": "storage-encryption-sa"
              }
          }
      },
      "secrets-metadata-test": {
          "encryptionKMSType": "metadata"
      },
      "user-ns-secrets-metadata-test": {
        "encryptionKMSType": "metadata",
        "secretName": "storage-encryption-secret",
        "secretNamespace": "default"
      },
      "user-secrets-metadata-test": {
        "encryptionKMSType": "metadata",
        "secretName": "storage-encryption-secret"
      }
    }    
metadata:
  name: ceph-csi-encryption-kms-config