feat(CSI-316): support encryption with custom settings per filesystem #444
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This was referenced Feb 6, 2025
Merged
|
Warning This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
This stack of pull requests is managed by Graphite. Learn more about stacking. |
sergeyberezansky
force-pushed
the
sergey/per-filesystem-encryption
branch
from
fbf1b36 to
2134746
Compare
sergeyberezansky
force-pushed
the
02-04-fix_csi-320_print_raw_entry_in_log_when_endpoint_address_fails_to_be_parsed
branch
from
b5c9448 to
5d29834
Compare
sergeyberezansky
force-pushed
the
sergey/per-filesystem-encryption
branch
from
2134746 to
0f361eb
Compare
sergeyberezansky
force-pushed
the
sergey/per-filesystem-encryption
branch
from
0f361eb to
4dbe7d8
Compare
sergeyberezansky
force-pushed
the
02-04-fix_csi-320_print_raw_entry_in_log_when_endpoint_address_fails_to_be_parsed
branch
from
5d29834 to
637598a
Compare
sergeyberezansky
force-pushed
the
sergey/per-filesystem-encryption
branch
from
dac3d09 to
d833576
Compare
sergeyberezansky
changed the base branch from
02-04-fix_csi-320_print_raw_entry_in_log_when_endpoint_address_fails_to_be_parsed
to
graphite-base/444
sergeyberezansky
force-pushed
the
graphite-base/444
branch
from
637598a to
da199a3
Compare
sergeyberezansky
force-pushed
the
sergey/per-filesystem-encryption
branch
from
d833576 to
9b2a66e
Compare
sergeyberezansky
changed the base branch from
graphite-base/444
to
02-10-fix_csi-323_when_snapshot_of_directory_backed_volumes_is_prohibited_incorrect_error_message_is_shown_stating_volume_is_legacy
sergeyberezansky
force-pushed
the
02-10-fix_csi-323_when_snapshot_of_directory_backed_volumes_is_prohibited_incorrect_error_message_is_shown_stating_volume_is_legacy
branch
from
da199a3 to
837a80a
Compare
sergeyberezansky
force-pushed
the
sergey/per-filesystem-encryption
branch
from
9b2a66e to
4836fbb
Compare
sergeyberezansky
force-pushed
the
02-10-fix_csi-323_when_snapshot_of_directory_backed_volumes_is_prohibited_incorrect_error_message_is_shown_stating_volume_is_legacy
branch
from
837a80a to
194d682
Compare
sergeyberezansky
force-pushed
the
sergey/per-filesystem-encryption
branch
2 times, most recently
from
9dc3dee to
abbd5b9
Compare
sergeyberezansky
force-pushed
the
02-10-fix_csi-323_when_snapshot_of_directory_backed_volumes_is_prohibited_incorrect_error_message_is_shown_stating_volume_is_legacy
branch
from
194d682 to
8f31fce
Compare
sergeyberezansky
force-pushed
the
02-10-fix_csi-323_when_snapshot_of_directory_backed_volumes_is_prohibited_incorrect_error_message_is_shown_stating_volume_is_legacy
branch
from
8f31fce to
e07aba9
Compare
sergeyberezansky
force-pushed
the
sergey/per-filesystem-encryption
branch
from
abbd5b9 to
706ce3c
Compare
sergeyberezansky
force-pushed
the
02-10-fix_csi-323_when_snapshot_of_directory_backed_volumes_is_prohibited_incorrect_error_message_is_shown_stating_volume_is_legacy
branch
from
e07aba9 to
6c4ad0f
Compare
sergeyberezansky
force-pushed
the
sergey/per-filesystem-encryption
branch
from
706ce3c to
34ab757
Compare
sergeyberezansky
changed the base branch from
02-10-fix_csi-323_when_snapshot_of_directory_backed_volumes_is_prohibited_incorrect_error_message_is_shown_stating_volume_is_legacy
to
graphite-base/444
sergeyberezansky
force-pushed
the
sergey/per-filesystem-encryption
branch
from
34ab757 to
9d1553e
Compare
sergeyberezansky
force-pushed
the
graphite-base/444
branch
from
6c4ad0f to
0586bb2
Compare
sergeyberezansky
changed the base branch from
graphite-base/444
to
sergey/support-basic-fs-encryption
sergeyberezansky
force-pushed
the
sergey/support-basic-fs-encryption
branch
2 times, most recently
from
9d2189f to
d01cddb
Compare
sergeyberezansky
force-pushed
the
sergey/per-filesystem-encryption
branch
from
9d1553e to
699956f
Compare
sergeyberezansky
force-pushed
the
sergey/support-basic-fs-encryption
branch
2 times, most recently
from
9e35330 to
aa5bd68
Compare
sergeyberezansky
force-pushed
the
sergey/per-filesystem-encryption
branch
from
699956f to
cea4942
Compare
sergeyberezansky
changed the base branch from
sergey/support-basic-fs-encryption
to
graphite-base/444
…isting filesystem
sergeyberezansky
force-pushed
the
graphite-base/444
branch
from
aa5bd68 to
d0abd34
Compare
sergeyberezansky
force-pushed
the
sergey/per-filesystem-encryption
branch
from
cea4942 to
263dac6
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
TL;DR
Added support for encrypted filesystem-backed volumes in WEKA CSI using pre-existing KMS keys. This is an interim step between encryption using only a single cluster-wide key and a full-fledged automated key management per filesystem.
What changed?
How to test?
storageclass-wekafs-fs-encryption-key-in-secret.yamlcsi-wekafs-api-secret-kms-encryption-key-in-secret.yamlpvc-wekafs-fs-encryption-key-in-secret.yamlcsi-app-on-fs-encryption-key-in-secret.yamlWhy make this change?
To enable secure data storage by supporting filesystem-level encryption in WEKA CSI, allowing users to protect their data using pre-existing KMS keys. This feature allows tenant separation by having different encryption keys and not only a cluster-wide key.