Merge pull request #638 from kube-hetzner/fix/longhorn-encryption-at-…

…rest Fix/longhorn encryption at rest
kube-hetzner · Mar 11, 2023 · 29eaf89 · 29eaf89
2 parents 9e7c842 + e01176d
commit 29eaf89
Show file tree

Hide file tree

Showing 2 changed files with 78 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -48,6 +48,7 @@ To achieve this, we built up on the shoulders of giants by choosing [openSUSE Mi
 - [x] Can use Klipper as an **on-metal LB** or the **Hetzner LB**.
 - [x] Ability to **add nodes and nodepools** when the cluster is running.
 - [x] Possibility to toggle **Longhorn** and **Hetzner CSI**.
+- [x] Encryption at rest fully functional in both **Longhorn** and **Hetzner CSI**.
 - [x] Choose between **Flannel, Calico, or Cilium** as CNI.
 - [x] Optional **Wireguard** encryption of the Kube network for added security.
 - [x] Optional use of **Floating IPs** for use via Cilium's Egress Gateway.
@@ -433,6 +434,82 @@ The same goes for all add-ons, like Longhorn, Cert-manager, and Traefik.
 
 </details>
 
+<details>
+
+<summary>Encryption at rest with HCloud CSI</summary>
+
+The easiest way to get encrypted volumes working is actually to use the new encryption functionality of hcloud csi itself, see https://github.com/hetznercloud/csi-driver.
+For this, you just need to create a secret containing the encryption key
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: encryption-secret
+  namespace: kube-system
+stringData:
+  encryption-passphrase: foobar
+```
+and to create a new storage class
+```yaml
+  apiVersion: storage.k8s.io/v1
+  kind: StorageClass
+  metadata:
+    name: hcloud-volumes-encrypted
+  provisioner: csi.hetzner.cloud
+  reclaimPolicy: Delete
+  volumeBindingMode: WaitForFirstConsumer
+  allowVolumeExpansion: true
+  parameters:
+    csi.storage.k8s.io/node-publish-secret-name: encryption-secret
+    csi.storage.k8s.io/node-publish-secret-namespace: kube-system
+```
+
+</details>
+
+<details>
+
+<summary>Encryption at rest with Longhorn</summary>
+To get started, use a cluster-wide key for all volumes like this,
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: longhorn-crypto
+  namespace: longhorn-system
+stringData:
+  CRYPTO_KEY_VALUE: "I have nothing to hide."
+  CRYPTO_KEY_PROVIDER: "secret"
+  CRYPTO_KEY_CIPHER: "aes-xts-plain64"
+  CRYPTO_KEY_HASH: "sha256"
+  CRYPTO_KEY_SIZE: "256"
+  CRYPTO_PBKDF: "argon2i"
+```
+and create a new storage class
+```yaml
+kind: StorageClass
+apiVersion: storage.k8s.io/v1
+metadata:
+  name: longhorn-crypto-global
+provisioner: driver.longhorn.io
+allowVolumeExpansion: true
+parameters:
+  nodeSelector: "node-storage"
+  numberOfReplicas: "1"
+  staleReplicaTimeout: "2880" # 48 hours in minutes
+  fromBackup: ""
+  fsType: ext4
+  encrypted: "true"
+  # global secret that contains the encryption key that will be used for all volumes
+  csi.storage.k8s.io/provisioner-secret-name: "longhorn-crypto"
+  csi.storage.k8s.io/provisioner-secret-namespace: "longhorn-system"
+  csi.storage.k8s.io/node-publish-secret-name: "longhorn-crypto"
+  csi.storage.k8s.io/node-publish-secret-namespace: "longhorn-system"
+  csi.storage.k8s.io/node-stage-secret-name: "longhorn-crypto"
+  csi.storage.k8s.io/node-stage-secret-namespace: "longhorn-system"
+```
+For more details, see [Longhorn's documentation](https://longhorn.io/docs/1.4.0/advanced-resources/security/volume-encryption/).
+
+</details>
 ## Debugging
 
 First and foremost, it depends, but it's always good to have a quick look into Hetzner quickly without logging in to the UI. That is where the `hcloud` cli comes in.

diff --git a/locals.tf b/locals.tf
@@ -113,7 +113,7 @@ locals {
 
   packages_to_install = concat(
     var.enable_wireguard ? ["wireguard-tools"] : [],
-    var.enable_longhorn ? ["open-iscsi", "nfs-client", "xfsprogs", "cryptsetup"] : [],
+    var.enable_longhorn ? ["open-iscsi", "nfs-client", "xfsprogs", "cryptsetup", "lvm2"] : [],
     var.extra_packages_to_install,
   )