Skip to main content
apiVersion: v1alpha1
kind: UserVolumeConfig
name: ceph-data # Name of the volume.
# The provisioning describes how the volume is provisioned.
provisioning:
    # The disk selector expression.
    diskSelector:
        match: disk.transport == "nvme" # The Common Expression Language (CEL) expression to match the disk.
    maxSize: 50GiB # The maximum size of the volume, if not specified the volume can grow to the size of the

    # # The minimum size of the volume.
    # minSize: 2.5GiB
# The filesystem describes how the volume is formatted.
filesystem:
    type: xfs # Filesystem type. Default is `xfs`.
# The encryption describes how the volume is encrypted.
encryption:
    provider: luks2 # Encryption provider to use for the encryption.
    # Defines the encryption keys generation and storage method.
    keys:
        - slot: 0 # Key slot number for LUKS2 encryption.
          # Enable TPM based disk encryption.
          tpm: {}

          # # KMS managed encryption key.
          # kms:
          #     endpoint: https://192.168.88.21:4443 # KMS endpoint to Seal/Unseal the key.
        - slot: 1 # Key slot number for LUKS2 encryption.
          # Key which value is stored in the configuration file.
          static:
            passphrase: topsecret # Defines the static passphrase value.

          # # KMS managed encryption key.
          # kms:
          #     endpoint: https://192.168.88.21:4443 # KMS endpoint to Seal/Unseal the key.

    # # Cipher to use for the encryption. Depends on the encryption provider.
    # cipher: aes-xts-plain64

    # # Defines the encryption sector size.
    # blockSize: 4096

    # # Additional --perf parameters for the LUKS2 encryption.
    # options:
    #     - no_read_workqueue
    #     - no_write_workqueue
FieldTypeDescriptionValue(s)
namestring
provisioningProvisioningSpecThe provisioning describes how the volume is provisioned.
filesystemFilesystemSpecThe filesystem describes how the volume is formatted.
encryptionEncryptionSpecThe encryption describes how the volume is encrypted.

provisioning

ProvisioningSpec describes how the volume is provisioned.
FieldTypeDescriptionValue(s)
diskSelectorDiskSelectorThe disk selector expression.
growboolShould the volume grow to the size of the disk (if possible).
minSizeByteSize
maxSizeByteSize

diskSelector

DiskSelector selects a disk for the volume.
FieldTypeDescriptionValue(s)
matchExpressionThe Common Expression Language (CEL) expression to match the disk.

filesystem

FilesystemSpec configures the filesystem for the volume.
FieldTypeDescriptionValue(s)
typeFilesystemTypeFilesystem type. Default is xfs.ext4
xfs

encryption

EncryptionSpec represents volume encryption settings. 
encryption:
    provider: luks2 # Encryption provider to use for the encryption.
    # Defines the encryption keys generation and storage method.
    keys:
        - slot: 0 # Key slot number for LUKS2 encryption.
          # Key which value is stored in the configuration file.
          static:
            passphrase: exampleKey # Defines the static passphrase value.

          # # KMS managed encryption key.
          # kms:
          #     endpoint: https://192.168.88.21:4443 # KMS endpoint to Seal/Unseal the key.
        - slot: 1 # Key slot number for LUKS2 encryption.
          # KMS managed encryption key.
          kms:
            endpoint: https://example-kms-endpoint.com # KMS endpoint to Seal/Unseal the key.
    cipher: aes-xts-plain64 # Cipher to use for the encryption. Depends on the encryption provider.
    blockSize: 4096 # Defines the encryption sector size.

    # # Additional --perf parameters for the LUKS2 encryption.
    # options:
    #     - no_read_workqueue
    #     - no_write_workqueue
FieldTypeDescriptionValue(s)
providerEncryptionProviderTypeEncryption provider to use for the encryption.luks2
keysEncryptionKeyDefines the encryption keys generation and storage method.
cipherstringCipher to use for the encryption. Depends on the encryption provider.aes-xts-plain64
xchacha12,aes-adiantum-plain64
xchacha20,aes-adiantum-plain64
keySizeuintDefines the encryption key length.
blockSizeuint64Defines the encryption sector size.
options[]stringAdditional —perf parameters for the LUKS2 encryption.no_read_workqueue
no_write_workqueue
same_cpu_crypt

keys[]

EncryptionKey represents configuration for disk encryption key.
FieldTypeDescriptionValue(s)
slotintKey slot number for LUKS2 encryption.
staticEncryptionKeyStaticKey which value is stored in the configuration file.
nodeIDEncryptionKeyNodeIDDeterministically generated key from the node UUID and PartitionLabel.
kmsEncryptionKeyKMSKMS managed encryption key.
tpmEncryptionKeyTPMEnable TPM based disk encryption.

static

EncryptionKeyStatic represents throw away key type.
FieldTypeDescriptionValue(s)
passphrasestringDefines the static passphrase value.

nodeID

EncryptionKeyNodeID represents deterministically generated key from the node UUID and PartitionLabel.

kms

EncryptionKeyKMS represents a key that is generated and then sealed/unsealed by the KMS server. 
encryption:
    keys:
        - kms:
            endpoint: https://192.168.88.21:4443 # KMS endpoint to Seal/Unseal the key.
FieldTypeDescriptionValue(s)
endpointstringKMS endpoint to Seal/Unseal the key.

tpm

EncryptionKeyTPM represents a key that is generated and then sealed/unsealed by the TPM.
FieldTypeDescriptionValue(s)
checkSecurebootStatusOnEnrollbool