feat: add support for CSI volumes encryption and extraParams. #100

Status: Open. Wants to merge 3 commits into base: main

Conversation

@mlinares1998 (Contributor) commented Apr 23, 2025

Hi! 👋

I'm currently using the module to evaluate a potential production cluster, and it's been working fantastically so far!
Great job to everyone involved!

Given the module’s emphasis on encryption by default, I believe it's important to also support encryption at the storage level for block volumes.

This PR introduces support for enabling CSI volume encryption during cluster provisioning, using either a randomly generated or a fixed LUKS2 passphrase.

Additionally, it introduces the ability to define extra parameters in the default StorageClass, in line with the Hetzner CSI driver documentation.

Example kubernetes.tf snippet:

# Enable the HCloud CSI driver
hcloud_csi_enabled = true

# Enable volume encryption; a 32-byte random passphrase is generated by default
hcloud_csi_storage_class_encryption_enabled = true

# Optionally, specify your own encryption key
hcloud_csi_storage_class_encryption_key = "passphrase"

# Define additional StorageClass parameters
hcloud_csi_storage_class_extra_parameters = {
  "csi.storage.k8s.io/fstype" = "xfs"
  "fsFormatOption"            = "-i nrext64=1"
}

This is my first contribution to the module, I hope it aligns with the project's standards.
Looking forward to your feedback!

Best regards,

References:
https://github.com/hetznercloud/csi-driver/tree/main/docs/kubernetes#volumes-encrypted-with-luks
https://github.com/hetznercloud/csi-driver/tree/main/docs/kubernetes#formatting-options

@mlinares1998 mlinares1998 force-pushed the feature/csi-configuration branch from c192052 to 9d6c1e9 Compare April 23, 2025 01:34
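As an added example (not code from this PR or from the module itself), the script below sketches how the settings in the kubernetes.tf snippet above can map onto the Kubernetes objects the Hetzner CSI driver consumes: a Secret holding the LUKS passphrase and a StorageClass whose parameters point at it, with the user's extra parameters merged in. It also shows a check a reviewer would want for an `extra_parameters` map: refusing user-supplied keys that would silently override the encryption secret reference. Assumptions are labelled in the code: the parameter keys `csi.storage.k8s.io/node-publish-secret-name` / `csi.storage.k8s.io/node-publish-secret-namespace`, the secret data key `encryption-passphrase` and the provisioner name `csi.hetzner.cloud` are taken from the linked Hetzner CSI documentation; the object names, the hex encoding of the random passphrase and the merge policy are this example's own choices and need not match what the module does.

```python
"""Added example, not the module's code: render Secret + StorageClass for
LUKS-encrypted Hetzner CSI volumes and guard the extra-parameter merge.

Assumptions: parameter/secret keys and provisioner name follow the linked
Hetzner CSI docs; names, encoding and merge policy are this example's own.
"""
import json
import secrets
from typing import Dict, List, Optional

# Keys the encryption feature itself must control. Extra parameters supplied
# by the user must not be able to redirect the driver to a different secret.
RESERVED_PARAMETER_KEYS = frozenset({
    "csi.storage.k8s.io/node-publish-secret-name",
    "csi.storage.k8s.io/node-publish-secret-namespace",
})


def generate_passphrase(nbytes: int = 32) -> str:
    """Return a random passphrase carrying `nbytes` bytes of entropy, hex-encoded.

    Mirrors the "32-byte random passphrase" default described in the PR; the
    hex encoding is an assumption of this example. Refuse weaker requests.
    """
    if nbytes < 32:
        raise ValueError("LUKS passphrase should carry at least 32 bytes of entropy")
    return secrets.token_hex(nbytes)


def build_parameters(encryption_enabled: bool, secret_name: str, secret_namespace: str,
                     extra_parameters: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Compose StorageClass.parameters.

    Extra keys that collide with the encryption settings are rejected outright
    rather than letting dict merge order decide which value wins.
    """
    params = dict(extra_parameters or {})
    collisions = RESERVED_PARAMETER_KEYS & params.keys()
    if collisions:
        raise ValueError(f"extra parameters would override encryption settings: {sorted(collisions)}")
    if encryption_enabled:
        params["csi.storage.k8s.io/node-publish-secret-name"] = secret_name
        params["csi.storage.k8s.io/node-publish-secret-namespace"] = secret_namespace
    return params


def render_manifests(encryption_enabled: bool, passphrase: Optional[str] = None,
                     extra_parameters: Optional[Dict[str, str]] = None,
                     reclaim_policy: str = "Delete",
                     storage_class_name: str = "hcloud-volumes",      # assumed name
                     secret_name: str = "hcloud-csi-encryption",      # assumed name
                     secret_namespace: str = "kube-system") -> List[dict]:
    """Return the Secret (only when encryption is on) and the StorageClass as dicts."""
    objects: List[dict] = []
    if encryption_enabled:
        objects.append({
            "apiVersion": "v1",
            "kind": "Secret",
            "metadata": {"name": secret_name, "namespace": secret_namespace},
            "type": "Opaque",
            # Use the fixed passphrase when one is given, otherwise generate one (as in the PR).
            "stringData": {"encryption-passphrase": passphrase or generate_passphrase()},
        })
    objects.append({
        "apiVersion": "storage.k8s.io/v1",
        "kind": "StorageClass",
        "metadata": {"name": storage_class_name},
        "provisioner": "csi.hetzner.cloud",
        "reclaimPolicy": reclaim_policy,
        "volumeBindingMode": "WaitForFirstConsumer",
        "allowVolumeExpansion": True,
        "parameters": build_parameters(encryption_enabled, secret_name, secret_namespace, extra_parameters),
    })
    return objects


if __name__ == "__main__":
    # Constructed input mirroring the kubernetes.tf snippet from the PR description.
    manifests = render_manifests(
        encryption_enabled=True,
        extra_parameters={"csi.storage.k8s.io/fstype": "xfs", "fsFormatOption": "-i nrext64=1"},
    )
    print(json.dumps(manifests, indent=2))
```

The collision check is the part worth carrying into a module: once a StorageClass accepts a free-form parameter map, the two `node-publish-secret-*` keys are the ones that decide which passphrase the node plugin unlocks the volume with, so they should be owned by the encryption setting and not by whoever last wrote the merge.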
@M4t7e (Contributor) commented May 5, 2025

Many thanks @mlinares1998! That looks great! 🙂

Do you think it could be extended to support multiple storage classes?

@mlinares1998 (Contributor, Author) commented
Many thanks @mlinares1998! That looks great! 🙂

Do you think it could be extended to support multiple storage classes?

Hi!! @M4t7e Thanks for your review!
What do you mean exactly?
Allowing to define multiple storage classes within the module along the default one?

@M4t7e (Contributor) commented May 5, 2025

Allowing to define multiple storage classes within the module along the default one?

Exactly, that’s what I meant. I can imagine users wanting different storage classes for various use cases.

@mlinares1998 (Contributor, Author) commented
@M4t7e
I've added in 13f0102 support for defining additional StorageClasses alongside the default one.
Additionally, it's now possible to configure the reclaimPolicy for the default StorageClass as well 😄
