forked from ceph/ceph-csi
-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Praveen M <[email protected]>
- Loading branch information
1 parent
8901b45
commit b2087e4
Showing
3 changed files
with
87 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,58 @@ | ||
# Encrypted volumes with Azure Key Vault | ||
|
||
Azure Key Vault is a cloud service for securely storing and accessing secrets. | ||
A secret is anything that you want to tightly control access to, such as API | ||
keys, passwords, certificates, or cryptographic keys. | ||
|
||
## Connection to Azure Key Vault | ||
|
||
Below values are used to establish the connection to the Key Vault | ||
service from the CSI driver and to make use of the secrets | ||
`GetSecret`/`SetSecret`/`DeleteSecret` operations: | ||
|
||
```text | ||
* AZURE_VAULT_URL | ||
The URL used to access the Azure Key Vault service. | ||
* AZURE_CLIENT_ID | ||
The Client ID of the Azure application object (also known as the service principal). | ||
This ID serves as the username. | ||
* AZURE_TENANT_ID | ||
The Tenant ID associated with the service principal. | ||
* CLIENT_CERT | ||
The client certificate (which includes the private key and is not password protected) | ||
used for authentication with Azure Key Vault. | ||
``` | ||
|
||
### Values provided in the connection secret | ||
|
||
Considering `AZURE_CLIENT_CERTIFICATE` is sensitive information, | ||
it will be provided as a Kubernetes secret to the Ceph-CSI driver. The Ceph-CSI | ||
KMS plugin interface for the Azure key vault will read the secret name from the | ||
kms configMap and fetch the certificate. | ||
|
||
### Values provided in the config map | ||
|
||
`AZURE_VAULT_URL`, `AZURE_CLIENT_ID`, `AZURE_TENANT_ID` are part of the | ||
KMS ConfigMap. | ||
|
||
### Storage class values or configuration | ||
|
||
The Storage class has to be enabled for encryption and `encryptionKMSID` has | ||
to be provided which is the matching value in the kms config map. | ||
|
||
## Volume Encrypt or Decrypt Operation | ||
|
||
Ceph-CSI generate's unique passphrase for each volume to be used to | ||
encrypt/decrypt. The passphrase is securely store in Azure key vault | ||
using the `SetSecret` operation. At time of decrypt the passphrase is | ||
retrieved from the key vault using the `GetSecret`operation. | ||
|
||
## Volume Delete Operation | ||
|
||
When the corresponding volume is deleted, the stored secret in the Azure Key | ||
Vault will be deleted. | ||
|
||
> Note: Ceph-CSI solely deletes the secret without permanent removal (purging). |