Add encrypted storage class to longhorn

.github/workflows/deploy_k8s_cluster.yaml

@@ -16,6 +16,7 @@ env:
   TF_VAR_mesh_local_password: ${{ secrets.TF_VAR_MESHDB_LOCAL_PASSWORD }}
   TF_VAR_k3s_token: ${{ secrets.TF_VAR_K3S_TOKEN }}
   TF_VAR_DATADOG_API_KEY: ${{ secrets.DATADOG_API_KEY }}
+  TF_VAR_longhorn_passphrase: ${{ secrets.LONGHORN_PASSPHRASE }}
   # Credentials for deployment to AWS
   AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
   AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

ansible/roles/k8s-cluster-helm/tasks/main.yaml

@@ -1,6 +1,6 @@
 - name: Copy longhorn manifiest
   ansible.builtin.copy:
-    src: ./files/longhorn_manifest.yaml
+    src: ./templates/longhorn_manifest.yaml.j2
     dest: /root/longhorn_manifest.yaml
     owner: root
     group: root

ansible/roles/k8s-cluster-helm/templates/longhorn_manifest.yaml.j2

@@ -0,0 +1,45 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: longhorn-system
+---
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+  name: longhorn
+  namespace: longhorn-system
+spec:
+  repo: https://charts.longhorn.io
+  chart: longhorn
+  targetNamespace: longhorn-system
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: longhorn-crypto
+  namespace: longhorn-system
+stringData:
+  CRYPTO_KEY_VALUE: "{{ LONGHORN_PASSPHRASE }}"
+  CRYPTO_KEY_PROVIDER: "secret"
+  CRYPTO_KEY_CIPHER: "aes-xts-plain64"
+  CRYPTO_KEY_HASH: "sha256"
+  CRYPTO_KEY_SIZE: "256"
+  CRYPTO_PBKDF: "argon2i"
+---
+kind: StorageClass
+apiVersion: storage.k8s.io/v1
+metadata:
+  name: longhorn-encrypted
+provisioner: driver.longhorn.io
+allowVolumeExpansion: true
+parameters:
+  numberOfReplicas: "3"
+  staleReplicaTimeout: "2880" # 48 hours in minutes
+  fromBackup: ""
+  encrypted: "true"
+  csi.storage.k8s.io/provisioner-secret-name: "longhorn-crypto"
+  csi.storage.k8s.io/provisioner-secret-namespace: "longhorn-system"
+  csi.storage.k8s.io/node-publish-secret-name: "longhorn-crypto"
+  csi.storage.k8s.io/node-publish-secret-namespace: "longhorn-system"
+  csi.storage.k8s.io/node-stage-secret-name: "longhorn-crypto"
+  csi.storage.k8s.io/node-stage-secret-namespace: "longhorn-system"

terraform/cluster.tf

@@ -21,6 +21,7 @@ module "some_mesh_cluster" {
   mesh_external_ip              = var.mesh_external_ip
   meshdb_fqdn                   = var.meshdb_fqdn
   mesh_local_password           = var.mesh_local_password
+  longhorn_passphrase           = var.longhorn_passphrase
   k3s_token                     = var.k3s_token
   DATADOG_API_KEY               = var.DATADOG_API_KEY
   vm_nic                        = var.vm_nic

terraform/mesh_cluster/ansible.tf

@@ -8,6 +8,7 @@ resource "ansible_group" "mgrs" {
     K3S_TOKEN                    = var.k3s_token
     DATADOG_API_KEY              = var.DATADOG_API_KEY
     ENV_NAME                     = var.mesh_env_name
+    LONGHORN_PASSPHRASE          = var.longhorn_passphrase
   }
 }
 

terraform/mesh_cluster/vars.tf

@@ -32,6 +32,12 @@ variable "mesh_local_password" {
   sensitive   = true
 }
 
+variable "longhorn_passphrase" {
+  type        = string
+  description = "password encrypted volumes in longhorn"
+  sensitive   = true
+}
+
 variable "mesh_mgr_ips" {
   description = "static IPs to use for managers"
 }

terraform/vars.tf

@@ -60,6 +60,12 @@ variable "mesh_local_password" {
   sensitive   = true
 }
 
+variable "longhorn_passphrase" {
+  type        = string
+  description = "password encrypted volumes in longhorn"
+  sensitive   = true
+}
+
 variable "mesh_mgr_ips" {
   description = "static IPs to use for managers"
 }