docs: add missing native encryption at rest support to the limitations
Signed-off-by: Suleyman Akbas <sakbas@redhat.com>
suleymanakbas91 committed Feb 22, 2024
1 parent cd6cba9 commit b954baf
Showing 2 changed files with 59 additions and 1 deletion.
59 changes: 59 additions & 0 deletions README.md
Expand Up @@ -52,6 +52,7 @@ end
* [Single LVMCluster support](#single-lvmcluster-support)
* [Upgrades from v 4.10 and v4.11](#upgrades-from-v-410-and-v411)
* [Missing native LVM RAID Configuration support](#missing-native-lvm-raid-configuration-support)
* [Missing native encryption at rest support](#missing-native-encryption-at-rest-support)
* [Snapshotting and Cloning in Multi-Node Topologies](#snapshotting-and-cloning-in-multi-node-topologies)
* [Validation of `LVMCluster` CRs outside the `openshift-storage` namespace](#validation-of-lvmcluster-crs-outside-the-openshift-storage-namespace)
- [Troubleshooting](#troubleshooting)
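Review bot: the new table-of-contents entry `* [Missing native encryption at rest support](#missing-native-encryption-at-rest-support)` links to an anchor that does not match the heading this same commit adds further down (`### Missing native LV-level encryption support`), whose generated anchor is `#missing-native-lv-level-encryption-support`, so the link will not resolve. Rename one of the two so they agree; since the commit title and the TOC entry both say "encryption at rest", changing the heading is the smaller edit.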
Expand Down Expand Up @@ -454,6 +455,64 @@ Simply create a RAID array with `mdadm` and then use this in your `deviceSelecto

_NOTE: Currently, RAID Arrays created with `mdraid` are not automatically recognized when not using any `deviceSelector`, thus they MUST be specified explicitly._

### Missing native LV-level encryption support

Currently, LVM Operator does not have a native LV-level encryption support. Instead, you can encrypt the entire disk or partitions, and use them within LVMCluster. This way all LVs created by LVMS on this disk will be encrypted out-of-the-box.

Here is an example `MachineConfig` that can be used to configure encrypted partitions during an OpenShift installation:

```yaml
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
name: 98-encrypted-disk-partition-master
labels:
machineconfiguration.openshift.io/role: master
spec:
config:
ignition:
version: 3.2.0
storage:
disks:
- device: /dev/nvme0n1
wipeTable: false
partitions:
- sizeMiB: 204800
startMiB: 600000
label: application
number: 5
luks:
- clevis:
tpm2: true
device: /dev/disk/by-partlabel/application
name: application
options:
- --cipher
- aes-cbc-essiv:sha256
wipeVolume: true
```

Then, the path to the encrypted partition can be specified in the LVMCluster CR:

```yaml
apiVersion: lvm.topolvm.io/v1alpha1
kind: LVMCluster
metadata:
name: my-lvmcluster
namespace: openshift-storage
spec:
storage:
deviceClasses:
- name: vg1
deviceSelector:
paths:
- /dev/mapper/application
thinPoolConfig:
name: thin-pool-1
sizePercent: 90
overprovisionRatio: 10
```

### Snapshotting and Cloning in Multi-Node Topologies

In general, since LVMCluster does not ensure data replication, `VolumeSnapshots` and consumption of them is always limited to the original dataSource.
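Review bot: the sentence "Then, the path to the encrypted partition can be specified in the LVMCluster CR" is misleading given the example that follows it: `/dev/mapper/application` is the opened (decrypted) LUKS mapping created from `name: application`, not the encrypted partition itself (`/dev/disk/by-partlabel/application`). Say "the path to the opened LUKS device (`/dev/mapper/<name>`)" so readers do not point `deviceSelector.paths` at the raw partition. Two smaller points in the same hunk: "does not have a native LV-level encryption support" should read "does not have native LV-level encryption support", and the `--cipher aes-cbc-essiv:sha256` option deviates from cryptsetup's LUKS2 default (`aes-xts-plain64`); either state why that cipher is chosen or drop the option and let the default apply. It is also worth one sentence noting that with `clevis: tpm2: true` and no PCR policy the volume unlocks automatically on every boot of that node, so this protects data on a disk removed from the machine rather than data on the running node.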
1 change: 0 additions & 1 deletion internal/controllers/vgmanager/lvm/lvm_test.go
Expand Up @@ -583,7 +583,6 @@ func TestNewDefaultHostLVM(t *testing.T) {
assert.NotNilf(t, lvm, "lvm should not be nil")
}


func Test_untaggedVGs(t *testing.T) {
vgs := []VolumeGroup{
{Name: "vg1", Tags: []string{"tag1"}},
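Review bot: dropping the second blank line between `TestNewDefaultHostLVM` and `Test_untaggedVGs` is an unrelated whitespace cleanup in a commit titled `docs: ...`; either leave it out of this commit or mention it in the commit message so the change set matches its title.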

0 comments on commit b954baf