metal-stack · simcod · May 5, 2026 · Apr 28, 2026 · May 5, 2026
@@ -0,0 +1,52 @@
+---
+slug: /release-notes/v0.22.9
+title: v0.22.9
+sidebar_position: 1
+---
+# metal-stack v0.22.9
+See original release note at [https://github.com/metal-stack/releases/releases/tag/v0.22.9](https://github.com/metal-stack/releases/releases/tag/v0.22.9)
+## General
+* [Gardener v1.128](https://github.com/gardener/gardener/releases/tag/v1.128.0)
+   * Please note that this release contains the gardener-apiserver built from the metal-stack fork in order to prevent the defaulting of worker machine images by Gardener. This will be resolved upstream with https://github.com/gardener/gardener/pull/13785. If you do not use short image versions in the `CloudProfile` you can also use the upstream version of the gardener-apiserver.
+## Required Actions
+* Update existing zitadel-init configurations in your deployment (`zitadel_init_config`) to use `redirect_uris` instead of `redirect_uri`. (metal-stack/zitadel-init#9)
+* If during reconciles of old shoots the following shoot error occurs: `ScrapeConfig.monitoring.coreos.com "shoot-blackbox-exporter-k8s-service-check is invalid: spec.kubernetesSDConfigs[0].role: Unsupported value: "service"`, it is enough to edit the `ScrapeConfig` in the shoot namespace in the `Seed` and correct `service` to `Service`.
+## Component Releases
+### metal-roles v0.20.1
+* Use new OCI helm-charts from metal-stack. (metal-stack/metal-roles#582) @Gerrit91
+* Add param for deploying `ClusterRoleBinding`s into the virtual garden. (metal-stack/metal-roles#585) @Gerrit91
+### api v0.0.61
+* Machine create refinements (metal-stack/api#119) @majst01
+* Map validations (metal-stack/api#122) @majst01
+### node-init v0.1.8
+* Update actions workflows and dependencies. (metal-stack/node-init#20) @Gerrit91
+* feat: configure HTTP transport for persistent connections to kube-apiserver (metal-stack/node-init#19) @mwennrich
+* include sbom in container image (metal-stack/node-init#17) @mac641
+### zitadel-init v0.3.3
+* Allow configuration of multiple redirect URIs. (metal-stack/zitadel-init#9) @Gerrit91
+# Merged Pull Requests
+This is a list of pull requests that were merged since the last release. The list does not contain pull requests from release-vector-repositories.
+
+The fact that these pull requests were merged does not necessarily imply that they have already become part of this metal-stack release.
+
+* More documentation for release-drafter action. (metal-stack/actions-common#6) @Gerrit91
+* Provide common helm-chart action. (metal-stack/actions-common#7) @Gerrit91
+* chore: blog maintainers (metal-stack/website#253) @vknabel
+* Bump releases to version v0.22.8 (metal-stack/website#252) @metal-robot[bot]
+* Remove unnecessary braces from if conditions. (metal-stack/actions-common#9) @Gerrit91
+* Fix issue comments only working on pull requests. (metal-stack/metal-robot#108) @Gerrit91
+* chore(deps): bump postcss from 8.5.9 to 8.5.10 in the other-dependencies group (metal-stack/website#251) @dependabot[bot]
+* chore(deps): bump the docusaurus-dependencies group with 2 updates (metal-stack/website#250) @dependabot[bot]
+* Allow repo maintainers to run comment actions. (metal-stack/metal-robot#109) @Gerrit91
+* Support more chassistypes (metal-stack/go-hal#86) @majst01
+* Improved test coverage (metal-stack/cli#29) @AnnaSchreiner
+* Enter serial console (metal-stack/go-hal#87) @majst01
+* Remove security.User from auditing and split http/grpc/connect (metal-stack/metal-lib#206) @majst01
+* chore(ci): actions-common (metal-stack/metal-robot#110) @vknabel
+* chore(deps): bump the docusaurus-dependencies group with 2 updates (metal-stack/website#254) @dependabot[bot]
+* chore(deps): bump the other-dependencies group across 1 directory with 5 updates (metal-stack/website#255) @dependabot[bot]
+* Migrate to web-only UI (metal-stack/metal-ui#11) @ostempel
+* Dependency updates. (metal-stack/cli#30) @Gerrit91
+* adjust metal-ui skill and remove tauri leftovers (metal-stack/metal-ui#12) @ostempel
+* Add rule template. (metal-stack/website#256) @Gerrit91
+* Next release (metal-stack/releases#284) @metal-robot[bot]
@@ -49,9 +49,68 @@ Now you can use one of following storageClasses:
 * `csi-driver-lvm-linear`
 * `csi-driver-lvm-mirror`
 * `csi-driver-lvm-striped`
+* `csi-driver-lvm-linear-encrypted`
+* `csi-driver-lvm-mirror-encrypted`
+* `csi-driver-lvm-striped-encrypted`
 
 To get the previous old and now deprecated `csi-lvm-sc-linear`, ... storageclasses, set helm-chart value `compat03x=true`.
 
+## Encryption ##
+
+csi-driver-lvm supports LUKS2 encryption for volumes at rest. When encryption is enabled, the LVM logical volume is formatted with LUKS2 and a dm-crypt mapper device is used transparently for all I/O.
+
+### Setup ###
+
+1. Create a Kubernetes Secret containing the LUKS passphrase:
+
+```bash
+kubectl create secret generic csi-lvm-encryption-secret \
+  --from-literal=passphrase='my-secret-passphrase'
+```
+
+2. Enable the encrypted StorageClasses in your Helm values (they are disabled by default):
+
+```yaml
+storageClasses:
+  linearEncrypted:
+    enabled: true
+  mirrorEncrypted:
+    enabled: true
+  stripedEncrypted:
+    enabled: true
+```
+
+3. Create PVCs using one of the encrypted StorageClasses. The encryption is handled transparently by the driver.
+
+### How it works ###
+
+- **NodeStageVolume**: LUKS-formats the LV (first use only), then opens it via `cryptsetup luksOpen`, creating a `/dev/mapper/csi-lvm-<volumeID>` device
+- **NodePublishVolume**: Mounts the mapper device (instead of the raw LV) to the target path
+- **NodeUnpublishVolume**: Unmounts as usual
+- **NodeUnstageVolume**: Closes the LUKS device via `cryptsetup luksClose`
+- **Volume expansion**: The LV is extended first, then the LUKS layer is resized, then the filesystem
+
+Both filesystem and raw block access types are supported with encryption.
+
+### Encrypted Ephemeral Volumes ###
+
+Encryption is also supported for CSI ephemeral (inline) volumes. Since ephemeral volumes bypass `NodeStageVolume`, the LUKS formatting and opening is handled directly during `NodePublishVolume`, and the LUKS device is closed during `NodeUnpublishVolume`.
+
+To use an encrypted ephemeral volume, specify `encryption: "true"` in `volumeAttributes` and reference the encryption secret via `nodePublishSecretRef`:
+
+```yaml
+volumes:
+  - name: encrypted-ephemeral
+    csi:
+      driver: lvm.csi.metal-stack.io
+      volumeAttributes:
+        size: "100Mi"
+        type: "linear"
+        encryption: "true"
+      nodePublishSecretRef:
+        name: csi-lvm-encryption-secret
+```
+
 ## Migration ##
 
 If you want to migrate your existing PVC to / from csi-driver-lvm, you can use [korb](https://github.com/BeryJu/korb).

@@ -1 +1 @@
-{"version": "v0.22.8"}
+{"version": "v0.22.9"}
@@ -0,0 +1,52 @@
+---
+slug: /release-notes/v0.22.9
+title: v0.22.9
+sidebar_position: 1
+---
+# metal-stack v0.22.9
+See original release note at [https://github.com/metal-stack/releases/releases/tag/v0.22.9](https://github.com/metal-stack/releases/releases/tag/v0.22.9)
+## General
+* [Gardener v1.128](https://github.com/gardener/gardener/releases/tag/v1.128.0)
+   * Please note that this release contains the gardener-apiserver built from the metal-stack fork in order to prevent the defaulting of worker machine images by Gardener. This will be resolved upstream with https://github.com/gardener/gardener/pull/13785. If you do not use short image versions in the `CloudProfile` you can also use the upstream version of the gardener-apiserver.
+## Required Actions
+* Update existing zitadel-init configurations in your deployment (`zitadel_init_config`) to use `redirect_uris` instead of `redirect_uri`. (metal-stack/zitadel-init#9)
+* If during reconciles of old shoots the following shoot error occurs: `ScrapeConfig.monitoring.coreos.com "shoot-blackbox-exporter-k8s-service-check is invalid: spec.kubernetesSDConfigs[0].role: Unsupported value: "service"`, it is enough to edit the `ScrapeConfig` in the shoot namespace in the `Seed` and correct `service` to `Service`.
+## Component Releases
+### metal-roles v0.20.1
+* Use new OCI helm-charts from metal-stack. (metal-stack/metal-roles#582) @Gerrit91
+* Add param for deploying `ClusterRoleBinding`s into the virtual garden. (metal-stack/metal-roles#585) @Gerrit91
+### api v0.0.61
+* Machine create refinements (metal-stack/api#119) @majst01
+* Map validations (metal-stack/api#122) @majst01
+### node-init v0.1.8
+* Update actions workflows and dependencies. (metal-stack/node-init#20) @Gerrit91
+* feat: configure HTTP transport for persistent connections to kube-apiserver (metal-stack/node-init#19) @mwennrich
+* include sbom in container image (metal-stack/node-init#17) @mac641
+### zitadel-init v0.3.3
+* Allow configuration of multiple redirect URIs. (metal-stack/zitadel-init#9) @Gerrit91
+# Merged Pull Requests
+This is a list of pull requests that were merged since the last release. The list does not contain pull requests from release-vector-repositories.
+
+The fact that these pull requests were merged does not necessarily imply that they have already become part of this metal-stack release.
+
+* More documentation for release-drafter action. (metal-stack/actions-common#6) @Gerrit91
+* Provide common helm-chart action. (metal-stack/actions-common#7) @Gerrit91
+* chore: blog maintainers (metal-stack/website#253) @vknabel
+* Bump releases to version v0.22.8 (metal-stack/website#252) @metal-robot[bot]
+* Remove unnecessary braces from if conditions. (metal-stack/actions-common#9) @Gerrit91
+* Fix issue comments only working on pull requests. (metal-stack/metal-robot#108) @Gerrit91
+* chore(deps): bump postcss from 8.5.9 to 8.5.10 in the other-dependencies group (metal-stack/website#251) @dependabot[bot]
+* chore(deps): bump the docusaurus-dependencies group with 2 updates (metal-stack/website#250) @dependabot[bot]
+* Allow repo maintainers to run comment actions. (metal-stack/metal-robot#109) @Gerrit91
+* Support more chassistypes (metal-stack/go-hal#86) @majst01
+* Improved test coverage (metal-stack/cli#29) @AnnaSchreiner
+* Enter serial console (metal-stack/go-hal#87) @majst01
+* Remove security.User from auditing and split http/grpc/connect (metal-stack/metal-lib#206) @majst01
+* chore(ci): actions-common (metal-stack/metal-robot#110) @vknabel
+* chore(deps): bump the docusaurus-dependencies group with 2 updates (metal-stack/website#254) @dependabot[bot]
+* chore(deps): bump the other-dependencies group across 1 directory with 5 updates (metal-stack/website#255) @dependabot[bot]
+* Migrate to web-only UI (metal-stack/metal-ui#11) @ostempel
+* Dependency updates. (metal-stack/cli#30) @Gerrit91
+* adjust metal-ui skill and remove tauri leftovers (metal-stack/metal-ui#12) @ostempel
+* Add rule template. (metal-stack/website#256) @Gerrit91
+* Next release (metal-stack/releases#284) @metal-robot[bot]
@@ -49,9 +49,68 @@ Now you can use one of following storageClasses:
 * `csi-driver-lvm-linear`
 * `csi-driver-lvm-mirror`
 * `csi-driver-lvm-striped`
+* `csi-driver-lvm-linear-encrypted`
+* `csi-driver-lvm-mirror-encrypted`
+* `csi-driver-lvm-striped-encrypted`
 
 To get the previous old and now deprecated `csi-lvm-sc-linear`, ... storageclasses, set helm-chart value `compat03x=true`.
 
+## Encryption ##
+
+csi-driver-lvm supports LUKS2 encryption for volumes at rest. When encryption is enabled, the LVM logical volume is formatted with LUKS2 and a dm-crypt mapper device is used transparently for all I/O.
+
+### Setup ###
+
+1. Create a Kubernetes Secret containing the LUKS passphrase:
+
+```bash
+kubectl create secret generic csi-lvm-encryption-secret \
+  --from-literal=passphrase='my-secret-passphrase'
+```
+
+2. Enable the encrypted StorageClasses in your Helm values (they are disabled by default):
+
+```yaml
+storageClasses:
+  linearEncrypted:
+    enabled: true
+  mirrorEncrypted:
+    enabled: true
+  stripedEncrypted:
+    enabled: true
+```
+
+3. Create PVCs using one of the encrypted StorageClasses. The encryption is handled transparently by the driver.
+
+### How it works ###
+
+- **NodeStageVolume**: LUKS-formats the LV (first use only), then opens it via `cryptsetup luksOpen`, creating a `/dev/mapper/csi-lvm-<volumeID>` device
+- **NodePublishVolume**: Mounts the mapper device (instead of the raw LV) to the target path
+- **NodeUnpublishVolume**: Unmounts as usual
+- **NodeUnstageVolume**: Closes the LUKS device via `cryptsetup luksClose`
+- **Volume expansion**: The LV is extended first, then the LUKS layer is resized, then the filesystem
+
+Both filesystem and raw block access types are supported with encryption.
+
+### Encrypted Ephemeral Volumes ###
+
+Encryption is also supported for CSI ephemeral (inline) volumes. Since ephemeral volumes bypass `NodeStageVolume`, the LUKS formatting and opening is handled directly during `NodePublishVolume`, and the LUKS device is closed during `NodeUnpublishVolume`.
+
+To use an encrypted ephemeral volume, specify `encryption: "true"` in `volumeAttributes` and reference the encryption secret via `nodePublishSecretRef`:
+
+```yaml
+volumes:
+  - name: encrypted-ephemeral
+    csi:
+      driver: lvm.csi.metal-stack.io
+      volumeAttributes:
+        size: "100Mi"
+        type: "linear"
+        encryption: "true"
+      nodePublishSecretRef:
+        name: csi-lvm-encryption-secret
+```
+
 ## Migration ##
 
 If you want to migrate your existing PVC to / from csi-driver-lvm, you can use [korb](https://github.com/BeryJu/korb).