Merge pull request #9885 from olemarkus/encryptionconfig-warn

Errors when encryptionConfig is enabled, but no encryptionconfig secret
2020-09-08 11:09:45 -07:00 · 2020-09-08 11:09:45 -07:00 · 68b2302b48
parent 3527d32b26 192d6a46f9
commit 68b2302b48
2 changed files with 17 additions and 2 deletions
--- a/nodeup/pkg/model/kube_apiserver.go
+++ b/nodeup/pkg/model/kube_apiserver.go
@ -71,8 +71,8 @@ func (b *KubeAPIServerBuilder) Build(c *fi.ModelBuilderContext) error {
 			}

 			key := "encryptionconfig"
-			encryptioncfg, _ := b.SecretStore.Secret(key)
-			if encryptioncfg != nil {
+			encryptioncfg, err := b.SecretStore.Secret(key)
+			if err == nil {
 				contents := string(encryptioncfg.Data)
 				t := &nodetasks.File{
 					Path:     *encryptionConfigPath,
@ -81,6 +81,8 @@ func (b *KubeAPIServerBuilder) Build(c *fi.ModelBuilderContext) error {
 					Type:     nodetasks.FileType_File,
 				}
 				c.AddTask(t)
+			} else {
+				return fmt.Errorf("encryptionConfig enabled, but could not load encryptionconfig secret: %v", err)
 			}
 		}
 	}
--- a/upup/pkg/fi/cloudup/apply_cluster.go
+++ b/upup/pkg/fi/cloudup/apply_cluster.go
@ -331,6 +331,19 @@ func (c *ApplyClusterCmd) Run(ctx context.Context) error {
 		}
 	}

+	if fi.BoolValue(c.Cluster.Spec.EncryptionConfig) {
+		secret, err := secretStore.FindSecret("encryptionconfig")
+		if err != nil {
+			return fmt.Errorf("could not load encryptionconfig secret: %v", err)
+		}
+		if secret == nil {
+			fmt.Println("")
+			fmt.Println("You have encryptionConfig enabled, but no encryptionconfig secret has been set.")
+			fmt.Println("See `kops create secret encryptionconfig -h` and https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/")
+			return fmt.Errorf("could not find encryptionconfig secret")
+		}
+	}
+
 	if err := c.addFileAssets(assetBuilder); err != nil {
 		return err
 	}