Hi
I wanted to use extraPVCs feature[PR/2276] provided by 1.19.0 release to mount the keyring_file for mysql data at rest encryption on a 3 node cluster.
I wanted to ask since the extraPVCs do not support storage classes and PVC template, do you have any suggestions on how can we ensure that PVC is available to all 3 pxc pods and that mount is highly available?
We were thinking of using longhorn or some other distributed block storage on k8s but wanted to ask if that’s the ideal solution?
@matthewb @Ege_Gunes
Hey @Yash_Daga
The extraPVCs feature only mounts pre-existing PVCs by name. This means you need to create the PVCs yourself before deploying the feature. Then all the pods of the respective component you configured will have access to this PVC.
So in that case, creating a StorageClass e.g. longhorn-rwx with replication configured and then creating a PVC with storageClassName: longhorn-rwx and accessMode: ReadWriteMany, should work.
1 Like
Hi @George_Kechagias, thanks for your response.
I was trying to perform backup and restore using xtrabackup for encrypted InnoDB tables using keyring mounted as extraPVC.
After taking backup I tried to restore into a cluster where I had loaded the previous cluster’s master keys in the same component_keyring_file mounted as extraPVC here as well.
But the restore job was failing with
2026-01-28T05:07:06.494451-00:00 0 [ERROR] [MY-011825] [Xtrabackup] Error reading xtrabackup_keys: failed to derive encryption key
2026-01-28T05:07:06.494502-00:00 0 [ERROR] [MY-011825] [Xtrabackup] failed to load tablespace keys
I figured that it was because the restore pod didn’t have the keyring file mounted, but I was not sure how can I mount it and also ensure that component_keyring_file config is also present there.
It would be great if you could help me with this, I also tried using transition-key but was facing a different issue there Cannot specify custom --transition-key for XtraBackup in Percona PXC Cluster
Thanks
Hey @Yash_Daga
Right now, we are not mounting the extraPVC to the restore pods, but actually, this is a very nice improvement. We prepared a ticket for this, and we will try to pick upo this work as soon as possible.
Have a look here: Jira
Thanks @George_Kechagias for the quick response.
Currently for component_keyring_file installation we had to modify the cluster image to have a global manifest in the usr/sbin directory and keyring config file in usr/lib64/mysql/plugin directory.
To use the component keyring config arg while applying restore, apart from the keyring file we would also need the config to be located somewhere in the restore pod.
Can you suggest any way to ensure that?
Is there an estimated time for the extraPVC feature to be available in restore pods? Actually we required it for a product with Feb end deadline, I can help by raising the PR.
Thanks again for your support!
Is there an estimated time for the extraPVC feature to be available in restore pods? Actually we required it for a product with Feb end deadline, I can help by raising the PR.
Your contribution would be more than welcome! Keep in mind, though, that you might have to create a custom image yourself with the fix in order to use it immediately instead of waiting the next release.