openebs · balaharish7 · May 26, 2025 · May 22, 2025 · May 23, 2025 · May 23, 2025
@@ -0,0 +1,106 @@
+{
+  "version.label": {
+    "message": "4.2.x",
+    "description": "The label for version 4.2.x"
+  },
+  "sidebar.docs.category.Introduction to OpenEBS": {
+    "message": "Introduction to OpenEBS",
+    "description": "The label for category Introduction to OpenEBS in sidebar docs"
+  },
+  "sidebar.docs.category.Concepts": {
+    "message": "Concepts",
+    "description": "The label for category Concepts in sidebar docs"
+  },
+  "sidebar.docs.category.Data Engines": {
+    "message": "Data Engines",
+    "description": "The label for category Data Engines in sidebar docs"
+  },
+  "sidebar.docs.category.Quickstart Guide": {
+    "message": "Quickstart Guide",
+    "description": "The label for category Quickstart Guide in sidebar docs"
+  },
+  "sidebar.docs.category.User Guides": {
+    "message": "User Guides",
+    "description": "The label for category User Guides in sidebar docs"
+  },
+  "sidebar.docs.category.Local Storage User Guide": {
+    "message": "Local Storage User Guide",
+    "description": "The label for category Local Storage User Guide in sidebar docs"
+  },
+  "sidebar.docs.category.Local PV Hostpath": {
+    "message": "Local PV Hostpath",
+    "description": "The label for category Local PV Hostpath in sidebar docs"
+  },
+  "sidebar.docs.category.Configuration": {
+    "message": "Configuration",
+    "description": "The label for category Configuration in sidebar docs"
+  },
+  "sidebar.docs.category.Advanced Operations": {
+    "message": "Advanced Operations",
+    "description": "The label for category Advanced Operations in sidebar docs"
+  },
+  "sidebar.docs.category.XFS Quota": {
+    "message": "XFS Quota",
+    "description": "The label for category XFS Quota in sidebar docs"
+  },
+  "sidebar.docs.category.Local PV LVM": {
+    "message": "Local PV LVM",
+    "description": "The label for category Local PV LVM in sidebar docs"
+  },
+  "sidebar.docs.category.Local PV ZFS": {
+    "message": "Local PV ZFS",
+    "description": "The label for category Local PV ZFS in sidebar docs"
+  },
+  "sidebar.docs.category.Additional Information": {
+    "message": "Additional Information",
+    "description": "The label for category Additional Information in sidebar docs"
+  },
+  "sidebar.docs.category.Replicated Storage User Guide": {
+    "message": "Replicated Storage User Guide",
+    "description": "The label for category Replicated Storage User Guide in sidebar docs"
+  },
+  "sidebar.docs.category.Replicated PV Mayastor": {
+    "message": "Replicated PV Mayastor",
+    "description": "The label for category Replicated PV Mayastor in sidebar docs"
+  },
+  "sidebar.docs.category.Data Migration": {
+    "message": "Data Migration",
+    "description": "The label for category Data Migration in sidebar docs"
+  },
+  "sidebar.docs.category.Migration using Velero": {
+    "message": "Migration using Velero",
+    "description": "The label for category Migration using Velero in sidebar docs"
+  },
+  "sidebar.docs.category.Migration for Distributed DB": {
+    "message": "Migration for Distributed DB",
+    "description": "The label for category Migration for Distributed DB in sidebar docs"
+  },
+  "sidebar.docs.category.Migration for Replicated DB": {
+    "message": "Migration for Replicated DB",
+    "description": "The label for category Migration for Replicated DB in sidebar docs"
+  },
+  "sidebar.docs.category.Solutioning": {
+    "message": "Solutioning",
+    "description": "The label for category Solutioning in sidebar docs"
+  },
+  "sidebar.docs.category.OpenEBS on K8s Platforms": {
+    "message": "OpenEBS on K8s Platforms",
+    "description": "The label for category OpenEBS on K8s Platforms in sidebar docs"
+  },
+  "sidebar.docs.category.Read-Write-Many": {
+    "message": "Read-Write-Many",
+    "description": "The label for category Read-Write-Many in sidebar docs"
+  },
+  "sidebar.docs.category.Backup and Restore": {
+    "message": "Backup and Restore",
+    "description": "The label for category Backup and Restore in sidebar docs"
+  },
+  "sidebar.docs.category.Troubleshooting": {
+    "message": "Troubleshooting",
+    "description": "The label for category Troubleshooting in sidebar docs"
+  },
+  "sidebar.docs.category.Support": {
+    "message": "Support",
+    "description": "The label for category Support in sidebar docs"
+  }
+}
@@ -0,0 +1,120 @@
+---
+id: encryption
+title: Encryption
+keywords:
+ - Encryption
+ - Data Encryption
+ - Encrypted Volumes
+description: This guide explains about the Data Encryption At-Rest feature.
+---
+
+## Overview
+
+OpenEBS supports data-at-rest encryption to ensure the confidentiality of persistent disk data. By configuring disk pools with user-defined encryption keys, the pools themselves are encrypted, and volume replicas placed on these pools are automatically encrypted. This approach is especially beneficial for meeting security and regulatory compliance requirements.
+
+This guide outlines how to enable encryption in Mayastor DiskPools and use them for volume replica placement.
+
+## Prerequisites
+
+Before provisioning encrypted volumes, ensure the following are set up:
+
+### Create a Kubernetes Secret with AES-XTS Keys
+
+Encryption in Mayastor uses the AES-XTS cipher, which requires two 128-bit hex-encoded keys.
+
+**Example: Kubernetes Secret**
+```
+apiVersion: v1
+kind: Secret
+metadata:
+  name: pool-encr-secret
+  namespace: mayastor
+type: Opaque
+immutable: true
+stringData:
+  encryption_parameters: |
+    {
+      "cipher": "AesXts",
+      "key": "2b7e151628aed2a6abf7158809cf4f3c",
+      "key_len": 128,
+      "key2": "2b7e151628aed2a6abf7158809cf4f3d",
+      "key2_len": 128
+    }
+```
+
+:::note
+You can additionally use Kubernetes built-in resource encryption to secure this Secret resource. Refer to the [Encrypting Confidential Data at Rest Documentation](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/) for more information.
+:::
+
+### Configure DiskPool to Use the Encryption Secret
+
+Reference the encryption secret in the `DiskPool` resource to enable encrypted storage.
+
+**Example: DiskPool Configuration**
+```
+apiVersion: "openebs.io/v1beta3"
+kind: DiskPool
+metadata:
+  name: <POOL_NAME>
+  namespace: mayastor
+spec:
+  node: <NODE_NAME>
+  disks: ["/dev/disk/by-id/<DEVICE_NAME>"]
+  encryptionConfig:
+    source:
+      secret:
+        name: pool-encr-secret
+```
+
+### Define StorageClass for Encrypted Volumes
+
+To place volume replicas on encrypted pools, set `encrypted: "true"` in the `StorageClass`.
+
+**Example: StorageClass**
+
+```
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: mayastor-2-encr
+parameters:
+  protocol: nvmf
+  repl: "2"
+  encrypted: "true"
+provisioner: io.openebs.csi-mayastor
+reclaimPolicy: Delete
+```
+
+## Migrating from Non-Encrypted to Encrypted Pools
+
+Currently, there is no automatic support for migrating existing unencrypted volumes. The following manual migration steps are recommended:
+
+**Migration Steps**
+
+1. Identify Target Pool: Select a non-encrypted pool (Example: P1) to migrate.
+2. List Volumes on P1: Identify all volumes with replicas on P1.
+3. (Optional) Scale Up Volumes: Increase replica count (Example: from 2 to 3) to maintain availability.
+4. Mayastor Cordon Node: Cordon the mayastor node hosting P1 to stop new replicas from being scheduled using the plugin command `kubectl mayastor cordon node N1 key=value`.
+5. Update Volume Config: Set encrypted: true using the Mayastor plugin command `kubectl mayastor set volume <volume-id> encryption true`.
+6. Scale Down Volumes: Reduce replica count to remove replicas from P1.
+7. Recreate Encrypted Pool:
+    - Delete the non-encrypted pool.
+    - Recreate it with encryption using the previously defined secret.
+8. Scale-up Volumes: Increase replica count to allow new encrypted replicas to be created on the new pool.
+9. Optional Replica Adjustment: After migration, optionally reduce replica count back to the original.
+
+:::note
+Monitor disk space and health throughout the migration to avoid service disruption.
+:::
+
+## Validation and Tips
+
+- The Kubernetes Secret must be created before applying the DiskPool.
+- Key rotation is not supported at this time.
+- Persistent device paths are required for pool creation. Retrieve them using:
+```
+kubectl mayastor get block-devices <node-id>
+```
+:::note
+Pool and volume migration is manual and requires careful planning.
+:::
@@ -323,18 +323,19 @@ as the storage class has `zone` as the value for `poolHasTopologyKey` that match
 This feature enforces the following rules to ensure the proper placement and distribution of replicas and targets so that there is not any single point of failure affecting multiple instances of StatefulSet.
 
 1. Anti-Affinity among single-replica volumes:
- This rule ensures that replicas of different volumes are distributed in such a way that there is no single point of failure. By avoiding the colocation of replicas from different volumes on the same node.
+    This rule ensures that replicas of different volumes are distributed in such a way that there is no single point of failure. By avoiding the colocation of replicas from different volumes on the same node.
 
-2.  Anti-Affinity among multi-replica volumes: 
-
-If the affinity group volumes have multiple replicas, they already have some level of redundancy. This feature ensures that in such cases, the replicas are distributed optimally for the stsAffinityGroup volumes.
+2.  Anti-Affinity among multi-replica volumes:
+    If the affinity group volumes have multiple replicas, they already have some level of redundancy. This feature ensures that in such cases, the replicas are distributed optimally for the stsAffinityGroup volumes.
 
 3. Anti-affinity among targets:
+    The [High Availability](../replicated-pv-mayastor/advanced-operations/HA.md) feature ensures that there is no single point of failure for the targets.
+    The `stsAffinityGroup` ensures that in such cases, the targets are distributed optimally for the stsAffinityGroup volumes.
 
-The [High Availability](../replicated-pv-mayastor/advanced-operations/HA.md) feature ensures that there is no single point of failure for the targets.
-The `stsAffinityGroup` ensures that in such cases, the targets are distributed optimally for the stsAffinityGroup volumes.
+    By default, the `stsAffinityGroup` feature is disabled. To enable it, modify the storage class YAML by setting the `parameters.stsAffinityGroup` parameter to true.
 
-By default, the `stsAffinityGroup` feature is disabled. To enable it, modify the storage class YAML by setting the `parameters.stsAffinityGroup` parameter to true.
+#### Known Limitation
+For multi-replica volumes that are part of a `stsAffinityGroup`, scaling down is permitted only up to two replicas. Reducing the replica count below two is not supported.
 
 ### "cloneFsIdAsVolumeId"
 

@@ -59,7 +59,7 @@ helm repo update
 
 3. Execute `kubectl openebs upgrade -n <namespace>` to upgrade OpenEBS.
 
-4. Monitor the upgrade status using `kubectl openebs get upgrade-status -n <namespace>`.
+4. Monitor the upgrade status using `kubectl openebs get upgrade status -n <namespace>`.
 
 5. Verify that the CRDs, Volumes, Snapshots, and StoragePools are not affected by the upgrade process.
 
@@ -92,7 +92,7 @@ Follow these steps to upgrade OpenEBS from version 4.x to 4.3:
 
 2. Execute `kubectl openebs upgrade -n <namespace>` to upgrade OpenEBS.
 
-3. Monitor the upgrade status using `kubectl openebs get upgrade-status -n <namespace>`.
+3. Monitor the upgrade status using `kubectl openebs get upgrade status -n <namespace>`.
 
 4. Verify that the CRDs, Volumes, Snapshots, and StoragePools are not affected by the upgrade process.
 

@@ -483,6 +483,21 @@ module.exports = {
                       id: "user-guides/replicated-storage-user-guide/replicated-pv-mayastor/advanced-operations/supportability",
                       label: "Supportability"
                     },
+                    {
+                      type: "doc",
+                      id: "user-guides/replicated-storage-user-guide/replicated-pv-mayastor/advanced-operations/replica-operations",
+                      label: "Replica Operations"
+                    },
+                    {
+                      type: "doc",
+                      id: "user-guides/replicated-storage-user-guide/replicated-pv-mayastor/advanced-operations/eventing",
+                      label: "Eventing"
+                    },
+                    {
+                      type: "doc",
+                      id: "user-guides/replicated-storage-user-guide/replicated-pv-mayastor/advanced-operations/call-home-metrics",
+                      label: "Call-Home Metrics"
+                    },
                     {
                       type: "doc",
                       id: "user-guides/replicated-storage-user-guide/replicated-pv-mayastor/advanced-operations/monitoring",
@@ -543,21 +558,6 @@ module.exports = {
                       id: "user-guides/replicated-storage-user-guide/replicated-pv-mayastor/additional-information/io-path-description",
                       label: "I/O Path Description"
                     },
-                    {
-                      type: "doc",
-                      id: "user-guides/replicated-storage-user-guide/replicated-pv-mayastor/additional-information/replica-operations",
-                      label: "Replica Operations"
-                    },
-                    {
-                      type: "doc",
-                      id: "user-guides/replicated-storage-user-guide/replicated-pv-mayastor/additional-information/eventing",
-                      label: "Eventing"
-                    },
-                    {
-                      type: "doc",
-                      id: "user-guides/replicated-storage-user-guide/replicated-pv-mayastor/additional-information/call-home-metrics",
-                      label: "Call-Home Metrics"
-                    },
                     {
                       type: "doc",
                       id: "user-guides/replicated-storage-user-guide/replicated-pv-mayastor/additional-information/ttps",