Merge pull request #2271 from pronix/feature/extend_PR_398

create encrypted volume during initiation cluster

cmd/kops/create_cluster.go

@@ -56,6 +56,7 @@ type CreateClusterOptions struct {
 	MasterSize           string
 	MasterCount          int32
 	NodeCount            int32
+	EncryptEtcdStorage   bool
 	Project              string
 	KubernetesVersion    string
 	OutDir               string
@@ -166,6 +167,7 @@ func NewCmdCreateCluster(f *util.Factory, out io.Writer) *cobra.Command {
 
 	cmd.Flags().Int32Var(&options.MasterCount, "master-count", options.MasterCount, "Set the number of masters.  Defaults to one master per master-zone")
 	cmd.Flags().Int32Var(&options.NodeCount, "node-count", options.NodeCount, "Set the number of nodes")
+	cmd.Flags().BoolVar(&options.EncryptEtcdStorage, "encrypt-etcd-storage", options.EncryptEtcdStorage, "Generate key in aws kms and use it for encrypt etcd volumes")
 
 	cmd.Flags().StringVar(&options.Image, "image", options.Image, "Image to use")
 
@@ -436,6 +438,9 @@ func RunCreateCluster(f *util.Factory, out io.Writer, c *CreateClusterOptions) e
 
 			for i, ig := range masters {
 				m := &api.EtcdMemberSpec{}
+				if c.EncryptEtcdStorage {
+					m.EncryptedVolume = &c.EncryptEtcdStorage
+				}
 				m.Name = names[i]
 
 				m.InstanceGroup = fi.String(ig.ObjectMeta.Name)

cmd/kops/create_cluster_integration_test.go

@@ -42,6 +42,8 @@ func TestCreateClusterMinimal(t *testing.T) {
 func TestCreateClusterHA(t *testing.T) {
 	runCreateClusterIntegrationTest(t, "../../tests/integration/create_cluster/ha", "v1alpha1")
 	runCreateClusterIntegrationTest(t, "../../tests/integration/create_cluster/ha", "v1alpha2")
+	runCreateClusterIntegrationTest(t, "../../tests/integration/create_cluster/ha_encrypt", "v1alpha1")
+	runCreateClusterIntegrationTest(t, "../../tests/integration/create_cluster/ha_encrypt", "v1alpha2")
 }
 
 // TestCreateClusterHASharedZones tests kops create cluster when the master count is bigger than the numebr of zones

tests/integration/create_cluster/ha_encrypt/expected-v1alpha1.yaml

@@ -0,0 +1,130 @@
+apiVersion: kops/v1alpha1
+kind: Cluster
+metadata:
+  creationTimestamp: 2017-01-01T00:00:00Z
+  name: ha.example.com
+spec:
+  adminAccess:
+  - 0.0.0.0/0
+  api:
+    dns: {}
+  authorization:
+    alwaysAllow: {}
+  channel: stable
+  cloudProvider: aws
+  configBase: memfs://tests/ha.example.com
+  etcdClusters:
+  - etcdMembers:
+    - encryptedVolume: true
+      name: a
+      zone: us-test-1a
+    - encryptedVolume: true
+      name: b
+      zone: us-test-1b
+    - encryptedVolume: true
+      name: c
+      zone: us-test-1c
+    name: main
+  - etcdMembers:
+    - encryptedVolume: true
+      name: a
+      zone: us-test-1a
+    - encryptedVolume: true
+      name: b
+      zone: us-test-1b
+    - encryptedVolume: true
+      name: c
+      zone: us-test-1c
+    name: events
+  kubernetesVersion: v1.6.0-alpha.3
+  masterPublicName: api.ha.example.com
+  networkCIDR: 172.20.0.0/16
+  networking:
+    kubenet: {}
+  nonMasqueradeCIDR: 100.64.0.0/10
+  topology:
+    dns:
+      type: Public
+    masters: public
+    nodes: public
+  zones:
+  - cidr: 172.20.32.0/19
+    name: us-test-1a
+  - cidr: 172.20.64.0/19
+    name: us-test-1b
+  - cidr: 172.20.96.0/19
+    name: us-test-1c
+
+---
+
+apiVersion: kops/v1alpha1
+kind: InstanceGroup
+metadata:
+  creationTimestamp: 2017-01-01T00:00:00Z
+  labels:
+    kops.k8s.io/cluster: ha.example.com
+  name: master-us-test-1a
+spec:
+  image: kope.io/k8s-1.5-debian-jessie-amd64-hvm-ebs-2017-01-09
+  machineType: m3.medium
+  maxSize: 1
+  minSize: 1
+  role: Master
+  zones:
+  - us-test-1a
+
+---
+
+apiVersion: kops/v1alpha1
+kind: InstanceGroup
+metadata:
+  creationTimestamp: 2017-01-01T00:00:00Z
+  labels:
+    kops.k8s.io/cluster: ha.example.com
+  name: master-us-test-1b
+spec:
+  image: kope.io/k8s-1.5-debian-jessie-amd64-hvm-ebs-2017-01-09
+  machineType: m3.medium
+  maxSize: 1
+  minSize: 1
+  role: Master
+  zones:
+  - us-test-1b
+
+---
+
+apiVersion: kops/v1alpha1
+kind: InstanceGroup
+metadata:
+  creationTimestamp: 2017-01-01T00:00:00Z
+  labels:
+    kops.k8s.io/cluster: ha.example.com
+  name: master-us-test-1c
+spec:
+  image: kope.io/k8s-1.5-debian-jessie-amd64-hvm-ebs-2017-01-09
+  machineType: m3.medium
+  maxSize: 1
+  minSize: 1
+  role: Master
+  zones:
+  - us-test-1c
+
+---
+
+apiVersion: kops/v1alpha1
+kind: InstanceGroup
+metadata:
+  creationTimestamp: 2017-01-01T00:00:00Z
+  labels:
+    kops.k8s.io/cluster: ha.example.com
+  name: nodes
+spec:
+  image: kope.io/k8s-1.5-debian-jessie-amd64-hvm-ebs-2017-01-09
+  machineType: t2.medium
+  maxSize: 2
+  minSize: 2
+  role: Node
+  zones:
+  - us-test-1a
+  - us-test-1b
+  - us-test-1c

tests/integration/create_cluster/ha_encrypt/expected-v1alpha2.yaml

@@ -0,0 +1,138 @@
+apiVersion: kops/v1alpha2
+kind: Cluster
+metadata:
+  creationTimestamp: 2017-01-01T00:00:00Z
+  name: ha.example.com
+spec:
+  api:
+    dns: {}
+  authorization:
+    alwaysAllow: {}
+  channel: stable
+  cloudProvider: aws
+  configBase: memfs://tests/ha.example.com
+  etcdClusters:
+  - etcdMembers:
+    - encryptedVolume: true
+      instanceGroup: master-us-test-1a
+      name: a
+    - encryptedVolume: true
+      instanceGroup: master-us-test-1b
+      name: b
+    - encryptedVolume: true
+      instanceGroup: master-us-test-1c
+      name: c
+    name: main
+  - etcdMembers:
+    - encryptedVolume: true
+      instanceGroup: master-us-test-1a
+      name: a
+    - encryptedVolume: true
+      instanceGroup: master-us-test-1b
+      name: b
+    - encryptedVolume: true
+      instanceGroup: master-us-test-1c
+      name: c
+    name: events
+  kubernetesApiAccess:
+  - 0.0.0.0/0
+  kubernetesVersion: v1.6.0-alpha.3
+  masterPublicName: api.ha.example.com
+  networkCIDR: 172.20.0.0/16
+  networking:
+    kubenet: {}
+  nonMasqueradeCIDR: 100.64.0.0/10
+  sshAccess:
+  - 0.0.0.0/0
+  subnets:
+  - cidr: 172.20.32.0/19
+    name: us-test-1a
+    type: Public
+    zone: us-test-1a
+  - cidr: 172.20.64.0/19
+    name: us-test-1b
+    type: Public
+    zone: us-test-1b
+  - cidr: 172.20.96.0/19
+    name: us-test-1c
+    type: Public
+    zone: us-test-1c
+  topology:
+    dns:
+      type: Public
+    masters: public
+    nodes: public
+
+---
+
+apiVersion: kops/v1alpha2
+kind: InstanceGroup
+metadata:
+  creationTimestamp: 2017-01-01T00:00:00Z
+  labels:
+    kops.k8s.io/cluster: ha.example.com
+  name: master-us-test-1a
+spec:
+  image: kope.io/k8s-1.5-debian-jessie-amd64-hvm-ebs-2017-01-09
+  machineType: m3.medium
+  maxSize: 1
+  minSize: 1
+  role: Master
+  subnets:
+  - us-test-1a
+
+---
+
+apiVersion: kops/v1alpha2
+kind: InstanceGroup
+metadata:
+  creationTimestamp: 2017-01-01T00:00:00Z
+  labels:
+    kops.k8s.io/cluster: ha.example.com
+  name: master-us-test-1b
+spec:
+  image: kope.io/k8s-1.5-debian-jessie-amd64-hvm-ebs-2017-01-09
+  machineType: m3.medium
+  maxSize: 1
+  minSize: 1
+  role: Master
+  subnets:
+  - us-test-1b
+
+---
+
+apiVersion: kops/v1alpha2
+kind: InstanceGroup
+metadata:
+  creationTimestamp: 2017-01-01T00:00:00Z
+  labels:
+    kops.k8s.io/cluster: ha.example.com
+  name: master-us-test-1c
+spec:
+  image: kope.io/k8s-1.5-debian-jessie-amd64-hvm-ebs-2017-01-09
+  machineType: m3.medium
+  maxSize: 1
+  minSize: 1
+  role: Master
+  subnets:
+  - us-test-1c
+
+---
+
+apiVersion: kops/v1alpha2
+kind: InstanceGroup
+metadata:
+  creationTimestamp: 2017-01-01T00:00:00Z
+  labels:
+    kops.k8s.io/cluster: ha.example.com
+  name: nodes
+spec:
+  image: kope.io/k8s-1.5-debian-jessie-amd64-hvm-ebs-2017-01-09
+  machineType: t2.medium
+  maxSize: 2
+  minSize: 2
+  role: Node
+  subnets:
+  - us-test-1a
+  - us-test-1b
+  - us-test-1c

tests/integration/create_cluster/ha_encrypt/options.yaml

@@ -0,0 +1,12 @@
+ClusterName: ha.example.com
+Zones:
+- us-test-1a
+- us-test-1b
+- us-test-1c
+MasterZones:
+- us-test-1a
+- us-test-1b
+- us-test-1c
+Cloud: aws
+KubernetesVersion: v1.6.0-alpha.3
+EncryptEtcdStorage: true