Channels
extensions
rancher-extensions
supermicro-sixsq
ozt
os
one-point-x
rio
onlinemeetup
v16-v21-migration
events
onlinetraining
training-1220
training-0110
training-0124
k3s-contributor
submariner
storage
k3os
windows
ci-cd
theranchcast
rfed_ara
nederlands
ukranian
danish
training-0131
masterclass
training-0207
training-0214
terraform-controller
epinio
phillydotnet
swarm
rancher-wrangler
deutsch
russian
chinese
mesos
français
japanese
arm
longhorn-dev
terraform-provider-rke
service-mesh
azure
gcp
academy
random
elemental
espanol
lima
harvester-dev
portugues
kubernetes
kim
hypper
kubewarden
opni
logging
neuvector-security
rancher-setup
developer
office-hours
mexico
cabpr
rke
vsphere
longhorn-storage
k3s
k3d
terraform-provider-rancher2
fleet
amazon
harvester
rke2
s3gw
hobbyfarm
rancher-desktop
general
Title
p
proud-salesmen-12221
09/29/2022, 11:32 PMDoes anyone have experience with encrypted volumes? I'm setting up a StorageClass and PersistentVolumeClaim with encrypted: true and per-volume secrets with the yamls below. There are no errors when creating them, however , the Longhorn UI shows the volume as not encrypted. Any ideas why?
---
apiVersion: <http://storage.k8s.io/v1|storage.k8s.io/v1>
kind: StorageClass
metadata:
name: longhorn-crypto-v1-volume
provisioner: <http://driver.longhorn.io|driver.longhorn.io>
allowVolumeExpansion: true
parameters:
numberOfReplicas: "3"
staleReplicaTimeout: "2880" # 48 hours in minutes
fromBackup: ""
encrypted: "true"
<http://csi.storage.k8s.io/provisioner-secret-name|csi.storage.k8s.io/provisioner-secret-name>: ${pvc.name}
<http://csi.storage.k8s.io/provisioner-secret-namespace|csi.storage.k8s.io/provisioner-secret-namespace>: ${pvc.namespace}
<http://csi.storage.k8s.io/node-publish-secret-name|csi.storage.k8s.io/node-publish-secret-name>: ${pvc.name}
<http://csi.storage.k8s.io/node-publish-secret-namespace|csi.storage.k8s.io/node-publish-secret-namespace>: ${pvc.namespace}
<http://csi.storage.k8s.io/node-stage-secret-name|csi.storage.k8s.io/node-stage-secret-name>: ${pvc.name}
<http://csi.storage.k8s.io/node-stage-secret-namespace|csi.storage.k8s.io/node-stage-secret-namespace>: ${pvc.namespace}
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nginx-v1-pvc
namespace: v1-ns
spec:
accessModes:
- ReadWriteOnce
storageClassName: longhorn
resources:
requests:
storage: 2Gi✅ 1
I'm using RKE2 and Longhorn v1.3.1
$ kubectl version --short
Client Version: v1.25.0
Kustomize Version: v4.5.7
Server Version: v1.24.4+rke2r1c
creamy-pencil-82913
09/30/2022, 12:29 AMYou’re using per-volume keys, but I don’t see that you created a secret matching the pvc name/namespace. Did you do so?
all you showed was the storageclass and pvc
p
proud-salesmen-12221
09/30/2022, 12:34 AMThis is what I have for my secret
---
apiVersion: v1
kind: Secret
metadata:
name: nginx-v1-pvc
namespace: v1-ns
stringData:
CRYPTO_KEY_VALUE: "Your encryption passphrase"
CRYPTO_KEY_PROVIDER: "secret"Someone else figured it out. The storage class in the pvc was wrong.
c
creamy-pencil-82913
09/30/2022, 6:23 AMah indeed, that too!