Add flag for root volume encryption

Ciprian Hacman 2020-08-21 07:54:39 +03:00
parent 90fc25a25d
commit 2880e22bce
16 changed files with 42 additions and 2 deletions


@ -695,6 +695,10 @@ spec:
NOTE: This setting applies only to the Launch Configuration and NOTE: This setting applies only to the Launch Configuration and
does not affect Launch Templates.' does not affect Launch Templates.'
type: boolean type: boolean
rootVolumeEncryption:
description: RootVolumeEncryption enables EBS root volume encryption
for an instance
type: boolean
rootVolumeIops: rootVolumeIops:
description: If volume type is io1, then we need to specify the number description: If volume type is io1, then we need to specify the number
of Iops. of Iops.


@ -106,6 +106,8 @@ type InstanceGroupSpec struct {
// The root volume is deleted by default. Cluster deletion does not remove retained root volumes. // The root volume is deleted by default. Cluster deletion does not remove retained root volumes.
// NOTE: This setting applies only to the Launch Configuration and does not affect Launch Templates. // NOTE: This setting applies only to the Launch Configuration and does not affect Launch Templates.
RootVolumeDeleteOnTermination *bool `json:"rootVolumeDeleteOnTermination,omitempty"` RootVolumeDeleteOnTermination *bool `json:"rootVolumeDeleteOnTermination,omitempty"`
// RootVolumeEncryption enables EBS root volume encryption for an instance
RootVolumeEncryption *bool `json:"rootVolumeEncryption,omitempty"`
// Volumes is a collection of additional volumes to create for instances within this InstanceGroup // Volumes is a collection of additional volumes to create for instances within this InstanceGroup
Volumes []*VolumeSpec `json:"volumes,omitempty"` Volumes []*VolumeSpec `json:"volumes,omitempty"`
// VolumeMounts a collection of volume mounts // VolumeMounts a collection of volume mounts


@ -103,6 +103,8 @@ type InstanceGroupSpec struct {
// The root volume is deleted by default. Cluster deletion does not remove retained root volumes. // The root volume is deleted by default. Cluster deletion does not remove retained root volumes.
// NOTE: This setting applies only to the Launch Configuration and does not affect Launch Templates. // NOTE: This setting applies only to the Launch Configuration and does not affect Launch Templates.
RootVolumeDeleteOnTermination *bool `json:"rootVolumeDeleteOnTermination,omitempty"` RootVolumeDeleteOnTermination *bool `json:"rootVolumeDeleteOnTermination,omitempty"`
// RootVolumeEncryption enables EBS root volume encryption for an instance
RootVolumeEncryption *bool `json:"rootVolumeEncryption,omitempty"`
// Volumes is a collection of additional volumes to create for instances within this InstanceGroup // Volumes is a collection of additional volumes to create for instances within this InstanceGroup
Volumes []*VolumeSpec `json:"volumes,omitempty"` Volumes []*VolumeSpec `json:"volumes,omitempty"`
// VolumeMounts a collection of volume mounts // VolumeMounts a collection of volume mounts
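Review bot: The doc comment on the new `RootVolumeEncryption` field in this v1alpha2 InstanceGroupSpec says nothing about what an unset value means or which key encrypts the volume, and since the generated CRD description earlier in this commit is derived from this comment, it is the only place users will see it; none of the 16 files in this commit is a documentation page. The Terraform and CloudFormation fixtures in this commit emit only `encrypted = true` / `"Encrypted": true` with no KMS key, so presumably encryption falls to the account's default EBS key — confirm. I would expand the comment along the lines of `// RootVolumeEncryption enables EBS root volume encryption for an instance.` followed by `// When unset, the root volume keeps the encryption state of the AMI snapshot (or the account's EBS encryption-by-default setting); when true, the account's default EBS KMS key is used and a customer-managed key cannot be selected here.`, and mirror it on the internal API type. The InstanceGroupSpec struct continues beyond this hunk.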


@ -3303,6 +3303,7 @@ func autoConvert_v1alpha2_InstanceGroupSpec_To_kops_InstanceGroupSpec(in *Instan
out.RootVolumeIops = in.RootVolumeIops out.RootVolumeIops = in.RootVolumeIops
out.RootVolumeOptimization = in.RootVolumeOptimization out.RootVolumeOptimization = in.RootVolumeOptimization
out.RootVolumeDeleteOnTermination = in.RootVolumeDeleteOnTermination out.RootVolumeDeleteOnTermination = in.RootVolumeDeleteOnTermination
out.RootVolumeEncryption = in.RootVolumeEncryption
if in.Volumes != nil { if in.Volumes != nil {
in, out := &in.Volumes, &out.Volumes in, out := &in.Volumes, &out.Volumes
*out = make([]*kops.VolumeSpec, len(*in)) *out = make([]*kops.VolumeSpec, len(*in))
@ -3442,6 +3443,7 @@ func autoConvert_kops_InstanceGroupSpec_To_v1alpha2_InstanceGroupSpec(in *kops.I
out.RootVolumeIops = in.RootVolumeIops out.RootVolumeIops = in.RootVolumeIops
out.RootVolumeOptimization = in.RootVolumeOptimization out.RootVolumeOptimization = in.RootVolumeOptimization
out.RootVolumeDeleteOnTermination = in.RootVolumeDeleteOnTermination out.RootVolumeDeleteOnTermination = in.RootVolumeDeleteOnTermination
out.RootVolumeEncryption = in.RootVolumeEncryption
if in.Volumes != nil { if in.Volumes != nil {
in, out := &in.Volumes, &out.Volumes in, out := &in.Volumes, &out.Volumes
*out = make([]*VolumeSpec, len(*in)) *out = make([]*VolumeSpec, len(*in))


@ -1697,6 +1697,11 @@ func (in *InstanceGroupSpec) DeepCopyInto(out *InstanceGroupSpec) {
*out = new(bool) *out = new(bool)
**out = **in **out = **in
} }
if in.RootVolumeEncryption != nil {
in, out := &in.RootVolumeEncryption, &out.RootVolumeEncryption
*out = new(bool)
**out = **in
}
if in.Volumes != nil { if in.Volumes != nil {
in, out := &in.Volumes, &out.Volumes in, out := &in.Volumes, &out.Volumes
*out = make([]*VolumeSpec, len(*in)) *out = make([]*VolumeSpec, len(*in))


@ -1863,6 +1863,11 @@ func (in *InstanceGroupSpec) DeepCopyInto(out *InstanceGroupSpec) {
*out = new(bool) *out = new(bool)
**out = **in **out = **in
} }
if in.RootVolumeEncryption != nil {
in, out := &in.RootVolumeEncryption, &out.RootVolumeEncryption
*out = new(bool)
**out = **in
}
if in.Volumes != nil { if in.Volumes != nil {
in, out := &in.Volumes, &out.Volumes in, out := &in.Volumes, &out.Volumes
*out = make([]*VolumeSpec, len(*in)) *out = make([]*VolumeSpec, len(*in))


@ -128,6 +128,7 @@ func (b *AutoscalingGroupModelBuilder) buildLaunchTemplateTask(c *fi.ModelBuilde
RootVolumeSize: lc.RootVolumeSize, RootVolumeSize: lc.RootVolumeSize,
RootVolumeIops: lc.RootVolumeIops, RootVolumeIops: lc.RootVolumeIops,
RootVolumeType: lc.RootVolumeType, RootVolumeType: lc.RootVolumeType,
RootVolumeEncryption: lc.RootVolumeEncryption,
SSHKey: lc.SSHKey, SSHKey: lc.SSHKey,
SecurityGroups: lc.SecurityGroups, SecurityGroups: lc.SecurityGroups,
Tags: tags, Tags: tags,
@ -199,6 +200,7 @@ func (b *AutoscalingGroupModelBuilder) buildLaunchConfigurationTask(c *fi.ModelB
RootVolumeOptimization: ig.Spec.RootVolumeOptimization, RootVolumeOptimization: ig.Spec.RootVolumeOptimization,
RootVolumeSize: fi.Int64(int64(volumeSize)), RootVolumeSize: fi.Int64(int64(volumeSize)),
RootVolumeType: fi.String(volumeType), RootVolumeType: fi.String(volumeType),
RootVolumeEncryption: ig.Spec.RootVolumeEncryption,
SecurityGroups: []*awstasks.SecurityGroup{sgLink}, SecurityGroups: []*awstasks.SecurityGroup{sgLink},
} }


@ -226,7 +226,8 @@
"Ebs": { "Ebs": {
"VolumeType": "gp2", "VolumeType": "gp2",
"VolumeSize": 64, "VolumeSize": 64,
"DeleteOnTermination": true "DeleteOnTermination": true,
"Encrypted": true
} }
}, },
{ {
@ -336,7 +337,8 @@
"Ebs": { "Ebs": {
"VolumeType": "gp2", "VolumeType": "gp2",
"VolumeSize": 128, "VolumeSize": 128,
"DeleteOnTermination": true "DeleteOnTermination": true,
"Encrypted": true
} }
}, },
{ {


@ -86,6 +86,7 @@ spec:
- us-test-1a - us-test-1a
detailedInstanceMonitoring: true detailedInstanceMonitoring: true
rootVolumeDeleteOnTermination: false rootVolumeDeleteOnTermination: false
rootVolumeEncryption: true
volumes: volumes:
- device: /dev/xvdd - device: /dev/xvdd
deleteOnTermination: false deleteOnTermination: false
@ -114,6 +115,7 @@ spec:
maxSize: 1 maxSize: 1
minSize: 1 minSize: 1
role: Master role: Master
rootVolumeEncryption: true
subnets: subnets:
- us-test-1a - us-test-1a
additionalUserData: additionalUserData:


@ -86,6 +86,7 @@ spec:
- us-test-1a - us-test-1a
detailedInstanceMonitoring: true detailedInstanceMonitoring: true
rootVolumeDeleteOnTermination: false rootVolumeDeleteOnTermination: false
rootVolumeEncryption: true
volumes: volumes:
- device: /dev/xvdd - device: /dev/xvdd
deleteOnTermination: false deleteOnTermination: false
@ -114,6 +115,7 @@ spec:
maxSize: 1 maxSize: 1
minSize: 1 minSize: 1
role: Master role: Master
rootVolumeEncryption: true
subnets: subnets:
- us-test-1a - us-test-1a
additionalUserData: additionalUserData:


@ -293,6 +293,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-complex-example-com" {
device_name = "/dev/xvda" device_name = "/dev/xvda"
ebs { ebs {
delete_on_termination = true delete_on_termination = true
encrypted = true
volume_size = 64 volume_size = 64
volume_type = "gp2" volume_type = "gp2"
} }
@ -356,6 +357,7 @@ resource "aws_launch_template" "nodes-complex-example-com" {
device_name = "/dev/xvda" device_name = "/dev/xvda"
ebs { ebs {
delete_on_termination = true delete_on_termination = true
encrypted = true
volume_size = 128 volume_size = 128
volume_type = "gp2" volume_type = "gp2"
} }


@ -80,6 +80,8 @@ type LaunchConfiguration struct {
RootVolumeSize *int64 RootVolumeSize *int64
// RootVolumeType is the type of the EBS root volume to use (e.g. gp2) // RootVolumeType is the type of the EBS root volume to use (e.g. gp2)
RootVolumeType *string RootVolumeType *string
// RootVolumeEncryption enables EBS root volume encryption for an instance
RootVolumeEncryption *bool
// SSHKey is the ssh key for the instances // SSHKey is the ssh key for the instances
SSHKey *SSHKey SSHKey *SSHKey
// SecurityGroups is a list of security group associated // SecurityGroups is a list of security group associated
@ -201,6 +203,7 @@ func (e *LaunchConfiguration) Find(c *fi.Context) (*LaunchConfiguration, error)
actual.RootVolumeSize = b.Ebs.VolumeSize actual.RootVolumeSize = b.Ebs.VolumeSize
actual.RootVolumeType = b.Ebs.VolumeType actual.RootVolumeType = b.Ebs.VolumeType
actual.RootVolumeIops = b.Ebs.Iops actual.RootVolumeIops = b.Ebs.Iops
actual.RootVolumeEncryption = b.Ebs.Encrypted
actual.RootVolumeDeleteOnTermination = b.Ebs.DeleteOnTermination actual.RootVolumeDeleteOnTermination = b.Ebs.DeleteOnTermination
} else { } else {
_, d := BlockDeviceMappingFromAutoscaling(b) _, d := BlockDeviceMappingFromAutoscaling(b)
@ -386,6 +389,7 @@ func (t *LaunchConfiguration) buildRootDevice(cloud awsup.AWSCloud) (map[string]
EbsVolumeSize: t.RootVolumeSize, EbsVolumeSize: t.RootVolumeSize,
EbsVolumeType: t.RootVolumeType, EbsVolumeType: t.RootVolumeType,
EbsVolumeIops: t.RootVolumeIops, EbsVolumeIops: t.RootVolumeIops,
EbsEncrypted: t.RootVolumeEncryption,
} }
return bm, nil return bm, nil
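Review bot: On the launch-configuration path, `EbsEncrypted: t.RootVolumeEncryption` in buildRootDevice carries no KMS key, and as far as I recall the CreateLaunchConfiguration API does not accept a KMS key ID at all, so encryption requested through this field can only use the account's default EBS key; the field comment above should say so, e.g. `// RootVolumeEncryption enables EBS root volume encryption for an instance; launch configurations cannot select a KMS key, so the account's default EBS key is used.`. I also recall that launch configurations cannot encrypt a root volume on the fly from an unencrypted AMI, in which case setting this on an instance group that still uses launch configurations would fail at launch rather than at `kops update` — worth confirming against current AWS docs and, if true, rejecting or warning about in validation. Reading the flag back via `actual.RootVolumeEncryption = b.Ebs.Encrypted` in Find looks right: launch configurations are immutable, so toggling the field should produce a new one. Both Find and buildRootDevice start before their hunks.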


@ -57,6 +57,8 @@ type LaunchTemplate struct {
RootVolumeSize *int64 RootVolumeSize *int64
// RootVolumeType is the type of the EBS root volume to use (e.g. gp2) // RootVolumeType is the type of the EBS root volume to use (e.g. gp2)
RootVolumeType *string RootVolumeType *string
// RootVolumeEncryption enables EBS root volume encryption for an instance
RootVolumeEncryption *bool
// SSHKey is the ssh key for the instances // SSHKey is the ssh key for the instances
SSHKey *SSHKey SSHKey *SSHKey
// SecurityGroups is a list of security group associated // SecurityGroups is a list of security group associated
@ -113,6 +115,7 @@ func (t *LaunchTemplate) buildRootDevice(cloud awsup.AWSCloud) (map[string]*Bloc
EbsVolumeSize: t.RootVolumeSize, EbsVolumeSize: t.RootVolumeSize,
EbsVolumeType: t.RootVolumeType, EbsVolumeType: t.RootVolumeType,
EbsVolumeIops: t.RootVolumeIops, EbsVolumeIops: t.RootVolumeIops,
EbsEncrypted: t.RootVolumeEncryption,
} }
return bm, nil return bm, nil
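Review bot: `EbsEncrypted: t.RootVolumeEncryption` in buildRootDevice sets only the encrypted flag, and neither the CloudFormation nor the Terraform render in this commit passes a KMS key ID, so a root volume encrypted via this field presumably lands on the account's default EBS key — confirm. AWS documents that when that default is a customer-managed key, the Auto Scaling service-linked role must be granted use of the key or launched instances are terminated immediately, which is a failure mode users of this flag are likely to hit; I would add to the field comment at the top of this hunk: `// Uses the account's default EBS KMS key; if that key is customer-managed, the Auto Scaling service-linked role needs a grant on it.`. Launch templates, unlike launch configurations, can carry a KMS key ID in the block device mapping, so a key selector could be added later without changing the meaning of this boolean. buildRootDevice starts before this hunk.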


@ -231,6 +231,7 @@ func (t *LaunchTemplate) Find(c *fi.Context) (*LaunchTemplate, error) {
actual.RootVolumeSize = b.Ebs.VolumeSize actual.RootVolumeSize = b.Ebs.VolumeSize
actual.RootVolumeType = b.Ebs.VolumeType actual.RootVolumeType = b.Ebs.VolumeType
actual.RootVolumeIops = b.Ebs.Iops actual.RootVolumeIops = b.Ebs.Iops
actual.RootVolumeEncryption = b.Ebs.Encrypted
} else { } else {
_, d := BlockDeviceMappingFromLaunchTemplateBootDeviceRequest(b) _, d := BlockDeviceMappingFromLaunchTemplateBootDeviceRequest(b)
actual.BlockDeviceMappings = append(actual.BlockDeviceMappings, d) actual.BlockDeviceMappings = append(actual.BlockDeviceMappings, d)


@ -234,6 +234,7 @@ func (t *LaunchTemplate) RenderCloudformation(target *cloudformation.Cloudformat
IOPS: x.EbsVolumeIops, IOPS: x.EbsVolumeIops,
VolumeSize: x.EbsVolumeSize, VolumeSize: x.EbsVolumeSize,
VolumeType: x.EbsVolumeType, VolumeType: x.EbsVolumeType,
Encrypted: x.EbsEncrypted,
}, },
}) })
} }


@ -245,6 +245,7 @@ func (t *LaunchTemplate) RenderTerraform(target *terraform.TerraformTarget, a, e
EBS: []*terraformLaunchTemplateBlockDeviceEBS{ EBS: []*terraformLaunchTemplateBlockDeviceEBS{
{ {
DeleteOnTermination: fi.Bool(true), DeleteOnTermination: fi.Bool(true),
Encrypted: x.EbsEncrypted,
IOPS: x.EbsVolumeIops, IOPS: x.EbsVolumeIops,
VolumeSize: x.EbsVolumeSize, VolumeSize: x.EbsVolumeSize,
VolumeType: x.EbsVolumeType, VolumeType: x.EbsVolumeType,