kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: longhorn-crypto-global
provisioner: driver.longhorn.io
allowVolumeExpansion: true
parameters:
  numberOfReplicas: "3"
  staleReplicaTimeout: "2880" # 48 hours in minutes
  fromBackup: ""
  encrypted: "true"
  # we currently don't need secrets for volume creation
  # but it allows for failing the CreateVolume call early
  # if the required secret has not been setup yet.
  csi.storage.k8s.io/provisioner-secret-name: "longhorn-crypto"
  csi.storage.k8s.io/provisioner-secret-namespace: "longhorn-system"
  csi.storage.k8s.io/node-publish-secret-name: "longhorn-crypto"
  csi.storage.k8s.io/node-publish-secret-namespace: "longhorn-system"
  csi.storage.k8s.io/node-stage-secret-name: "longhorn-crypto"
  csi.storage.k8s.io/node-stage-secret-namespace: "longhorn-system"
  # These two are for online expansion of encrypto volumes.
  # But you need to enable the CSINodeExpandSecret feature gate for
  # the kube-apiserver and kubelet. For more details, see:
  # https://kubernetes.io/blog/2022/09/21/kubernetes-1-25-use-secrets-while-expanding-csi-volumes-on-node-alpha/
  # csi.storage.k8s.io/node-expand-secret-name: "longhorn-crypto"
  # csi.storage.k8s.io/node-expand-secret-namespace: "longhorn-system"
  # we only need crypto keys for node operations, I left these as examples
  # in case we implement external key vaults in the future
  # csi.storage.k8s.io/controller-publish-secret-name: "longhorn-crypto"
  # csi.storage.k8s.io/controller-publish-secret-namespace: "longhorn-system"
  # csi.storage.k8s.io/controller-expand-secret-name: "longhorn-crypto"
  # csi.storage.k8s.io/controller-expand-secret-namespace: "longhorn-system"