SwapVolumeConfig
SwapVolumeConfig is a disk swap volume configuration document.
Swap volume is automatically allocated as a partition on the specified disk
and activated as swap, removing a swap volume deactivates swap.
The partition label is automatically generated as
s-<name>.apiVersion: v1alpha1
kind: SwapVolumeConfig
name: swap1 # Name of the volume.
# The provisioning describes how the volume is provisioned.
provisioning:
# The disk selector expression.
diskSelector:
match: disk.transport == "nvme" # The Common Expression Language (CEL) expression to match the disk.
minSize: 3GiB # The minimum size of the volume.
maxSize: 4GiB # The maximum size of the volume, if not specified the volume can grow to the size of the
# The encryption describes how the volume is encrypted.
encryption:
provider: luks2 # Encryption provider to use for the encryption.
# Defines the encryption keys generation and storage method.
keys:
- slot: 0 # Key slot number for LUKS2 encryption.
# Key which value is stored in the configuration file.
static:
passphrase: swapsecret # Defines the static passphrase value.
# # KMS managed encryption key.
# kms:
# endpoint: https://192.168.88.21:4443 # KMS endpoint to Seal/Unseal the key.
# # Cipher to use for the encryption. Depends on the encryption provider.
# cipher: aes-xts-plain64
# # Defines the encryption sector size.
# blockSize: 4096
# # Additional --perf parameters for the LUKS2 encryption.
# options:
# - no_read_workqueue
# - no_write_workqueue| Field | Type | Description | Value(s) |
|---|---|---|---|
name | string | Name of the volume. Name might be between 1 and 34 characters long and can only contain: lowercase and uppercase ASCII letters, digits, and hyphens. | |
provisioning | ProvisioningSpec | The provisioning describes how the volume is provisioned. | |
encryption | EncryptionSpec | The encryption describes how the volume is encrypted. |
provisioning
ProvisioningSpec describes how the volume is provisioned.
| Field | Type | Description | Value(s) |
|---|---|---|---|
diskSelector | DiskSelector | The disk selector expression. | |
grow | bool | Should the volume grow to the size of the disk (if possible). | |
minSize | ByteSize | The minimum size of the volume. Size is specified in bytes, but can be expressed in human readable format, e.g. 100MB. Show example(s) | |
maxSize | ByteSize | The maximum size of the volume, if not specified the volume can grow to the size of the disk. Size is specified in bytes, but can be expressed in human readable format, e.g. 100MB. Show example(s) |
diskSelector
DiskSelector selects a disk for the volume.
| Field | Type | Description | Value(s) |
|---|---|---|---|
match | Expression | The Common Expression Language (CEL) expression to match the disk.Show example(s) |
encryption
EncryptionSpec represents volume encryption settings.
encryption:
provider: luks2 # Encryption provider to use for the encryption.
# Defines the encryption keys generation and storage method.
keys:
- slot: 0 # Key slot number for LUKS2 encryption.
# Key which value is stored in the configuration file.
static:
passphrase: exampleKey # Defines the static passphrase value.
# # KMS managed encryption key.
# kms:
# endpoint: https://192.168.88.21:4443 # KMS endpoint to Seal/Unseal the key.
- slot: 1 # Key slot number for LUKS2 encryption.
# KMS managed encryption key.
kms:
endpoint: https://example-kms-endpoint.com # KMS endpoint to Seal/Unseal the key.
cipher: aes-xts-plain64 # Cipher to use for the encryption. Depends on the encryption provider.
blockSize: 4096 # Defines the encryption sector size.
# # Additional --perf parameters for the LUKS2 encryption.
# options:
# - no_read_workqueue
# - no_write_workqueue| Field | Type | Description | Value(s) |
|---|---|---|---|
provider | EncryptionProviderType | Encryption provider to use for the encryption. | luks2 |
keys | []EncryptionKey | Defines the encryption keys generation and storage method. | |
cipher | string | Cipher to use for the encryption. Depends on the encryption provider.Show example(s) | aes-xts-plain64xchacha12,aes-adiantum-plain64xchacha20,aes-adiantum-plain64 |
keySize | uint | Defines the encryption key length. | |
blockSize | uint64 | Defines the encryption sector size.Show example(s) | |
options | []string | Additional –perf parameters for the LUKS2 encryption.Show example(s) | no_read_workqueueno_write_workqueuesame_cpu_crypt |
keys[]
EncryptionKey represents configuration for disk encryption key.
| Field | Type | Description | Value(s) |
|---|---|---|---|
slot | int | Key slot number for LUKS2 encryption. | |
static | EncryptionKeyStatic | Key which value is stored in the configuration file. | |
nodeID | EncryptionKeyNodeID | Deterministically generated key from the node UUID and PartitionLabel. | |
kms | EncryptionKeyKMS | KMS managed encryption key. | |
tpm | EncryptionKeyTPM | Enable TPM based disk encryption. |
static
EncryptionKeyStatic represents throw away key type.
| Field | Type | Description | Value(s) |
|---|---|---|---|
passphrase | string | Defines the static passphrase value. |
nodeID
EncryptionKeyNodeID represents deterministically generated key from the node UUID and PartitionLabel.
kms
EncryptionKeyKMS represents a key that is generated and then sealed/unsealed by the KMS server.
encryption:
keys:
- kms:
endpoint: https://192.168.88.21:4443 # KMS endpoint to Seal/Unseal the key.| Field | Type | Description | Value(s) |
|---|---|---|---|
endpoint | string | KMS endpoint to Seal/Unseal the key. |
tpm
EncryptionKeyTPM represents a key that is generated and then sealed/unsealed by the TPM.
| Field | Type | Description | Value(s) |
|---|---|---|---|
checkSecurebootStatusOnEnroll | bool | Check that Secureboot is enabled in the EFI firmware. If Secureboot is not enabled, the enrollment of the key will fail. As the TPM key is anyways bound to the value of PCR 7, changing Secureboot status or configuration after the initial enrollment will make the key unusable. |