Deploying CTE for Kubernetes Storage Classes
For background on Kubernetes storage classes, see Storage Classes.
Note
All of the Kubernetes clients that you want to attach to a storage group must be in the same Kubernetes namespace and use Kubernetes structureless pods.
To deploy a storage class for CTE for Kubernetes:
- Create and save a registration token in CM. See Tokens for more information.
Note
If you are using CipherTrust Manager v2.10 or later, select the Base64 format when you create the registration token, so that no manual encoding step is needed.
- Create a client group in CM. See Creating a Client Group for more information.
- If you are using CipherTrust Manager v2.9 or earlier, encode the token in base64 yourself. Use echo -n so that the shell does not append a newline to the token before it is encoded (a trailing newline would become part of the encoded value and the token would not match CM):
echo -n <CM REGISTRATION TOKEN STRING> | base64 -w 0
- Copy the base64 string into a Kubernetes Secret YAML file, cte-csi-cmtoken.yaml:
apiVersion: v1
kind: Secret
metadata:
  name: <CHANGE to name of the K8s secret. For example: cm-reg-token>
type: Opaque
data:
  # This is a base64 encoded registration token. To generate:
  # echo -n <CM REGISTRATION TOKEN STRING> | base64 -w 0
  registration_token: bWlEaUJlZ08xNkNsbndqZmc4a1dvcU1SUG9uaVpnNkVtUjVYSGFLUVZVTHRhbGRrb0M5T1ZwTEpvTXp4UldmSQ==
- The name of the K8s secret must be set in the registration_token_secret parameter of the storage class YAML file. Use the YAML file cte-storageclass.yaml and fill in the appropriate values:
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: <CHANGE to name of the Kubernetes Storage Class. For example: csi-test-sc>
provisioner: csi.cte.cpl.thalesgroup.com
reclaimPolicy: Delete
volumeBindingMode: Immediate
allowVolumeExpansion: true
parameters:
  # Domain name or IP address of the CipherTrust Manager (Required)
  key_manager_addr: <CHANGE_ME to your CM IP ADDR>
  # Name of the CipherTrust Manager K8s Storage Group. (Required)
  k8_storage_group: <CHANGE to the name of the Kubernetes Storage Group. For example: test-group>
  # Kubernetes Secret with CM registration token (Required)
  registration_token_secret: <CHANGE to the K8s secret. For example: cm-reg-token>
  # Time in minutes to wait before unregistering from the CipherTrust Manager
  # once all of the volumes have been unguarded. Parameter must be added as a string
  # integer value. Default is 10 minutes. (Optional)
  registration_period: "10"
- Record the storage class name for later use. Deploy by typing:
kubectl apply -f cte-csi-cmtoken.yaml
kubectl apply -f cte-storageclass.yaml