From e1f8b1d44a8c9d1718f169eb3c0537546fe3c6ed Mon Sep 17 00:00:00 2001
From: Niels de Vos
Date: Wed, 24 Mar 2021 13:51:11 +0100
Subject: [PATCH] doc: add example for csi-kms-connection-details ConfigMap

Updates: #1793
Signed-off-by: Niels de Vos
---
.../kms/vault/csi-kms-connection-details.yaml | 39 +++++++++++++++++++
1 file changed, 39 insertions(+)
create mode 100644 examples/kms/vault/csi-kms-connection-details.yaml

diff --git a/examples/kms/vault/csi-kms-connection-details.yaml b/examples/kms/vault/csi-kms-connection-details.yaml
new file mode 100644
index 000000000..32e2c4513
--- /dev/null
+++ b/examples/kms/vault/csi-kms-connection-details.yaml
@@ -0,0 +1,39 @@
+#
+# csi-kms-connection-details is an alternative option to configure KMS
+# providers for encrypted volume support.
+# This ConfigMap can be located in the Kubernetes Namespace where Ceph-CSI is
+# deployed. In case the ceph-csi-encryption-kms-config which provides a
+# `config.json` is not mapped into the csi-rbdplugin container, the
+# csi-kms-connection-details ConfigMap will be used instead.
+#
+# The configuration values follow the common key/value contents. The key for
+# each KMS provider should be used as the value for `encryptionKMSID` in the
+# StorageClass.
+#
+---
+apiVersion: v1
+kind: ConfigMap
+data:
+ vault-test: |-
+ {
+ "encryptionKMSType": "vault",
+ "vaultAddress": "http://vault.default.svc.cluster.local:8200",
+ "vaultAuthPath": "/v1/auth/kubernetes/login",
+ "vaultRole": "csi-kubernetes",
+ "vaultPassphraseRoot": "/v1/secret",
+ "vaultPassphrasePath": "ceph-csi/",
+ "vaultCAVerify": "false"
+ }
+ vault-tokens-test: |-
+ {
+ "KMS_PROVIDER": "vaulttokens",
+ "VAULT_ADDR": "http://vault.default.svc.cluster.local:8200",
+ "VAULT_BACKEND_PATH": "secret",
+ "VAULT_SKIP_VERIFY": "true"
+ }
+ secrets-metadata-test: |-
+ {
+ "encryptionKMSType": "metadata"
+ }
+metadata:
+ name: csi-kms-connection-details
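Review bot: Both Vault entries point at a plain `http://` address and switch certificate verification off (`"vaultCAVerify": "false"` in `vault-test`, `"VAULT_SKIP_VERIFY": "true"` in `vault-tokens-test`), and the header comment never says these are test-only values. Only the `-test` suffix on the keys hints at that, and a file under examples/ tends to be copied as a starting point. Copied as-is, the Vault login and whatever is read from `vaultPassphraseRoot`/`vaultPassphrasePath` (presumably the volume passphrases) would travel without transport protection or server authentication. I would extend the header comment with something like `# NOTE: the Vault entries below use http:// and disable certificate verification, which is only suitable for test clusters; use an https:// address and keep verification enabled elsewhere.`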