GCP Persistent Disk CSI Driver for Constellation
January 22, 2026 ยท View on GitHub
Important
Constellation is no longer actively maintained by Edgeless Systems.
This project is no longer receiving updates or support from Edgeless Systems. The repository remains available for archival purposes and community use. New development continues in Contrast, which provides workload-level confidential computing using Confidential Containers. ๐ https://github.com/edgelesssys/contrast
This is a fork of the GCP CSI driver with added encryption features for Constellation.
About
This driver allows a Constellation cluster to use GCP Persistent Disks.
Plugin Features
CreateVolume Parameters
| Parameter | Values | Default | Description |
|---|---|---|---|
| type | Any PD type (see GCP documentation), eg pd-ssd pd-balanced | pd-standard | Type allows you to choose between standard Persistent Disks or Solid State Drive Persistent Disks |
| replication-type | none OR regional-pd | none | Replication type allows you to choose between Zonal Persistent Disks or Regional Persistent Disks |
| disk-encryption-kms-key | Fully qualified resource identifier for the key to use to encrypt new disks. | Empty string. | Encrypt disk using Customer Managed Encryption Key (CMEK). See GKE Docs for details. |
| labels | key1=value1,key2=value2 | Labels allow you to assign custom GCE Disk labels. | |
| provisioned-iops-on-create | string (int64 format). Values typically between 10,000 and 120,000 | Indicates how many IOPS to provision for the disk. See the Extreme persistent disk documentation for details, including valid ranges for IOPS. | |
| provisioned-throughput-on-create | string (int64 format). Values typically between 1 and 7,124 mb per second | Indicates how much throughput to provision for the disk. See the hyperdisk documentation for details, including valid ranges for throughput. | |
| resource-tags | <parent_id1>/<tag_key1>/<tag_value1>,<parent_id2>/<tag_key2>/<tag_value2> | Resource tags allow you to attach user-defined tags to each Compute Disk, Image and Snapshot. See Tags overview, Creating and managing tags. |
Topology
This driver supports only one topology key:
topology.gke.io/zone
that represents availability by zone (e.g. us-central1-c, etc.).
Driver Deployment
Use helm to deploy the driver to your cluster:
helm install gcp-csi-driver charts/ --namespace=kube-system
Wait for the driver setup to finish:
kubectl wait -n kube-system deployments csi-gce-pd-controller --for condition=available
Proceed to use to learn how to create a storage class for provisioning encrypted storage to your workloads.
Remove the driver using helm:
helm uninstall
Further Documentation
To build the driver container image:
driver_version=v0.0.0-test
GCE_PD_CSI_STAGING_IMAGE=ghcr.io/edgelesssys/constellation/gcp-csi-driver \
GCE_PD_CSI_STAGING_VERSION=${driver_version} \
make push-container
License
This project is licensed under the AGPLv3. It's based on code licensed under the Apache 2.0 license.