From aa3998ee3a145e4a3f4c282ddf66bc536e6b114c Mon Sep 17 00:00:00 2001
From: Shuo Wu
Date: Mon, 12 Dec 2022 21:41:45 +0800
Subject: [PATCH] example: Update comments of encrypto storageclasses for online expansion

Longhorn 1674

Signed-off-by: Shuo Wu
---
 examples/crypto/storageclass-crypto-global.yaml | 6 ++++++
 .../storageclass-crypto-per-volume-dedicated-namespace.yaml | 6 ++++++
 examples/crypto/storageclass-crypto-per-volume.yaml | 6 ++++++
 3 files changed, 18 insertions(+)

diff --git a/examples/crypto/storageclass-crypto-global.yaml b/examples/crypto/storageclass-crypto-global.yaml
index 361e4a7..7176c3a 100644
--- a/examples/crypto/storageclass-crypto-global.yaml
+++ b/examples/crypto/storageclass-crypto-global.yaml
@@ -18,6 +18,12 @@ parameters:
 csi.storage.k8s.io/node-publish-secret-namespace: "longhorn-system"
 csi.storage.k8s.io/node-stage-secret-name: "longhorn-crypto"
 csi.storage.k8s.io/node-stage-secret-namespace: "longhorn-system"
+ # These two are for online expansion of encrypto volumes.
+ # But you need to enable the CSINodeExpandSecret feature gate for
+ # the kube-apiserver and kubelet. For more details, see:
+ # https://kubernetes.io/blog/2022/09/21/kubernetes-1-25-use-secrets-while-expanding-csi-volumes-on-node-alpha/
+ # csi.storage.k8s.io/node-expand-secret-name: "longhorn-crypto"
+ # csi.storage.k8s.io/node-expand-secret-namespace: "longhorn-system"
 # we only need crypto keys for node operations, I left these as examples
 # in case we implement external key vaults in the future
 # csi.storage.k8s.io/controller-publish-secret-name: "longhorn-crypto"
diff --git a/examples/crypto/storageclass-crypto-per-volume-dedicated-namespace.yaml b/examples/crypto/storageclass-crypto-per-volume-dedicated-namespace.yaml
index 38c4790..ee10173 100644
--- a/examples/crypto/storageclass-crypto-per-volume-dedicated-namespace.yaml
+++ b/examples/crypto/storageclass-crypto-per-volume-dedicated-namespace.yaml
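Review bot: The comment added under the node-stage keys says "encrypto volumes" where "encrypted volumes" is meant, and it never says that the gate it names is alpha, although the linked post is the Kubernetes 1.25 alpha announcement; a reader cannot tell from the comment which cluster versions the two keys apply to. I would reword the opening as `# These two are for online expansion of encrypted volumes (Kubernetes 1.25+).` followed by `# They require the alpha CSINodeExpandSecret feature gate on kube-apiserver and kubelet.` It would also help to state that, once uncommented, both keys should name the same Secret as the node-stage pair, since the expansion step presumably needs the same key. The same wording is repeated in the hunks for storageclass-crypto-per-volume-dedicated-namespace.yaml and storageclass-crypto-per-volume.yaml, and the `parameters:` mapping starts above the hunk.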
@@ -18,6 +18,12 @@ parameters:
 csi.storage.k8s.io/node-publish-secret-namespace: "longhorn-system"
 csi.storage.k8s.io/node-stage-secret-name: ${pvc.name}
 csi.storage.k8s.io/node-stage-secret-namespace: "longhorn-system"
+ # These two are for online expansion of encrypto volumes.
+ # But you need to enable the CSINodeExpandSecret feature gate for
+ # the kube-apiserver and kubelet. For more details, see:
+ # https://kubernetes.io/blog/2022/09/21/kubernetes-1-25-use-secrets-while-expanding-csi-volumes-on-node-alpha/
+ # csi.storage.k8s.io/node-expand-secret-name: ${pvc.name}
+ # csi.storage.k8s.io/node-expand-secret-namespace: "longhorn-system"
 # we only need crypto keys for node operations, I left these as examples
 # in case we implement external key vaults in the future
 # csi.storage.k8s.io/controller-publish-secret-name: ${pvc.name}
diff --git a/examples/crypto/storageclass-crypto-per-volume.yaml b/examples/crypto/storageclass-crypto-per-volume.yaml
index 0bf9a85..438df6d 100644
--- a/examples/crypto/storageclass-crypto-per-volume.yaml
+++ b/examples/crypto/storageclass-crypto-per-volume.yaml
@@ -18,6 +18,12 @@ parameters:
 csi.storage.k8s.io/node-publish-secret-namespace: ${pvc.namespace}
 csi.storage.k8s.io/node-stage-secret-name: ${pvc.name}
 csi.storage.k8s.io/node-stage-secret-namespace: ${pvc.namespace}
+ # These two are for online expansion of encrypto volumes.
+ # But you need to enable the CSINodeExpandSecret feature gate for
+ # the kube-apiserver and kubelet. For more details, see:
+ # https://kubernetes.io/blog/2022/09/21/kubernetes-1-25-use-secrets-while-expanding-csi-volumes-on-node-alpha/
+ # csi.storage.k8s.io/node-expand-secret-name: ${pvc.name}
+ # csi.storage.k8s.io/node-expand-secret-namespace: ${pvc.namespace}
 # we only need crypto keys for node operations, I left these as examples
 # in case we implement external key vaults in the future
 # csi.storage.k8s.io/controller-publish-secret-name: ${pvc.name}
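Review bot: In storageclass-crypto-per-volume-dedicated-namespace.yaml the commented-out expand keys pair `${pvc.name}` with the fixed namespace "longhorn-system", the same pattern as the node-stage keys above them, and the comment does not mention that PVCs with the same name in different namespaces would then resolve to one Secret. As far as the template shows, those volumes would share an encryption key. A line such as `# Note: the Secret is looked up by PVC name only; keep PVC names unique across namespaces.` above the keys would make that explicit. The `parameters:` mapping starts above the hunk.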