digitalocean · paravibe · Jun 20, 2023 · Jul 13, 2023 · Jul 13, 2023 · Jul 13, 2023
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 ## unreleased
 
+## v4.7.0 - 2023.06.23
+* Add LUKS encryption support
+  [[GH-514]](https://github.com/digitalocean/csi-digitalocean/pull/514)
+
 ## v4.6.1 - 2023.05.17
 * Update CSI sidecars to latest
   [[GH-502]](https://github.com/digitalocean/csi-digitalocean/pull/502)

diff --git a/README.md b/README.md
@@ -277,6 +277,21 @@ $ kubectl exec -ti my-csi-app /bin/sh
 hello-world
 ```
 
+## Volume parameters
+
+This plugin supports the following `StorageClass` parameters:
+
+For LUKS encryption:
+
+* `dobs.csi.digitalocean.com/luks-encrypted`: set to the string `"true"` if the volume should be encrypted
+  with LUKS
+* `dobs.csi.digitalocean.com/luks-cipher`: cipher to use; must be supported by the kernel and luks
+* `dobs.csi.digitalocean.com/luks-key-size`: key-size to use
+
+For LUKS encrypted volumes, a secret that contains the LUKS key needs to be referenced through
+the `csi.storage.k8s.io/node-stage-secret-name` and `csi.storage.k8s.io/node-stage-secret-namespace`
+parameter. See the included `StorageClass` definition.
+
 ## Upgrading
 
 When upgrading to a new Kubernetes minor version, you should upgrade the CSI

diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-v4.6.1
+v4.7.0
diff --git a/cmd/do-csi-plugin/Dockerfile b/cmd/do-csi-plugin/Dockerfile
@@ -17,6 +17,7 @@ FROM amd64/alpine:3.16
 # e2fsprogs-extra is required for resize2fs used for the resize operation
 # blkid: block device identification tool from util-linux
 RUN apk add --no-cache ca-certificates \
+                       cryptsetup \
                        e2fsprogs \
                        findmnt \
                        xfsprogs \

diff --git a/deploy/kubernetes/releases/csi-digitalocean-dev/driver.yaml b/deploy/kubernetes/releases/csi-digitalocean-dev/driver.yaml
@@ -38,6 +38,36 @@ deletionPolicy: Delete
 
 ---
 
+kind: StorageClass
+apiVersion: storage.k8s.io/v1
+metadata:
+  name: do-block-storage-luks-global
+provisioner: dobs.csi.digitalocean.com
+allowVolumeExpansion: true
+parameters:
+  dobs.csi.digitalocean.com/luks-encrypted: "true"
+  dobs.csi.digitalocean.com/luks-cipher: "aes-xts-plain64"
+  dobs.csi.digitalocean.com/luks-key-size: "512"
+  csi.storage.k8s.io/node-stage-secret-namespace: "kube-system"
+  csi.storage.k8s.io/node-stage-secret-name: "luks-key"
+
+---
+
+kind: StorageClass
+apiVersion: storage.k8s.io/v1
+metadata:
+  name: do-block-storage-luks
+provisioner: dobs.csi.digitalocean.com
+allowVolumeExpansion: true
+parameters:
+  dobs.csi.digitalocean.com/luks-encrypted: "true"
+  dobs.csi.digitalocean.com/luks-cipher: "aes-xts-plain64"
+  dobs.csi.digitalocean.com/luks-key-size: "512"
+  csi.storage.k8s.io/node-stage-secret-namespace: ${pvc.namespace}
+  csi.storage.k8s.io/node-stage-secret-name: ${pvc.name}-luks-key
+
+---
+
 kind: StorageClass
 apiVersion: storage.k8s.io/v1
 metadata:
@@ -443,6 +473,8 @@ spec:
               mountPropagation: "Bidirectional"
             - name: device-dir
               mountPath: /dev
+            - name: tmpfs
+              mountPath: /tmp
       volumes:
         - name: registration-dir
           hostPath:
@@ -462,6 +494,10 @@ spec:
         - name: udev-rules-dir
           hostPath:
             path: /etc/udev/rules.d/
+        # to make sure temporary stored luks keys never touch a disk
+        - name: tmpfs
+          emptyDir:
+            medium: Memory
 ---
 
 apiVersion: v1