examples: Ceph FS fscrypt / KMS additions

Add encryption configuration to Ceph FS examples Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
nixpanic · Nov 23, 2022 · cd42ad6 · cd42ad6
1 parent 0e66c32
commit cd42ad6
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 1 deletion.
diff --git a/examples/cephfs/secret.yaml b/examples/cephfs/secret.yaml
@@ -12,3 +12,6 @@ stringData:
   # Required for dynamically provisioned volumes
   adminID: <plaintext ID>
   adminKey: <Ceph auth key corresponding to ID above>
+
+  # Encryption passphrase
+  encryptionPassphrase: test_passphrase
diff --git a/examples/cephfs/storageclass.yaml b/examples/cephfs/storageclass.yaml
@@ -52,6 +52,17 @@ parameters:
   # (defaults to `false`)
   # backingSnapshot: "true"
 
+  # (optional) Instruct the plugin it has to encrypt the volume
+  # By default it is disabled. Valid values are "true" or "false".
+  # A string is expected here, i.e. "true", not true.
+  # encrypted: "true"
+
+  # (optional) Use external key management system for encryption passphrases by
+  # specifying a unique ID matching KMS ConfigMap. The ID is only used for
+  # correlation to configmap entry.
+  # encryptionKMSID: <kms-config-id>
+
+
 reclaimPolicy: Delete
 allowVolumeExpansion: true
 mountOptions:

diff --git a/examples/kms/vault/vault.yaml b/examples/kms/vault/vault.yaml
@@ -169,7 +169,7 @@ spec:
             - name: PLUGIN_ROLE
               value: csi-kubernetes
             - name: SERVICE_ACCOUNTS
-              value: rbd-csi-nodeplugin,rbd-csi-provisioner,csi-rbdplugin,csi-rbdplugin-provisioner
+              value: rbd-csi-nodeplugin,rbd-csi-provisioner,csi-rbdplugin,csi-rbdplugin-provisioner,cephfs-csi-nodeplugin,cephfs-csi-provisioner,csi-cephfsplugin,csi-cephfsplugin-provisioner
             - name: SERVICE_ACCOUNTS_NAMESPACE
               value: default
             - name: VAULT_ADDR