





















HashiCorp Vault is the most widely used KMS backend for Rook-Ceph encryption. Token authentication is the simplest Vault auth method - a long-lived Vault token is stored as a Kubernetes Secret, and Rook uses it to read and write encryption keys. This approach is suitable for environments where Vault is not running in Kubernetes.
Enable the KV secrets engine and create a policy for Rook:
# Enable KV secrets engine at path secret/
vault secrets enable -path=secret kv-v2
# Create a Vault policy for Rook encryption keys
vault policy write rook-ceph-encryption - <<EOF
path "secret/data/rook-ceph/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
path "secret/metadata/rook-ceph/*" {
capabilities = ["list", "delete"]
}
EOF
# Create a token with the policy
vault token create -policy=rook-ceph-encryption -ttl=0 -orphankubectl create secret generic rook-vault-token \
--from-literal=token="<vault-token>" \
-n rook-cephapiVersion: v1
kind: ConfigMap
metadata:
name: rook-ceph-csi-kms-config
namespace: rook-ceph
data:
config.json: |-
{
"vault-token-kms": {
"encryptionKMSType": "vault",
"vaultAddress": "https://vault.example.com:8200",
"vaultBackend": "v2",
"vaultBackendPath": "secret/",
"vaultDestroyKeys": "true",
"vaultCAFromSecret": "vault-ca-cert",
"vaultTokenSecretName": "rook-vault-token"
}
}kubectl apply -f kms-config.yamlapiVersion: ceph.rook.io/v1
kind: CephCluster
metadata:
name: rook-ceph
namespace: rook-ceph
spec:
security:
kms:
connectionDetails:
KMS_PROVIDER: vault
VAULT_ADDR: https://vault.example.com:8200
VAULT_BACKEND_PATH: secret
VAULT_AUTH_METHOD: token
tokenSecretName: rook-vault-tokenCreate an encrypted StorageClass that references the KMS:
parameters:
encrypted: "true"
encryptionKMSID: vault-token-kmsCreate a test PVC and check Vault for the created key:
vault kv list secret/rook-ceph/You should see key entries for each encrypted volume.
Vault tokens expire unless configured as non-expiring (-ttl=0). For tokens with TTLs, implement a renewal CronJob:
vault token renew <token>Or switch to Kubernetes auth (covered in a separate guide) which handles renewal automatically.
Vault token authentication is the fastest way to integrate HashiCorp Vault with Rook-Ceph encryption. A Vault token stored as a Kubernetes Secret provides Rook access to the KV secrets engine for storing and retrieving per-volume encryption keys. For production environments, consider migrating to Kubernetes auth method for automatic token renewal.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。