Configuring SSL Encryption for VAST CSI Driver


Overview

You can secure the connection between VAST CSI Driver and the VAST cluster with SSL encryption as follows:

  1. Enable SSL encryption.

  2. Do one of the following to install an SSL certificate:

    • If you want to use a Certificate Authority (CA)-signed SSL certificate, upload it to the VAST cluster. Follow the SSL certificate upload procedure provided in the VAST Cluster Administrator's Guide.

    • If you want to use a self-signed SSL certificate, supply it to VAST CSI Driver.

Enabling SSL Encryption

By default, SSL encryption is disabled.

To enable SSL encryption:

  1. Set the verifySsl option to true in the VAST CSI Driver's Helm chart configuration file, for example:

    secretName: "vast-mgmt"
    endpoint: "my.endpoint"
    verifySsl: true
    <...>

  2. Install or upgrade the VAST CSI Driver Helm chart.

Uploading a CA-Signed SSL Certificate to VAST Cluster

Follow the guidelines provided in the VAST Cluster Administrator's Guide to upload a CA-signed SSL certificate to the VAST cluster.

Supplying a Self-Signed SSL Certificate to VAST CSI Driver

You can either point to a file that contains the self-signed SSL certificate, or specify an existing Kubernetes secret that contains the certificate. These two methods are mutually exclusive.

Do either of the following:

  • Install or upgrade the VAST CSI Driver Helm chart with the --set-file sslCert=<path to certificate file> option specified, for example:

    helm install csi-driver vast/vastcsi -f values.yaml --set-file sslCert=<path to certificate file>

OR

  • Create a Kubernetes secret with the SSL certificate and specify the secret using the sslCertsSecretName option in the VAST CSI Driver Helm chart configuration file:

    1. Create a Kubernetes secret that contains the SSL certificate, for example:

      kubectl create secret generic vast-ca --from-file=ca-bundle.crt=<path to certificate file>

    2. Specify the newly created secret in the sslCertsSecretName option in the VAST CSI Driver chart configuration file, for example:

      secretName: "vast-mgmt"
      endpoint: "my.endpoint"
      verifySsl: true
      sslCertsSecretName: "vast-ca"
      <...>

    3. Install or upgrade the VAST CSI Driver Helm chart (without specifying --set-file sslCert).
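A pre-flight check for the steps in "Enabling SSL Encryption" and in this section, as an added example that is not part of the VAST documentation or the driver's tooling. It confirms that verifySsl is true, that only one of the two certificate supply methods is in use, and that the certificate file contains certificates but no private key. The function names and return codes are hypothetical, and it assumes a PEM-encoded certificate file and top-level keys in values.yaml as in the samples above.

```shell
#!/bin/sh
# Added example: pre-flight checks to run before `helm install` / `helm upgrade`.
# Assumes the options are top-level keys in values.yaml, as in the page's samples.

# Print the value of a top-level "KEY: value" line (quotes, CR and comments removed).
values_key() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d "\"'\r" |
        sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//'
}

# Check that a file is a PEM certificate bundle (assumed format) with no private key.
check_pem() {
    [ -s "$1" ] || { echo "missing or empty certificate file: $1" >&2; return 1; }
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"; then
        echo "$1 contains a private key; supply certificates only" >&2; return 1
    fi
    begins=$(grep -c -e '^-----BEGIN CERTIFICATE-----' "$1" || true)
    ends=$(grep -c -e '^-----END CERTIFICATE-----' "$1" || true)
    if [ "$begins" -lt 1 ] || [ "$begins" -ne "$ends" ]; then
        echo "$1 is not a well-formed PEM certificate bundle" >&2; return 1
    fi
}

# preflight VALUES_FILE [CERT_FILE]; CERT_FILE is what --set-file sslCert would get.
# Returns 0 = ok, 2 = verification off, 3 = both methods used, 4 = bad certificate file.
preflight() {
    [ "$(values_key "$1" verifySsl)" = "true" ] || {
        echo "verifySsl is not true in $1" >&2; return 2; }
    secret=$(values_key "$1" sslCertsSecretName)
    if [ -n "${2:-}" ] && [ -n "$secret" ]; then
        echo "sslCertsSecretName=$secret and --set-file sslCert are mutually exclusive" >&2
        return 3
    fi
    if [ -n "${2:-}" ]; then check_pem "$2" || return 4; fi
    return 0
}

# Demo on constructed input (the certificate body is a placeholder, not a real certificate).
demo_dir=$(mktemp -d)
printf '%s\n' 'secretName: "vast-mgmt"' 'endpoint: "my.endpoint"' 'verifySsl: true' \
    > "$demo_dir/values.yaml"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----' \
    > "$demo_dir/ca.crt"
preflight "$demo_dir/values.yaml" "$demo_dir/ca.crt" && echo "preflight ok"
rm -rf "$demo_dir"
```

When the certificate is supplied through a Kubernetes secret, run check_pem on the file before passing it to kubectl create secret, and call preflight with the values file only.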

Replacing a Self-Signed SSL Certificate for VAST CSI Driver

Choose either of the following, depending on how you supplied the old self-signed SSL certificate:

  • If you supplied the old SSL certificate using the --set-file sslCert option on the Helm chart install or upgrade command:

    • Upgrade the Helm chart with --set-file sslCert pointing to the new SSL certificate file. For example:

      helm upgrade csi-driver vast/vastcsi -f values.yaml --set-file sslCert=<path to new certificate>

OR

  • If the old SSL certificate was supplied via sslCertsSecretName in the VAST CSI Driver chart configuration file:

    1. Create a new Kubernetes secret with the new SSL certificate:

      kubectl create secret generic vast-ca-new --from-file=ca-bundle.crt=<path to new certificate file>

    2. Ensure that the new secret is specified in the sslCertsSecretName option in the VAST CSI Driver chart configuration file:

      secretName: "vast-mgmt"
      endpoint: "my.endpoint"
      verifySsl: true
      sslCertsSecretName: "vast-ca-new"
      <...>

    3. Upgrade the Helm chart, for example:

      helm upgrade csi-driver vast/vastcsi -f values.yaml

Removing a Self-Signed SSL Certificate from VAST CSI Driver

Choose either of the following, depending on how you supplied the self-signed SSL certificate:

  • If you used --set-file sslCert to supply the SSL certificate:

    • Upgrade the Helm chart without the --set-file sslCert option specified. For example:

      helm upgrade csi-driver vast/vastcsi -f values.yaml

OR

  • If the old SSL certificate was supplied via sslCertsSecretName:

    1. Remove the sslCertsSecretName option from the VAST CSI Driver chart configuration file.

    2. Upgrade the Helm chart (without specifying --set-file sslCert), for example:

      helm upgrade csi-driver vast/vastcsi -f values.yaml