Configuring access using vaulttokens

Configure the Key Management System (KMS) with vaulttokens so that authentication to Vault uses a token.

Before you begin

  • The Fusion Data Foundation cluster is in Ready state.
  • On the external key management system (KMS):
    • Ensure that a policy with a token exists and the key value backend path in Vault is enabled.
    • Ensure that you are using signed certificates on your Vault servers.

Procedure

Create a secret in the tenant’s namespace.

  1. From the OpenShift Container Platform web console, go to Workloads > Secrets > Create > Key/value secret.
  2. Enter Secret Name as ceph-csi-kms-token.
  3. Enter Key as token.
  4. Fill in the Value.
    Value is the token from Vault. You can either click Browse to select and upload the file containing the token or enter the token directly in the text box.
    Important: Only delete the token after all the encrypted PVCs using the ceph-csi-kms-token have been deleted.
  5. Click Create.
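
The same secret can be rendered as a manifest from a token file instead of being typed into the console. The following is an added example, not part of the product documentation: the function name render_kms_token_secret, the namespace tenant-a and the file path are hypothetical, and the secret name and key are the ones used in the procedure above. Reading the token from a file keeps it off the command line, and stripping the trailing newline avoids storing a token value that Vault would not recognize.

```shell
#!/bin/sh
# Added example: render the ceph-csi-kms-token Secret from a file holding the Vault token.
# Assumption: the caller supplies the tenant namespace and the token file path.

render_kms_token_secret() {
    namespace=$1
    token_file=$2

    # The namespace is interpolated into YAML, so accept only DNS-label characters.
    case $namespace in
        ''|*[!a-z0-9-]*)
            echo "invalid namespace: $namespace" >&2
            return 2
            ;;
    esac
    [ -r "$token_file" ] || { echo "cannot read $token_file" >&2; return 2; }

    # Editors usually append a newline; remove CR/LF and surrounding whitespace
    # so the stored value is exactly the token.
    token=$(tr -d '\r\n' < "$token_file" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    [ -n "$token" ] || { echo "token file is empty" >&2; return 3; }

    # The token is passed on stdin to base64, never as a command-line argument.
    encoded=$(printf '%s' "$token" | base64 | tr -d '\n')

    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ceph-csi-kms-token
  namespace: ${namespace}
type: Opaque
data:
  token: ${encoded}
EOF
}

# Usage (not executed here):
#   render_kms_token_secret tenant-a ./vault-token | oc apply -f -
```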