Configuring on-disk encryption for the database server

Setting the helm attribute “onedb.encryptionAtRest” to true enables disk encryption for OneDB database server storage spaces. The encryption key and the stash file content are stored in a pod-specific Kubernetes Secret object. Kubernetes Secret object naming convention: <helm release.name>-ear-onedb0 for the onedb-server-0 pod and <helm release.name>-ear-onedb1 for the onedb-server-1 pod.

Important: Make sure to back up the content of these Kubernetes Secret objects. Without the data from these Secret objects, OneDB storage space content cannot be decrypted, and data must be restored from a database backup.

The helm uninstall command does not delete these Kubernetes Secret objects, and the helm install command reuses their content if the OneDB server pods are started using pre-existing PVCs. These Secret objects must be deleted manually if they are no longer needed.

Example:
$ kubectl get secrets
NAME                                                  TYPE                                  DATA   AGE
onedb-ear-onedb0                                      Opaque                                2      3h40m
onedb-ear-onedb1                                      Opaque                                2      3h43m

$ kubectl describe secret onedb-ear-onedb0
Name:         onedb-ear-onedb0
Namespace:    onedb-nagaraju
Labels:       app=OneDB
              type=ear
Annotations:  <none>

Type:  Opaque

Data
====
p12:  5291 bytes
stl:  32 bytes
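The following script is an added example, not part of the OneDB documentation or the OneDB Helm chart. It shows one way to turn the backup advice above into a checked procedure: it derives the expected Secret names from the release name, validates a Secret object (as returned by `kubectl get secret <name> -o json`) against what the `kubectl describe` output above shows (labels app=OneDB and type=ear, type Opaque, data keys p12 and stl with non-empty content), and builds the `kubectl get secret ... -o yaml` command used to dump the object to a file kept outside the cluster. The sample Secret embedded in the script is constructed for the example; its p12 and stl payloads are placeholder bytes sized to match the 5291 and 32 bytes shown above, not a real keystore or stash file.

```python
"""
Added example (not part of the OneDB documentation or Helm chart): validate and
back up the per-pod encryption-at-rest (EAR) Secrets created when
onedb.encryptionAtRest is true.

Assumptions (labelled): Secret names follow <release>-ear-onedb<N>, carry the
labels app=OneDB and type=ear, are of type Opaque, and hold exactly the two data
keys shown on the page, "p12" (keystore) and "stl" (stash file).
"""
import base64
import json
import re
import subprocess

SECRET_NAME_RE = re.compile(r"^(?P<release>.+)-ear-onedb(?P<index>\d+)$")
REQUIRED_DATA_KEYS = ("p12", "stl")   # keystore and stash file, as in the describe output


def expected_secret_names(release: str, replicas: int) -> list:
    """Names of the EAR Secrets for onedb-server-0 .. onedb-server-(replicas-1)."""
    return [f"{release}-ear-onedb{i}" for i in range(replicas)]


def validate_ear_secret(secret: dict) -> dict:
    """Check one Secret object (shape of `kubectl get secret -o json`) and return
    the decoded byte length of each required data key. Raises ValueError on any
    mismatch so a backup job fails loudly instead of saving an unusable object."""
    meta = secret.get("metadata", {})
    name = meta.get("name", "")
    if not SECRET_NAME_RE.match(name):
        raise ValueError(f"{name!r} does not follow <release>-ear-onedb<N>")
    labels = meta.get("labels", {})
    if labels.get("app") != "OneDB" or labels.get("type") != "ear":
        raise ValueError(f"{name}: expected labels app=OneDB,type=ear, got {labels}")
    if secret.get("type") != "Opaque":
        raise ValueError(f"{name}: expected Secret type Opaque")
    data = secret.get("data", {})
    sizes = {}
    for key in REQUIRED_DATA_KEYS:
        if key not in data:
            raise ValueError(f"{name}: data key {key!r} missing; storage spaces could not be decrypted from this backup")
        raw = base64.b64decode(data[key], validate=True)
        if not raw:
            raise ValueError(f"{name}: data key {key!r} is empty")
        sizes[key] = len(raw)
    return sizes


def backup_command(name: str, namespace: str) -> list:
    """kubectl invocation that prints the Secret as YAML, to be redirected into a
    file stored outside the cluster."""
    return ["kubectl", "get", "secret", name, "-n", namespace, "-o", "yaml"]


def backup_secret(name: str, namespace: str, out_path: str) -> dict:
    """Fetch the Secret from the cluster, validate it, and write the YAML dump to
    out_path (needs kubectl and cluster access; returns the validated sizes)."""
    secret = json.loads(subprocess.check_output(
        ["kubectl", "get", "secret", name, "-n", namespace, "-o", "json"], text=True))
    sizes = validate_ear_secret(secret)          # refuse to back up a broken object
    yaml_text = subprocess.check_output(backup_command(name, namespace), text=True)
    with open(out_path, "w") as fh:
        fh.write(yaml_text)
    return sizes


# Constructed sample: shape of `kubectl get secret onedb-ear-onedb0 -o json`.
# The p12/stl payloads are placeholder bytes sized like the describe output (5291 / 32).
SAMPLE_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "Opaque",
    "metadata": {"name": "onedb-ear-onedb0", "namespace": "onedb-nagaraju",
                 "labels": {"app": "OneDB", "type": "ear"}},
    "data": {
        "p12": base64.b64encode(b"\x30\x82" + b"P" * 5289).decode(),
        "stl": base64.b64encode(b"S" * 32).decode(),
    },
}

if __name__ == "__main__":
    print(json.dumps(validate_ear_secret(SAMPLE_SECRET)))   # {"p12": 5291, "stl": 32}
    for n in expected_secret_names("onedb", 2):
        print(" ".join(backup_command(n, "onedb-nagaraju")), ">", f"{n}.yaml")
```

Run it against the live cluster with backup_secret("onedb-ear-onedb0", "onedb-nagaraju", "onedb-ear-onedb0.yaml") for each name from expected_secret_names; the validation step ensures a Secret missing either p12 or stl is never silently archived as a "backup".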