diff --git a/docs/07-Release Notes/v0.22/v0.22.9.md b/docs/07-Release Notes/v0.22/v0.22.9.md new file mode 100644 index 0000000..2183d24 --- /dev/null +++ b/docs/07-Release Notes/v0.22/v0.22.9.md 
@@ -0,0 +1,52 @@ +--- +slug: /release-notes/v0.22.9 +title: v0.22.9 +sidebar_position: 1 +--- +# metal-stack v0.22.9 +See original release note at [https://github.com/metal-stack/releases/releases/tag/v0.22.9](https://github.com/metal-stack/releases/releases/tag/v0.22.9) +## General +* [Gardener v1.128](https://github.com/gardener/gardener/releases/tag/v1.128.0) + * Please note that this release contains the gardener-apiserver built from the metal-stack fork in order to prevent the defaulting of worker machine images by Gardener. This will be resolved upstream with https://github.com/gardener/gardener/pull/13785. If you do not use short image versions in the `CloudProfile` you can also use the upstream version of the gardener-apiserver. +## Required Actions +* Update existing zitadel-init configurations in your deployment (`zitadel_init_config`) to use `redirect_uris` instead of `redirect_uri`. (metal-stack/zitadel-init#9) +* If during reconciles of old shoots the following shoot error occurs: `ScrapeConfig.monitoring.coreos.com "shoot-blackbox-exporter-k8s-service-check is invalid: spec.kubernetesSDConfigs[0].role: Unsupported value: "service"`, it is enough to edit the `ScrapeConfig` in the shoot namespace in the `Seed` and correct `service` to `Service`. +## Component Releases +### metal-roles v0.20.1 +* Use new OCI helm-charts from metal-stack. (metal-stack/metal-roles#582) @Gerrit91 +* Add param for deploying `ClusterRoleBinding`s into the virtual garden. (metal-stack/metal-roles#585) @Gerrit91 +### api v0.0.61 +* Machine create refinements (metal-stack/api#119) @majst01 +* Map validations (metal-stack/api#122) @majst01 +### node-init v0.1.8 +* Update actions workflows and dependencies. 
(metal-stack/node-init#20) @Gerrit91 +* feat: configure HTTP transport for persistent connections to kube-apiserver (metal-stack/node-init#19) @mwennrich +* include sbom in container image (metal-stack/node-init#17) @mac641 +### zitadel-init v0.3.3 +* Allow configuration of multiple redirect URIs. (metal-stack/zitadel-init#9) @Gerrit91 +# Merged Pull Requests +This is a list of pull requests that were merged since the last release. The list does not contain pull requests from release-vector-repositories. + +The fact that these pull requests were merged does not necessarily imply that they have already become part of this metal-stack release. + +* More documentation for release-drafter action. (metal-stack/actions-common#6) @Gerrit91 +* Provide common helm-chart action. (metal-stack/actions-common#7) @Gerrit91 +* chore: blog maintainers (metal-stack/website#253) @vknabel +* Bump releases to version v0.22.8 (metal-stack/website#252) @metal-robot[bot] +* Remove unnecessary braces from if conditions. (metal-stack/actions-common#9) @Gerrit91 +* Fix issue comments only working on pull requests. (metal-stack/metal-robot#108) @Gerrit91 +* chore(deps): bump postcss from 8.5.9 to 8.5.10 in the other-dependencies group (metal-stack/website#251) @dependabot[bot] +* chore(deps): bump the docusaurus-dependencies group with 2 updates (metal-stack/website#250) @dependabot[bot] +* Allow repo maintainers to run comment actions. 
(metal-stack/metal-robot#109) @Gerrit91 +* Support more chassistypes (metal-stack/go-hal#86) @majst01 +* Improved test coverage (metal-stack/cli#29) @AnnaSchreiner +* Enter serial console (metal-stack/go-hal#87) @majst01 +* Remove security.User from auditing and split http/grpc/connect (metal-stack/metal-lib#206) @majst01 +* chore(ci): actions-common (metal-stack/metal-robot#110) @vknabel +* chore(deps): bump the docusaurus-dependencies group with 2 updates (metal-stack/website#254) @dependabot[bot] +* chore(deps): bump the other-dependencies group across 1 directory with 5 updates (metal-stack/website#255) @dependabot[bot] +* Migrate to web-only UI (metal-stack/metal-ui#11) @ostempel +* Dependency updates. (metal-stack/cli#30) @Gerrit91 +* adjust metal-ui skill and remove tauri leftovers (metal-stack/metal-ui#12) @ostempel +* Add rule template. (metal-stack/website#256) @Gerrit91 +* Next release (metal-stack/releases#284) @metal-robot[bot] \ No newline at end of file diff --git a/docs/08-References/Storage/csi-driver-lvm/csi-driver-lvm.md b/docs/08-References/Storage/csi-driver-lvm/csi-driver-lvm.md index 769e45e..ee86ea0 100644 --- a/docs/08-References/Storage/csi-driver-lvm/csi-driver-lvm.md +++ b/docs/08-References/Storage/csi-driver-lvm/csi-driver-lvm.md 
@@ -49,9 +49,68 @@ Now you can use one of following storageClasses: * `csi-driver-lvm-linear` * `csi-driver-lvm-mirror` * `csi-driver-lvm-striped` +* `csi-driver-lvm-linear-encrypted` +* `csi-driver-lvm-mirror-encrypted` +* `csi-driver-lvm-striped-encrypted` To get the previous old and now deprecated `csi-lvm-sc-linear`, ... storageclasses, set helm-chart value `compat03x=true`. +## Encryption ## + +csi-driver-lvm supports LUKS2 encryption for volumes at rest. When encryption is enabled, the LVM logical volume is formatted with LUKS2 and a dm-crypt mapper device is used transparently for all I/O. + +### Setup ### + +1. Create a Kubernetes Secret containing the LUKS passphrase: + +```bash +kubectl create secret generic csi-lvm-encryption-secret \ + --from-literal=passphrase='my-secret-passphrase' +``` + +2. Enable the encrypted StorageClasses in your Helm values (they are disabled by default): + +```yaml +storageClasses: + linearEncrypted: + enabled: true + mirrorEncrypted: + enabled: true + stripedEncrypted: + enabled: true +``` + +3. Create PVCs using one of the encrypted StorageClasses. The encryption is handled transparently by the driver. + +### How it works ### + +- **NodeStageVolume**: LUKS-formats the LV (first use only), then opens it via `cryptsetup luksOpen`, creating a `/dev/mapper/csi-lvm-` device +- **NodePublishVolume**: Mounts the mapper device (instead of the raw LV) to the target path +- **NodeUnpublishVolume**: Unmounts as usual +- **NodeUnstageVolume**: Closes the LUKS device via `cryptsetup luksClose` +- **Volume expansion**: The LV is extended first, then the LUKS layer is resized, then the filesystem + +Both filesystem and raw block access types are supported with encryption. + +### Encrypted Ephemeral Volumes ### + +Encryption is also supported for CSI ephemeral (inline) volumes. 
Since ephemeral volumes bypass `NodeStageVolume`, the LUKS formatting and opening is handled directly during `NodePublishVolume`, and the LUKS device is closed during `NodeUnpublishVolume`. + +To use an encrypted ephemeral volume, specify `encryption: "true"` in `volumeAttributes` and reference the encryption secret via `nodePublishSecretRef`: + +```yaml +volumes: + - name: encrypted-ephemeral + csi: + driver: lvm.csi.metal-stack.io + volumeAttributes: + size: "100Mi" + type: "linear" + encryption: "true" + nodePublishSecretRef: + name: csi-lvm-encryption-secret +``` + ## Migration ## If you want to migrate your existing PVC to / from csi-driver-lvm, you can use [korb](https://github.com/BeryJu/korb). diff --git a/src/version.json b/src/version.json index 5867119..6381879 100644 --- a/src/version.json +++ b/src/version.json @@ -1 +1 @@ -{"version": "v0.22.8"} +{"version": "v0.22.9"} diff --git a/versioned_docs/version-v0.22/07-Release Notes/v0.22/v0.22.9.md b/versioned_docs/version-v0.22/07-Release Notes/v0.22/v0.22.9.md new file mode 100644 index 0000000..2183d24 --- /dev/null +++ b/versioned_docs/version-v0.22/07-Release Notes/v0.22/v0.22.9.md 
@@ -0,0 +1,52 @@ +--- +slug: /release-notes/v0.22.9 +title: v0.22.9 +sidebar_position: 1 +--- +# metal-stack v0.22.9 +See original release note at [https://github.com/metal-stack/releases/releases/tag/v0.22.9](https://github.com/metal-stack/releases/releases/tag/v0.22.9) +## General +* [Gardener v1.128](https://github.com/gardener/gardener/releases/tag/v1.128.0) + * Please note that this release contains the gardener-apiserver built from the metal-stack fork in order to prevent the defaulting of worker machine images by Gardener. This will be resolved upstream with https://github.com/gardener/gardener/pull/13785. If you do not use short image versions in the `CloudProfile` you can also use the upstream version of the gardener-apiserver. +## Required Actions +* Update existing zitadel-init configurations in your deployment (`zitadel_init_config`) to use `redirect_uris` instead of `redirect_uri`. (metal-stack/zitadel-init#9) +* If during reconciles of old shoots the following shoot error occurs: `ScrapeConfig.monitoring.coreos.com "shoot-blackbox-exporter-k8s-service-check is invalid: spec.kubernetesSDConfigs[0].role: Unsupported value: "service"`, it is enough to edit the `ScrapeConfig` in the shoot namespace in the `Seed` and correct `service` to `Service`. +## Component Releases +### metal-roles v0.20.1 +* Use new OCI helm-charts from metal-stack. (metal-stack/metal-roles#582) @Gerrit91 +* Add param for deploying `ClusterRoleBinding`s into the virtual garden. (metal-stack/metal-roles#585) @Gerrit91 +### api v0.0.61 +* Machine create refinements (metal-stack/api#119) @majst01 +* Map validations (metal-stack/api#122) @majst01 +### node-init v0.1.8 +* Update actions workflows and dependencies. 
(metal-stack/node-init#20) @Gerrit91 +* feat: configure HTTP transport for persistent connections to kube-apiserver (metal-stack/node-init#19) @mwennrich +* include sbom in container image (metal-stack/node-init#17) @mac641 +### zitadel-init v0.3.3 +* Allow configuration of multiple redirect URIs. (metal-stack/zitadel-init#9) @Gerrit91 +# Merged Pull Requests +This is a list of pull requests that were merged since the last release. The list does not contain pull requests from release-vector-repositories. + +The fact that these pull requests were merged does not necessarily imply that they have already become part of this metal-stack release. + +* More documentation for release-drafter action. (metal-stack/actions-common#6) @Gerrit91 +* Provide common helm-chart action. (metal-stack/actions-common#7) @Gerrit91 +* chore: blog maintainers (metal-stack/website#253) @vknabel +* Bump releases to version v0.22.8 (metal-stack/website#252) @metal-robot[bot] +* Remove unnecessary braces from if conditions. (metal-stack/actions-common#9) @Gerrit91 +* Fix issue comments only working on pull requests. (metal-stack/metal-robot#108) @Gerrit91 +* chore(deps): bump postcss from 8.5.9 to 8.5.10 in the other-dependencies group (metal-stack/website#251) @dependabot[bot] +* chore(deps): bump the docusaurus-dependencies group with 2 updates (metal-stack/website#250) @dependabot[bot] +* Allow repo maintainers to run comment actions. 
(metal-stack/metal-robot#109) @Gerrit91 +* Support more chassistypes (metal-stack/go-hal#86) @majst01 +* Improved test coverage (metal-stack/cli#29) @AnnaSchreiner +* Enter serial console (metal-stack/go-hal#87) @majst01 +* Remove security.User from auditing and split http/grpc/connect (metal-stack/metal-lib#206) @majst01 +* chore(ci): actions-common (metal-stack/metal-robot#110) @vknabel +* chore(deps): bump the docusaurus-dependencies group with 2 updates (metal-stack/website#254) @dependabot[bot] +* chore(deps): bump the other-dependencies group across 1 directory with 5 updates (metal-stack/website#255) @dependabot[bot] +* Migrate to web-only UI (metal-stack/metal-ui#11) @ostempel +* Dependency updates. (metal-stack/cli#30) @Gerrit91 +* adjust metal-ui skill and remove tauri leftovers (metal-stack/metal-ui#12) @ostempel +* Add rule template. (metal-stack/website#256) @Gerrit91 +* Next release (metal-stack/releases#284) @metal-robot[bot] \ No newline at end of file diff --git a/versioned_docs/version-v0.22/08-References/Storage/csi-driver-lvm/csi-driver-lvm.md b/versioned_docs/version-v0.22/08-References/Storage/csi-driver-lvm/csi-driver-lvm.md index 769e45e..ee86ea0 100644 --- a/versioned_docs/version-v0.22/08-References/Storage/csi-driver-lvm/csi-driver-lvm.md +++ b/versioned_docs/version-v0.22/08-References/Storage/csi-driver-lvm/csi-driver-lvm.md 
@@ -49,9 +49,68 @@ Now you can use one of following storageClasses: * `csi-driver-lvm-linear` * `csi-driver-lvm-mirror` * `csi-driver-lvm-striped` +* `csi-driver-lvm-linear-encrypted` +* `csi-driver-lvm-mirror-encrypted` +* `csi-driver-lvm-striped-encrypted` To get the previous old and now deprecated `csi-lvm-sc-linear`, ... storageclasses, set helm-chart value `compat03x=true`. +## Encryption ## + +csi-driver-lvm supports LUKS2 encryption for volumes at rest. When encryption is enabled, the LVM logical volume is formatted with LUKS2 and a dm-crypt mapper device is used transparently for all I/O. + +### Setup ### + +1. Create a Kubernetes Secret containing the LUKS passphrase: + +```bash +kubectl create secret generic csi-lvm-encryption-secret \ + --from-literal=passphrase='my-secret-passphrase' +``` + +2. Enable the encrypted StorageClasses in your Helm values (they are disabled by default): + +```yaml +storageClasses: + linearEncrypted: + enabled: true + mirrorEncrypted: + enabled: true + stripedEncrypted: + enabled: true +``` + +3. Create PVCs using one of the encrypted StorageClasses. The encryption is handled transparently by the driver. + +### How it works ### + +- **NodeStageVolume**: LUKS-formats the LV (first use only), then opens it via `cryptsetup luksOpen`, creating a `/dev/mapper/csi-lvm-` device +- **NodePublishVolume**: Mounts the mapper device (instead of the raw LV) to the target path +- **NodeUnpublishVolume**: Unmounts as usual +- **NodeUnstageVolume**: Closes the LUKS device via `cryptsetup luksClose` +- **Volume expansion**: The LV is extended first, then the LUKS layer is resized, then the filesystem + +Both filesystem and raw block access types are supported with encryption. + +### Encrypted Ephemeral Volumes ### + +Encryption is also supported for CSI ephemeral (inline) volumes. 
Since ephemeral volumes bypass `NodeStageVolume`, the LUKS formatting and opening is handled directly during `NodePublishVolume`, and the LUKS device is closed during `NodeUnpublishVolume`. + +To use an encrypted ephemeral volume, specify `encryption: "true"` in `volumeAttributes` and reference the encryption secret via `nodePublishSecretRef`: + +```yaml +volumes: + - name: encrypted-ephemeral + csi: + driver: lvm.csi.metal-stack.io + volumeAttributes: + size: "100Mi" + type: "linear" + encryption: "true" + nodePublishSecretRef: + name: csi-lvm-encryption-secret +``` + ## Migration ## If you want to migrate your existing PVC to / from csi-driver-lvm, you can use [korb](https://github.com/BeryJu/korb).
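Review bot: in the new `docs/07-Release Notes/v0.22/v0.22.9.md`, the `# Merged Pull Requests` heading is a second H1 beneath `# metal-stack v0.22.9`, while its sibling sections (`## General`, `## Required Actions`, `## Component Releases`) are H2; demote it to `## Merged Pull Requests` so the sidebar outline nests it under the release. The Required Actions entry for `redirect_uris` names the PR (metal-stack/zitadel-init#9) but does not say whether a left-over `redirect_uri` key is still accepted or now rejected; one clause stating which would tell operators whether the upgrade fails without the change.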
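Review bot: the Encryption section of `docs/08-References/Storage/csi-driver-lvm/csi-driver-lvm.md` never states how the encrypted StorageClasses locate the passphrase Secret (name, namespace, and the `passphrase` key), so a reader who creates `csi-lvm-encryption-secret` in the wrong namespace gets volumes that fail at NodeStageVolume; the ephemeral example relies on `nodePublishSecretRef`, which Kubernetes resolves in the pod's namespace, while the StorageClass path is not shown at all. Please also fix the truncated device name in the NodeStageVolume bullet (`/dev/mapper/csi-lvm-` ends in a dash with no suffix), and consider stating what distinguishes "first use only" (for example an existing LUKS header) so operators know a re-stage cannot reformat a populated volume. Two operational caveats worth a sentence each: `--from-literal=passphrase='my-secret-passphrase'` leaves the passphrase in shell history, so suggest `--from-file` or reading it from stdin, and since every volume is unlocked with this one Secret, losing or rotating it without a documented procedure makes the data unrecoverable.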
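Review bot: the `versioned_docs/version-v0.22/07-Release Notes/v0.22/v0.22.9.md` copy is byte-identical to the docs copy (same blob 2183d24), so the H1/H2 inconsistency of `# Merged Pull Requests` is duplicated here; apply the heading fix to both files, or derive the versioned copy from the unversioned one so they cannot drift.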
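Review bot: the `versioned_docs/version-v0.22/08-References/Storage/csi-driver-lvm/csi-driver-lvm.md` hunk carries the same content as the docs copy (index 769e45e..ee86ea0), so the truncated `/dev/mapper/csi-lvm-` name and the missing Secret namespace/key documentation need fixing here as well; keep both copies in sync.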