Deploying CTE for Kubernetes Storage Classes
For information on K8 storage classes, see Storage Classes for more information.
Note
All of the Kubernetes clients that you want to attach to a storage group must have the same Kubernetes Namespace and Kubernetes structureless pods.
To deploy a storage class for CTE for Kubernetes:
- Create and save a registration token in CM. See Tokens for more information.
!!! note
Select **Base64** format for the registration token, if using ${cm} v2.10 and subsequent versions.
-
Create a client group in CM. See Creating a Client Group for more information.
-
If using CipherTrust Manager v2.9 or previous versions, encode the token in base64 format, type:
echo -n <CM REGISTRATION TOKEN STRING> | base64 -w 0
-
Copy the base64 encoding to create a Kubernetes secret YAML file, cte-csi-cmtoken.yaml:
apiVersion: v1 kind: Secret metadata: name: <CHANGE to name of the K8s secret. For example: cm-reg-token> type: Opaque data: # This is a base64 encoded registration token. To generate: # echo <CM REGISTRATION TOKEN STRING> | base64 -w 0 registration_token: bWlEaUJlZ08xNkNsbndqZmc4a1dvcU1SUG9uaVpnNkVtUjVYSGFLUVZVTHRhbGRrb0M5T1ZwTEpvTXp4UldmSQ==
-
The name of the K8s secret must be embedded in the
registration_token_secret
parameter in the storage class YAML file. Use the YAML file, cte-storageclass.yaml and fill in the appropriate values.apiVersion: storage.k8s.io/v1 kind: StorageClass metadata: name: <CHANGE to name of the Kubernetes Storage Class. For example: csi-test-sc> provisioner: csi.cte.cpl.thalesgroup.com reclaimPolicy: Delete volumeBindingMode: Immediate allowVolumeExpansion: true parameters: # Domain name or IP address of the CipherTrust Manager (Required) key_manager_addr: <CHANGE_ME to your CM IP ADDR> # Name of the CipherTrust Manager K8s Storage Group. (Required) k8_storage_group: <CHANGE to the name of the Kubernetes Storage Group. For example: test-group> # Kubernetes Secret with CM registration token (Required) registration_token_secret: <CHANGE to the K8s secret. For example: cm-reg-token> # Time in minutes to wait before unregistering from the CipherTrust Manager # once all of the volumes have been unguarded. Parameter must be added as a string # integer value. Default is 10 minutes. (Optional) registration_period: "10"
6 Record the storage class name, for further use. Deploy by typing:
:::yaml
kubectl apply -f cte-csi-cmtoken.yaml
kubectl apply -f cte-storageclass.yaml