util: add support for GKLM KMS over KMIP by black-dragon74 · Pull Request #6048 · ceph/ceph-csi

black-dragon74 · 2026-02-10T13:44:20Z

Describe what this PR does

This patch adds support for GKLM KMS using the KMIP protocol.

Details specific to GKLM:

Get RPC to encrypt and decrypt the KEK for LUKS.
KMS' USE_CRYPTO_RPC is used to distinguish between which RPC to
call.
- If USE_CRYPTO_RPC is true, Encrypt/Decrypt RPCs are called.
- If USE_CRYPTO_RPC is false, Get RPC is called to fetch the key
  by its UUID and encryption/decryption is done locally.

black-dragon74 · 2026-02-10T13:49:47Z

Testing

Setup the KMS

❯ oc get secrets gklm-kms -oyaml
apiVersion: v1
data:
  CA_CERT: XXXX
  CLIENT_CERT: XXXX
  CLIENT_KEY: XXXX
  UNIQUE_IDENTIFIER: S0VZ....MWE2NGVkMmNm <== This is UID of the key in KMS, set by ODF console
kind: Secret
metadata:
  name: gklm-kms
  namespace: openshift-storage
type: Opaque

❯ oc get cm csi-kms-connection-details -oyaml
apiVersion: v1
data:
  gklm: '{
  "KMS_PROVIDER": "kmip",
  "KMS_SERVICE_NAME": "gklm", 
  "KMIP_ENDPOINT": "sklmapp.sklm.svc.cluster.local:5696",
  "KMIP_SECRET_NAME": "gklm-kms",
  "USE_CRYPTO_RPC": "false", <== UI/Docs will ensure its consistency, MUST be "false" for GKLM
  "TLS_SERVER_NAME": "sklmapp.sklm.svc.cluster.local"
}'
kind: ConfigMap
metadata:
  name: csi-kms-connection-details
  namespace: openshift-storage

Check PVC and Pods are running:

❯ oc -n sklm get po
NAME                       READY   STATUS    RESTARTS   AGE
sklmapp-6456fcd4c9-qzpjn   1/1     Running   0          22h
ubuntu-pod                 1/1     Running   0          42s

Check image metadata, before and after

// Before
❯ oc exec -it po/rook-ceph-tools-689bfdf6d7-x6hjf -- rbd image-meta ls csi-vol-92c21a8d-73f2-465b-a584-f850a53c75d1 -p ocs-storagecluster-cephblockpool
There are 7 metadata on this image:

Key                               Value
csi.ceph.com/cluster/name         939a690f-4997-4952-90ee-7bac0156cadd
csi.storage.k8s.io/pv/name        pvc-2f367d4e-4887-4c35-bb61-89128e36a2d0
csi.storage.k8s.io/pvc/name       gklm-pvc
csi.storage.k8s.io/pvc/namespace  sklm
rbd.csi.ceph.com/dek              {"dek":"S19PUFFfT0JKLTVkMDI5MWEtY2UyMGM4NWEtMWI3Mi00YWU0LTk4MmQtNDJiMmQ1N2JhNzgz","nonce":"TkE="}
rbd.csi.ceph.com/encrypted        encryptionPrepared
rbd.csi.ceph.com/luks2HeaderSize  16777216

// After
❯ oc exec -it po/rook-ceph-tools-689bfdf6d7-x6hjf -- rbd image-meta ls csi-vol-92c21a8d-73f2-465b-a584-f850a53c75d1 -p ocs-storagecluster-cephblockpool
There are 8 metadata on this image:

Key                                                                                                                                 Value                                                                 
.rbd.csi.ceph.com/userid/0001-0011-openshift-storage-0000000000000003-92c21a8d-73f2-465b-a584-f850a53c75d1/perf7-vd2vw-ocs-0-49z42  csi-rbd-node-ceph-user-g1-7b3ce12c-6b61-4edf-8964-336786573717        
csi.ceph.com/cluster/name                                                                                                           939a690f-4997-4952-90ee-7bac0156cadd                                  
csi.storage.k8s.io/pv/name                                                                                                          pvc-2f367d4e-4887-4c35-bb61-89128e36a2d0                              
csi.storage.k8s.io/pvc/name                                                                                                         gklm-pvc                                                              
csi.storage.k8s.io/pvc/namespace                                                                                                    sklm                                                                  
rbd.csi.ceph.com/dek                                                                                                                {"dek":"S19PUFFfT0JKLTVkMDI5MWEtY2UyMGM4NWEtMWI3Mi00YWU0LTk4MmQtNDJiMmQ1N2JhNzgz","nonce":"TkE="}
rbd.csi.ceph.com/encrypted                                                                                                          encrypted                                                             
rbd.csi.ceph.com/luks2HeaderSize                                                                                                    16777216

nixpanic · 2026-02-10T13:50:57Z

What is GKLM? Is that a particular Open Source project, or a product from some vendor? Any documentation/example updates that would benefit users?

Rakshith-R · 2026-02-19T07:39:53Z

What is GKLM? Is that a particular Open Source project, or a product from some vendor? Any documentation/example updates that would benefit users?

@nixpanic this change will support all kms that supports kmip but do not support the encrypt decrypt rpcs (one of them being GKLM).

mergify · 2026-02-24T11:16:16Z

This pull request now has conflicts with the target branch. Could you please resolve conflicts and force push the corrected changes? 🙏

Rakshith-R

Thanks !

nixpanic · 2026-03-06T08:05:11Z

@Mergifyio rebase

This patch adds support for GKLM KMS using the KMIP protocol. Details specific to GKLM: - Get RPC to encrypt and decrypt the KEK for LUKS. - KMS' `USE_CRYPTO_RPC` is used to distinguish between which RPC to call. - If `USE_CRYPTO_RPC` is true, `Encrypt/Decrypt` RPCs are called. - If `USE_CRYPTO_RPC` is false, `Get` RPC is called to fetch the key by its UUID and encryption/decryption is done locally. - Increase the key size to 256bits to be RSA compatible. Signed-off-by: Niraj Yadav <niryadav@redhat.com>

Signed-off-by: Niraj Yadav <niryadav@redhat.com>

This patch modifies the secrets KMS to use the helpers for local symmetric encryption/decryption. Signed-off-by: Niraj Yadav <niryadav@redhat.com>

Signed-off-by: Niraj Yadav <niryadav@redhat.com>

mergify · 2026-03-06T08:05:38Z

rebase

✅ Branch has been successfully rebased

ceph-csi-bot · 2026-03-06T08:05:49Z

/test ci/centos/upgrade-tests-cephfs

ceph-csi-bot · 2026-03-06T08:05:50Z

/test ci/centos/k8s-e2e-external-storage/1.34

ceph-csi-bot · 2026-03-06T08:05:50Z

/test ci/centos/k8s-e2e-external-storage/1.35

ceph-csi-bot · 2026-03-06T08:05:50Z

/test ci/centos/k8s-e2e-external-storage/1.33

ceph-csi-bot · 2026-03-06T08:05:50Z

/test ci/centos/upgrade-tests-rbd

ceph-csi-bot · 2026-03-06T08:05:51Z

/test ci/centos/mini-e2e-helm/k8s-1.34

ceph-csi-bot · 2026-03-06T08:05:51Z

/test ci/centos/mini-e2e-helm/k8s-1.33

ceph-csi-bot · 2026-03-06T08:05:51Z

/test ci/centos/mini-e2e-helm/k8s-1.35

ceph-csi-bot · 2026-03-06T08:05:51Z

/test ci/centos/mini-e2e/k8s-1.34

ceph-csi-bot · 2026-03-06T08:05:51Z

/test ci/centos/mini-e2e/k8s-1.33

ceph-csi-bot · 2026-03-06T08:05:52Z

/test ci/centos/mini-e2e/k8s-1.35

nixpanic · 2026-03-06T11:34:11Z

@Mergifyio refresh

nixpanic · 2026-03-06T14:25:40Z

@Mergifyio queue

mergify · 2026-03-06T14:25:46Z

Merge Queue Status

🛑 Queue command has been cancelled

nixpanic · 2026-03-06T16:05:48Z

@Mergifyio refresh

multi-arch-build has passed?

mergify · 2026-03-06T16:06:05Z

refresh

✅ Pull request refreshed

mergify · 2026-03-06T16:06:54Z

Merge Queue Status

Rule: default

✅ Entered queue — 2026-03-06 16:06 UTC
✅ Checks passed · in-place
✅ Merged — 2026-03-06 16:06 UTC · at 01e052eeb4699e2ab6baa29c4d779948ed686dd2

This pull request spent 10 seconds in the queue, with no time running CI.

Required conditions to merge

#approved-reviews-by >= 2 [🛡 GitHub branch protection]
- util: add support for GKLM KMS over KMIP #6048
#changes-requested-reviews-by = 0 [🛡 GitHub branch protection]
- util: add support for GKLM KMS over KMIP #6048

black-dragon74 marked this pull request as draft February 10, 2026 13:56

black-dragon74 force-pushed the gklm-kmip branch from 82df2a5 to 7807521 Compare February 10, 2026 13:58

black-dragon74 changed the title ~~kms: add support for GKLM KMS over KMIP~~ util: add support for GKLM KMS over KMIP Feb 10, 2026

black-dragon74 force-pushed the gklm-kmip branch 3 times, most recently from 8637705 to 706774a Compare February 17, 2026 08:44

Rakshith-R reviewed Feb 19, 2026

View reviewed changes

Comment thread internal/kms/kmip.go Outdated

Rakshith-R reviewed Feb 19, 2026

View reviewed changes

Comment thread internal/kms/kmip.go Outdated

black-dragon74 marked this pull request as ready for review February 19, 2026 10:28

black-dragon74 force-pushed the gklm-kmip branch from f3baff9 to 97275f8 Compare February 19, 2026 10:46

nixpanic reviewed Feb 20, 2026

View reviewed changes

Comment thread docs/design/proposals/encryption-with-gklm.md Outdated

Comment thread docs/design/proposals/encryption-with-gklm.md Outdated

iPraveenParihar reviewed Feb 23, 2026

View reviewed changes

black-dragon74 force-pushed the gklm-kmip branch 5 times, most recently from e509442 to eba6c52 Compare February 23, 2026 14:48

Rakshith-R requested changes Feb 24, 2026

View reviewed changes

Comment thread docs/design/proposals/encryption-with-gklm.md

Comment thread internal/rbd/encryption.go Outdated

Comment thread internal/kms/kmip.go Outdated

black-dragon74 force-pushed the gklm-kmip branch 2 times, most recently from af7986d to b9b5ca3 Compare February 24, 2026 11:50

Rakshith-R reviewed Feb 26, 2026

View reviewed changes

Comment thread internal/kms/vault.go

black-dragon74 force-pushed the gklm-kmip branch from b9b5ca3 to 902b94e Compare February 26, 2026 11:13

Rakshith-R previously approved these changes Mar 2, 2026

View reviewed changes

Rakshith-R requested review from a team, iPraveenParihar and nixpanic March 2, 2026 06:48

black-dragon74 added 4 commits March 6, 2026 08:05

doc: add documentation for GKLM KMS

e051994

Signed-off-by: Niraj Yadav <niryadav@redhat.com>

util: use helpers for local crypto in secretskms

68283de

This patch modifies the secrets KMS to use the helpers for local symmetric encryption/decryption. Signed-off-by: Niraj Yadav <niryadav@redhat.com>

doc: update pendingreleasenotes for gklm

01e052e

Signed-off-by: Niraj Yadav <niryadav@redhat.com>

ceph-csi-bot force-pushed the gklm-kmip branch from e652555 to 01e052e Compare March 6, 2026 08:05

nixpanic added the ok-to-test Label to trigger E2E tests label Mar 6, 2026

ceph-csi-bot removed the ok-to-test Label to trigger E2E tests label Mar 6, 2026

nixpanic mentioned this pull request Mar 6, 2026

rebase: bump golang.org/x/net from 0.50.0 to 0.51.0 in the golang-dependencies group #6151

Closed

mergify Bot added the queued label Mar 6, 2026

mergify Bot merged commit 6fda146 into ceph:devel Mar 6, 2026
39 checks passed

mergify Bot removed the queued label Mar 6, 2026

Conversation

black-dragon74 commented Feb 10, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Describe what this PR does

Uh oh!

black-dragon74 commented Feb 10, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Testing

Setup the KMS

Check PVC and Pods are running:

Check image metadata, before and after

Uh oh!

nixpanic commented Feb 10, 2026

Uh oh!

Uh oh!

Rakshith-R commented Feb 19, 2026

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

mergify Bot commented Feb 24, 2026

Uh oh!

Uh oh!

Rakshith-R left a comment

Choose a reason for hiding this comment

Uh oh!

nixpanic commented Mar 6, 2026

Uh oh!

mergify Bot commented Mar 6, 2026

✅ Branch has been successfully rebased

Uh oh!

ceph-csi-bot commented Mar 6, 2026

Uh oh!

ceph-csi-bot commented Mar 6, 2026

Uh oh!

ceph-csi-bot commented Mar 6, 2026

Uh oh!

ceph-csi-bot commented Mar 6, 2026

Uh oh!

ceph-csi-bot commented Mar 6, 2026

Uh oh!

ceph-csi-bot commented Mar 6, 2026

Uh oh!

ceph-csi-bot commented Mar 6, 2026

Uh oh!

ceph-csi-bot commented Mar 6, 2026

Uh oh!

ceph-csi-bot commented Mar 6, 2026

Uh oh!

ceph-csi-bot commented Mar 6, 2026

Uh oh!

ceph-csi-bot commented Mar 6, 2026

Uh oh!

nixpanic commented Mar 6, 2026

Uh oh!

nixpanic commented Mar 6, 2026

Uh oh!

mergify Bot commented Mar 6, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Merge Queue Status

Uh oh!

nixpanic commented Mar 6, 2026

Uh oh!

mergify Bot commented Mar 6, 2026

✅ Pull request refreshed

Uh oh!

Uh oh!

mergify Bot commented Mar 6, 2026

Merge Queue Status

Uh oh!

Reviewers

black-dragon74 commented Feb 10, 2026 •

edited

Loading

black-dragon74 commented Feb 10, 2026 •

edited

Loading

mergify Bot commented Mar 6, 2026 •

edited

Loading