Storage - Encryption at rest

Contributed by: Ville Vesilehto

All block storage devices created by the CSI driver can be optionally encrypted at rest.
Encryption support was added to the CSI driver in version v1.1.0.

Encryption at rest can be enabled by defining the encryption parameter in a storage class:

kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: upcloud-encrypted-block-storage
  namespace: kube-system
parameters:
  tier: maxiops
  encryption: data-at-rest
provisioner: storage.csi.upcloud.com

Once defined, use the newly created storage class for the storage that you want to encrypt:

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: csi-pvc-encrypted
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
  storageClassName: upcloud-encrypted-block-storage
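
To check that claims actually land on an encrypted class, the sketch below (an added example, not part of the UpCloud documentation or the CSI driver) audits a Kubernetes object list and reports PVCs whose storage class lacks `encryption: data-at-rest`. The class `example-plain-block-storage`, the `example-pvc-*` claims and the helper names are constructed for illustration; the input is assumed to have the shape of `kubectl get storageclass,pvc -A -o json`.

```python
"""Audit sketch: flag PVCs whose StorageClass does not request encryption at rest."""
PROVISIONER = "storage.csi.upcloud.com"  # provisioner from the StorageClass on this page

def unencrypted_claims(kube_list):
    """Return (namespace, name, reason) for each PVC not backed by an encrypted class."""
    items = kube_list.get("items", [])
    classes = {i["metadata"]["name"]: i for i in items if i.get("kind") == "StorageClass"}
    findings = []
    for pvc in items:
        if pvc.get("kind") != "PersistentVolumeClaim":
            continue
        meta = pvc["metadata"]
        sc_name = pvc.get("spec", {}).get("storageClassName")
        if not sc_name:
            reason = "no storageClassName set; cluster default not checked"
        elif sc_name not in classes:
            reason = f"storage class {sc_name} not present in input"
        else:
            sc = classes[sc_name]
            if sc.get("provisioner") != PROVISIONER:
                continue  # volumes from other provisioners are out of scope
            if (sc.get("parameters") or {}).get("encryption") == "data-at-rest":
                continue  # encrypted as described above
            reason = f"storage class {sc_name} lacks encryption: data-at-rest"
        findings.append((meta.get("namespace", "default"), meta["name"], reason))
    return findings

def _sc(name, params):
    return {"kind": "StorageClass", "metadata": {"name": name},
            "provisioner": PROVISIONER, "parameters": params}

def _pvc(name, sc_name):
    spec = {"storageClassName": sc_name} if sc_name else {}
    return {"kind": "PersistentVolumeClaim",
            "metadata": {"name": name, "namespace": "default"}, "spec": spec}

# Constructed sample in the shape of `kubectl get storageclass,pvc -A -o json`.
SAMPLE = {"kind": "List", "items": [
    _sc("upcloud-encrypted-block-storage", {"tier": "maxiops", "encryption": "data-at-rest"}),
    _sc("example-plain-block-storage", {"tier": "maxiops"}),  # constructed, no encryption
    _pvc("csi-pvc-encrypted", "upcloud-encrypted-block-storage"),
    _pvc("example-pvc-plain", "example-plain-block-storage"),
    _pvc("example-pvc-default", None),
]}

if __name__ == "__main__":
    for namespace, name, reason in unencrypted_claims(SAMPLE):
        print(f"{namespace}/{name}: {reason}")
```

Against a live cluster, load the `kubectl` JSON output with `json.load` and pass it to `unencrypted_claims`.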