Skip to content

Add luks encryption support#148

Merged
Gerrit91 merged 18 commits into
metal-stack:masterfrom
chbmuc:encryption
Apr 28, 2026
Merged

Add luks encryption support#148
Gerrit91 merged 18 commits into
metal-stack:masterfrom
chbmuc:encryption

Conversation

@chbmuc
Copy link
Copy Markdown
Contributor

@chbmuc chbmuc commented Feb 10, 2026
edited by Gerrit91
Loading

Description

This PR adds LUKS2 encryption support for volumes (raw block and filesystem).

The test framework has been extended and all tests pass in a local test run.

Closes #29.

@chbmuc chbmuc requested a review from a team as a code owner February 10, 2026 15:50
majst01
majst01 reviewed Feb 10, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@majst01 majst01 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

first small improvements

Comment thread pkg/lvm/luks.go Outdated
Comment thread pkg/server/node.go Outdated
Comment thread pkg/server/node.go Outdated
Comment thread pkg/server/node.go Outdated
@chbmuc @majst01
Add review comments
e0074d7 
Co-authored-by: Stefan Majer <stefan.majer@gmail.com>
Gerrit91
Gerrit91 reviewed Feb 11, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@Gerrit91 Gerrit91 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cool. Not an expert on this, but looks pretty good from the code perspective.

Comment thread pkg/lvm/luks.go Outdated
Comment thread pkg/lvm/luks.go Outdated
Comment thread pkg/lvm/luks.go Outdated
Comment thread pkg/lvm/luks.go Outdated
Comment thread pkg/lvm/lvm.go Outdated
Comment thread pkg/lvm/lvm.go Outdated
majst01
majst01 reviewed Feb 13, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@majst01 majst01 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We are almost there

Comment thread pkg/server/node.go Outdated
ostempel
ostempel reviewed Feb 24, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@ostempel ostempel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Really nice feature. Have some feedback for you

Comment thread pkg/lvm/luks.go Outdated
Comment thread pkg/lvm/luks.go Outdated
Comment thread pkg/lvm/luks.go Outdated
Comment thread pkg/server/node.go Outdated
Comment thread pkg/server/node.go
Comment thread pkg/lvm/luks.go Outdated
Comment thread pkg/lvm/luks.go Outdated
Comment thread charts/csi-driver-lvm/values.yaml
ostempel
ostempel reviewed Feb 24, 2026
View reviewed changes
Comment thread tests/bats/test.bats
@ostempel
Copy link
Copy Markdown
Contributor

ostempel commented Mar 31, 2026

thank you very much! I will take a look this week.

ostempel
ostempel reviewed Apr 2, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@ostempel ostempel left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great feature! 🚀

Just small nitpicks for the testing.
Here we can remove the creation and deletion of the encrypted-linear storageclass since it already is deployed through the helm-chart and its custom values.yaml

Otherwise than this we can merge.

Also would be really happy if you add this feature to the associated gardener-extension-csi-driver-lvm

Comment thread tests/bats/test.bats Outdated
Comment thread tests/bats/test.bats
Comment thread tests/bats/test.bats Outdated
@chbmuc
Copy link
Copy Markdown
Contributor Author

chbmuc commented Apr 8, 2026

PR should be complete now.

I will take a look at the gardener-extension-csi-driver-lvm - no promises... Do you want encryption to be an Opt-In setting or shall we enable it be default?

@Gerrit91
Copy link
Copy Markdown
Contributor

Gerrit91 commented Apr 9, 2026

I will take a look at the gardener-extension-csi-driver-lvm - no promises... Do you want encryption to be an Opt-In setting or shall we enable it be default?

I'd say we should go for opt-in setting in the extension. Higher-level APIs can still implement a different defaulting.

@chbmuc
Copy link
Copy Markdown
Contributor Author

chbmuc commented Apr 13, 2026

I have commited metal-stack/gardener-extension-csi-driver-lvm#25 now.

ostempel
ostempel reviewed Apr 13, 2026
View reviewed changes
Comment thread tests/files/storageclass.linear-encrypted.yaml Outdated
ostempel
ostempel approved these changes Apr 22, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@ostempel ostempel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@Gerrit91 Gerrit91 merged commit 9799671 into metal-stack:master Apr 28, 2026
6 checks passed
@Gerrit91 Gerrit91 mentioned this pull request May 21, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@majst01 majst01 majst01 left review comments

@Gerrit91 Gerrit91 Gerrit91 left review comments

@ostempel ostempel ostempel approved these changes

Assignees

No one assigned

Labels

None yet

Projects

Development
Archived in project

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Filesystem encryption support

4 participants

@chbmuc @ostempel @Gerrit91 @majst01