Merge pull request #9793 from hakman/root-vol-encrypt

Add flag for root volume encryption

k8s/crds/kops.k8s.io_instancegroups.yaml

@@ -695,6 +695,10 @@ spec:
                   NOTE: This setting applies only to the Launch Configuration and
                   does not affect Launch Templates.'
                 type: boolean
+              rootVolumeEncryption:
+                description: RootVolumeEncryption enables EBS root volume encryption
+                  for an instance
+                type: boolean
               rootVolumeIops:
                 description: If volume type is io1, then we need to specify the number
                   of Iops.

pkg/apis/kops/instancegroup.go

@@ -106,6 +106,8 @@ type InstanceGroupSpec struct {
 	// The root volume is deleted by default. Cluster deletion does not remove retained root volumes.
 	// NOTE: This setting applies only to the Launch Configuration and does not affect Launch Templates.
 	RootVolumeDeleteOnTermination *bool `json:"rootVolumeDeleteOnTermination,omitempty"`
+	// RootVolumeEncryption enables EBS root volume encryption for an instance
+	RootVolumeEncryption *bool `json:"rootVolumeEncryption,omitempty"`
 	// Volumes is a collection of additional volumes to create for instances within this InstanceGroup
 	Volumes []*VolumeSpec `json:"volumes,omitempty"`
 	// VolumeMounts a collection of volume mounts

pkg/apis/kops/v1alpha2/instancegroup.go

@@ -103,6 +103,8 @@ type InstanceGroupSpec struct {
 	// The root volume is deleted by default. Cluster deletion does not remove retained root volumes.
 	// NOTE: This setting applies only to the Launch Configuration and does not affect Launch Templates.
 	RootVolumeDeleteOnTermination *bool `json:"rootVolumeDeleteOnTermination,omitempty"`
+	// RootVolumeEncryption enables EBS root volume encryption for an instance
+	RootVolumeEncryption *bool `json:"rootVolumeEncryption,omitempty"`
 	// Volumes is a collection of additional volumes to create for instances within this InstanceGroup
 	Volumes []*VolumeSpec `json:"volumes,omitempty"`
 	// VolumeMounts a collection of volume mounts

pkg/apis/kops/v1alpha2/zz_generated.conversion.go

@@ -3307,6 +3307,7 @@ func autoConvert_v1alpha2_InstanceGroupSpec_To_kops_InstanceGroupSpec(in *Instan
 	out.RootVolumeIops = in.RootVolumeIops
 	out.RootVolumeOptimization = in.RootVolumeOptimization
 	out.RootVolumeDeleteOnTermination = in.RootVolumeDeleteOnTermination
+	out.RootVolumeEncryption = in.RootVolumeEncryption
 	if in.Volumes != nil {
 		in, out := &in.Volumes, &out.Volumes
 		*out = make([]*kops.VolumeSpec, len(*in))
@@ -3446,6 +3447,7 @@ func autoConvert_kops_InstanceGroupSpec_To_v1alpha2_InstanceGroupSpec(in *kops.I
 	out.RootVolumeIops = in.RootVolumeIops
 	out.RootVolumeOptimization = in.RootVolumeOptimization
 	out.RootVolumeDeleteOnTermination = in.RootVolumeDeleteOnTermination
+	out.RootVolumeEncryption = in.RootVolumeEncryption
 	if in.Volumes != nil {
 		in, out := &in.Volumes, &out.Volumes
 		*out = make([]*VolumeSpec, len(*in))

pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go

@@ -1697,6 +1697,11 @@ func (in *InstanceGroupSpec) DeepCopyInto(out *InstanceGroupSpec) {
 		*out = new(bool)
 		**out = **in
 	}
+	if in.RootVolumeEncryption != nil {
+		in, out := &in.RootVolumeEncryption, &out.RootVolumeEncryption
+		*out = new(bool)
+		**out = **in
+	}
 	if in.Volumes != nil {
 		in, out := &in.Volumes, &out.Volumes
 		*out = make([]*VolumeSpec, len(*in))

pkg/apis/kops/zz_generated.deepcopy.go

@@ -1863,6 +1863,11 @@ func (in *InstanceGroupSpec) DeepCopyInto(out *InstanceGroupSpec) {
 		*out = new(bool)
 		**out = **in
 	}
+	if in.RootVolumeEncryption != nil {
+		in, out := &in.RootVolumeEncryption, &out.RootVolumeEncryption
+		*out = new(bool)
+		**out = **in
+	}
 	if in.Volumes != nil {
 		in, out := &in.Volumes, &out.Volumes
 		*out = make([]*VolumeSpec, len(*in))

pkg/model/awsmodel/autoscalinggroup.go

@@ -128,6 +128,7 @@ func (b *AutoscalingGroupModelBuilder) buildLaunchTemplateTask(c *fi.ModelBuilde
 		RootVolumeSize:         lc.RootVolumeSize,
 		RootVolumeIops:         lc.RootVolumeIops,
 		RootVolumeType:         lc.RootVolumeType,
+		RootVolumeEncryption:   lc.RootVolumeEncryption,
 		SSHKey:                 lc.SSHKey,
 		SecurityGroups:         lc.SecurityGroups,
 		Tags:                   tags,
@@ -199,6 +200,7 @@ func (b *AutoscalingGroupModelBuilder) buildLaunchConfigurationTask(c *fi.ModelB
 		RootVolumeOptimization:        ig.Spec.RootVolumeOptimization,
 		RootVolumeSize:                fi.Int64(int64(volumeSize)),
 		RootVolumeType:                fi.String(volumeType),
+		RootVolumeEncryption:          ig.Spec.RootVolumeEncryption,
 		SecurityGroups:                []*awstasks.SecurityGroup{sgLink},
 	}
 

tests/integration/update_cluster/complex/cloudformation.json

@@ -226,7 +226,8 @@
               "Ebs": {
                 "VolumeType": "gp2",
                 "VolumeSize": 64,
-                "DeleteOnTermination": true
+                "DeleteOnTermination": true,
+                "Encrypted": true
               }
             },
             {
@@ -336,7 +337,8 @@
               "Ebs": {
                 "VolumeType": "gp2",
                 "VolumeSize": 128,
-                "DeleteOnTermination": true
+                "DeleteOnTermination": true,
+                "Encrypted": true
               }
             },
             {

tests/integration/update_cluster/complex/in-legacy-v1alpha2.yaml

@@ -86,6 +86,7 @@ spec:
   - us-test-1a
   detailedInstanceMonitoring: true
   rootVolumeDeleteOnTermination: false
+  rootVolumeEncryption: true
   volumes:
   - device: /dev/xvdd
     deleteOnTermination: false
@@ -114,6 +115,7 @@ spec:
   maxSize: 1
   minSize: 1
   role: Master
+  rootVolumeEncryption: true
   subnets:
   - us-test-1a
   additionalUserData:

tests/integration/update_cluster/complex/in-v1alpha2.yaml

@@ -86,6 +86,7 @@ spec:
   - us-test-1a
   detailedInstanceMonitoring: true
   rootVolumeDeleteOnTermination: false
+  rootVolumeEncryption: true
   volumes:
   - device: /dev/xvdd
     deleteOnTermination: false
@@ -114,6 +115,7 @@ spec:
   maxSize: 1
   minSize: 1
   role: Master
+  rootVolumeEncryption: true
   subnets:
   - us-test-1a
   additionalUserData:

tests/integration/update_cluster/complex/kubernetes.tf

@@ -293,6 +293,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-complex-example-com" {
     device_name = "/dev/xvda"
     ebs {
       delete_on_termination = true
+      encrypted             = true
       volume_size           = 64
       volume_type           = "gp2"
     }
@@ -356,6 +357,7 @@ resource "aws_launch_template" "nodes-complex-example-com" {
     device_name = "/dev/xvda"
     ebs {
       delete_on_termination = true
+      encrypted             = true
       volume_size           = 128
       volume_type           = "gp2"
     }

upup/pkg/fi/cloudup/awstasks/launchconfiguration.go

@@ -80,6 +80,8 @@ type LaunchConfiguration struct {
 	RootVolumeSize *int64
 	// RootVolumeType is the type of the EBS root volume to use (e.g. gp2)
 	RootVolumeType *string
+	// RootVolumeEncryption enables EBS root volume encryption for an instance
+	RootVolumeEncryption *bool
 	// SSHKey is the ssh key for the instances
 	SSHKey *SSHKey
 	// SecurityGroups is a list of security group associated
@@ -201,6 +203,7 @@ func (e *LaunchConfiguration) Find(c *fi.Context) (*LaunchConfiguration, error)
 			actual.RootVolumeSize = b.Ebs.VolumeSize
 			actual.RootVolumeType = b.Ebs.VolumeType
 			actual.RootVolumeIops = b.Ebs.Iops
+			actual.RootVolumeEncryption = b.Ebs.Encrypted
 			actual.RootVolumeDeleteOnTermination = b.Ebs.DeleteOnTermination
 		} else {
 			_, d := BlockDeviceMappingFromAutoscaling(b)
@@ -386,6 +389,7 @@ func (t *LaunchConfiguration) buildRootDevice(cloud awsup.AWSCloud) (map[string]
 		EbsVolumeSize:          t.RootVolumeSize,
 		EbsVolumeType:          t.RootVolumeType,
 		EbsVolumeIops:          t.RootVolumeIops,
+		EbsEncrypted:           t.RootVolumeEncryption,
 	}
 
 	return bm, nil

upup/pkg/fi/cloudup/awstasks/launchtemplate.go

@@ -57,6 +57,8 @@ type LaunchTemplate struct {
 	RootVolumeSize *int64
 	// RootVolumeType is the type of the EBS root volume to use (e.g. gp2)
 	RootVolumeType *string
+	// RootVolumeEncryption enables EBS root volume encryption for an instance
+	RootVolumeEncryption *bool
 	// SSHKey is the ssh key for the instances
 	SSHKey *SSHKey
 	// SecurityGroups is a list of security group associated
@@ -113,6 +115,7 @@ func (t *LaunchTemplate) buildRootDevice(cloud awsup.AWSCloud) (map[string]*Bloc
 		EbsVolumeSize:          t.RootVolumeSize,
 		EbsVolumeType:          t.RootVolumeType,
 		EbsVolumeIops:          t.RootVolumeIops,
+		EbsEncrypted:           t.RootVolumeEncryption,
 	}
 
 	return bm, nil

upup/pkg/fi/cloudup/awstasks/launchtemplate_target_api.go

@@ -231,6 +231,7 @@ func (t *LaunchTemplate) Find(c *fi.Context) (*LaunchTemplate, error) {
 			actual.RootVolumeSize = b.Ebs.VolumeSize
 			actual.RootVolumeType = b.Ebs.VolumeType
 			actual.RootVolumeIops = b.Ebs.Iops
+			actual.RootVolumeEncryption = b.Ebs.Encrypted
 		} else {
 			_, d := BlockDeviceMappingFromLaunchTemplateBootDeviceRequest(b)
 			actual.BlockDeviceMappings = append(actual.BlockDeviceMappings, d)

upup/pkg/fi/cloudup/awstasks/launchtemplate_target_cloudformation.go

@@ -234,6 +234,7 @@ func (t *LaunchTemplate) RenderCloudformation(target *cloudformation.Cloudformat
 				IOPS:                x.EbsVolumeIops,
 				VolumeSize:          x.EbsVolumeSize,
 				VolumeType:          x.EbsVolumeType,
+				Encrypted:           x.EbsEncrypted,
 			},
 		})
 	}

upup/pkg/fi/cloudup/awstasks/launchtemplate_target_terraform.go

@@ -245,6 +245,7 @@ func (t *LaunchTemplate) RenderTerraform(target *terraform.TerraformTarget, a, e
 			EBS: []*terraformLaunchTemplateBlockDeviceEBS{
 				{
 					DeleteOnTermination: fi.Bool(true),
+					Encrypted:           x.EbsEncrypted,
 					IOPS:                x.EbsVolumeIops,
 					VolumeSize:          x.EbsVolumeSize,
 					VolumeType:          x.EbsVolumeType,