
proud-salesmen-12221

09/29/2022, 11:32 PM
Does anyone have experience with encrypted volumes? I'm setting up a StorageClass and PersistentVolumeClaim with encrypted: true and per-volume secrets with the YAMLs below. There are no errors when creating them, however, the Longhorn UI shows the volume as not encrypted. Any ideas why?
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: longhorn-crypto-v1-volume
provisioner: driver.longhorn.io
allowVolumeExpansion: true
parameters:
  numberOfReplicas: "3"
  staleReplicaTimeout: "2880" # 48 hours in minutes
  fromBackup: ""
  encrypted: "true"
  csi.storage.k8s.io/provisioner-secret-name: ${pvc.name}
  csi.storage.k8s.io/provisioner-secret-namespace: ${pvc.namespace}
  csi.storage.k8s.io/node-publish-secret-name: ${pvc.name}
  csi.storage.k8s.io/node-publish-secret-namespace: ${pvc.namespace}
  csi.storage.k8s.io/node-stage-secret-name: ${pvc.name}
  csi.storage.k8s.io/node-stage-secret-namespace: ${pvc.namespace}
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nginx-v1-pvc
  namespace: v1-ns
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: longhorn # as posted; does not match the encrypted StorageClass above (longhorn-crypto-v1-volume), which is the cause identified later in the thread
  resources:
    requests:
      storage: 2Gi
I'm using RKE2 and Longhorn v1.3.1
$ kubectl version --short
Client Version: v1.25.0
Kustomize Version: v4.5.7
Server Version: v1.24.4+rke2r1

creamy-pencil-82913

09/30/2022, 12:29 AM
You’re using per-volume keys, but I don’t see that you created a secret matching the pvc name/namespace. Did you do so?
All you showed was the StorageClass and PVC.

proud-salesmen-12221

09/30/2022, 12:34 AM
This is what I have for my secret
---
apiVersion: v1
kind: Secret
metadata:
  name: nginx-v1-pvc
  namespace: v1-ns
stringData:
  CRYPTO_KEY_VALUE: "Your encryption passphrase"
  CRYPTO_KEY_PROVIDER: "secret"
Someone else figured it out. The storage class in the pvc was wrong.

creamy-pencil-82913

09/30/2022, 6:23 AM
Ah indeed, that too!