example: add an example for encrypted volume in block mode

Longhorn 4883 Signed-off-by: Derek Su <derek.su@suse.com>
2023-09-19 19:25:35 +08:00 · 2023-09-19 19:25:35 +08:00 · a04760a08b
commit a04760a08b
parent 78fee8e05b
4 changed files with 84 additions and 0 deletions
--- a/examples/block/block_volume.yaml
+++ b/examples/block/block_volume.yaml
--- a/examples/block/crypto/deployment_with_pvc.yaml
+++ b/examples/block/crypto/deployment_with_pvc.yaml
@ -0,0 +1,44 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: longhorn-block-pvc
+  namespace: default
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Block
+  storageClassName: longhorn-crypto-global
+  resources:
+    requests:
+      storage: 2Gi
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: volume-test
+  labels:
+    app: volume-test
+  namespace: default
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: volume-test
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: volume-test
+    spec:
+      restartPolicy: Always
+      containers:
+      - image: nginx:stable-alpine
+        name: volume-test
+        volumeDevices:
+          - devicePath: /dev/longhorn/testblk
+            name: block-vol
+      volumes:
+      - name: block-vol
+        persistentVolumeClaim:
+          claimName: longhorn-block-pvc
--- a/examples/block/crypto/secret-crypto-global.yaml
+++ b/examples/block/crypto/secret-crypto-global.yaml
@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: longhorn-crypto
+  namespace: longhorn-system
+stringData:
+  CRYPTO_KEY_VALUE: "Simple passphrase"
+  CRYPTO_KEY_PROVIDER: "secret" # this is optional we currently only support direct keys via secrets
--- a/examples/block/crypto/storageclass-crypto-global.yaml
+++ b/examples/block/crypto/storageclass-crypto-global.yaml
@ -0,0 +1,32 @@
+kind: StorageClass
+apiVersion: storage.k8s.io/v1
+metadata:
+  name: longhorn-crypto-global
+provisioner: driver.longhorn.io
+allowVolumeExpansion: true
+parameters:
+  numberOfReplicas: "3"
+  staleReplicaTimeout: "2880" # 48 hours in minutes
+  fromBackup: ""
+  encrypted: "true"
+  # we currently don't need secrets for volume creation
+  # but it allows for failing the CreateVolume call early
+  # if the required secret has not been setup yet.
+  csi.storage.k8s.io/provisioner-secret-name: "longhorn-crypto"
+  csi.storage.k8s.io/provisioner-secret-namespace: "longhorn-system"
+  csi.storage.k8s.io/node-publish-secret-name: "longhorn-crypto"
+  csi.storage.k8s.io/node-publish-secret-namespace: "longhorn-system"
+  csi.storage.k8s.io/node-stage-secret-name: "longhorn-crypto"
+  csi.storage.k8s.io/node-stage-secret-namespace: "longhorn-system"
+  # These two are for online expansion of encrypto volumes.
+  # But you need to enable the CSINodeExpandSecret feature gate for
+  # the kube-apiserver and kubelet. For more details, see:
+  # https://kubernetes.io/blog/2022/09/21/kubernetes-1-25-use-secrets-while-expanding-csi-volumes-on-node-alpha/
+  # csi.storage.k8s.io/node-expand-secret-name: "longhorn-crypto"
+  # csi.storage.k8s.io/node-expand-secret-namespace: "longhorn-system"
+  # we only need crypto keys for node operations, I left these as examples
+  # in case we implement external key vaults in the future
+  # csi.storage.k8s.io/controller-publish-secret-name: "longhorn-crypto"
+  # csi.storage.k8s.io/controller-publish-secret-namespace: "longhorn-system"
+  # csi.storage.k8s.io/controller-expand-secret-name: "longhorn-crypto"
+  # csi.storage.k8s.io/controller-expand-secret-namespace: "longhorn-system"