Enable Longhorn dynamic volume provisioning with secret creation to support Longhorn encryption per volume
Summary
Enable Longhorn dynamic volume provisioning with secret creation to support Longhorn encryption per volume.
https://longhorn.io/docs/1.5.3/advanced-resources/security/volume-encryption/
To enable a Longhorn encryption StorageClass with per-volume encryption, a dynamic provisioner needs to be implemented to create the secret per PVC and namespace.
related references
Details
To support Longhorn encryption per volume, the StorageClass has been configured with the details below to provision the volume with encryption, which requires a dynamic secret for creation as well as publish.

allowVolumeExpansion: true
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  annotations:
    longhorn.io/last-applied-configmap: |
      kind: StorageClass
      apiVersion: storage.k8s.io/v1
      metadata:
        name: longhorn-crypto-per-volume
        annotations:
          storageclass.kubernetes.io/is-default-class: "false"
      provisioner: driver.longhorn.io
      allowVolumeExpansion: true
      reclaimPolicy: "Delete"
      volumeBindingMode: Immediate
      parameters:
        numberOfReplicas: "3"
        staleReplicaTimeout: "30"
        fromBackup: ""
        fsType: "ext4"
        dataLocality: "disabled"
    storageclass.kubernetes.io/is-default-class: 'false'
  managedFields:
    - apiVersion: storage.k8s.io/v1
      fieldsType: FieldsV1
      fieldsV1:
        f:allowVolumeExpansion: {}
        f:metadata:
          f:annotations:
            .: {}
            f:longhorn.io/last-applied-configmap: {}
            f:storageclass.kubernetes.io/is-default-class: {}
        f:parameters:
          .: {}
          f:dataLocality: {}
          f:fromBackup: {}
          f:fsType: {}
          f:numberOfReplicas: {}
          f:staleReplicaTimeout: {}
        f:provisioner: {}
        f:reclaimPolicy: {}
        f:volumeBindingMode: {}
      manager: longhorn-manager
      operation: Update
  name: longhorn-crypto-per-volume
parameters:
  dataLocality: disabled
  fromBackup: ''
  fsType: ext4
  numberOfReplicas: '3'
  staleReplicaTimeout: '30'
  encrypted: "true"
  csi.storage.k8s.io/provisioner-secret-name: ${pvc.name}
  csi.storage.k8s.io/provisioner-secret-namespace: ${pvc.namespace}
  csi.storage.k8s.io/node-publish-secret-name: ${pvc.name}
  csi.storage.k8s.io/node-publish-secret-namespace: ${pvc.namespace}
  csi.storage.k8s.io/node-stage-secret-name: ${pvc.name}
  csi.storage.k8s.io/node-stage-secret-namespace: ${pvc.namespace}
provisioner: driver.longhorn.io
reclaimPolicy: Delete
volumeBindingMode: Immediate
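
An added sketch (not code from this issue or from the Longhorn project) of the Secret a per-PVC creator would have to produce for the StorageClass above: it expands the ${pvc.name} and ${pvc.namespace} templates for one claim, checks that all three CSI stages point at the same Secret, and builds a manifest with a fresh random passphrase. The function names and the PVC name and namespace are hypothetical; CRYPTO_KEY_VALUE and CRYPTO_KEY_PROVIDER are the keys documented on the Longhorn volume-encryption page linked above.

```python
import json
import secrets

STAGES = ("provisioner", "node-stage", "node-publish")
FIELDS = ("name", "namespace")
PREFIX = "csi.storage.k8s.io/"

# Secret-template parameters as they appear in the StorageClass above.
SC_PARAMS = {
    f"{PREFIX}{stage}-secret-{field}": "${pvc.%s}" % field
    for stage in STAGES for field in FIELDS
}

def resolve_secret_refs(params, pvc_name, pvc_namespace):
    """Expand the ${pvc.*} templates for one PVC (simplified stand-in for
    the substitution the CSI sidecars perform); returns (name, namespace) pairs."""
    refs = set()
    for stage in STAGES:
        pair = tuple(
            params[f"{PREFIX}{stage}-secret-{field}"]
            .replace("${pvc.name}", pvc_name)
            .replace("${pvc.namespace}", pvc_namespace)
            for field in FIELDS
        )
        refs.add(pair)
    return refs

def build_volume_secret(params, pvc_name, pvc_namespace):
    """Build the per-volume Secret manifest with its own random passphrase."""
    refs = resolve_secret_refs(params, pvc_name, pvc_namespace)
    if len(refs) != 1:
        # Provisioning, staging and publishing must all read the same key.
        raise ValueError(f"stages resolve to different secrets: {sorted(refs)}")
    name, namespace = next(iter(refs))
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "stringData": {
            "CRYPTO_KEY_VALUE": secrets.token_urlsafe(32),  # unique per volume
            "CRYPTO_KEY_PROVIDER": "secret",
        },
    }

if __name__ == "__main__":
    # Constructed PVC name and namespace, for illustration only.
    print(json.dumps(build_volume_secret(SC_PARAMS, "data-db-0", "team-a"), indent=2))
```

The printed JSON can be piped to `kubectl apply -f -`; the Secret has to exist in the PVC's namespace by the time the provisioner handles the claim.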