feat(CSI-316): support encryption with custom settings per filesystem #444
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This was referenced Feb 6, 2025
Merged
|
Warning This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
This stack of pull requests is managed by Graphite. Learn more about stacking. |
sergeyberezansky
force-pushed
the
sergey/per-filesystem-encryption
branch
from
fbf1b36 to
2134746
Compare
sergeyberezansky
force-pushed
the
02-04-fix_csi-320_print_raw_entry_in_log_when_endpoint_address_fails_to_be_parsed
branch
from
b5c9448 to
5d29834
Compare
sergeyberezansky
force-pushed
the
sergey/per-filesystem-encryption
branch
from
2134746 to
0f361eb
Compare
sergeyberezansky
force-pushed
the
sergey/per-filesystem-encryption
branch
from
0f361eb to
4dbe7d8
Compare
sergeyberezansky
force-pushed
the
02-04-fix_csi-320_print_raw_entry_in_log_when_endpoint_address_fails_to_be_parsed
branch
from
5d29834 to
637598a
Compare
sergeyberezansky
force-pushed
the
sergey/per-filesystem-encryption
branch
from
dac3d09 to
d833576
Compare
sergeyberezansky
changed the base branch from
02-04-fix_csi-320_print_raw_entry_in_log_when_endpoint_address_fails_to_be_parsed
to
graphite-base/444
sergeyberezansky
force-pushed
the
graphite-base/444
branch
from
637598a to
da199a3
Compare
sergeyberezansky
force-pushed
the
sergey/per-filesystem-encryption
branch
from
d833576 to
9b2a66e
Compare
sergeyberezansky
changed the base branch from
graphite-base/444
to
02-10-fix_csi-323_when_snapshot_of_directory_backed_volumes_is_prohibited_incorrect_error_message_is_shown_stating_volume_is_legacy
sergeyberezansky
force-pushed
the
02-10-fix_csi-323_when_snapshot_of_directory_backed_volumes_is_prohibited_incorrect_error_message_is_shown_stating_volume_is_legacy
branch
from
da199a3 to
837a80a
Compare
sergeyberezansky
force-pushed
the
sergey/per-filesystem-encryption
branch
from
9b2a66e to
4836fbb
Compare
sergeyberezansky
force-pushed
the
02-10-fix_csi-323_when_snapshot_of_directory_backed_volumes_is_prohibited_incorrect_error_message_is_shown_stating_volume_is_legacy
branch
from
837a80a to
194d682
Compare
sergeyberezansky
force-pushed
the
sergey/per-filesystem-encryption
branch
2 times, most recently
from
9dc3dee to
abbd5b9
Compare
sergeyberezansky
force-pushed
the
02-10-fix_csi-323_when_snapshot_of_directory_backed_volumes_is_prohibited_incorrect_error_message_is_shown_stating_volume_is_legacy
branch
from
194d682 to
8f31fce
Compare
sergeyberezansky
force-pushed
the
02-10-fix_csi-323_when_snapshot_of_directory_backed_volumes_is_prohibited_incorrect_error_message_is_shown_stating_volume_is_legacy
branch
from
8f31fce to
e07aba9
Compare
sergeyberezansky
force-pushed
the
sergey/per-filesystem-encryption
branch
from
abbd5b9 to
706ce3c
Compare
sergeyberezansky
force-pushed
the
sergey/per-filesystem-encryption
branch
from
cea4942 to
263dac6
Compare
sergeyberezansky
force-pushed
the
sergey/per-filesystem-encryption
branch
from
263dac6 to
124da4d
Compare
sergeyberezansky
force-pushed
the
graphite-base/444
branch
from
d0abd34 to
f11ba49
Compare
sergeyberezansky
force-pushed
the
sergey/per-filesystem-encryption
branch
from
124da4d to
5203425
Compare
sergeyberezansky
changed the base branch from
graphite-base/444
to
sergey/remove-legacy-volumes
This was referenced Mar 12, 2025
sergeyberezansky
force-pushed
the
sergey/remove-legacy-volumes
branch
from
dc90016 to
37eff82
Compare
sergeyberezansky
force-pushed
the
sergey/per-filesystem-encryption
branch
from
5203425 to
01519d8
Compare
sergeyberezansky
force-pushed
the
sergey/remove-legacy-volumes
branch
from
37eff82 to
d0d9685
Compare
sergeyberezansky
force-pushed
the
sergey/per-filesystem-encryption
branch
from
01519d8 to
ac8d264
Compare
…isting filesystem
sergeyberezansky
force-pushed
the
sergey/remove-legacy-volumes
branch
from
d0d9685 to
dd9168f
Compare
sergeyberezansky
force-pushed
the
sergey/per-filesystem-encryption
branch
from
ac8d264 to
25e5865
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
TL;DR
Added support for encrypted filesystem-backed volumes in WEKA CSI using pre-existing KMS keys. This is an interim step between encryption using only a single cluster-wide key and a full-fledged automated key management per filesystem.
What changed?
How to test?
storageclass-wekafs-fs-encryption-key-in-secret.yamlcsi-wekafs-api-secret-kms-encryption-key-in-secret.yamlpvc-wekafs-fs-encryption-key-in-secret.yamlcsi-app-on-fs-encryption-key-in-secret.yamlWhy make this change?
To enable secure data storage by supporting filesystem-level encryption in WEKA CSI, allowing users to protect their data using pre-existing KMS keys. This feature allows tenant separation by having different encryption keys and not only a cluster-wide key.