diff --git a/stacks/affine/main.tf b/stacks/affine/main.tf index 21a4cada..20d17d1d 100644 --- a/stacks/affine/main.tf +++ b/stacks/affine/main.tf @@ -145,10 +145,10 @@ locals { ] } -resource "kubernetes_persistent_volume_claim" "data_proxmox" { +resource "kubernetes_persistent_volume_claim" "data_encrypted" { wait_until_bound = false metadata { - name = "affine-data-proxmox" + name = "affine-data-encrypted" namespace = kubernetes_namespace.affine.metadata[0].name annotations = { "resize.topolvm.io/threshold" = "80%" @@ -158,7 +158,7 @@ resource "kubernetes_persistent_volume_claim" "data_proxmox" { } spec { access_modes = ["ReadWriteOnce"] - storage_class_name = "proxmox-lvm" + storage_class_name = "proxmox-lvm-encrypted" resources { requests = { storage = "1Gi" @@ -313,7 +313,7 @@ resource "kubernetes_deployment" "affine" { volume { name = "data" persistent_volume_claim { - claim_name = kubernetes_persistent_volume_claim.data_proxmox.metadata[0].name + claim_name = kubernetes_persistent_volume_claim.data_encrypted.metadata[0].name } } } diff --git a/stacks/dbaas/modules/dbaas/main.tf b/stacks/dbaas/modules/dbaas/main.tf index 16c32265..3bac4d21 100644 --- a/stacks/dbaas/modules/dbaas/main.tf +++ b/stacks/dbaas/modules/dbaas/main.tf @@ -197,7 +197,7 @@ resource "helm_release" "mysql_cluster" { } datadirVolumeClaimTemplate = { - storageClassName = "proxmox-lvm" + storageClassName = "proxmox-lvm-encrypted" metadata = { annotations = { "resize.topolvm.io/threshold" = "80%" 
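Review bot: Renaming the resource and its `metadata.name` makes Terraform destroy `affine-data-proxmox` and create a fresh, empty `affine-data-encrypted` claim, and nothing in this commit copies the existing data across, so the deployment that now references `data_encrypted` starts on an empty volume unless the copy is done out of band. Because the `proxmox-lvm` class is declared with `reclaimPolicy = "Retain"` (visible in the proxmox-csi hunk of this same commit), the released PV and its LVM volume keep the plaintext data indefinitely, so the move to an encrypted class gains nothing for that data until the old volume is copied over and wiped. A comment on the resource recording that expectation, e.g. `# Replaces affine-data-proxmox (plaintext LV); copy data, then wipe the retained PV`, would make the follow-up step visible to whoever applies this. The same point applies to every other renamed PVC in the commit: dbaas pgadmin, forgejo, frigate, hackmd, headscale, health, mailserver, roundcubemail (html and enigma), matrix, meshcentral (data and files), n8n and nextcloud.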
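Review bot: `datadirVolumeClaimTemplate.storageClassName` feeds a StatefulSet `volumeClaimTemplates` entry, which Kubernetes treats as immutable, so this helm upgrade will either be rejected or leave the already-bound `proxmox-lvm` datadir PVCs untouched; either way the existing MySQL data stays on the unencrypted class. As far as I can tell the same caveat holds for the CloudNativePG `storageClass` values in the dbaas `pg_cluster` hunks and the redis `master`/replica `persistence.storageClass` hunks, where a class change does not re-provision existing PVCs. A short comment next to the value, e.g. `# Applies to newly created datadir PVCs only; existing ones stay on proxmox-lvm until recreated`, would prevent the assumption that the data is now encrypted. The enclosing helm_release values block continues outside the hunk.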
@@ -353,13 +353,13 @@ resource "helm_release" "mysql_cluster" { ] } -# MySQL Router - explicitly set resources (chart does not expose router.resources) -# VPA shows 100Mi upper bound, setting to 128Mi -# Note: This requires manual kubectl patch after helm release: -# kubectl patch deployment mysql-cluster-router -n dbaas --type=json -p='[ -# {"op": "replace", "path": "/spec/template/spec/containers/0/resources", -# "value": {"requests": {"cpu": "25m", "memory": "128Mi"}, "limits": {"memory": "128Mi"}}}]' -# TODO: migrate to mysql-operator fork or wait for upstream router.resources support + # MySQL Router - explicitly set resources (chart does not expose router.resources) + # VPA shows 100Mi upper bound, setting to 128Mi + # Note: This requires manual kubectl patch after helm release: + # kubectl patch deployment mysql-cluster-router -n dbaas --type=json -p='[ + # {"op": "replace", "path": "/spec/template/spec/containers/0/resources", + # "value": {"requests": {"cpu": "25m", "memory": "128Mi"}, "limits": {"memory": "128Mi"}}}]' + # TODO: migrate to mysql-operator fork or wait for upstream router.resources support })] @@ -398,10 +398,10 @@ module "nfs_mysql_backup_host" { nfs_path = "/srv/nfs/mysql-backup" } -resource "kubernetes_persistent_volume_claim" "pgadmin_proxmox" { +resource "kubernetes_persistent_volume_claim" "pgadmin_encrypted" { wait_until_bound = false metadata { - name = "dbaas-pgadmin-proxmox" + name = "dbaas-pgadmin-encrypted" namespace = kubernetes_namespace.dbaas.metadata[0].name annotations = { "resize.topolvm.io/threshold" = "80%" @@ -411,7 +411,7 @@ resource "kubernetes_persistent_volume_claim" "pgadmin_proxmox" { } spec { access_modes = ["ReadWriteOnce"] - storage_class_name = "proxmox-lvm" + storage_class_name = "proxmox-lvm-encrypted" resources { requests = { storage = "1Gi" 
@@ -523,9 +523,9 @@ resource "kubernetes_cron_job_v1" "mysql-backup-per-db" { namespace = kubernetes_namespace.dbaas.metadata[0].name } spec { - concurrency_policy = "Replace" - failed_jobs_history_limit = 3 - schedule = "45 0 * * *" + concurrency_policy = "Replace" + failed_jobs_history_limit = 3 + schedule = "45 0 * * *" starting_deadline_seconds = 10 successful_jobs_history_limit = 3 job_template { @@ -1093,7 +1093,7 @@ resource "null_resource" "pg_cluster" { instances = "2" image = "ghcr.io/cloudnative-pg/postgis:16" storage_size = "20Gi" - storage_class = "proxmox-lvm" + storage_class = "proxmox-lvm-encrypted" memory_limit = "2Gi" pg_params = "v2-shared512-walcomp-workmem16" } @@ -1127,7 +1127,7 @@ resource "null_resource" "pg_cluster" { resize.topolvm.io/storage_limit: "100Gi" storage: size: 20Gi - storageClass: proxmox-lvm + storageClass: proxmox-lvm-encrypted resources: requests: cpu: "50m" @@ -1257,7 +1257,7 @@ resource "kubernetes_deployment" "pgadmin" { # name = "pgadmin-config" # } persistent_volume_claim { - claim_name = kubernetes_persistent_volume_claim.pgadmin_proxmox.metadata[0].name + claim_name = kubernetes_persistent_volume_claim.pgadmin_encrypted.metadata[0].name } } dns_config { @@ -1386,9 +1386,9 @@ resource "kubernetes_cron_job_v1" "postgresql-backup-per-db" { namespace = kubernetes_namespace.dbaas.metadata[0].name } spec { - concurrency_policy = "Replace" - failed_jobs_history_limit = 3 - schedule = "15 0 * * *" + concurrency_policy = "Replace" + failed_jobs_history_limit = 3 + schedule = "15 0 * * *" starting_deadline_seconds = 10 successful_jobs_history_limit = 3 job_template { diff --git a/stacks/forgejo/main.tf b/stacks/forgejo/main.tf index 2b954873..d17e4dfe 100644 --- a/stacks/forgejo/main.tf +++ b/stacks/forgejo/main.tf 
@@ -20,10 +20,10 @@ module "tls_secret" { tls_secret_name = var.tls_secret_name } -resource "kubernetes_persistent_volume_claim" "data_proxmox" { +resource "kubernetes_persistent_volume_claim" "data_encrypted" { wait_until_bound = false metadata { - name = "forgejo-data-proxmox" + name = "forgejo-data-encrypted" namespace = kubernetes_namespace.forgejo.metadata[0].name annotations = { "resize.topolvm.io/threshold" = "80%" @@ -33,7 +33,7 @@ resource "kubernetes_persistent_volume_claim" "data_proxmox" { } spec { access_modes = ["ReadWriteOnce"] - storage_class_name = "proxmox-lvm" + storage_class_name = "proxmox-lvm-encrypted" resources { requests = { storage = "5Gi" @@ -124,7 +124,7 @@ resource "kubernetes_deployment" "forgejo" { volume { name = "data" persistent_volume_claim { - claim_name = kubernetes_persistent_volume_claim.data_proxmox.metadata[0].name + claim_name = kubernetes_persistent_volume_claim.data_encrypted.metadata[0].name } } } diff --git a/stacks/frigate/main.tf b/stacks/frigate/main.tf index a8bdc096..9f8c036d 100644 --- a/stacks/frigate/main.tf +++ b/stacks/frigate/main.tf @@ -23,10 +23,10 @@ module "tls_secret" { tls_secret_name = var.tls_secret_name } -resource "kubernetes_persistent_volume_claim" "config_proxmox" { +resource "kubernetes_persistent_volume_claim" "config_encrypted" { wait_until_bound = false metadata { - name = "frigate-config-proxmox" + name = "frigate-config-encrypted" namespace = kubernetes_namespace.frigate.metadata[0].name annotations = { "resize.topolvm.io/threshold" = "80%" @@ -36,7 +36,7 @@ resource "kubernetes_persistent_volume_claim" "config_proxmox" { } spec { access_modes = ["ReadWriteOnce"] - storage_class_name = "proxmox-lvm" + storage_class_name = "proxmox-lvm-encrypted" resources { requests = { storage = "1Gi" 
@@ -186,7 +186,7 @@ for name, det in stats.get('detectors', {}).items(): volume { name = "config" persistent_volume_claim { - claim_name = kubernetes_persistent_volume_claim.config_proxmox.metadata[0].name + claim_name = kubernetes_persistent_volume_claim.config_encrypted.metadata[0].name } } volume { diff --git a/stacks/hackmd/main.tf b/stacks/hackmd/main.tf index c211be62..79c5cfab 100644 --- a/stacks/hackmd/main.tf +++ b/stacks/hackmd/main.tf @@ -20,10 +20,10 @@ module "tls_secret" { tls_secret_name = var.tls_secret_name } -resource "kubernetes_persistent_volume_claim" "data_proxmox" { +resource "kubernetes_persistent_volume_claim" "data_encrypted" { wait_until_bound = false metadata { - name = "hackmd-data-proxmox" + name = "hackmd-data-encrypted" namespace = kubernetes_namespace.hackmd.metadata[0].name annotations = { "resize.topolvm.io/threshold" = "80%" @@ -33,7 +33,7 @@ resource "kubernetes_persistent_volume_claim" "data_proxmox" { } spec { access_modes = ["ReadWriteOnce"] - storage_class_name = "proxmox-lvm" + storage_class_name = "proxmox-lvm-encrypted" resources { requests = { storage = "1Gi" @@ -154,7 +154,7 @@ resource "kubernetes_deployment" "hackmd" { volume { name = "data" persistent_volume_claim { - claim_name = kubernetes_persistent_volume_claim.data_proxmox.metadata[0].name + claim_name = kubernetes_persistent_volume_claim.data_encrypted.metadata[0].name } } } diff --git a/stacks/headscale/modules/headscale/main.tf b/stacks/headscale/modules/headscale/main.tf index 735a582f..5fb0c280 100644 --- a/stacks/headscale/modules/headscale/main.tf +++ b/stacks/headscale/modules/headscale/main.tf 
@@ -44,10 +44,10 @@ module "nfs_data_host" { nfs_path = "/srv/nfs/headscale" } -resource "kubernetes_persistent_volume_claim" "data_proxmox" { +resource "kubernetes_persistent_volume_claim" "data_encrypted" { wait_until_bound = false metadata { - name = "headscale-data-proxmox" + name = "headscale-data-encrypted" namespace = kubernetes_namespace.headscale.metadata[0].name annotations = { "resize.topolvm.io/threshold" = "80%" @@ -57,7 +57,7 @@ resource "kubernetes_persistent_volume_claim" "data_proxmox" { } spec { access_modes = ["ReadWriteOnce"] - storage_class_name = "proxmox-lvm" + storage_class_name = "proxmox-lvm-encrypted" resources { requests = { storage = "1Gi" @@ -186,7 +186,7 @@ resource "kubernetes_deployment" "headscale" { volume { name = "nfs-config" persistent_volume_claim { - claim_name = kubernetes_persistent_volume_claim.data_proxmox.metadata[0].name + claim_name = kubernetes_persistent_volume_claim.data_encrypted.metadata[0].name } } # container { @@ -466,7 +466,7 @@ resource "kubernetes_cron_job_v1" "headscale_backup" { volume { name = "data" persistent_volume_claim { - claim_name = kubernetes_persistent_volume_claim.data_proxmox.metadata[0].name + claim_name = kubernetes_persistent_volume_claim.data_encrypted.metadata[0].name } } volume { diff --git a/stacks/health/main.tf b/stacks/health/main.tf index af0108b2..5d1c5b05 100644 --- a/stacks/health/main.tf +++ b/stacks/health/main.tf @@ -20,10 +20,10 @@ module "tls_secret" { tls_secret_name = var.tls_secret_name } -resource "kubernetes_persistent_volume_claim" "uploads_proxmox" { +resource "kubernetes_persistent_volume_claim" "uploads_encrypted" { wait_until_bound = false metadata { - name = "health-uploads-proxmox" + name = "health-uploads-encrypted" namespace = kubernetes_namespace.health.metadata[0].name annotations = { "resize.topolvm.io/threshold" = "80%" 
@@ -33,7 +33,7 @@ resource "kubernetes_persistent_volume_claim" "uploads_proxmox" { } spec { access_modes = ["ReadWriteOnce"] - storage_class_name = "proxmox-lvm" + storage_class_name = "proxmox-lvm-encrypted" resources { requests = { storage = "2Gi" @@ -135,7 +135,7 @@ resource "kubernetes_deployment" "health" { volume { name = "uploads" persistent_volume_claim { - claim_name = kubernetes_persistent_volume_claim.uploads_proxmox.metadata[0].name + claim_name = kubernetes_persistent_volume_claim.uploads_encrypted.metadata[0].name } } } diff --git a/stacks/mailserver/modules/mailserver/main.tf b/stacks/mailserver/modules/mailserver/main.tf index 93069515..cf75d9ab 100644 --- a/stacks/mailserver/modules/mailserver/main.tf +++ b/stacks/mailserver/modules/mailserver/main.tf @@ -117,10 +117,10 @@ resource "kubernetes_config_map" "mailserver_config" { } EOF # Increase max IMAP connections per user+IP - all Roundcube connections come from same pod IP - "dovecot.cf" = <<-EOF + "dovecot.cf" = <<-EOF mail_max_userip_connections = 50 EOF - fail2ban_conf = <<-EOF + fail2ban_conf = <<-EOF [DEFAULT] #logtarget = /var/log/fail2ban.log @@ -167,10 +167,10 @@ resource "kubernetes_secret" "opendkim_key" { } -resource "kubernetes_persistent_volume_claim" "data_proxmox" { +resource "kubernetes_persistent_volume_claim" "data_encrypted" { wait_until_bound = false metadata { - name = "mailserver-data-proxmox" + name = "mailserver-data-encrypted" namespace = kubernetes_namespace.mailserver.metadata[0].name annotations = { "resize.topolvm.io/threshold" = "80%" @@ -180,7 +180,7 @@ resource "kubernetes_persistent_volume_claim" "data_proxmox" { } spec { access_modes = ["ReadWriteOnce"] - storage_class_name = "proxmox-lvm" + storage_class_name = "proxmox-lvm-encrypted" resources { requests = { storage = "2Gi" 
@@ -447,7 +447,7 @@ resource "kubernetes_deployment" "mailserver" { volume { name = "data" persistent_volume_claim { - claim_name = kubernetes_persistent_volume_claim.data_proxmox.metadata[0].name + claim_name = kubernetes_persistent_volume_claim.data_encrypted.metadata[0].name } # iscsi { # target_portal = "iscsi.viktorbarzin.lan:3260" diff --git a/stacks/mailserver/modules/mailserver/roundcubemail.tf b/stacks/mailserver/modules/mailserver/roundcubemail.tf index f0f649fd..62d11e4f 100644 --- a/stacks/mailserver/modules/mailserver/roundcubemail.tf +++ b/stacks/mailserver/modules/mailserver/roundcubemail.tf @@ -40,10 +40,10 @@ resource "kubernetes_config_map" "roundcubemail_config" { } -resource "kubernetes_persistent_volume_claim" "roundcube_html_proxmox" { +resource "kubernetes_persistent_volume_claim" "roundcube_html_encrypted" { wait_until_bound = false metadata { - name = "roundcubemail-html-proxmox" + name = "roundcubemail-html-encrypted" namespace = kubernetes_namespace.mailserver.metadata[0].name annotations = { "resize.topolvm.io/threshold" = "80%" @@ -53,7 +53,7 @@ resource "kubernetes_persistent_volume_claim" "roundcube_html_proxmox" { } spec { access_modes = ["ReadWriteOnce"] - storage_class_name = "proxmox-lvm" + storage_class_name = "proxmox-lvm-encrypted" resources { requests = { storage = "1Gi" @@ -62,10 +62,10 @@ resource "kubernetes_persistent_volume_claim" "roundcube_html_proxmox" { } } -resource "kubernetes_persistent_volume_claim" "roundcube_enigma_proxmox" { +resource "kubernetes_persistent_volume_claim" "roundcube_enigma_encrypted" { wait_until_bound = false metadata { - name = "roundcubemail-enigma-proxmox" + name = "roundcubemail-enigma-encrypted" namespace = kubernetes_namespace.mailserver.metadata[0].name annotations = { "resize.topolvm.io/threshold" = "80%" 
@@ -75,7 +75,7 @@ resource "kubernetes_persistent_volume_claim" "roundcube_enigma_proxmox" { } spec { access_modes = ["ReadWriteOnce"] - storage_class_name = "proxmox-lvm" + storage_class_name = "proxmox-lvm-encrypted" resources { requests = { storage = "1Gi" @@ -213,13 +213,13 @@ resource "kubernetes_deployment" "roundcubemail" { volume { name = "html" persistent_volume_claim { - claim_name = kubernetes_persistent_volume_claim.roundcube_html_proxmox.metadata[0].name + claim_name = kubernetes_persistent_volume_claim.roundcube_html_encrypted.metadata[0].name } } volume { name = "enigma" persistent_volume_claim { - claim_name = kubernetes_persistent_volume_claim.roundcube_enigma_proxmox.metadata[0].name + claim_name = kubernetes_persistent_volume_claim.roundcube_enigma_encrypted.metadata[0].name } } dns_config { diff --git a/stacks/matrix/main.tf b/stacks/matrix/main.tf index 0d8ac38e..48e81d20 100644 --- a/stacks/matrix/main.tf +++ b/stacks/matrix/main.tf @@ -56,10 +56,10 @@ module "tls_secret" { tls_secret_name = var.tls_secret_name } -resource "kubernetes_persistent_volume_claim" "data_proxmox" { +resource "kubernetes_persistent_volume_claim" "data_encrypted" { wait_until_bound = false metadata { - name = "matrix-data-proxmox" + name = "matrix-data-encrypted" namespace = kubernetes_namespace.matrix.metadata[0].name annotations = { "resize.topolvm.io/threshold" = "80%" @@ -69,7 +69,7 @@ resource "kubernetes_persistent_volume_claim" "data_proxmox" { } spec { access_modes = ["ReadWriteOnce"] - storage_class_name = "proxmox-lvm" + storage_class_name = "proxmox-lvm-encrypted" resources { requests = { storage = "1Gi" @@ -182,7 +182,7 @@ resource "kubernetes_deployment" "matrix" { volume { name = "data" persistent_volume_claim { - claim_name = kubernetes_persistent_volume_claim.data_proxmox.metadata[0].name + claim_name = kubernetes_persistent_volume_claim.data_encrypted.metadata[0].name } } volume { 
diff --git a/stacks/meshcentral/main.tf b/stacks/meshcentral/main.tf index 6757b651..4adaab82 100644 --- a/stacks/meshcentral/main.tf +++ b/stacks/meshcentral/main.tf @@ -21,10 +21,10 @@ module "tls_secret" { tls_secret_name = var.tls_secret_name } -resource "kubernetes_persistent_volume_claim" "data_proxmox" { +resource "kubernetes_persistent_volume_claim" "data_encrypted" { wait_until_bound = false metadata { - name = "meshcentral-data-proxmox" + name = "meshcentral-data-encrypted" namespace = kubernetes_namespace.meshcentral.metadata[0].name annotations = { "resize.topolvm.io/threshold" = "80%" @@ -34,7 +34,7 @@ resource "kubernetes_persistent_volume_claim" "data_proxmox" { } spec { access_modes = ["ReadWriteOnce"] - storage_class_name = "proxmox-lvm" + storage_class_name = "proxmox-lvm-encrypted" resources { requests = { storage = "1Gi" @@ -43,10 +43,10 @@ resource "kubernetes_persistent_volume_claim" "data_proxmox" { } } -resource "kubernetes_persistent_volume_claim" "files_proxmox" { +resource "kubernetes_persistent_volume_claim" "files_encrypted" { wait_until_bound = false metadata { - name = "meshcentral-files-proxmox" + name = "meshcentral-files-encrypted" namespace = kubernetes_namespace.meshcentral.metadata[0].name annotations = { "resize.topolvm.io/threshold" = "80%" @@ -56,7 +56,7 @@ resource "kubernetes_persistent_volume_claim" "files_proxmox" { } spec { access_modes = ["ReadWriteOnce"] - storage_class_name = "proxmox-lvm" + storage_class_name = "proxmox-lvm-encrypted" resources { requests = { storage = "1Gi" 
@@ -213,13 +213,13 @@ EOT volume { name = "data" persistent_volume_claim { - claim_name = kubernetes_persistent_volume_claim.data_proxmox.metadata[0].name + claim_name = kubernetes_persistent_volume_claim.data_encrypted.metadata[0].name } } volume { name = "files" persistent_volume_claim { - claim_name = kubernetes_persistent_volume_claim.files_proxmox.metadata[0].name + claim_name = kubernetes_persistent_volume_claim.files_encrypted.metadata[0].name } } volume { diff --git a/stacks/n8n/main.tf b/stacks/n8n/main.tf index 502c0757..daff4662 100644 --- a/stacks/n8n/main.tf +++ b/stacks/n8n/main.tf @@ -47,10 +47,10 @@ resource "kubernetes_manifest" "external_secret" { depends_on = [kubernetes_namespace.n8n] } -resource "kubernetes_persistent_volume_claim" "data_proxmox" { +resource "kubernetes_persistent_volume_claim" "data_encrypted" { wait_until_bound = false metadata { - name = "n8n-data-proxmox" + name = "n8n-data-encrypted" namespace = kubernetes_namespace.n8n.metadata[0].name annotations = { "resize.topolvm.io/threshold" = "80%" @@ -60,7 +60,7 @@ resource "kubernetes_persistent_volume_claim" "data_proxmox" { } spec { access_modes = ["ReadWriteOnce"] - storage_class_name = "proxmox-lvm" + storage_class_name = "proxmox-lvm-encrypted" resources { requests = { storage = "1Gi" @@ -225,7 +225,7 @@ resource "kubernetes_deployment" "n8n" { volume { name = "data" persistent_volume_claim { - claim_name = kubernetes_persistent_volume_claim.data_proxmox.metadata[0].name + claim_name = kubernetes_persistent_volume_claim.data_encrypted.metadata[0].name } } } diff --git a/stacks/nextcloud/chart_values.yaml b/stacks/nextcloud/chart_values.yaml index e54855d5..30a9c45f 100644 --- a/stacks/nextcloud/chart_values.yaml +++ b/stacks/nextcloud/chart_values.yaml @@ -115,7 +115,7 @@ externalDatabase: persistence: enabled: true - existingClaim: nextcloud-data-proxmox + existingClaim: nextcloud-data-encrypted accessMode: ReadWriteOnce size: 20Gi 
diff --git a/stacks/nextcloud/main.tf b/stacks/nextcloud/main.tf index f5e621f9..e8145710 100644 --- a/stacks/nextcloud/main.tf +++ b/stacks/nextcloud/main.tf @@ -184,9 +184,10 @@ resource "kubernetes_config_map" "apache_tuning" { # } # } -resource "kubernetes_persistent_volume_claim" "nextcloud_data_iscsi" { +resource "kubernetes_persistent_volume_claim" "nextcloud_data_encrypted" { + wait_until_bound = false metadata { - name = "nextcloud-data-proxmox" + name = "nextcloud-data-encrypted" namespace = kubernetes_namespace.nextcloud.metadata[0].name annotations = { "resize.topolvm.io/threshold" = "80%" @@ -196,7 +197,7 @@ resource "kubernetes_persistent_volume_claim" "nextcloud_data_iscsi" { } spec { access_modes = ["ReadWriteOnce"] - storage_class_name = "proxmox-lvm" + storage_class_name = "proxmox-lvm-encrypted" resources { requests = { storage = "20Gi" @@ -509,7 +510,7 @@ resource "kubernetes_cron_job_v1" "nextcloud-backup" { volume { name = "nextcloud-data" persistent_volume_claim { - claim_name = kubernetes_persistent_volume_claim.nextcloud_data_iscsi.metadata[0].name + claim_name = kubernetes_persistent_volume_claim.nextcloud_data_encrypted.metadata[0].name } } diff --git a/stacks/proxmox-csi/modules/proxmox-csi/main.tf b/stacks/proxmox-csi/modules/proxmox-csi/main.tf index 8ca69221..a94d5df6 100644 --- a/stacks/proxmox-csi/modules/proxmox-csi/main.tf +++ b/stacks/proxmox-csi/modules/proxmox-csi/main.tf @@ -2,7 +2,7 @@ resource "kubernetes_namespace" "proxmox_csi" { metadata { name = "proxmox-csi" labels = { - tier = var.tier + tier = var.tier "resource-governance/custom-quota" = "true" } } 
@@ -30,16 +30,34 @@ resource "helm_release" "proxmox_csi" {
 }
 
 # StorageClass for block volumes on existing HDD thin pool
- storageClass = [{
- name = "proxmox-lvm"
- storage = "local-lvm"
- reclaimPolicy = "Retain"
- fstype = "ext4"
- ssd = false
- cache = "none"
- volumeBindingMode = "WaitForFirstConsumer"
- allowVolumeExpansion = true
- }]
+ storageClass = [
+ {
+ name = "proxmox-lvm"
+ storage = "local-lvm"
+ reclaimPolicy = "Retain"
+ fstype = "ext4"
+ ssd = false
+ cache = "none"
+ volumeBindingMode = "WaitForFirstConsumer"
+ allowVolumeExpansion = true
+ },
+ {
+ name = "proxmox-lvm-encrypted"
+ storage = "local-lvm"
+ reclaimPolicy = "Retain"
+ fstype = "ext4"
+ ssd = false
+ cache = "none"
+ volumeBindingMode = "WaitForFirstConsumer"
+ allowVolumeExpansion = true
+ extraParameters = {
+ "csi.storage.k8s.io/node-stage-secret-name" = "proxmox-csi-encryption"
+ "csi.storage.k8s.io/node-stage-secret-namespace" = "kube-system"
+ "csi.storage.k8s.io/node-expand-secret-name" = "proxmox-csi-encryption"
+ "csi.storage.k8s.io/node-expand-secret-namespace" = "kube-system"
+ }
+ },
+ ]
 
 controller = {
 replicas = 2
@@ -49,10 +49,13 @@ resource "helm_release" "proxmox_csi" {
 }
 }
 
+ # LUKS2 Argon2id key derivation needs ~1GiB memory
 node = {
- resources = {
- requests = { cpu = "10m", memory = "32Mi" }
- limits = { memory = "64Mi" }
+ plugin = {
+ resources = {
+ requests = { cpu = "10m", memory = "64Mi" }
+ limits = { memory = "1280Mi" }
+ }
 }
 }
 })]
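Review bot: The four `extraParameters` strings hard-code the secret name `proxmox-csi-encryption` and namespace `kube-system`, and the ExternalSecret added later in this file hard-codes the same two values again, so the StorageClass and the Secret it depends on can silently drift apart; a `local` holding the name and namespace, referenced from both places, would tie them together. The leading `# StorageClass for block volumes on existing HDD thin pool` comment now describes two classes and the encrypted entry carries no comment of its own; a line such as `# LUKS-encrypted variant: the node-stage/node-expand secret holds one passphrase shared by every volume of this class` would document the trust boundary for the next reader. Since this class also keeps `reclaimPolicy = "Retain"`, it is worth noting in that comment that a released encrypted PV remains on the thin pool and is only as protected as the passphrase in that Secret.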
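Review bot: The memory request stays at 64Mi while the limit rises to 1280Mi for a burst the comment itself puts at ~1GiB, so the scheduler places the node plugin without reserving that memory and a LUKS open during node-stage on a busy node can be OOM-killed, leaving the volume unstaged until the pod restarts. Raising the request closer to the expected working set, or documenting why the gap is acceptable, would make the behaviour under memory pressure deliberate rather than incidental. The move from `node.resources` to `node.plugin.resources` looks like a chart values-schema change; if the chart version that introduced it is known, a comment naming it, e.g. `# node.plugin.resources is the values path used by chart version <VERSION-PLACEHOLDER>`, would save the next upgrade some guesswork.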
@@ -153,3 +174,36 @@ resource "kubernetes_cluster_role_binding" "pve_snapshot_admin" {
 namespace = "kube-system"
 }
 }
+
+# --- ExternalSecret for LUKS encryption passphrase ---
+# Creates K8s Secret "proxmox-csi-encryption" in kube-system from Vault KV.
+# Referenced by the proxmox-lvm-encrypted StorageClass for node-stage and node-expand.
+resource "kubernetes_manifest" "external_secret_encryption" {
+ manifest = {
+ apiVersion = "external-secrets.io/v1beta1"
+ kind = "ExternalSecret"
+ metadata = {
+ name = "proxmox-csi-encryption"
+ namespace = "kube-system"
+ }
+ spec = {
+ refreshInterval = "1h"
+ secretStoreRef = {
+ kind = "ClusterSecretStore"
+ name = "vault-kv"
+ }
+ target = {
+ name = "proxmox-csi-encryption"
+ creationPolicy = "Owner"
+ deletionPolicy = "Retain"
+ }
+ data = [{
+ secretKey = "encryption-passphrase"
+ remoteRef = {
+ key = "viktor"
+ property = "proxmox_csi_encryption_passphrase"
+ }
+ }]
+ }
+ }
+}
diff --git a/stacks/redis/modules/redis/main.tf b/stacks/redis/modules/redis/main.tf
index 5db72144..702e62e2 100644
--- a/stacks/redis/modules/redis/main.tf
+++ b/stacks/redis/modules/redis/main.tf
@@ -59,7 +59,7 @@ resource "helm_release" "redis" {
 master = {
 persistence = {
 enabled = true
- storageClass = "proxmox-lvm"
+ storageClass = "proxmox-lvm-encrypted"
 size = "2Gi"
 annotations = {
 "resize.topolvm.io/threshold" = "80%"
@@ -84,7 +84,7 @@ resource "helm_release" "redis" {
 
 persistence = {
 enabled = true
- storageClass = "proxmox-lvm"
+ storageClass = "proxmox-lvm-encrypted"
 size = "2Gi"
 annotations = {
 "resize.topolvm.io/threshold" = "80%"
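Review bot: `refreshInterval = "1h"` means any change to `proxmox_csi_encryption_passphrase` in Vault is pushed into the `proxmox-csi-encryption` Secret within the hour, but volumes already formatted through the encrypted StorageClass are keyed on the old passphrase, so a rotation in Vault breaks node-stage for every existing encrypted volume on its next mount and this commit contains no re-key step. The header comment should say so explicitly, e.g. `# Rotating this value in Vault does NOT re-key existing LUKS volumes; they will fail to stage until re-keyed.`, since `deletionPolicy = "Retain"` only protects against the Secret disappearing, not against its value changing. The Secret is also placed in `kube-system` while the namespace created earlier in this file is `proxmox-csi` (presumably where the node plugin runs), so any identity with secret read in kube-system can obtain the single passphrase protecting all encrypted volumes; scoping the Secret to the driver namespace, or documenting why kube-system is required by the CSI secret references, would narrow that exposure.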