diff --git a/docs/design/proposals/encryped-with-keyprotect.md b/docs/design/proposals/encryped-with-keyprotect.md
index 0df189beb..900a443ac 100644
--- a/docs/design/proposals/encryped-with-keyprotect.md
+++ b/docs/design/proposals/encryped-with-keyprotect.md
@@ -12,20 +12,26 @@ Below parameters/values can be used to establish the connection to the HPCS service from the CSI driver and to make use of the encryption operations:
 ```text
-* KMS_SERVICE_NAME=[kms_service_name]
+* IBM_KP_BASE_URL
+The Key Protect/HPCS connection URL.
+
+* IBM_KP_TOKEN_URL
+The Token Authenticaltion URL of KeyProtect/HPCS service.
+
+* KMS_SERVICE_NAME
 A unique name for the key management service within the project.
-* IBM_KP_SERVICE_INSTANCE_ID=[service_instance_id]
+* IBM_KP_SERVICE_INSTANCE_ID
 The Instance ID of the IBM HPCS service, ex: crn:v1:bluemix:public:hs-crypto:us-south:a/5d19cf8b82874c2dab37e397426fbc42:e2ae65ff-954b-453f-b0d7-fc5064c203ce::
-* IBM_KP_SERVICE_API_KEY=[service_api_key]
+* IBM_KP_SERVICE_API_KEY
 Ex: 06x6DbTkVQ-qCRmq9cK-p9xOQpU2UwJMcdjnIDdr0g2R
-* IBM_KP_CUSTOMER_ROOT_KEY=[customer_root_key]
+* IBM_KP_CUSTOMER_ROOT_KEY
 Ex: c7a9aa91-5cb5-48da-a821-e85c27b99d92
-* IBM_KP_REGION = [region of the key protect service]
-Ex: us-south-2
+* IBM_KP_REGION
+Region of the key protect service, ex: us-south-2
 ```
 ### Values provided in the connection Secret
diff --git a/examples/kms/vault/csi-kms-connection-details.yaml b/examples/kms/vault/csi-kms-connection-details.yaml
index 23a6bf37d..8a1a60d4b 100644
--- a/examples/kms/vault/csi-kms-connection-details.yaml
+++ b/examples/kms/vault/csi-kms-connection-details.yaml
@@ -65,6 +65,8 @@ data:
 "KMS_PROVIDER": "kp-metadata",
 "IBM_KP_SECRET_NAME": "ceph-csi-kp-credentials",
 "IBM_KP_SERVICE_INSTANCE_ID": "7abef064-01dd-4237-9ea5-8b3890970be3",
+ "IBM_KP_BASE_URL": "https://us-south.kms.cloud.ibm.com",
+ "IBM_KP_TOKEN_URL": ""https://iam.cloud.ibm.com/oidc/token",
 "IBM_KP_REGION": "us-south-2",
 }
 metadata:
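Review bot: The added `IBM_KP_TOKEN_URL` entry has a doubled opening quote, `""https://iam.cloud.ibm.com/oidc/token"`, which makes the JSON object inside the `data` block unparsable, so this example cannot be applied as written; it should read `"IBM_KP_TOKEN_URL": "https://iam.cloud.ibm.com/oidc/token",`. The `IBM_KP_REGION` line below it is unchanged context, so only the two new entries are affected. Since the base URL is the endpoint that will be handed the service API key during authentication, a short comment in the example noting that both values must remain `https` IBM Cloud endpoints would also help readers who copy this file.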
diff --git a/internal/kms/keyprotect.go b/internal/kms/keyprotect.go
index b7c043988..20d0637ea 100644
--- a/internal/kms/keyprotect.go
+++ b/internal/kms/keyprotect.go
@@ -47,6 +47,8 @@ const (
 keyProtectRegionKey = "IBM_KP_REGION"
 keyProtectServiceInstanceID = "IBM_KP_SERVICE_INSTANCE_ID"
+ keyProtectServiceBaseURL = "IBM_KP_BASE_URL"
+ keyProtectServiceTokenURL = "IBM_KP_TOKEN_URL" //nolint:gosec // only configuration key
 // The following options are part of the Kubernetes Secrets.
 // #nosec:G101, no hardcoded secrets, only configuration keys.
 keyProtectServiceAPIKey = "IBM_KP_SERVICE_API_KEY"
@@ -71,6 +73,8 @@ type KeyProtectKMS struct {
 serviceAPIKey string
 customerRootKey string
 serviceInstanceID string
+ baseURL string
+ tokenURL string
 region string
 sessionToken string
 crk string
@@ -93,6 +97,20 @@ func initKeyProtectKMS(args ProviderInitArgs) (EncryptionKMS, error) {
 return nil, err
 }
+ err = setConfigString(&kms.baseURL, args.Config, keyProtectServiceBaseURL)
+ if errors.Is(err, errConfigOptionInvalid) {
+ return nil, err
+ } else if errors.Is(err, errConfigOptionMissing) {
+ kms.baseURL = kp.DefaultBaseURL
+ }
+
+ err = setConfigString(&kms.tokenURL, args.Config, keyProtectServiceTokenURL)
+ if errors.Is(err, errConfigOptionInvalid) {
+ return nil, err
+ } else if errors.Is(err, errConfigOptionMissing) {
+ kms.tokenURL = kp.DefaultTokenURL
+ }
+
 // read the Kubernetes Secret with credentials
 secrets, err := kms.getSecrets()
 if err != nil {
@@ -168,9 +186,10 @@ func (kms *KeyProtectKMS) RequiresDEKStore() DEKStoreType {
 }
 func (kms *KeyProtectKMS) getService() error {
- // Use your Service API Key and your KeyProtect Service Instance ID to create a ClientConfig
+ // Use Service API Key and KeyProtect Service Instance ID to create a ClientConfig
 cc := kp.ClientConfig{
- BaseURL: kp.DefaultBaseURL,
+ BaseURL: kms.baseURL,
+ TokenURL: kms.tokenURL,
 APIKey: kms.serviceAPIKey,
 InstanceID: kms.serviceInstanceID,
 }
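Review bot: The `//nolint:gosec // only configuration key` on keyProtectServiceTokenURL silences the linter in a different style from the `// #nosec:G101, no hardcoded secrets, only configuration keys.` comment the same const block already uses two lines below for the secret-looking keys. If both directives are honoured by the repository's lint setup this is only a readability point, but placing the new constant under the existing `#nosec` comment, or switching it to the same form, would keep one suppression convention in the block. The enclosing const block begins outside the hunk.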
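Review bot: The new `IBM_KP_BASE_URL` and `IBM_KP_TOKEN_URL` values are taken from `args.Config` without any validation, so a plain `http://` endpoint or an attacker-chosen host would become the server that receives `IBM_KP_SERVICE_API_KEY` (read from the Secret a few lines later) during token exchange; whoever can edit the connection ConfigMap, which usually has looser RBAC than the Secret, could thereby redirect the credential. After the two setConfigString calls, parse both values with `net/url` and reject anything that is not an absolute `https` URL with a non-empty host, keeping the `kp.Default*` fallback for the missing case. It also looks like an error from setConfigString that is neither errConfigOptionInvalid nor errConfigOptionMissing is silently ignored here; if that helper can return other errors they should be returned as well. initKeyProtectKMS begins and ends outside the hunk, and `net/url` (plus `fmt` if it is not already imported) would need adding to the import block.
```go
	// … unchanged: kms.baseURL / kms.tokenURL read via setConfigString with kp.Default* fallback …

	// Both endpoints are handed the service API key; refuse anything but an
	// absolute https URL so an edit to the ConfigMap cannot redirect the credential.
	for _, endpoint := range []string{kms.baseURL, kms.tokenURL} {
		u, perr := url.Parse(endpoint)
		if perr != nil || u.Scheme != "https" || u.Host == "" {
			return nil, fmt.Errorf("invalid Key Protect endpoint %q: expected an absolute https URL", endpoint)
		}
	}
	// … unchanged: read the Kubernetes Secret with credentials …
```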