fixup! enable at-rest storage encryption by default

cryostatio · Oct 18, 2024 · d4cf55d · d4cf55d
1 parent 400eb70
commit d4cf55d
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 0 deletions.
diff --git a/charts/cryostat/README.md b/charts/cryostat/README.md
@@ -122,6 +122,7 @@ helm install cryostat ./charts/cryostat
 | `storage.image.repository`          | Repository for the storage container image                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | `quay.io/cryostat/cryostat-storage` |
 | `storage.image.pullPolicy`          | Image pull policy for the storage container image                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | `Always`                            |
 | `storage.image.tag`                 | Tag for the storage container image                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | `latest`                            |
+| `storage.encryption.enabled`        | Enable at-rest encryption of stored objects. The storage container will generate a secret key for each stored object and use this key to encrypt and decrypt objects transparently. The key is written to the object metadata, so in the default storage container configuration this only adds a small layer of additional security.                                                                                                                                                                                              | `true`                              |
 | `storage.service.type`              | Type of Service to create for the object storage                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | `ClusterIP`                         |
 | `storage.service.port`              | Port number to expose on the Service                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | `8333`                              |
 | `storage.resources.requests.cpu`    | CPU resource request for the object storage container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)                                                                                                                                                                                                                                                                                                                                                       | `50m`                               |

diff --git a/charts/cryostat/values.schema.json b/charts/cryostat/values.schema.json
@@ -474,6 +474,16 @@
                         }
                     }
                 },
+                "encryption": {
+                    "type": "object",
+                    "properties": {
+                        "enabled": {
+                            "type": "boolean",
+                            "description": "Enable at-rest encryption of stored objects. The storage container will generate a secret key for each stored object and use this key to encrypt and decrypt objects transparently. The key is written to the object metadata, so in the default storage container configuration this only adds a small layer of additional security.",
+                            "default": true
+                        }
+                    }
+                },
                 "service": {
                     "type": "object",
                     "properties": {