Enterprise Postgres 18 for Kubernetes User's Guide

4.13.1 Registration of Authentication Information

4.13.1.1 When Using a KMIP Server

Save the certificates used for TLS communication with the KMIP server in a Secret or ConfigMap.

Specify the name of the Secret or ConfigMap you created in the FEPCluster custom resource; it is then mounted in the FEP container.

Create a Secret to store the client certificate and private key for connecting to the KMIP server.

Also, optionally create a ConfigMap to store the root certificate.

The following example shows how to register the credentials using the files below.

kmip.pem   # Client certificate for connecting to the KMIP server
kmip.key   # Private key
myca.pem   # Root certificate

Create a Secret to store the client certificate and private key.

Specify tls.crt and tls.key as file names when mounting the client certificate and private key, respectively.

$ oc create secret generic kmip-cert --from-file=tls.crt=kmip.pem --from-file=tls.key=kmip.key -n my-namespace

Optionally, create a ConfigMap to store the root certificate.

Specify ca.crt as the file name to be mounted.

$ oc create configmap kmip-cacert --from-file=ca.crt=myca.pem -n my-namespace

4.13.1.2 When Using AWS Key Management Service

Save the credentials and other settings required to connect to AWS Key Management Service in a Secret and a ConfigMap.

Prepare two files, credentials and config, which describe the credentials and other settings in the format specified by the AWS CLI. Specifying access_key_id and secret_access_key in the credentials file is mandatory.

The following example shows how to register the authentication information using the configuration files below.

credentials   # credentials file
config        # config file

Create a ConfigMap to store the config file. Specify config as the key name. The name of the ConfigMap is arbitrary (here aws-kms-config).

$ oc create configmap aws-kms-config --from-file=config=config -n my-namespace

Create a Secret to store the credentials file. Specify credentials as the key name. The name of the Secret is arbitrary (here aws-kms-credentials).

$ oc create secret generic aws-kms-credentials --from-file=credentials=credentials -n my-namespace

See

Refer to the following for the format of the AWS CLI configuration files.

https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html

4.13.1.3 When Using Azure Key Management Service

Save the credentials required to connect to Azure's key management service in a Secret.

The available authentication methods are password-based authentication and client certificate authentication.

For password-based authentication, create a YAML file that defines a Secret like the one below. The Secret name is arbitrary (here azure-key-vault-passphrase). data.clientsecret contains the base64-encoded password.

kind: Secret
apiVersion: v1
metadata:
  name: azure-key-vault-passphrase
  namespace: my-namespace
data:
  clientsecret: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
type: Opaque

Create the Secret from the YAML file. Here the file is named azure-client-secret.yaml.

$ kubectl apply -f azure-client-secret.yaml -n my-namespace
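As an added example (not part of the product documentation), the POSIX shell script below generates the password-based Secret manifest shown above with a correctly base64-encoded clientsecret and verifies that the stored value decodes to exactly the password that was given. A frequent mistake is encoding with echo, which appends a newline that then becomes part of the stored password; the script shows both encoders so the check can tell them apart. The Secret name, namespace and the password example-pw are constructed values.

```shell
#!/bin/sh
# Added example: build and verify the Azure client-secret manifest.

# Correct encoder: printf '%s' writes the password without a trailing newline.
b64_encode() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Common mistake kept only for contrast: echo appends "\n", so the
# encoded value contains an extra byte that Key Vault will reject.
b64_encode_with_echo() {
  echo "$1" | base64 | tr -d '\n'
}

# Emit the manifest from the guide.
# $1 = Secret name, $2 = namespace, $3 = plaintext client secret
make_azure_secret_manifest() {
  cat <<EOF
kind: Secret
apiVersion: v1
metadata:
  name: $1
  namespace: $2
data:
  clientsecret: $(b64_encode "$3")
type: Opaque
EOF
}

# Decode data.clientsecret from a manifest and compare it with the expected
# password, including the byte count so a stray trailing newline is caught
# (command substitution alone would silently strip it). 0 = match.
# $1 = manifest text, $2 = expected plaintext
check_clientsecret() {
  encoded=$(printf '%s\n' "$1" | sed -n 's/^  clientsecret: //p')
  decoded=$(printf '%s' "$encoded" | base64 -d)
  nbytes=$(( $(printf '%s' "$encoded" | base64 -d | wc -c) ))
  [ "$decoded" = "$2" ] && [ "$nbytes" -eq "${#2}" ]
}
```

Pipe the output of make_azure_secret_manifest into the file you pass to kubectl apply, and run check_clientsecret on that file before applying it.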

For client certificate authentication, store the client certificate and private key in a Secret.

The following example creates a Secret using the certificate file below.

azuremycert.pem    # PEM file containing client certificate and private key

Create a Secret to store the client certificate. Specify azure-key-vault.crt as the key name. The Secret name is arbitrary (here azure-key-vault-secret).

$ oc create secret generic azure-key-vault-secret --from-file=azure-key-vault.crt=azuremycert.pem -n my-namespace