mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-09-19 23:19:52 +00:00
166eaf700f
Adds encryption in StorageClass as a parameter. Encryption passphrase is stored in kubernetes secrets per StorageClass. Implements rbd volume encryption relying on dm-crypt and cryptsetup using LUKS extension The change is related to proposal made earlier. This is a first part of the full feature that adds encryption with passphrase stored in secrets. Signed-off-by: Vasyl Purchel vasyl.purchel@workday.com Signed-off-by: Andrea Baglioni andrea.baglioni@workday.com Signed-off-by: Ioannis Papaioannou ioannis.papaioannou@workday.com Signed-off-by: Paul Mc Auley paul.mcauley@workday.com Signed-off-by: Sergio de Carvalho sergio.carvalho@workday.com
50 lines
2.1 KiB
YAML
50 lines
2.1 KiB
YAML
---
|
|
apiVersion: storage.k8s.io/v1
|
|
kind: StorageClass
|
|
metadata:
|
|
name: csi-rbd-sc
|
|
provisioner: rbd.csi.ceph.com
|
|
parameters:
|
|
# String representing a Ceph cluster to provision storage from.
|
|
# Should be unique across all Ceph clusters in use for provisioning,
|
|
# cannot be greater than 36 bytes in length, and should remain immutable for
|
|
# the lifetime of the StorageClass in use.
|
|
# Ensure to create an entry in the config map named ceph-csi-config, based on
|
|
# csi-config-map-sample.yaml, to accompany the string chosen to
|
|
# represent the Ceph cluster in clusterID below
|
|
clusterID: <cluster-id>
|
|
# If you want to use erasure coded pool with RBD, you need to create
|
|
# two pools. one erasure coded and one replicated.
|
|
# You need to specify the replicated pool here in the `pool` parameter, it is
|
|
# used for the metadata of the images.
|
|
# The erasure coded pool must be set as the `dataPool` parameter below.
|
|
# dataPool: ec-data-pool
|
|
pool: rbd
|
|
|
|
# RBD image features, CSI creates image with image-format 2
|
|
# CSI RBD currently supports only `layering` feature.
|
|
imageFeatures: layering
|
|
|
|
# The secrets have to contain Ceph credentials with required access
|
|
# to the 'pool'.
|
|
csi.storage.k8s.io/provisioner-secret-name: csi-rbd-secret
|
|
csi.storage.k8s.io/provisioner-secret-namespace: default
|
|
csi.storage.k8s.io/controller-expand-secret-name: csi-rbd-secret
|
|
csi.storage.k8s.io/controller-expand-secret-namespace: default
|
|
csi.storage.k8s.io/node-stage-secret-name: csi-rbd-secret
|
|
csi.storage.k8s.io/node-stage-secret-namespace: default
|
|
# Specify the filesystem type of the volume. If not specified,
|
|
# csi-provisioner will set default as `ext4`.
|
|
csi.storage.k8s.io/fstype: ext4
|
|
# uncomment the following to use rbd-nbd as mounter on supported nodes
|
|
# mounter: rbd-nbd
|
|
|
|
# Instruct the plugin it has to encrypt the volume
|
|
# By default it is disabled. Valid values are “true” or “false”.
|
|
# A string is expected here, i.e. “true”, not true.
|
|
# encrypted: "true"
|
|
reclaimPolicy: Delete
|
|
allowVolumeExpansion: true
|
|
mountOptions:
|
|
- discard
|