Configuring access to KMS by using Vault tokens

Create a Vault token secret in the tenant namespace to configure access to the external key management system (KMS) and enable secure encryption operations for Fusion Data Foundation.

Before you begin

  • Ensure that the Fusion Data Foundation cluster is in the Ready state.
  • On the external key management system (KMS):

    • Ensure that a policy with a token exists and that the key value backend path in Vault is enabled.
    • Ensure that the Vault servers use signed certificates.

Procedure

  1. In the Red Hat® OpenShift® Container Platform web console, go to Workloads > Secrets.
  2. Click Create > Key/value secret.
  3. Enter Secret Name as ceph-csi-kms-token.
  4. Enter Key as token.
  5. Enter Value.

    The value is the token from Vault. You can either click Browse to upload the file that contains the token, or enter the token directly in the text box.

  6. Click Create.
    Note: You can delete the token only after all the encrypted PVCs that use the ceph-csi-kms-token are deleted.
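
The same secret can be rendered as a manifest from a token file, which keeps the token out of shell history and command arguments. This is an added example, not part of the product documentation: the function name render_token_secret, the file path and the namespace in the usage comment are placeholders, and the whitespace check assumes that a Vault token contains no whitespace.

```shell
#!/bin/sh
# Added example. The secret name and key come from the procedure above;
# the namespace is supplied by the caller (placeholder, not from the page).
SECRET_NAME="ceph-csi-kms-token"
SECRET_KEY="token"

# render_token_secret <token-file> <tenant-namespace>
# Prints a Secret manifest on stdout; returns non-zero on unusable input.
render_token_secret() {
    token_file=$1
    namespace=$2
    if [ -z "$namespace" ]; then
        echo "tenant namespace is required" >&2; return 2
    fi
    if [ ! -r "$token_file" ]; then
        echo "cannot read token file: $token_file" >&2; return 2
    fi
    # Command substitution drops trailing newlines; tr drops CRs left by
    # Windows editors, so neither ends up inside the stored token value.
    token=$(tr -d '\r' < "$token_file")
    case $token in
        "") echo "token file is empty" >&2; return 3 ;;
        # Assumption: a Vault token never contains whitespace.
        *[[:space:]]*) echo "token contains whitespace" >&2; return 3 ;;
    esac
    # Secret data is base64-encoded (an encoding, not encryption).
    encoded=$(printf '%s' "$token" | base64 | tr -d '\n')
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $SECRET_NAME
  namespace: $namespace
type: Opaque
data:
  $SECRET_KEY: $encoded
EOF
}

# Usage (placeholders): render_token_secret ./vault-token <tenant-namespace> | oc apply -f -
```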