kms

package
v1.6.11
Warning

This package is not in the latest version of its module.

Published: Nov 18, 2021 License: Apache-2.0 Imports: 19 Imported by: 5


Constants

const (
	// KMSTokenSecretNameKey is the key name of the Secret that contains the KMS authentication token.
	// Only the Secret entry name lives here; the token value itself is never part of the code.
	KMSTokenSecretNameKey = "token"

	// OsdEncryptionSecretNameKeyName is the key name of the Secret that contains the OSD encryption key.
	// #nosec G101 since this is not leaking any hardcoded credentials, it's just the secret key name
	OsdEncryptionSecretNameKeyName = "dmcrypt-key"
)
const (
	// VaultSecretEngineKey is the config key that names the Vault secret engine type in use.
	VaultSecretEngineKey = "VAULT_SECRET_ENGINE"

	// Values accepted for VaultSecretEngineKey.
	// VaultKVSecretEngineKey selects the kv secret engine.
	VaultKVSecretEngineKey = "kv"
	// VaultTransitSecretEngineKey selects the transit secret engine.
	VaultTransitSecretEngineKey = "transit"

	// EtcVaultDir is the Vault config directory; TLSSecretVolumeAndMount mounts the secrets there.
	EtcVaultDir = "/etc/vault"
)
// Provider is the config name for the KMS provider type.
const Provider = "KMS_PROVIDER"
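const (
	// VaultFileName is the file name of the Vault token file.
	// NOTE(review): presumably the name VaultTokenFileVolume mounts the token from its Secret under — confirm.
	VaultFileName = "vault.token"
)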

Variables

This section is empty.

Functions

func ConfigEnvsToMapString

func ConfigEnvsToMapString() map[string]string

ConfigEnvsToMapString returns all the environment variables of a known KMS as a map

func GenerateOSDEncryptionSecretName

func GenerateOSDEncryptionSecretName(pvcName string) string

GenerateOSDEncryptionSecretName generates the Kubernetes Secret name of the encrypted key

func GetParam

func GetParam(kmsConfig map[string]string, param string) string

GetParam returns the value of the KMS config option

func InitVault

func InitVault(context *clusterd.Context, namespace string, config map[string]string) (secrets.Secrets, error)

InitVault initializes the secret store

func SetTokenToEnvVar

func SetTokenToEnvVar(clusterdContext *clusterd.Context, tokenSecretName, provider, namespace string) error

SetTokenToEnvVar sets a KMS token as an env variable

func TLSSecretVolumeAndMount

func TLSSecretVolumeAndMount(config map[string]string) []v1.VolumeProjection

TLSSecretVolumeAndMount returns the volume and matching volume mount for mounting the secrets into /etc/vault

func ValidateConnectionDetails

func ValidateConnectionDetails(clusterdContext *clusterd.Context, securitySpec cephv1.SecuritySpec, ns string) error

ValidateConnectionDetails validates mandatory KMS connection details

func VaultConfigToEnvVar

func VaultConfigToEnvVar(spec cephv1.ClusterSpec) []v1.EnvVar

VaultConfigToEnvVar converts the KMS config into environment variables

func VaultTokenFileVolume added in v1.6.0

func VaultTokenFileVolume(tokenSecretName string) v1.Volume

VaultTokenFileVolume saves the token from the Secret as a volume mount

func VaultVolumeAndMount

func VaultVolumeAndMount(config map[string]string) (v1.Volume, v1.VolumeMount)

VaultVolumeAndMount returns Vault volume and volume mount

Types

type Config

type Config struct {
	// Provider identifies the configured KMS backend; IsK8s and IsVault determine which KMS is configured.
	// NOTE(review): presumably populated from the "KMS_PROVIDER" config key in NewConfig — confirm.
	Provider string
	// contains filtered or unexported fields
}

Config is the generic configuration for the KMS

func NewConfig

func NewConfig(context *clusterd.Context, clusterSpec *cephv1.ClusterSpec, clusterInfo *cephclient.ClusterInfo) *Config

NewConfig returns the selected KMS

func (*Config) DeleteSecret

func (c *Config) DeleteSecret(secretName string) error

DeleteSecret deletes an encrypted key from a KMS

func (*Config) GetSecret

func (c *Config) GetSecret(secretName string) (string, error)

GetSecret returns an encrypted key from a KMS

func (*Config) IsK8s

func (c *Config) IsK8s() bool

IsK8s determines whether the configured KMS is Kubernetes

func (*Config) IsVault

func (c *Config) IsVault() bool

IsVault determines whether the configured KMS is Vault

func (*Config) PutSecret

func (c *Config) PutSecret(secretName, secretValue string) error

PutSecret writes an encrypted key in a KMS
