kubernetes
/
kops
mirror of https://github.com/kubernetes/kops.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Refactor EncryptionConfig

This commit is contained in:
John Gardiner Myers 2021-06-26 13:03:58 -07:00
parent fdf034058d
commit 60ae29c93c
3 changed files with 49 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
nodeup/pkg/model/kube_apiserver.go
View File

@ -64,26 +64,24 @@ func (b *KubeAPIServerBuilder) Build(c *fi.ModelBuilderContext) error {
return err
}
if b.Cluster.Spec.EncryptionConfig != nil {
if *b.Cluster.Spec.EncryptionConfig {
encryptionConfigPath := fi.String(filepath.Join(b.PathSrvKubernetes(), "encryptionconfig.yaml"))
if b.NodeupConfig.APIServerConfig.EncryptionConfigSecretHash != "" {
encryptionConfigPath := fi.String(filepath.Join(b.PathSrvKubernetes(), "kube-apiserver", "encryptionconfig.yaml"))
kubeAPIServer.EncryptionProviderConfig = encryptionConfigPath
kubeAPIServer.EncryptionProviderConfig = encryptionConfigPath
key := "encryptionconfig"
encryptioncfg, err := b.SecretStore.Secret(key)
if err == nil {
contents := string(encryptioncfg.Data)
t := &nodetasks.File{
Path: *encryptionConfigPath,
Contents: fi.NewStringResource(contents),
Mode: fi.String("600"),
Type: nodetasks.FileType_File,
}
c.AddTask(t)
} else {
return fmt.Errorf("encryptionConfig enabled, but could not load encryptionconfig secret: %v", err)
key := "encryptionconfig"
encryptioncfg, err := b.SecretStore.Secret(key)
if err == nil {
contents := string(encryptioncfg.Data)
t := &nodetasks.File{
Path: *encryptionConfigPath,
Contents: fi.NewStringResource(contents),
Mode: fi.String("600"),
Type: nodetasks.FileType_File,
}
c.AddTask(t)
} else {
return fmt.Errorf("encryptionConfig enabled, but could not load encryptionconfig secret: %v", err)
}
}
{

4
pkg/apis/nodeup/config.go
View File

@ -123,6 +123,10 @@ type StaticManifest struct {
type APIServerConfig struct {
// KubeAPIServer is a copy of the KubeAPIServerConfig from the cluster spec.
KubeAPIServer *kops.KubeAPIServerConfig
// EncryptionConfigSecretHash is a hash of the encryptionconfig secret.
// It is empty if EncryptionConfig is not enabled.
// TODO: give secrets IDs and look them up like we do keypairs.
EncryptionConfigSecretHash string `json:",omitempty"`
}
func NewConfig(cluster *kops.Cluster, instanceGroup *kops.InstanceGroup) (*Config, *BootConfig) {

49
upup/pkg/fi/cloudup/apply_cluster.go
View File

@ -19,6 +19,8 @@ package cloudup
import (
"bytes"
"context"
"crypto/sha256"
"encoding/base64"
"fmt"
"io"
"net"
@ -333,6 +335,7 @@ func (c *ApplyClusterCmd) Run(ctx context.Context) error {
}
}
encryptionConfigSecretHash := ""
if fi.BoolValue(c.Cluster.Spec.EncryptionConfig) {
secret, err := secretStore.FindSecret("encryptionconfig")
if err != nil {
@ -344,6 +347,8 @@ func (c *ApplyClusterCmd) Run(ctx context.Context) error {
fmt.Println("See `kops create secret encryptionconfig -h` and https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/")
return fmt.Errorf("could not find encryptionconfig secret")
}
hashBytes := sha256.Sum256(secret.Data)
encryptionConfigSecretHash = base64.URLEncoding.EncodeToString(hashBytes[:])
}
ciliumSpec := c.Cluster.Spec.Networking.Cilium
@ -487,7 +492,7 @@ func (c *ApplyClusterCmd) Run(ctx context.Context) error {
cloud: cloud,
}
configBuilder, err := newNodeUpConfigBuilder(cluster, assetBuilder, c.Assets)
configBuilder, err := newNodeUpConfigBuilder(cluster, assetBuilder, c.Assets, encryptionConfigSecretHash)
if err != nil {
return err
}
@ -1139,17 +1144,18 @@ type nodeUpConfigBuilder struct {
// url with hash: <hex>@http://... or <hex>@https://...
assets map[architectures.Architecture][]*mirrors.MirroredAsset
assetBuilder *assets.AssetBuilder
channels []string
configBase vfs.Path
cluster *kops.Cluster
etcdManifests map[kops.InstanceGroupRole][]string
images map[kops.InstanceGroupRole]map[architectures.Architecture][]*nodeup.Image
protokubeAsset map[architectures.Architecture][]*mirrors.MirroredAsset
channelsAsset map[architectures.Architecture][]*mirrors.MirroredAsset
assetBuilder *assets.AssetBuilder
channels []string
configBase vfs.Path
cluster *kops.Cluster
etcdManifests map[kops.InstanceGroupRole][]string
images map[kops.InstanceGroupRole]map[architectures.Architecture][]*nodeup.Image
protokubeAsset map[architectures.Architecture][]*mirrors.MirroredAsset
channelsAsset map[architectures.Architecture][]*mirrors.MirroredAsset
encryptionConfigSecretHash string
}
func newNodeUpConfigBuilder(cluster *kops.Cluster, assetBuilder *assets.AssetBuilder, assets map[architectures.Architecture][]*mirrors.MirroredAsset) (model.NodeUpConfigBuilder, error) {
func newNodeUpConfigBuilder(cluster *kops.Cluster, assetBuilder *assets.AssetBuilder, assets map[architectures.Architecture][]*mirrors.MirroredAsset, encryptionConfigSecretHash string) (model.NodeUpConfigBuilder, error) {
configBase, err := vfs.Context.BuildVfsPath(cluster.Spec.ConfigBase)
if err != nil {
return nil, fmt.Errorf("error parsing config base %q: %v", cluster.Spec.ConfigBase, err)
@ -1282,15 +1288,16 @@ func newNodeUpConfigBuilder(cluster *kops.Cluster, assetBuilder *assets.AssetBui
}
configBuilder := nodeUpConfigBuilder{
assetBuilder: assetBuilder,
assets: assets,
channels: channels,
configBase: configBase,
cluster: cluster,
etcdManifests: etcdManifests,
images: images,
protokubeAsset: protokubeAsset,
channelsAsset: channelsAsset,
assetBuilder: assetBuilder,
assets: assets,
channels: channels,
configBase: configBase,
cluster: cluster,
etcdManifests: etcdManifests,
images: images,
protokubeAsset: protokubeAsset,
channelsAsset: channelsAsset,
encryptionConfigSecretHash: encryptionConfigSecretHash,
}
return &configBuilder, nil
@ -1344,6 +1351,10 @@ func (n *nodeUpConfigBuilder) BuildConfig(ig *kops.InstanceGroup, apiserverAddit
}
}
if isMaster || role == kops.InstanceGroupRoleAPIServer {
config.APIServerConfig.EncryptionConfigSecretHash = n.encryptionConfigSecretHash
}
if isMaster || useGossip {
for _, arch := range architectures.GetSupported() {
for _, a := range n.protokubeAsset[arch] {