
Encrypting volumes

Open montyz opened this issue 7 years ago • 5 comments

It'd be great if I could specify that the es storage be encrypted.

montyz avatar May 07 '18 16:05 montyz

You can probably (haven't tried it yet) do this by creating a storageclass with encrypted: true (and a valid key in KMS) and referencing that storageclass in the cluster definition. https://kubernetes.io/docs/concepts/storage/storage-classes/#aws

pieterlange avatar May 07 '18 22:05 pieterlange

You can use this:

  kind: StorageClass
  apiVersion: storage.k8s.io/v1
  metadata:
    name: enc-ebs-gp2
  provisioner: kubernetes.io/aws-ebs
  parameters:
    type: gp2
    fsType: ext4
    encrypted: "true"

peterloron avatar May 08 '18 03:05 peterloron

So far I tried creating a default storage class that is encrypted, as well as specifying an explicit storage class:

  storage:
    type: gp2
    storage-class: standard-xfs

In both cases the operator creates its own storage classes named us-west-* and uses them:

k get sc
NAME                     PROVISIONER             AGE
default                  kubernetes.io/aws-ebs   1d
gp2                      kubernetes.io/aws-ebs   1d
standard-xfs (default)   kubernetes.io/aws-ebs   16h
us-west-2a               kubernetes.io/aws-ebs   16h
us-west-2b               kubernetes.io/aws-ebs   16h
us-west-2c               kubernetes.io/aws-ebs   16h

Also, when I delete the cluster, the pvcs remain behind.

montyz avatar May 09 '18 15:05 montyz

I was able to get this working by setting up my own storage classes named us-west-2* before deploying the cluster. I also had to manually delete the pvcs and pvs before that would work. They aren't deleted when the cluster is deleted and were reused.

montyz avatar May 09 '18 16:05 montyz
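
The workaround in the comment above (pre-creating encrypted storage classes named after the zones), scripted as an added example that is not part of the original thread or the operator's own code. The `zone` and `kmsKeyId` parameters of the `kubernetes.io/aws-ebs` provisioner, the function names, and the tab-separated audit input are assumptions of this example.

```shell
#!/bin/sh
# Added example: render one encrypted StorageClass per availability zone,
# named after the zone so the operator finds it instead of creating its own.

# render_sc ZONE [KMS_KEY_ID] -> prints one StorageClass manifest
render_sc() {
  zone=$1
  kms=${2:-}
  cat <<EOF
---
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: ${zone}
provisioner: kubernetes.io/aws-ebs
parameters:
  type: gp2
  zone: ${zone}
  fsType: ext4
  encrypted: "true"
EOF
  # Optional customer-managed key; without it EBS uses the account default key.
  if [ -n "$kms" ]; then
    printf '  kmsKeyId: %s\n' "$kms"
  fi
}

# render_all ZONE... -> manifests for every zone (KMS_KEY_ID from the environment)
render_all() {
  for z in "$@"; do
    render_sc "$z" "${KMS_KEY_ID:-}"
  done
}

# unencrypted_ebs_classes: reads "name<TAB>provisioner<TAB>encrypted" lines on
# stdin and prints the names of aws-ebs classes that are not encrypted.
# Input can be produced with:
#   kubectl get sc -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.provisioner}{"\t"}{.parameters.encrypted}{"\n"}{end}'
unencrypted_ebs_classes() {
  awk -F'\t' '$2 == "kubernetes.io/aws-ebs" && $3 != "true" { print $1 }'
}

# Typical use, before deploying the cluster:
#   render_all us-west-2a us-west-2b us-west-2c | kubectl apply -f -
# and afterwards, pipe the jsonpath output above into unencrypted_ebs_classes.
```

Any name printed by `unencrypted_ebs_classes` is a class whose volumes would be provisioned without encryption; existing PVs keep the setting they were created with, so check them separately.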

There is an open issue to fix which will get merged soon. It got lost in a big refactor a while back.

stevesloka avatar May 13 '18 14:05 stevesloka