Doc update: state that Vault is preferred to keys over ceph-mon

Bug #1950182 reported by Ponnuvel Palaniyappan
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Ceph OSD Charm | New | Undecided | Unassigned | |

Bug Description

In recent discussions, it's been recommended that Vault should be used instead of ceph-mon for storing the keys.

However, the documentation [0] suggests either could be used:
```
The ceph-osd charm supports encryption for OSD volumes that are backed by block devices. To use Ceph's native key management framework, available since Ceph Jewel, set option osd-encrypt for the ceph-osd charm:

    ceph-osd:
      options:
        osd-encrypt: True
Here, dm-crypt keys are stored in the MON sub-cluster.

Alternatively, since Ceph Luminous, encryption keys can be stored in Vault, which is deployed and initialised via the vault charm. Set options osd-encrypt and osd-encrypt-keymanager for the ceph-osd charm:

    ceph-osd:
      options:
        osd-encrypt: True
        osd-encrypt-keymanager: vault
```

So this needs to be properly documented with relevant caveats: what's preferred, what should be done for existing/old deployments that use ceph-mon, how to handle upgrades, etc.

[0] https://jaas.ai/ceph-osd

tags: added: documentation
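
An added example, not part of the original report or the charm's own code: a small audit that classifies where each ceph-osd application keeps its dm-crypt keys, so that existing deployments still relying on ceph-mon can be identified. The JSON shape (a `settings` map with `value` fields, as assumed for `juju config <app> --format json`), the application names and the `ceph` default for `osd-encrypt-keymanager` are assumptions; the sample data is constructed.

```python
import json

# Constructed sample, shaped like `juju config <app> --format json` output
# (assumed shape: a "settings" map whose entries carry a "value").
SAMPLE = {
    "ceph-osd-plain": '{"settings": {"osd-encrypt": {"value": false}}}',
    "ceph-osd-mon": '{"settings": {"osd-encrypt": {"value": true},'
                    ' "osd-encrypt-keymanager": {"value": "ceph"}}}',
    "ceph-osd-vault": '{"settings": {"osd-encrypt": {"value": true},'
                      ' "osd-encrypt-keymanager": {"value": "vault"}}}',
    # Encryption on, key manager never set, boolean given as a string.
    "ceph-osd-unset": '{"settings": {"osd-encrypt": {"value": "True"}}}',
}


def _value(settings, key, default=None):
    """Read the effective value of one option, tolerating a missing entry."""
    entry = settings.get(key)
    if isinstance(entry, dict):
        return entry.get("value", default)
    return default


def key_store(config_json):
    """Return 'unencrypted', 'ceph-mon' or 'vault' for one application."""
    settings = json.loads(config_json).get("settings", {})
    encrypt = _value(settings, "osd-encrypt", False)
    if isinstance(encrypt, str):
        encrypt = encrypt.strip().lower() == "true"
    if not encrypt:
        return "unencrypted"
    # Assumption: an unset key manager means keys go to the MON sub-cluster.
    manager = str(_value(settings, "osd-encrypt-keymanager") or "ceph").lower()
    return "vault" if manager == "vault" else "ceph-mon"


def audit(configs):
    """Map application name -> key store for every application given."""
    return {app: key_store(raw) for app, raw in configs.items()}


def needs_review(configs):
    """Applications whose dm-crypt keys are held by ceph-mon, not Vault."""
    return sorted(a for a, s in audit(configs).items() if s == "ceph-mon")


if __name__ == "__main__":
    for app, store in sorted(audit(SAMPLE).items()):
        print(f"{app}: {store}")
    print("review:", needs_review(SAMPLE))
```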