kubernetes
/
kops
mirror of https://github.com/kubernetes/kops.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Refactor EncryptionConfig

This commit is contained in:
John Gardiner Myers 2021-06-26 13:03:58 -07:00
parent fdf034058d
commit 60ae29c93c
3 changed files with 49 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
nodeup/pkg/model/kube_apiserver.go
View File

@ -64,9 +64,8 @@ func (b *KubeAPIServerBuilder) Build(c *fi.ModelBuilderContext) error {
return err return err
} }
if b.Cluster.Spec.EncryptionConfig != nil { if b.NodeupConfig.APIServerConfig.EncryptionConfigSecretHash != "" {
if *b.Cluster.Spec.EncryptionConfig { encryptionConfigPath := fi.String(filepath.Join(b.PathSrvKubernetes(), "kube-apiserver", "encryptionconfig.yaml"))
encryptionConfigPath := fi.String(filepath.Join(b.PathSrvKubernetes(), "encryptionconfig.yaml"))
kubeAPIServer.EncryptionProviderConfig = encryptionConfigPath kubeAPIServer.EncryptionProviderConfig = encryptionConfigPath
@ -85,7 +84,6 @@ func (b *KubeAPIServerBuilder) Build(c *fi.ModelBuilderContext) error {
return fmt.Errorf("encryptionConfig enabled, but could not load encryptionconfig secret: %v", err) return fmt.Errorf("encryptionConfig enabled, but could not load encryptionconfig secret: %v", err)
} }
} }
}
{ {
keyset, err := b.KeyStore.FindKeyset("service-account") keyset, err := b.KeyStore.FindKeyset("service-account")
if err != nil { if err != nil {

4
pkg/apis/nodeup/config.go
View File

@ -123,6 +123,10 @@ type StaticManifest struct {
type APIServerConfig struct { type APIServerConfig struct {
// KubeAPIServer is a copy of the KubeAPIServerConfig from the cluster spec. // KubeAPIServer is a copy of the KubeAPIServerConfig from the cluster spec.
KubeAPIServer *kops.KubeAPIServerConfig KubeAPIServer *kops.KubeAPIServerConfig
// EncryptionConfigSecretHash is a hash of the encryptionconfig secret.
// It is empty if EncryptionConfig is not enabled.
// TODO: give secrets IDs and look them up like we do keypairs.
EncryptionConfigSecretHash string `json:",omitempty"`
} }
func NewConfig(cluster *kops.Cluster, instanceGroup *kops.InstanceGroup) (*Config, *BootConfig) { func NewConfig(cluster *kops.Cluster, instanceGroup *kops.InstanceGroup) (*Config, *BootConfig) {

15
upup/pkg/fi/cloudup/apply_cluster.go
View File

@ -19,6 +19,8 @@ package cloudup
import ( import (
"bytes" "bytes"
"context" "context"
"crypto/sha256"
"encoding/base64"
"fmt" "fmt"
"io" "io"
"net" "net"
@ -333,6 +335,7 @@ func (c *ApplyClusterCmd) Run(ctx context.Context) error {
} }
} }
encryptionConfigSecretHash := ""
if fi.BoolValue(c.Cluster.Spec.EncryptionConfig) { if fi.BoolValue(c.Cluster.Spec.EncryptionConfig) {
secret, err := secretStore.FindSecret("encryptionconfig") secret, err := secretStore.FindSecret("encryptionconfig")
if err != nil { if err != nil {
@ -344,6 +347,8 @@ func (c *ApplyClusterCmd) Run(ctx context.Context) error {
fmt.Println("See `kops create secret encryptionconfig -h` and https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/") fmt.Println("See `kops create secret encryptionconfig -h` and https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/")
return fmt.Errorf("could not find encryptionconfig secret") return fmt.Errorf("could not find encryptionconfig secret")
} }
hashBytes := sha256.Sum256(secret.Data)
encryptionConfigSecretHash = base64.URLEncoding.EncodeToString(hashBytes[:])
} }
ciliumSpec := c.Cluster.Spec.Networking.Cilium ciliumSpec := c.Cluster.Spec.Networking.Cilium
@ -487,7 +492,7 @@ func (c *ApplyClusterCmd) Run(ctx context.Context) error {
cloud: cloud, cloud: cloud,
} }
configBuilder, err := newNodeUpConfigBuilder(cluster, assetBuilder, c.Assets) configBuilder, err := newNodeUpConfigBuilder(cluster, assetBuilder, c.Assets, encryptionConfigSecretHash)
if err != nil { if err != nil {
return err return err
} }
@ -1147,9 +1152,10 @@ type nodeUpConfigBuilder struct {
images map[kops.InstanceGroupRole]map[architectures.Architecture][]*nodeup.Image images map[kops.InstanceGroupRole]map[architectures.Architecture][]*nodeup.Image
protokubeAsset map[architectures.Architecture][]*mirrors.MirroredAsset protokubeAsset map[architectures.Architecture][]*mirrors.MirroredAsset
channelsAsset map[architectures.Architecture][]*mirrors.MirroredAsset channelsAsset map[architectures.Architecture][]*mirrors.MirroredAsset
encryptionConfigSecretHash string
} }
func newNodeUpConfigBuilder(cluster *kops.Cluster, assetBuilder *assets.AssetBuilder, assets map[architectures.Architecture][]*mirrors.MirroredAsset) (model.NodeUpConfigBuilder, error) { func newNodeUpConfigBuilder(cluster *kops.Cluster, assetBuilder *assets.AssetBuilder, assets map[architectures.Architecture][]*mirrors.MirroredAsset, encryptionConfigSecretHash string) (model.NodeUpConfigBuilder, error) {
configBase, err := vfs.Context.BuildVfsPath(cluster.Spec.ConfigBase) configBase, err := vfs.Context.BuildVfsPath(cluster.Spec.ConfigBase)
if err != nil { if err != nil {
return nil, fmt.Errorf("error parsing config base %q: %v", cluster.Spec.ConfigBase, err) return nil, fmt.Errorf("error parsing config base %q: %v", cluster.Spec.ConfigBase, err)
@ -1291,6 +1297,7 @@ func newNodeUpConfigBuilder(cluster *kops.Cluster, assetBuilder *assets.AssetBui
images: images, images: images,
protokubeAsset: protokubeAsset, protokubeAsset: protokubeAsset,
channelsAsset: channelsAsset, channelsAsset: channelsAsset,
encryptionConfigSecretHash: encryptionConfigSecretHash,
} }
return &configBuilder, nil return &configBuilder, nil
@ -1344,6 +1351,10 @@ func (n *nodeUpConfigBuilder) BuildConfig(ig *kops.InstanceGroup, apiserverAddit
} }
} }
if isMaster || role == kops.InstanceGroupRoleAPIServer {
config.APIServerConfig.EncryptionConfigSecretHash = n.encryptionConfigSecretHash
}
if isMaster || useGossip { if isMaster || useGossip {
for _, arch := range architectures.GetSupported() { for _, arch := range architectures.GetSupported() {
for _, a := range n.protokubeAsset[arch] { for _, a := range n.protokubeAsset[arch] {