Deploying CTE for Kubernetes Storage Classes
For information on Kubernetes storage classes, see Storage Classes.
Note
All of the Kubernetes clients that you want to attach to a storage group must have the same Kubernetes Namespace and Kubernetes structureless pods.
To deploy a storage class for CTE for Kubernetes:
- Create and save a registration token in CipherTrust Manager. See Tokens for more information.

  Note: Select Base64 format for the registration token if using CipherTrust Manager v2.10 and subsequent versions.
- Create a K8s Storage Group in CipherTrust Manager. See Creating a K8s Storage Group for more information.
- If using CipherTrust Manager v2.9 or previous versions, encode the token in base64 format. Type:

    :::bash
    echo -n <CM REGISTRATION TOKEN STRING> | base64 -w 0
- Copy the base64 encoding to create a Kubernetes secret YAML file, cte-csi-cmtoken.yaml:

    :::yaml
    apiVersion: v1
    kind: Secret
    metadata:
      name: <CHANGE to name of the K8s secret. For example: cm-reg-token>
    type: Opaque
    data:
      # This is a base64 encoded registration token. To generate:
      # echo -n <CM REGISTRATION TOKEN STRING> | base64 -w 0
      registration_token: bWlEaUJlZ08xNkNsbndqZmc4a1dvcU1SUG9uaVpnNkVtUjVYSGFLUVZVTHRhbGRrb0M5T1ZwTEpvTXp4UldmSQ==
- The name of the K8s secret must be embedded in the registration_token_secret parameter in the storage class YAML file. Use the YAML file, cte-storageclass.yaml, and fill in the appropriate values.

    :::yaml
    apiVersion: storage.k8s.io/v1
    kind: StorageClass
    metadata:
      name: <CHANGE to name of the Kubernetes Storage Class. For example: csi-test-sc>
    provisioner: csi.cte.cpl.thalesgroup.com
    reclaimPolicy: Delete
    volumeBindingMode: Immediate
    allowVolumeExpansion: true
    parameters:
      # Domain name or IP address of the CipherTrust Manager (Required)
      key_manager_addr: <CHANGE_ME to your CM IP ADDR>

      # Name of the CipherTrust Manager K8s Storage Group. (Required)
      k8_storage_group: <CHANGE to the name of the Kubernetes Storage Group. For example: test-group>

      # Kubernetes Secret with CM registration token (Required)
      registration_token_secret: <CHANGE to the K8s secret. For example: cm-reg-token>

      # Time in minutes to wait before unregistering from the CipherTrust Manager
      # once all of the volumes have been unguarded. Parameter must be added as a string
      # integer value. Default is 10 minutes. (Optional)
      registration_period: "10"
- Record the storage class name for further use. Deploy by typing:

    :::bash
    kubectl apply -f cte-csi-cmtoken.yaml
    kubectl apply -f cte-storageclass.yaml
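
A pre-apply check for the two manifests from the steps above, written as an added example and not taken from the product documentation: it confirms that the Secret's name matches `registration_token_secret` and that the encoded token carries no trailing newline. The function names are hypothetical, the sample token and names are constructed, and the manifests are assumed to be flat single-document files like the ones shown.

```shell
#!/usr/bin/env bash
# Added example; function names are hypothetical. Assumes GNU coreutils and
# flat, single-document manifests laid out like the two files above.

# Base64-encode a token with no trailing newline and no line wrapping.
encode_token() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Succeed only if the value is valid base64 and its last decoded byte is not
# LF or CR, which `echo` without -n or a pasted line ending leaves behind.
token_is_clean() {
    local hex
    printf '%s' "$1" | base64 -d >/dev/null 2>&1 || return 1
    hex=$(printf '%s' "$1" | base64 -d | od -An -v -tx1 | tr -d ' \n')
    [ -n "$hex" ] || return 1
    case "$hex" in *0a|*0d) return 1 ;; esac
}

# Print the value of the first "KEY: value" line in FILE.
yaml_value() { sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" "$2" | head -n 1; }

# Check the Secret/StorageClass pair before `kubectl apply`.
check_manifests() {
    local name ref token
    name=$(yaml_value name "$1")
    ref=$(yaml_value registration_token_secret "$2")
    token=$(yaml_value registration_token "$1")
    if [ -z "$name" ] || [ "$name" != "$ref" ]; then
        echo "Secret name '$name' != registration_token_secret '$ref'" >&2
        return 1
    fi
    token_is_clean "$token" && return 0
    echo "registration_token is not base64 or ends in a newline" >&2
    return 1
}

# Constructed sample manifests (token and names are made up).
demo_dir=$(mktemp -d)
cat > "$demo_dir/cte-csi-cmtoken.yaml" <<EOF
metadata:
  name: cm-reg-token
data:
  registration_token: $(encode_token 'constructed-sample-token')
EOF
cat > "$demo_dir/cte-storageclass.yaml" <<EOF
parameters:
  registration_token_secret: cm-reg-token
EOF
check_manifests "$demo_dir/cte-csi-cmtoken.yaml" "$demo_dir/cte-storageclass.yaml" \
    && echo "manifests OK"
```

Calling `check_manifests cte-csi-cmtoken.yaml cte-storageclass.yaml` on the real files before the `kubectl apply` step also catches placeholders that were never filled in, since an unedited `<CHANGE ...>` value fails both checks.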