Configuring access using vaulttenantsa

Configure the Key Management System (KMS) using vaulttenantsa, allowing users to use service accounts to authenticate with Vault.
Before you begin
- The Fusion Data Foundation cluster is in Ready state.
- On the external key management system (KMS):
  - Ensure that a policy exists and the key value backend path in Vault is enabled.
  - Ensure that you are using signed certificates on your Vault servers.
- Create the following serviceaccount in the tenant namespace as shown below:

```shell
$ cat <<EOF | oc create -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ceph-csi-vault-sa
EOF
```
About this task
Configure the Kubernetes authentication method before Fusion Data Foundation can authenticate with and start using Vault. These instructions create and configure the ServiceAccount, ClusterRole, and ClusterRoleBinding required to allow Fusion Data Foundation to authenticate with Vault.
Procedure
Example
To create a StorageClass that uses the vaulttenantsa method for PV encryption, you must either edit the existing ConfigMap or create a ConfigMap named csi-kms-connection-details that holds all the information needed to establish the connection with Vault. Use this sample YAML to update or create the csi-kms-connection-details ConfigMap, using Table 1 to configure the file. The value of vault-tenant-sa is a JSON object inside a YAML block scalar, so every key except the last needs a trailing comma.

```yaml
apiVersion: v1
data:
  vault-tenant-sa: |-
    {
      "encryptionKMSType": "vaulttenantsa",
      "vaultAddress": "<https://hostname_or_ip_of_vault_server:port>",
      "vaultTLSServerName": "<vault TLS server name>",
      "vaultAuthPath": "/v1/auth/kubernetes/login",
      "vaultAuthNamespace": "<vault auth namespace name>",
      "vaultNamespace": "<vault namespace name>",
      "vaultBackendPath": "<vault backend path name>",
      "vaultCAFromSecret": "<secret containing CA cert>",
      "vaultClientCertFromSecret": "<secret containing client cert>",
      "vaultClientCertKeyFromSecret": "<secret containing client private key>",
      "tenantSAName": "<service account name in the tenant namespace>"
    }
# kind is required for oc apply; the text above identifies this object as a ConfigMap
kind: ConfigMap
metadata:
  name: csi-kms-connection-details
```
Table 1. csi-kms-connection-details values for the vaulttenantsa method

| Value | Description |
|---|---|
| encryptionKMSType | Set to vaulttenantsa to use service accounts for authentication with Vault. |
| vaultAddress | The hostname or IP address of the Vault server with the port number. |
| vaultTLSServerName | (Optional) The Vault TLS server name. |
| vaultAuthPath | (Optional) The path where the Kubernetes auth method is enabled in Vault. The default path is kubernetes. If the auth method is enabled at a path other than kubernetes, set this variable to "/v1/auth/<path>/login". |
| vaultAuthNamespace | (Optional) The Vault namespace where the Kubernetes auth method is enabled. |
| vaultNamespace | (Optional) The Vault namespace where the backend path used to store the keys exists. |
| vaultBackendPath | The backend path in Vault where the encryption keys will be stored. |
| vaultCAFromSecret | The secret in the Fusion Data Foundation cluster containing the CA certificate from Vault. |
| vaultClientCertFromSecret | The secret in the Fusion Data Foundation cluster containing the client certificate from Vault. |
| vaultClientCertKeyFromSecret | The secret in the Fusion Data Foundation cluster containing the client private key from Vault. |
| tenantSAName | (Optional) The service account name in the tenant namespace. The default value is ceph-csi-vault-sa. If a different name is to be used, this variable has to be set accordingly. |
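As an added pre-flight check that is not part of the Fusion Data Foundation documentation or the Ceph CSI driver, the following Python validates one vault-tenant-sa entry against the table above before it goes into the ConfigMap: it rejects malformed JSON (a dropped comma between two keys is the usual slip and is valid YAML, so the cluster accepts it and only the CSI driver fails later), requires the mandatory keys, fills in the documented defaults for vaultAuthPath and tenantSAName, and flags a plaintext vaultAddress since signed Vault certificates are a prerequisite. The function name validate_vaulttenantsa is hypothetical, and the host name, backend path and secret name in the samples are constructed.

```python
import json
import re

# Keys the table marks as mandatory for a vaulttenantsa entry; the rest are optional.
REQUIRED = ("encryptionKMSType", "vaultAddress", "vaultBackendPath")
# Documented defaults: auth path "kubernetes", tenant service account "ceph-csi-vault-sa".
DEFAULTS = {"vaultAuthPath": "/v1/auth/kubernetes/login", "tenantSAName": "ceph-csi-vault-sa"}
AUTH_PATH_RE = re.compile(r"^/v1/auth/[^/]+/login$")


def validate_vaulttenantsa(raw_json):
    """Parse one vault-tenant-sa block scalar; return (normalised config, list of errors)."""
    try:
        cfg = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        # A missing or stray comma surfaces here, before the ConfigMap reaches the cluster.
        return {}, ["invalid JSON: %s (line %d)" % (exc.msg, exc.lineno)]
    if not isinstance(cfg, dict):
        return {}, ["entry must be a JSON object"]
    errors = ["missing required key " + k for k in REQUIRED if not cfg.get(k)]
    if cfg.get("encryptionKMSType") != "vaulttenantsa":
        errors.append("encryptionKMSType must be 'vaulttenantsa' for service account auth")
    # Signed Vault certificates are a prerequisite, so a plaintext address is flagged.
    if str(cfg.get("vaultAddress", "")).startswith("http://"):
        errors.append("vaultAddress uses http; Vault should be reached over https")
    for key, default in DEFAULTS.items():
        cfg.setdefault(key, default)
    if not AUTH_PATH_RE.match(str(cfg["vaultAuthPath"])):
        errors.append('vaultAuthPath must have the form "/v1/auth/<path>/login"')
    return cfg, errors


# Constructed samples; host name, backend path and secret name are placeholders.
GOOD_ENTRY = """{
  "encryptionKMSType": "vaulttenantsa",
  "vaultAddress": "https://vault.example.internal:8200",
  "vaultBackendPath": "ocs",
  "vaultCAFromSecret": "vault-ca"
}"""
# Same entry with the comma after vaultAddress dropped: valid YAML, invalid JSON.
BAD_JSON_ENTRY = GOOD_ENTRY.replace('8200",', '8200"')
# Plaintext address and an auth path without the /login suffix.
WEAK_ENTRY = """{
  "encryptionKMSType": "vaulttenantsa",
  "vaultAddress": "http://vault.example.internal:8200",
  "vaultAuthPath": "/v1/auth/kubernetes",
  "vaultBackendPath": "ocs"
}"""
```

Run it against the text of each entry in the ConfigMap before applying the manifest; the returned config shows the values the driver will actually use once defaults are applied.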