UserVolumeConfig

UserVolumeConfig is a user volume configuration document. User volume is automatically allocated as a partition on the specified disk and mounted under /var/mnt/<name>. The partition label is automatically generated as u-<name>.

apiVersion: v1alpha1
kind: UserVolumeConfig
name: ceph-data # Name of the volume.
# The provisioning describes how the volume is provisioned.
provisioning:
    # The disk selector expression.
    diskSelector:
        match: disk.transport == "nvme" # The Common Expression Language (CEL) expression to match the disk.
    maxSize: 50GiB # The maximum size of the volume, if not specified the volume can grow to the size of the

    # # The minimum size of the volume.
    # minSize: 2.5GiB
# The filesystem describes how the volume is formatted.
filesystem:
    type: xfs # Filesystem type. Default is `xfs`.
# The encryption describes how the volume is encrypted.
encryption:
    provider: luks2 # Encryption provider to use for the encryption.
    # Defines the encryption keys generation and storage method.
    keys:
        - slot: 0 # Key slot number for LUKS2 encryption.
          # Enable TPM based disk encryption.
          tpm: {}

          # # KMS managed encryption key.
          # kms:
          #     endpoint: https://192.168.88.21:4443 # KMS endpoint to Seal/Unseal the key.
        - slot: 1 # Key slot number for LUKS2 encryption.
          # Key which value is stored in the configuration file.
          static:
            passphrase: topsecret # Defines the static passphrase value.

          # # KMS managed encryption key.
          # kms:
          #     endpoint: https://192.168.88.21:4443 # KMS endpoint to Seal/Unseal the key.

    # # Cipher to use for the encryption. Depends on the encryption provider.
    # cipher: aes-xts-plain64

    # # Defines the encryption sector size.
    # blockSize: 4096

    # # Additional --perf parameters for the LUKS2 encryption.
    # options:
    #     - no_read_workqueue
    #     - no_write_workqueue

Field	Type	Description
`name`	string	Name of the volume. Name might be between 1 and 34 characters long and can only contain: lowercase and uppercase ASCII letters, digits, and hyphens.
`provisioning`	ProvisioningSpec	The provisioning describes how the volume is provisioned.
`filesystem`	FilesystemSpec	The filesystem describes how the volume is formatted.
`encryption`	EncryptionSpec	The encryption describes how the volume is encrypted.

provisioning

ProvisioningSpec describes how the volume is provisioned.

Field	Type	Description
`diskSelector`	DiskSelector	The disk selector expression.
`grow`	bool	Should the volume grow to the size of the disk (if possible).
`minSize`	ByteSize	The minimum size of the volume. Size is specified in bytes, but can be expressed in human readable format, e.g. 100MB. Show example(s) `minSize: 2.5GiB`
`maxSize`	ByteSize	The maximum size of the volume, if not specified the volume can grow to the size of the disk. Size is specified in bytes, but can be expressed in human readable format, e.g. 100MB. Show example(s) `maxSize: 50GiB`

diskSelector

DiskSelector selects a disk for the volume.

Field	Type	Description	Value(s)
`match`	Expression	The Common Expression Language (CEL) expression to match the disk. Show example(s) `match: disk.size > 120u * GB && disk.size < 1u * TB` `match: disk.transport == "sata" && !disk.rotational && !system_disk`

filesystem

FilesystemSpec configures the filesystem for the volume.

Field	Type	Description	Value(s)
`type`	FilesystemType	Filesystem type. Default is `xfs`.	`ext4` `xfs`

encryption

EncryptionSpec represents volume encryption settings.

encryption:
    provider: luks2 # Encryption provider to use for the encryption.
    # Defines the encryption keys generation and storage method.
    keys:
        - slot: 0 # Key slot number for LUKS2 encryption.
          # Key which value is stored in the configuration file.
          static:
            passphrase: exampleKey # Defines the static passphrase value.

          # # KMS managed encryption key.
          # kms:
          #     endpoint: https://192.168.88.21:4443 # KMS endpoint to Seal/Unseal the key.
        - slot: 1 # Key slot number for LUKS2 encryption.
          # KMS managed encryption key.
          kms:
            endpoint: https://example-kms-endpoint.com # KMS endpoint to Seal/Unseal the key.
    cipher: aes-xts-plain64 # Cipher to use for the encryption. Depends on the encryption provider.
    blockSize: 4096 # Defines the encryption sector size.

    # # Additional --perf parameters for the LUKS2 encryption.
    # options:
    #     - no_read_workqueue
    #     - no_write_workqueue

Field	Type	Description	Value(s)
`provider`	EncryptionProviderType	Encryption provider to use for the encryption.	`luks2`
`keys`	[]EncryptionKey	Defines the encryption keys generation and storage method.
`cipher`	string	Cipher to use for the encryption. Depends on the encryption provider. Show example(s) `cipher: aes-xts-plain64`	`aes-xts-plain64` `xchacha12,aes-adiantum-plain64` `xchacha20,aes-adiantum-plain64`
`keySize`	uint	Defines the encryption key length.
`blockSize`	uint64	Defines the encryption sector size. Show example(s) `blockSize: 4096`
`options`	[]string	Additional –perf parameters for the LUKS2 encryption. Show example(s) `options: - no_read_workqueue - no_write_workqueue`	`no_read_workqueue` `no_write_workqueue` `same_cpu_crypt`

keys[]

EncryptionKey represents configuration for disk encryption key.

Field	Type	Description
`slot`	int	Key slot number for LUKS2 encryption.
`static`	EncryptionKeyStatic	Key which value is stored in the configuration file.
`nodeID`	EncryptionKeyNodeID	Deterministically generated key from the node UUID and PartitionLabel.
`kms`	EncryptionKeyKMS	KMS managed encryption key.
`tpm`	EncryptionKeyTPM	Enable TPM based disk encryption.

static

EncryptionKeyStatic represents throw away key type.

Field	Type	Description	Value(s)
`passphrase`	string	Defines the static passphrase value.

nodeID

EncryptionKeyNodeID represents deterministically generated key from the node UUID and PartitionLabel.

kms

EncryptionKeyKMS represents a key that is generated and then sealed/unsealed by the KMS server.

encryption:
    keys:
        - kms:
            endpoint: https://192.168.88.21:4443 # KMS endpoint to Seal/Unseal the key.

Field	Type	Description	Value(s)
`endpoint`	string	KMS endpoint to Seal/Unseal the key.

tpm

EncryptionKeyTPM represents a key that is generated and then sealed/unsealed by the TPM.

Field	Type	Description	Value(s)
`checkSecurebootStatusOnEnroll`	bool	Check that Secureboot is enabled in the EFI firmware. If Secureboot is not enabled, the enrollment of the key will fail. As the TPM key is anyways bound to the value of PCR 7, changing Secureboot status or configuration after the initial enrollment will make the key unusable.

Last modified April 17, 2025: feat: support encryption config for user volumes (ae94377d1)