Configuring SSL Encryption for VAST CSI Driver

Overview

You can secure the connection between VAST CSI Driver and the VAST cluster with SSL encryption as follows:

  1. Enable SSL encryption.

  2. Do one of the following to install an SSL certificate:

    • If you want to use a Certificate Authority (CA)-signed SSL certificate, upload it to the VAST cluster. Follow the SSL certificate upload procedure provided in the VAST Cluster Administrator's Guide.

    • If you want to use a self-signed SSL certificate, supply it to VAST CSI Driver.

Enabling SSL Encryption

By default, SSL encryption is disabled.

To enable SSL encryption:

  1. Add the verifySsl: true option to the VAST CSI Driver's Helm chart configuration file, for example:

    secretName: "vast-mgmt"
    endpoint: "my.endpoint"
    verifySsl: true
    <...>

  2. Install or upgrade the VAST CSI Driver Helm chart.

Uploading a CA-Signed SSL Certificate to VAST Cluster

Follow the guidelines provided in the VAST Cluster Administrator's Guide to upload a CA-signed SSL certificate to the VAST cluster.

Supplying a Self-Signed SSL Certificate to VAST CSI Driver

You can either point to a file that contains the self-signed SSL certificate, or specify an existing Kubernetes secret that contains the certificate. These two methods are mutually exclusive.

Do either of the following:

  • Install or upgrade the VAST CSI Driver Helm chart with the --set-file sslCert=<path to certificate file> option specified, for example:

    helm install csi-driver vast/vastcsi -f values.yaml --set-file sslCert=<path to certificate file>

OR

  • Create a Kubernetes secret with the SSL certificate and specify the secret using the sslCertsSecretName option in the VAST CSI Driver:

    1. Create a Kubernetes secret that contains the SSL certificate, for example:

      kubectl create secret generic vast-ca --from-file=ca-bundle.crt=<path to certificate file>

    2. Specify the newly created secret on the sslCertsSecretName option in the VAST CSI Driver chart configuration file, for example:

      secretName: "vast-mgmt"
      endpoint: "my.endpoint"
      verifySsl: true
      sslCertsSecretName: "vast-ca"
      <...>

    3. Install or upgrade the VAST CSI Driver Helm chart (without specifying --set-file sslCert).
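
A pre-flight check for the certificate file before using either method above, as an added example that is not part of VAST's documentation or tooling. The function name check_csi_cert, its return codes and the 30-day expiry window are assumptions of this example, as is the premise that the endpoint name should match the certificate; my.endpoint is the placeholder endpoint from the configuration shown above. It requires the openssl command-line tool.

```shell
#!/usr/bin/env bash
# Added example, not VAST code. Validates a certificate file before it is
# passed to --set-file sslCert or stored in the sslCertsSecretName secret.
# Return codes are this example's own convention:
#   0 ok | 1 cannot run | 2 private key present | 3 no PEM certificate
#   4 unparsable | 5 expires too soon | 6 does not cover the endpoint host
# Only the first certificate in the file is inspected.
# Usage: check_csi_cert <certificate file> <endpoint host> [minimum days left]
check_csi_cert() {
  local cert_file="$1" endpoint_host="$2" min_days="${3:-30}"

  [ -r "$cert_file" ] || { echo "cannot read $cert_file" >&2; return 1; }

  # The driver only needs the public certificate; a private key must never
  # be shipped in chart values or in the secret.
  if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$cert_file"; then
    echo "refusing: $cert_file contains a private key" >&2; return 2
  fi
  if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$cert_file"; then
    echo "refusing: $cert_file holds no PEM certificate" >&2; return 3
  fi
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
  if ! openssl x509 -in "$cert_file" -noout >/dev/null 2>&1; then
    echo "refusing: openssl cannot parse $cert_file" >&2; return 4
  fi
  # -checkend N exits non-zero when the certificate expires within N seconds.
  if ! openssl x509 -in "$cert_file" -noout \
        -checkend "$((min_days * 86400))" >/dev/null; then
    echo "refusing: certificate expires within $min_days days" >&2; return 5
  fi
  # -checkhost reports "does match" or "does NOT match" for the given name.
  if ! openssl x509 -in "$cert_file" -noout -checkhost "$endpoint_host" \
        | grep -q 'does match certificate'; then
    echo "refusing: certificate does not cover $endpoint_host" >&2; return 6
  fi
  # Print the fingerprint so it can be compared with the cluster's out of band.
  openssl x509 -in "$cert_file" -noout -fingerprint -sha256
}
```
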

Replacing a Self-Signed SSL Certificate for VAST CSI Driver

Choose either of the following, depending on how you supplied the old self-signed SSL certificate:

  • If you supplied the old SSL certificate using the --set-file sslCert option on the Helm chart install or upgrade command:

    • Upgrade the Helm chart with --set-file sslCert pointing to the new SSL certificate file. For example:

      helm upgrade csi-driver vast/vastcsi -f values.yaml --set-file sslCert=<path to new certificate>

OR

  • If the old SSL certificate was supplied via sslCertsSecretName in the VAST CSI Driver chart configuration file:

    1. Create a new Kubernetes secret with the new SSL certificate:

      kubectl create secret generic vast-ca-new --from-file=ca-bundle.crt=<path to new certificate file>

    2. Ensure that the new SSL certificate is specified on the sslCertsSecretName option in the VAST CSI Driver chart configuration file:

      secretName: "vast-mgmt"
      endpoint: "my.endpoint"
      verifySsl: true
      sslCertsSecretName: "vast-ca-new"
      <...>

    3. Upgrade the Helm chart, for example:

      helm upgrade csi-driver vast/vastcsi -f values.yaml

Removing a Self-Signed SSL Certificate from VAST CSI Driver

Choose either of the following, depending on how you supplied the self-signed SSL certificate:

  • If you used --set-file sslCert to supply the SSL certificate:

    • Upgrade the Helm chart without the --set-file sslCert option specified. For example:

      helm upgrade csi-driver vast/vastcsi -f values.yaml

OR

  • If the old SSL certificate was supplied via sslCertsSecretName:

    1. Remove the sslCertsSecretName option from the VAST CSI Driver chart configuration file.

    2. Upgrade the Helm chart (without specifying --set-file sslCert), for example:

      helm upgrade csi-driver vast/vastcsi -f values.yaml