Deploying CTE for Kubernetes Storage Classes
For background on Kubernetes storage classes, see Storage Classes.
Note
All of the Kubernetes clients that you want to attach to a storage group must have the same Kubernetes Namespace and Kubernetes structureless pods.
To deploy a storage class for CTE for Kubernetes:
- Create and save a registration token in CipherTrust Manager. See Tokens for more information.
Note
Select the Base64 format for the registration token if you are using CipherTrust Manager v2.10 or a later version.
- Create a K8s Storage Group in CipherTrust Manager. See Creating a K8s Storage Group for more information.
- If you are using CipherTrust Manager v2.9 or an earlier version, encode the token in base64 by typing (the -n flag keeps echo from appending a newline to the token before it is encoded):

    echo -n <CM REGISTRATION TOKEN STRING> | base64 -w 0
- Copy the base64 encoding into a Kubernetes Secret YAML file, cte-csi-cmtoken.yaml:

    apiVersion: v1
    kind: Secret
    metadata:
      name: <CHANGE to name of the K8s secret. For example: cm-reg-token>
    type: Opaque
    data:
      # This is a base64 encoded registration token. To generate:
      # echo -n <CM REGISTRATION TOKEN STRING> | base64 -w 0
      registration_token: bWlEaUJlZ08xNkNsbndqZmc4a1dvcU1SUG9uaVpnNkVtUjVYSGFLUVZVTHRhbGRrb0M5T1ZwTEpvTXp4UldmSQ==
- The name of the K8s secret must be set in the registration_token_secret parameter of the storage class YAML file. Use the YAML file cte-storageclass.yaml and fill in the appropriate values:

    apiVersion: storage.k8s.io/v1
    kind: StorageClass
    metadata:
      name: <CHANGE to name of the Kubernetes Storage Class. For example: csi-test-sc>
    provisioner: csi.cte.cpl.thalesgroup.com
    reclaimPolicy: Delete
    volumeBindingMode: Immediate
    allowVolumeExpansion: true
    parameters:
      # Domain name or IP address of the CipherTrust Manager (Required)
      key_manager_addr: <CHANGE_ME to your CM IP ADDR>
      # Name of the CipherTrust Manager K8s Storage Group. (Required)
      k8_storage_group: <CHANGE to the name of the Kubernetes Storage Group. For example: test-group>
      # Kubernetes Secret with CM registration token (Required)
      registration_token_secret: <CHANGE to the K8s secret. For example: cm-reg-token>
      # Time in minutes to wait before unregistering from the CipherTrust Manager
      # once all of the volumes have been unguarded. Parameter must be added as a string
      # integer value. Default is 10 minutes. (Required)
      registration_period: "10"
- Record the storage class name for later use. Deploy both manifests by typing:

    kubectl apply -f cte-csi-cmtoken.yaml
    kubectl apply -f cte-storageclass.yaml
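The most common mistake in the procedure above is encoding the registration token with a trailing newline (echo without -n), which CipherTrust Manager then rejects. The following script is an added example, not part of the Thales documentation: it encodes a constructed sample token the way the procedure does, renders the cte-csi-cmtoken.yaml Secret, and checks that the encoded value decodes back to the token byte for byte. It assumes GNU coreutils base64 (for -w 0 and -d).

```shell
#!/bin/sh
# Constructed sample token for illustration only; not a real CM registration token.
SAMPLE_TOKEN="miDiBegO16ClnwjfgConstructedSampleToken"

# Encode a registration token exactly as the procedure does: no trailing newline,
# single-line output (-w 0) so it can be pasted into the Secret manifest.
encode_token() {
  printf '%s' "$1" | base64 -w 0
}

# Verify an encoded value against the original token.
# Prints: "ok" on an exact round-trip, "trailing-newline" when the decoded bytes are
# the token plus a newline (the echo-without--n mistake), "mismatch" otherwise.
check_encoding() {
  token="$1"
  encoded="$2"
  want=$(printf '%s' "$token" | wc -c | tr -d ' ')
  got=$(printf '%s' "$encoded" | base64 -d | wc -c | tr -d ' ')
  decoded=$(printf '%s' "$encoded" | base64 -d)   # $(...) strips trailing newlines
  if [ "$decoded" != "$token" ]; then
    echo mismatch
  elif [ "$got" -ne "$want" ]; then
    echo trailing-newline
  else
    echo ok
  fi
}

# Render the Secret manifest (cte-csi-cmtoken.yaml) for a given secret name and token.
render_secret_yaml() {
  secret_name="$1"
  enc=$(encode_token "$2")
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$secret_name"
  printf '  registration_token: %s\n' "$enc"
}

# Stand-alone usage: print the manifest and report on the encoding.
render_secret_yaml cm-reg-token "$SAMPLE_TOKEN"
echo "encoding check: $(check_encoding "$SAMPLE_TOKEN" "$(encode_token "$SAMPLE_TOKEN")")"
```

Run the check against the value you pasted into data.registration_token before applying the manifest; a "trailing-newline" result means the token was encoded with echo instead of echo -n.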
Registering to Multiple CipherTrust Manager Servers for failover in an HA Cluster
For a cluster of CipherTrust Manager servers, you can configure multiple IP addresses in cte-storageclass.yaml so that, if one CipherTrust Manager server fails, the CSI driver fails over seamlessly to the next available CipherTrust Manager.
- CipherTrust Manager IP addresses must be comma separated. For example:

    key_manager_addr: <CM_1_IP_ADDR>, <CM_2_IP_ADDR>, <CM_3_IP_ADDR>
- You can provide one CM IP address or multiple CM IP addresses. Thales recommends using more than one IP address.
Note
When providing multiple IP addresses, all of the IP addresses must belong to the same CipherTrust Manager cluster.