Refactor EncryptionConfig

This commit is contained in:
John Gardiner Myers 2021-06-26 13:03:58 -07:00
parent fdf034058d
commit 60ae29c93c
3 changed files with 49 additions and 36 deletions


@ -64,26 +64,24 @@ func (b *KubeAPIServerBuilder) Build(c *fi.ModelBuilderContext) error {
return err return err
} }
if b.Cluster.Spec.EncryptionConfig != nil { if b.NodeupConfig.APIServerConfig.EncryptionConfigSecretHash != "" {
if *b.Cluster.Spec.EncryptionConfig { encryptionConfigPath := fi.String(filepath.Join(b.PathSrvKubernetes(), "kube-apiserver", "encryptionconfig.yaml"))
encryptionConfigPath := fi.String(filepath.Join(b.PathSrvKubernetes(), "encryptionconfig.yaml"))
kubeAPIServer.EncryptionProviderConfig = encryptionConfigPath kubeAPIServer.EncryptionProviderConfig = encryptionConfigPath
key := "encryptionconfig" key := "encryptionconfig"
encryptioncfg, err := b.SecretStore.Secret(key) encryptioncfg, err := b.SecretStore.Secret(key)
if err == nil { if err == nil {
contents := string(encryptioncfg.Data) contents := string(encryptioncfg.Data)
t := &nodetasks.File{ t := &nodetasks.File{
Path: *encryptionConfigPath, Path: *encryptionConfigPath,
Contents: fi.NewStringResource(contents), Contents: fi.NewStringResource(contents),
Mode: fi.String("600"), Mode: fi.String("600"),
Type: nodetasks.FileType_File, Type: nodetasks.FileType_File,
}
c.AddTask(t)
} else {
return fmt.Errorf("encryptionConfig enabled, but could not load encryptionconfig secret: %v", err)
} }
c.AddTask(t)
} else {
return fmt.Errorf("encryptionConfig enabled, but could not load encryptionconfig secret: %v", err)
} }
} }
{ {
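Review bot: The new gate `if b.NodeupConfig.APIServerConfig.EncryptionConfigSecretHash != "" {` only tests that a hash was handed down; the secret then fetched from `b.SecretStore.Secret(key)` is written to disk without ever being compared against that hash, so a secret store view that diverges from what `kops update cluster` hashed (a rotation racing the apply, or a stale/mirrored store) is installed silently. Since the hash is already computed as base64url(SHA-256(secret.Data)) on the cloudup side, nodeup can recompute it and fail closed on mismatch, which also turns the hash into an integrity check rather than just a change trigger; this needs `crypto/sha256` and `encoding/base64` in this file's import block, which is outside the hunk. Separately, the path moved from `/srv/kubernetes/encryptionconfig.yaml` to `/srv/kubernetes/kube-apiserver/encryptionconfig.yaml`, and nothing visible here removes the old file, so an upgraded control-plane node presumably keeps a second copy of the encryption keys at the old path unless something else cleans it up. `Build` starts before and continues after this hunk.
```go
		if err == nil {
			// Fail closed if the secret fetched on this node is not the one the
			// nodeup config was built against (e.g. a rotation raced the apply).
			sum := sha256.Sum256(encryptioncfg.Data)
			if got := base64.URLEncoding.EncodeToString(sum[:]); got != b.NodeupConfig.APIServerConfig.EncryptionConfigSecretHash {
				return fmt.Errorf("encryptionconfig secret hash %q does not match expected hash %q", got, b.NodeupConfig.APIServerConfig.EncryptionConfigSecretHash)
			}
			// … unchanged: contents / nodetasks.File / c.AddTask …
```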


@ -123,6 +123,10 @@ type StaticManifest struct {
type APIServerConfig struct { type APIServerConfig struct {
// KubeAPIServer is a copy of the KubeAPIServerConfig from the cluster spec. // KubeAPIServer is a copy of the KubeAPIServerConfig from the cluster spec.
KubeAPIServer *kops.KubeAPIServerConfig KubeAPIServer *kops.KubeAPIServerConfig
// EncryptionConfigSecretHash is a hash of the encryptionconfig secret.
// It is empty if EncryptionConfig is not enabled.
// TODO: give secrets IDs and look them up like we do keypairs.
EncryptionConfigSecretHash string `json:",omitempty"`
} }
func NewConfig(cluster *kops.Cluster, instanceGroup *kops.InstanceGroup) (*Config, *BootConfig) { func NewConfig(cluster *kops.Cluster, instanceGroup *kops.InstanceGroup) (*Config, *BootConfig) {
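Review bot: The doc comment on the new `EncryptionConfigSecretHash` field does not say which hash or encoding it carries, so a consumer that wants to verify the secret against it has to go read apply_cluster.go; the value is established there as base64url(SHA-256(secret.Data)). It is also empty for non-control-plane roles, not only when encryption is disabled, per the `isMaster || role == kops.InstanceGroupRoleAPIServer` gate in BuildConfig. I would write `// EncryptionConfigSecretHash is the base64url-encoded SHA-256 of the encryptionconfig secret's contents.` followed by `// It is empty if EncryptionConfig is not enabled, and is only populated for roles that run kube-apiserver.` Worth a one-line caveat too that this is a fingerprint of secret material: harmless for the high-entropy keys the encryption config should contain, but it would let someone holding the nodeup config confirm a guessed config offline, which is one more reason not to put low-entropy keys in it.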


@ -19,6 +19,8 @@ package cloudup
import ( import (
"bytes" "bytes"
"context" "context"
"crypto/sha256"
"encoding/base64"
"fmt" "fmt"
"io" "io"
"net" "net"
@ -333,6 +335,7 @@ func (c *ApplyClusterCmd) Run(ctx context.Context) error {
} }
} }
encryptionConfigSecretHash := ""
if fi.BoolValue(c.Cluster.Spec.EncryptionConfig) { if fi.BoolValue(c.Cluster.Spec.EncryptionConfig) {
secret, err := secretStore.FindSecret("encryptionconfig") secret, err := secretStore.FindSecret("encryptionconfig")
if err != nil { if err != nil {
@ -344,6 +347,8 @@ func (c *ApplyClusterCmd) Run(ctx context.Context) error {
fmt.Println("See `kops create secret encryptionconfig -h` and https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/") fmt.Println("See `kops create secret encryptionconfig -h` and https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/")
return fmt.Errorf("could not find encryptionconfig secret") return fmt.Errorf("could not find encryptionconfig secret")
} }
hashBytes := sha256.Sum256(secret.Data)
encryptionConfigSecretHash = base64.URLEncoding.EncodeToString(hashBytes[:])
} }
ciliumSpec := c.Cluster.Spec.Networking.Cilium ciliumSpec := c.Cluster.Spec.Networking.Cilium
@ -487,7 +492,7 @@ func (c *ApplyClusterCmd) Run(ctx context.Context) error {
cloud: cloud, cloud: cloud,
} }
configBuilder, err := newNodeUpConfigBuilder(cluster, assetBuilder, c.Assets) configBuilder, err := newNodeUpConfigBuilder(cluster, assetBuilder, c.Assets, encryptionConfigSecretHash)
if err != nil { if err != nil {
return err return err
} }
@ -1139,17 +1144,18 @@ type nodeUpConfigBuilder struct {
// url with hash: <hex>@http://... or <hex>@https://... // url with hash: <hex>@http://... or <hex>@https://...
assets map[architectures.Architecture][]*mirrors.MirroredAsset assets map[architectures.Architecture][]*mirrors.MirroredAsset
assetBuilder *assets.AssetBuilder assetBuilder *assets.AssetBuilder
channels []string channels []string
configBase vfs.Path configBase vfs.Path
cluster *kops.Cluster cluster *kops.Cluster
etcdManifests map[kops.InstanceGroupRole][]string etcdManifests map[kops.InstanceGroupRole][]string
images map[kops.InstanceGroupRole]map[architectures.Architecture][]*nodeup.Image images map[kops.InstanceGroupRole]map[architectures.Architecture][]*nodeup.Image
protokubeAsset map[architectures.Architecture][]*mirrors.MirroredAsset protokubeAsset map[architectures.Architecture][]*mirrors.MirroredAsset
channelsAsset map[architectures.Architecture][]*mirrors.MirroredAsset channelsAsset map[architectures.Architecture][]*mirrors.MirroredAsset
encryptionConfigSecretHash string
} }
func newNodeUpConfigBuilder(cluster *kops.Cluster, assetBuilder *assets.AssetBuilder, assets map[architectures.Architecture][]*mirrors.MirroredAsset) (model.NodeUpConfigBuilder, error) { func newNodeUpConfigBuilder(cluster *kops.Cluster, assetBuilder *assets.AssetBuilder, assets map[architectures.Architecture][]*mirrors.MirroredAsset, encryptionConfigSecretHash string) (model.NodeUpConfigBuilder, error) {
configBase, err := vfs.Context.BuildVfsPath(cluster.Spec.ConfigBase) configBase, err := vfs.Context.BuildVfsPath(cluster.Spec.ConfigBase)
if err != nil { if err != nil {
return nil, fmt.Errorf("error parsing config base %q: %v", cluster.Spec.ConfigBase, err) return nil, fmt.Errorf("error parsing config base %q: %v", cluster.Spec.ConfigBase, err)
@ -1282,15 +1288,16 @@ func newNodeUpConfigBuilder(cluster *kops.Cluster, assetBuilder *assets.AssetBui
} }
configBuilder := nodeUpConfigBuilder{ configBuilder := nodeUpConfigBuilder{
assetBuilder: assetBuilder, assetBuilder: assetBuilder,
assets: assets, assets: assets,
channels: channels, channels: channels,
configBase: configBase, configBase: configBase,
cluster: cluster, cluster: cluster,
etcdManifests: etcdManifests, etcdManifests: etcdManifests,
images: images, images: images,
protokubeAsset: protokubeAsset, protokubeAsset: protokubeAsset,
channelsAsset: channelsAsset, channelsAsset: channelsAsset,
encryptionConfigSecretHash: encryptionConfigSecretHash,
} }
return &configBuilder, nil return &configBuilder, nil
@ -1344,6 +1351,10 @@ func (n *nodeUpConfigBuilder) BuildConfig(ig *kops.InstanceGroup, apiserverAddit
} }
} }
if isMaster || role == kops.InstanceGroupRoleAPIServer {
config.APIServerConfig.EncryptionConfigSecretHash = n.encryptionConfigSecretHash
}
if isMaster || useGossip { if isMaster || useGossip {
for _, arch := range architectures.GetSupported() { for _, arch := range architectures.GetSupported() {
for _, a := range n.protokubeAsset[arch] { for _, a := range n.protokubeAsset[arch] {
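Review bot: The branch `if isMaster || role == kops.InstanceGroupRoleAPIServer {` gives an empty `EncryptionConfigSecretHash` two meanings for nodeup, encryption not enabled or not a control-plane role, while the field's comment in the nodeup config only describes the first; a why-comment here would keep that explicit, e.g. `// Only roles that run kube-apiserver need the encryptionconfig fingerprint; nodeup treats an empty hash as "encryption not configured".` Restricting it to these roles is the right least-privilege choice, since the value is derived from the secret's contents and a worker has no use for it. In the earlier hunk, `encryptionConfigSecretHash := ""` reads more idiomatically as `var encryptionConfigSecretHash string`, and the hash is taken from a single `FindSecret` at apply time while nodeup re-reads the store later, so the commit's own TODO about secret IDs is the real fix for that window. Both `Run` and `BuildConfig` continue outside these hunks.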