diff --git a/README.md b/README.md index 6c1114fc0..a088efc68 100644 --- a/README.md +++ b/README.md @@ -52,6 +52,7 @@ end * [Single LVMCluster support](#single-lvmcluster-support) * [Upgrades from v 4.10 and v4.11](#upgrades-from-v-410-and-v411) * [Missing native LVM RAID Configuration support](#missing-native-lvm-raid-configuration-support) + * [Missing native encryption at rest support](#missing-native-encryption-at-rest-support) * [Snapshotting and Cloning in Multi-Node Topologies](#snapshotting-and-cloning-in-multi-node-topologies) * [Validation of `LVMCluster` CRs outside the `openshift-storage` namespace](#validation-of-lvmcluster-crs-outside-the-openshift-storage-namespace) - [Troubleshooting](#troubleshooting) 
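Review bot: the new TOC entry links to `#missing-native-encryption-at-rest-support`, but the heading this PR adds further down in the same file reads `### Missing native LV-level encryption support`, which GitHub renders as `#missing-native-lv-level-encryption-support`, so the link will not resolve within the page. Make the two agree, for example by changing the entry to `* [Missing native LV-level encryption support](#missing-native-lv-level-encryption-support)` or by renaming the heading to match the entry, and use the same term ("encryption at rest" or "LV-level encryption") in both places.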
@@ -454,6 +455,64 @@ Simply create a RAID array with `mdadm` and then use this in your `deviceSelecto _NOTE: Currently, RAID Arrays created with `mdraid` are not automatically recognized when not using any `deviceSelector`, thus they MUST be specified explicitly._ +### Missing native LV-level encryption support + +Currently, LVM Operator does not have a native LV-level encryption support. Instead, you can encrypt the entire disk or partitions, and use them within LVMCluster. This way all LVs created by LVMS on this disk will be encrypted out-of-the-box. + +Here is an example `MachineConfig` that can be used to configure encrypted partitions during an OpenShift installation: + +```yaml +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +metadata: + name: 98-encrypted-disk-partition-master + labels: + machineconfiguration.openshift.io/role: master +spec: + config: + ignition: + version: 3.2.0 + storage: + disks: + - device: /dev/nvme0n1 + wipeTable: false + partitions: + - sizeMiB: 204800 + startMiB: 600000 + label: application + number: 5 + luks: + - clevis: + tpm2: true + device: /dev/disk/by-partlabel/application + name: application + options: + - --cipher + - aes-cbc-essiv:sha256 + wipeVolume: true +``` + +Then, the path to the encrypted partition can be specified in the LVMCluster CR: + +```yaml +apiVersion: lvm.topolvm.io/v1alpha1 +kind: LVMCluster +metadata: + name: my-lvmcluster + namespace: openshift-storage +spec: + storage: + deviceClasses: + - name: vg1 + deviceSelector: + paths: + - /dev/mapper/application + thinPoolConfig: + name: thin-pool-1 + sizePercent: 90 + overprovisionRatio: 10 +``` + ### Snapshotting and Cloning in Multi-Node Topologies In general, since LVMCluster does not ensure data replication, `VolumeSnapshots` and consumption of them is always limited to the original dataSource. diff --git a/internal/controllers/vgmanager/lvm/lvm_test.go b/internal/controllers/vgmanager/lvm/lvm_test.go index 492514947..e44eda877 100644 
--- a/internal/controllers/vgmanager/lvm/lvm_test.go +++ b/internal/controllers/vgmanager/lvm/lvm_test.go @@ -583,7 +583,6 @@ func TestNewDefaultHostLVM(t *testing.T) { assert.NotNilf(t, lvm, "lvm should not be nil") } - func Test_untaggedVGs(t *testing.T) { vgs := []VolumeGroup{ {Name: "vg1", Tags: []string{"tag1"}},
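Review bot: in the README hunk that adds `### Missing native LV-level encryption support`, the `MachineConfig` example pins `--cipher aes-cbc-essiv:sha256` through `luks.options` without saying why. cryptsetup's default for new LUKS volumes is `aes-xts-plain64`, and CBC-ESSIV is the older mode that default replaced; unless there is a hardware reason, drop the `options:` list so the default applies, or document the reason beside it. Two more points in the same hunk deserve a sentence of documentation: `tpm2: true` with no PCR policy means the node unseals the volume on every boot, so this setup protects a disk that is pulled from the node, not a node an attacker can power on and boot, and readers should be told that before they rely on it; and the `MachineConfig` carries `machineconfiguration.openshift.io/role: master` while the `LVMCluster` example has no `nodeSelector`, so on a cluster with worker nodes the `vg1` device class would look for `/dev/mapper/application` on nodes where the partition was never created. Either add a matching `nodeSelector` to the CR or state that the role label and the device class must target the same nodes. Minor wording: "does not have a native LV-level encryption support" should read "does not have native LV-level encryption support".

Review bot: the `lvm_test.go` hunk only deletes a blank line between `TestNewDefaultHostLVM` and `Test_untaggedVGs`; it is unrelated to the README change this PR is about. Either drop it or mention it in the commit message so reviewers do not go looking for a behavioural change in the test file.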