feat: add support for CSI volumes encryption and extraParams.

mlinares1998 · mlinares1998 · commit 9d6c1e993cc6 · 2025-04-23T03:34:46.000+02:00
Reference: https://github.com/hetznercloud/csi-driver/tree/main/docs/kubernetes#volumes-encrypted-with-luks https://github.com/hetznercloud/csi-driver/tree/main/docs/kubernetes#formatting-options
diff --git a/README.md b/README.md
@@ -349,6 +349,37 @@ cluster_autoscaler_helm_values = {
 ```
 </details>
 
+<!-- CSI Driver Storage Class -->
+<details>
+<summary><b>CSI Driver Storage Class</b></summary>
+
+The Hetzner Cloud Container Storage Interface (CSI) driver supports additional configuration options through the StorageClass resource:
+
+- **Volume encryption**: Enables automatic LUKS2 encryption using a passphrase stored within the Kubernetes cluster.
+- **Volume filesystem**: Specify the desired filesystem (e.g., `ext4` or `xfs`) via the `csi.storage.k8s.io/fstype` parameter.
+- **Additional format options**: Provide custom formatting options that will be passed directly to `mkfs.<FSTYPE>` during volume provisioning using the `fsFormatOption` parameter.
+
+For full documentation, refer to the [HCloud CSI Driver documentation](https://github.com/hetznercloud/csi-driver/tree/main/docs/kubernetes).
+
+**Example `kubernetes.tf` snippet:**
+```hcl
+# Enable the HCloud CSI driver
+hcloud_csi_enabled = true
+
+# Enable volume encryption; a 32-byte random passphrase is generated by default
+hcloud_csi_storage_class_encryption_enabled = true
+
+# Optionally, specify your own encryption key
+hcloud_csi_storage_class_encryption_key = "passphrase"
+
+# Define additional StorageClass parameters
+hcloud_csi_storage_class_extra_parameters = {
+  "csi.storage.k8s.io/fstype" = "xfs"
+  "fsFormatOption"            = "-i nrext64=1"
+}
+```
+</details>
+
 <!-- Egress Gateway -->
 <details>
 <summary><b>Egress Gateway</b></summary>
diff --git a/hcloud.tf b/hcloud.tf
@@ -16,6 +16,18 @@ locals {
       }
     })
   }
+  hcloud_csi_storage_class_encryption_key_manifest = var.hcloud_csi_enabled ? var.hcloud_csi_storage_class_encryption_enabled ? {
+    apiVersion = "v1"
+    kind       = "Secret"
+    type       = "Opaque"
+    metadata = {
+      name      = "hcloud-csi-secret"
+      namespace = "kube-system"
+    }
+    data = {
+      encryption-passphrase = var.hcloud_csi_storage_class_encryption_key != null ? base64encode(var.hcloud_csi_storage_class_encryption_key) : base64encode(random_bytes.hcloud_csi_encryption_key[0].hex)
+    }
+  } : null : null
 }
 
 # Hcloud CCM
@@ -54,6 +66,11 @@ locals {
 }
 
 # Hcloud CSI
+resource "random_bytes" "hcloud_csi_encryption_key" {
+  count  = var.hcloud_csi_enabled ? var.hcloud_csi_storage_class_encryption_enabled ? var.hcloud_csi_storage_class_encryption_key == null ? 1 : 0 : 0 : 0
+  length = 32
+}
+
 data "helm_template" "hcloud_csi" {
   count = var.hcloud_csi_enabled ? 1 : 0
 
@@ -92,6 +109,20 @@ data "helm_template" "hcloud_csi" {
           }
         ]
       }
+      storageClasses = [
+        {
+          name                = "hcloud-volumes",
+          defaultStorageClass = true,
+          reclaimPolicy       = "Delete",
+          extraParameters = merge(
+            var.hcloud_csi_storage_class_encryption_enabled ? {
+              "csi.storage.k8s.io/node-publish-secret-name"      = "hcloud-csi-secret",
+              "csi.storage.k8s.io/node-publish-secret-namespace" = "kube-system"
+            } : {},
+            var.hcloud_csi_storage_class_extra_parameters
+          )
+        }
+      ]
     }),
     yamlencode(var.hcloud_csi_helm_values)
   ]
@@ -100,6 +131,10 @@ data "helm_template" "hcloud_csi" {
 locals {
   hcloud_csi_manifest = var.hcloud_csi_enabled ? {
     name     = "hcloud-csi"
-    contents = data.helm_template.hcloud_csi[0].manifest
+    contents = <<-EOF
+      ${data.helm_template.hcloud_csi[0].manifest}
+      ---
+      ${var.hcloud_csi_storage_class_encryption_enabled ? yamlencode(local.hcloud_csi_storage_class_encryption_key_manifest) : yamlencode({})}
+    EOF
   } : null
 }
diff --git a/terraform.tf b/terraform.tf
@@ -26,6 +26,11 @@ terraform {
       source  = "hashicorp/tls"
       version = "~>4.0.0"
     }
+
+    random = {
+      source  = "hashicorp/random"
+      version = "~>3.7.2"
+    }
   }
 }
 
diff --git a/variables.tf b/variables.tf
@@ -888,6 +888,24 @@ variable "hcloud_csi_enabled" {
   description = "Enables the Hetzner Container Storage Interface (CSI)."
 }
 
+variable "hcloud_csi_storage_class_encryption_enabled" {
+  type        = bool
+  default     = false
+  description = "Enable Hcloud CSI storage class LUKS encryption."
+}
+
+variable "hcloud_csi_storage_class_encryption_key" {
+  type        = string
+  default     = null
+  description = "User defined Hcloud CSI storage class LUKS encryption key."
+  sensitive   = true
+}
+
+variable "hcloud_csi_storage_class_extra_parameters" {
+  type        = map(string)
+  default     = {}
+  description = "Hcloud CSI storage class extra parameters."
+}
 
 # Longhorn
 variable "longhorn_helm_repository" {

Original file line number	Diff line number	Diff line change
`@@ -26,6 +26,11 @@ terraform {`
`26`	`26`	`source = "hashicorp/tls"`
`27`	`27`	`version = "~>4.0.0"`
`28`	`28`	`}`
	`29`	`+`
	`30`	`+ random = {`
	`31`	`+ source = "hashicorp/random"`
	`32`	`+ version = "~>3.7.2"`
	`33`	`+ }`
`29`	`34`	`}`
`30`	`35`	`}`
`31`	`36`