From 2e96eecd7b6016cdbd2432fd3d9a4e44fa8623a6 Mon Sep 17 00:00:00 2001
From: james-otten
Date: Sat, 28 Sep 2024 17:00:17 -0400
Subject: [PATCH] Add encrypted storage class to longhorn (#36)

* Add encrypted storage class to longhorn
* validate
* undo temp change
---
 .github/workflows/deploy_k8s_cluster.yaml | 1 +
 .../files/longhorn_manifest.yaml | 15 -------
 .../roles/k8s-cluster-helm/tasks/main.yaml | 2 +-
 .../templates/longhorn_manifest.yaml.j2 | 45 +++++++++++++++++++
 terraform/cluster.tf | 1 +
 terraform/mesh_cluster/ansible.tf | 1 +
 terraform/mesh_cluster/vars.tf | 6 +++
 terraform/vars.tf | 6 +++
 8 files changed, 61 insertions(+), 16 deletions(-)
 delete mode 100644 ansible/roles/k8s-cluster-helm/files/longhorn_manifest.yaml
 create mode 100644 ansible/roles/k8s-cluster-helm/templates/longhorn_manifest.yaml.j2
diff --git a/.github/workflows/deploy_k8s_cluster.yaml b/.github/workflows/deploy_k8s_cluster.yaml
index a74fb14..2b5a225 100644
--- a/.github/workflows/deploy_k8s_cluster.yaml
+++ b/.github/workflows/deploy_k8s_cluster.yaml
@@ -16,6 +16,7 @@ env:
 TF_VAR_mesh_local_password: ${{ secrets.TF_VAR_MESHDB_LOCAL_PASSWORD }}
 TF_VAR_k3s_token: ${{ secrets.TF_VAR_K3S_TOKEN }}
 TF_VAR_DATADOG_API_KEY: ${{ secrets.DATADOG_API_KEY }}
+ TF_VAR_longhorn_passphrase: ${{ secrets.LONGHORN_PASSPHRASE }}
 # Credentials for deployment to AWS
 AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
 AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
diff --git a/ansible/roles/k8s-cluster-helm/files/longhorn_manifest.yaml b/ansible/roles/k8s-cluster-helm/files/longhorn_manifest.yaml
deleted file mode 100644
index 744b8cb..0000000
--- a/ansible/roles/k8s-cluster-helm/files/longhorn_manifest.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: longhorn-system
----
-apiVersion: helm.cattle.io/v1
-kind: HelmChart
-metadata:
- name: longhorn
- namespace: longhorn-system
-spec:
- repo: https://charts.longhorn.io
- chart: longhorn
- targetNamespace: longhorn-system
-
diff --git a/ansible/roles/k8s-cluster-helm/tasks/main.yaml b/ansible/roles/k8s-cluster-helm/tasks/main.yaml
index 1d075c9..b6a6740 100644
--- a/ansible/roles/k8s-cluster-helm/tasks/main.yaml
+++ b/ansible/roles/k8s-cluster-helm/tasks/main.yaml
@@ -1,6 +1,6 @@
 - name: Copy longhorn manifiest
 ansible.builtin.copy:
- src: ./files/longhorn_manifest.yaml
+ src: ./templates/longhorn_manifest.yaml.j2
 dest: /root/longhorn_manifest.yaml
 owner: root
 group: root
diff --git a/ansible/roles/k8s-cluster-helm/templates/longhorn_manifest.yaml.j2 b/ansible/roles/k8s-cluster-helm/templates/longhorn_manifest.yaml.j2
new file mode 100644
index 0000000..89850ae
--- /dev/null
+++ b/ansible/roles/k8s-cluster-helm/templates/longhorn_manifest.yaml.j2
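Review bot: `ansible.builtin.copy` transfers the source file byte-for-byte, so switching `src` to `./templates/longhorn_manifest.yaml.j2` leaves the `{{ LONGHORN_PASSPHRASE }}` placeholder unrendered and the Secret written to the host would carry that literal text as `CRYPTO_KEY_VALUE`; the task needs `ansible.builtin.template:` with the same `src`/`dest` for the inventory variable to be substituted. Because the rendered manifest holds the passphrase in clear text under `/root/longhorn_manifest.yaml`, the task should also carry `mode: "0600"` (the remaining task lines are past the end of the hunk, so this may already be set). Renaming the task to `- name: Render longhorn manifest` would describe the new behaviour and remove the `manifiest` typo at the same time.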
@@ -0,0 +1,45 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: longhorn-system
+---
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+ name: longhorn
+ namespace: longhorn-system
+spec:
+ repo: https://charts.longhorn.io
+ chart: longhorn
+ targetNamespace: longhorn-system
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: longhorn-crypto
+ namespace: longhorn-system
+stringData:
+ CRYPTO_KEY_VALUE: "{{ LONGHORN_PASSPHRASE }}"
+ CRYPTO_KEY_PROVIDER: "secret"
+ CRYPTO_KEY_CIPHER: "aes-xts-plain64"
+ CRYPTO_KEY_HASH: "sha256"
+ CRYPTO_KEY_SIZE: "256"
+ CRYPTO_PBKDF: "argon2i"
+---
+kind: StorageClass
+apiVersion: storage.k8s.io/v1
+metadata:
+ name: longhorn-encrypted
+provisioner: driver.longhorn.io
+allowVolumeExpansion: true
+parameters:
+ numberOfReplicas: "3"
+ staleReplicaTimeout: "2880" # 48 hours in minutes
+ fromBackup: ""
+ encrypted: "true"
+ csi.storage.k8s.io/provisioner-secret-name: "longhorn-crypto"
+ csi.storage.k8s.io/provisioner-secret-namespace: "longhorn-system"
+ csi.storage.k8s.io/node-publish-secret-name: "longhorn-crypto"
+ csi.storage.k8s.io/node-publish-secret-namespace: "longhorn-system"
+ csi.storage.k8s.io/node-stage-secret-name: "longhorn-crypto"
+ csi.storage.k8s.io/node-stage-secret-namespace: "longhorn-system"
diff --git a/terraform/cluster.tf b/terraform/cluster.tf
index 6a7b8ad..2b73a95 100644
--- a/terraform/cluster.tf
+++ b/terraform/cluster.tf
@@ -21,6 +21,7 @@ module "some_mesh_cluster" {
 mesh_external_ip = var.mesh_external_ip
 meshdb_fqdn = var.meshdb_fqdn
 mesh_local_password = var.mesh_local_password
+ longhorn_passphrase = var.longhorn_passphrase
 k3s_token = var.k3s_token
 DATADOG_API_KEY = var.DATADOG_API_KEY
 vm_nic = var.vm_nic
diff --git a/terraform/mesh_cluster/ansible.tf b/terraform/mesh_cluster/ansible.tf
index 50819c8..5a19f18 100644
--- a/terraform/mesh_cluster/ansible.tf
+++ b/terraform/mesh_cluster/ansible.tf
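Review bot: `CRYPTO_KEY_VALUE: "{{ LONGHORN_PASSPHRASE }}"` drops the passphrase inside a YAML double-quoted scalar, so a value containing `"` or `\` renders into an invalid or silently altered manifest; `CRYPTO_KEY_VALUE: {{ LONGHORN_PASSPHRASE | to_json }}` produces a correctly escaped scalar for any input. The `HelmChart` spec still has no `version:`, so the chart presumably floats to whatever the repo currently publishes and the encrypted StorageClass parameters are not tied to a release they were validated against; pinning the version alongside this change would be worth it. A short header comment in the template saying that the passphrase is the only protection for data at rest and that every volume created from `longhorn-encrypted` depends on it would help whoever rotates the secret later.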
@@ -8,6 +8,7 @@ resource "ansible_group" "mgrs" {
 K3S_TOKEN = var.k3s_token
 DATADOG_API_KEY = var.DATADOG_API_KEY
 ENV_NAME = var.mesh_env_name
+ LONGHORN_PASSPHRASE = var.longhorn_passphrase
 }
 }
 
diff --git a/terraform/mesh_cluster/vars.tf b/terraform/mesh_cluster/vars.tf
index e0a0c36..b018a02 100644
--- a/terraform/mesh_cluster/vars.tf
+++ b/terraform/mesh_cluster/vars.tf
@@ -32,6 +32,12 @@ variable "mesh_local_password" {
 sensitive = true
 }
 
+variable "longhorn_passphrase" {
+ type = string
+ description = "password encrypted volumes in longhorn"
+ sensitive = true
+}
+
 variable "mesh_mgr_ips" {
 description = "static IPs to use for managers"
 }
diff --git a/terraform/vars.tf b/terraform/vars.tf
index 0fa7746..1f4a561 100644
--- a/terraform/vars.tf
+++ b/terraform/vars.tf
@@ -60,6 +60,12 @@ variable "mesh_local_password" {
 sensitive = true
 }
 
+variable "longhorn_passphrase" {
+ type = string
+ description = "password encrypted volumes in longhorn"
+ sensitive = true
+}
+
 variable "mesh_mgr_ips" {
 description = "static IPs to use for managers"
 }
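Review bot: `description = "password encrypted volumes in longhorn"` in the terraform/mesh_cluster/vars.tf hunk reads as if a word is missing and does not say where the value ends up; `description = "passphrase for Longhorn encrypted volumes (becomes CRYPTO_KEY_VALUE of the longhorn-crypto Secret)"` would. The same description appears in the terraform/vars.tf hunk and should be changed there too. Since an empty string would still render into the Secret, a `validation` block on the variable with `condition = length(var.longhorn_passphrase) > 0` would fail at plan time when the `LONGHORN_PASSPHRASE` repository secret is unset, instead of shipping an empty passphrase to the cluster.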