feat(config): add encryption field for userVolumes

budimanjojo · budimanjojo · commit 046506632386 · 2025-07-22T10:19:28.000+07:00
Signed-off-by: budimanjojo &lt;budimanjojo@gmail.com&gt;
diff --git a/docs/docs/reference/configuration.md b/docs/docs/reference/configuration.md
@@ -533,6 +533,11 @@ userVolumes:
       maxSize: 50GiB
     filesystem:
       type: xfs
+    encryption:
+      provider: luks2
+      keys:
+        - slot: 0
+          tpm: {}
 ```
 </summary></td>
 <td markdown="1" align="center">`nil`</td>
@@ -1102,6 +1107,22 @@ filesystem:
 <td markdown="1" align="center">:negative_squared_cross_mark:</td>
 </tr>
 
+<tr markdown="1">
+<td markdown="1">`encryption`</td>
+<td markdown="1">[EncryptionSpec](#encryptionspec)</td>
+<td markdown="1">Encryption spec of the volume config.<details><summary>*Show example*</summary>
+```yaml
+encryption:
+  provider: luks2
+  keys:
+    - slot: 0
+      tpm: {}
+```
+</details></td>
+<td markdown="1" align="center">`nil`</td>
+<td markdown="1" align="center">:negative_squared_cross_mark:</td>
+</tr>
+
 </table>
 
 ## NetworkRule
@@ -1215,3 +1236,7 @@ In addition to this, there's also a `skipEnvsubst` key that can be set to `true`
 ## FilesystemSpec
 
 `FilesystemSpec` is type of upstream Talos <a href="https://www.talos.dev/v1.10/reference/configuration/block/uservolumeconfig/#UserVolumeConfig.filesystem" target="_blank">`block.ProvisioningSpec`</a>
+
+## EncryptionSpec
+
+`Encryption` is type of upstream Talos <a href="https://www.talos.dev/v1.10/reference/configuration/block/uservolumeconfig/#UserVolumeConfig.encryption" target="_blank">`block.EncryptionSpec`</a>
diff --git a/example/talconfig.yaml b/example/talconfig.yaml
@@ -40,6 +40,14 @@ nodes:
           maxSize: 50GiB
         filesystem:
           type: xfs
+        encryption:
+          provider: luks2
+          keys:
+            - slot: 0
+              tpm: {}
+            - slot: 1
+              static:
+                passphrase: topsecret
       - name: sata
         provisioning:
           diskSelector:
diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -106,6 +106,7 @@ type UserVolume struct {
 	Name         string                 `yaml:"name" jsonschema:"description=Name of user volume config"`
 	Provisioning block.ProvisioningSpec `yaml:"provisioning" jsonschema:"description=Provisioning spec of the user volume config"`
 	Filesystem   block.FilesystemSpec   `yaml:"filesystem" jsonschema:"description=Filesystem spec of the user volume config"`
+	Encryption   block.EncryptionSpec   `yaml:"encryption" jsonschema:"description=Encryption spec of the user volume config"`
 }
 
 type Volume struct {
diff --git a/pkg/talos/uservolumeconfig.go b/pkg/talos/uservolumeconfig.go
@@ -49,6 +49,7 @@ func GenerateUserVolumeConfig(cfgs []*config.UserVolume, mode string) ([]*block.
 		uvc.MetaName = uv.Name
 		uvc.ProvisioningSpec = uv.Provisioning
 		uvc.FilesystemSpec = uv.Filesystem
+		uvc.EncryptionSpec = uv.Encryption
 
 		if _, err := uvc.Validate(m); err != nil {
 			return nil, err
diff --git a/pkg/talos/uservolumeconfig_test.go b/pkg/talos/uservolumeconfig_test.go
@@ -22,6 +22,14 @@ func TestGenerateNodeUserVolumeConfig(t *testing.T) {
           maxSize: 50GiB
         filesystem:
           type: xfs
+        encryption:
+          provider: luks2
+          keys:
+            - slot: 0
+              tpm: {}
+            - slot: 1
+              static:
+                passphrase: topsecret
       - name: ceph-data2
         provisioning:
           diskSelector:
@@ -42,6 +50,19 @@ func TestGenerateNodeUserVolumeConfig(t *testing.T) {
 	expectedVolume1Filesystem := block.FilesystemSpec{
 		FilesystemType: blocktype.FilesystemTypeXFS,
 	}
+	expectedVolume1Encryption := block.EncryptionSpec{
+		EncryptionProvider: blocktype.EncryptionProviderLUKS2,
+		EncryptionKeys: []block.EncryptionKey{
+			{
+				KeySlot: 0,
+				KeyTPM:  &block.EncryptionKeyTPM{},
+			},
+			{
+				KeySlot:   1,
+				KeyStatic: &block.EncryptionKeyStatic{KeyData: "topsecret"},
+			},
+		},
+	}
 	expectedVolume2Name := "ceph-data2"
 	expectedVolume2Provisioning := block.ProvisioningSpec{
 		DiskSelectorSpec: block.DiskSelector{
@@ -58,6 +79,7 @@ func TestGenerateNodeUserVolumeConfig(t *testing.T) {
 	compare(result[0].Name(), expectedVolume1Name, t)
 	compare(result[0].ProvisioningSpec, expectedVolume1Provisioning, t)
 	compare(result[0].FilesystemSpec, expectedVolume1Filesystem, t)
+	compare(result[0].EncryptionSpec, expectedVolume1Encryption, t)
 	compare(result[1].Name(), expectedVolume2Name, t)
 	compare(result[1].ProvisioningSpec, expectedVolume2Provisioning, t)
 }

Original file line number	Diff line number	Diff line change
`@@ -106,6 +106,7 @@ type UserVolume struct {`
`106`	`106`	Name string `yaml:"name" jsonschema:"description=Name of user volume config"`
`107`	`107`	Provisioning block.ProvisioningSpec `yaml:"provisioning" jsonschema:"description=Provisioning spec of the user volume config"`
`108`	`108`	Filesystem block.FilesystemSpec `yaml:"filesystem" jsonschema:"description=Filesystem spec of the user volume config"`
	`109`	+ Encryption block.EncryptionSpec `yaml:"encryption" jsonschema:"description=Encryption spec of the user volume config"`
`109`	`110`	`}`
`110`	`111`
`111`	`112`	`type Volume struct {`