Merge pull request #2491 from sp98/add-azure-kms-support

add support for Azure key vault
red-hat-storage · Mar 14, 2024 · c65c08c · c65c08c
2 parents 73ae0f2 + af8524a
commit c65c08c
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 0 deletions.
diff --git a/controllers/storagecluster/cephcluster.go b/controllers/storagecluster/cephcluster.go
@@ -185,6 +185,8 @@ func (obj *ocsCephCluster) ensureCreated(r *StorageClusterReconciler, sc *ocsv1.
 				sc.Status.KMSServerConnection.KMSServerConnectionError = ""
 				if kmsConfigMap.Data["KMS_PROVIDER"] == "vault" {
 					sc.Status.KMSServerConnection.KMSServerAddress = kmsConfigMap.Data["VAULT_ADDR"]
+				} else if kmsConfigMap.Data["KMS_PROVIDER"] == AzureKSMProvider {
+					sc.Status.KMSServerConnection.KMSServerAddress = kmsConfigMap.Data["AZURE_VAULT_URL"]
 				}
 				if err = reachKMSProvider(kmsConfigMap); err != nil {
 					sc.Status.KMSServerConnection.KMSServerConnectionError = err.Error()

diff --git a/controllers/storagecluster/cephcluster_test.go b/controllers/storagecluster/cephcluster_test.go
@@ -704,7 +704,13 @@ func createDummyKMSConfigMap(kmsProvider, kmsAddr string, kmsAuthMethod string)
 		cm.Data["IBM_KP_SECRET_NAME"] = "my-kms-key"
 		cm.Data["IBM_KP_BASE_URL"] = "my-base-url"
 		cm.Data["IBM_KP_TOKEN_URL"] = "my-token-url"
+	case AzureKSMProvider:
+		cm.Data["AZURE_CLIENT_ID"] = "azure-client-id"
+		cm.Data["AZURE_TENANT_ID"] = "azure-tenant-id"
+		cm.Data["AZURE_VAULT_URL"] = kmsAddr
+		cm.Data["AZURE_CERT_SECRET_NAME"] = "cert-secret"
 	}
+
 	return cm
 }
 
@@ -737,6 +743,8 @@ func TestKMSConfigChanges(t *testing.T) {
 			enabled: true, kmsAddress: "http://localhost:5678", authMethod: VaultSAAuthMethod},
 		{testLabel: "case 8", kmsProvider: ThalesKMSProvider,
 			clusterWideEncryption: true, kmsAddress: "http://localhost:5671"},
+		{testLabel: "case 9", kmsProvider: AzureKSMProvider,
+			clusterWideEncryption: true, kmsAddress: "http://localhost:5671"},
 	}
 	for _, kmsArgs := range validKMSArgs {
 		t.Run(kmsArgs.testLabel, func(t *testing.T) {

diff --git a/controllers/storagecluster/kms_resources.go b/controllers/storagecluster/kms_resources.go
@@ -35,6 +35,8 @@ const (
 	IbmKeyProtectKMSProvider = "ibmkeyprotect"
 	// ThalesKMSProvider a constant to represent Thales (using KMIP) KMS provider
 	ThalesKMSProvider = "kmip"
+	// AzureKSMProvider represents the Azure Key vault.
+	AzureKSMProvider = "azure-kv"
 )
 
 var (