airship/promenade
Code Issues Proposed changes

apiserver support for etcd encryption

Browse Source 
- Support encrypting data persisted to etcd
  by kube-apiserver

Change-Id: I47ca634961e66e48dadc8f13d1c84748ab4e2fb9
This commit is contained in:
Scott Hussey 2019-01-10 16:39:30 -06:00 committed by Scott Hussey
parent 2741ea1f90
commit 6475efd5da
7 changed files with 72 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
examples/basic/EncryptionPolicy.yaml
View File

@ -8,6 +8,14 @@ metadata:
layer: site
storagePolicy: cleartext
data:
etcd:
- resources:
- 'secrets'
providers:
- secretbox:
keys:
- name: key1
secret: Xw2UcbjILTJM6QiFZ0WPSbUvjtoT8OJC/Nl8qqYWjGk=
scripts:
genesis:
gpg: {}

8
examples/basic/Genesis.yaml
View File

@ -7,6 +7,13 @@ metadata:
abstract: false
layer: site
storagePolicy: cleartext
substitutions:
- src:
schema: promenade/EncryptionPolicy/v1
name: encryption-policy
path: .etcd
dest:
path: .apiserver.encryption
data:
hostname: n0
ip: 192.168.77.10
@ -20,6 +27,7 @@ data:
# NOTE(mark-burnett): This flag is removed in Kubernetes 1.11
- --repair-malformed-updates=false
- --admission-control-config-file=/etc/kubernetes/apiserver/acconfig.yaml
- --experimental-encryption-provider-config=/etc/kubernetes/apiserver/encryption_provider.yaml
- --v=3
armada:
target_manifest: cluster-bootstrap

14
examples/basic/armada-resources.yaml
View File

@ -711,6 +711,12 @@ metadata:
dest:
path: .values.secrets.service_account.public_key
- src:
schema: promenade/EncryptionPolicy/v1
name: encryption-policy
path: .etcd
dest:
path: $.values.conf.encryption_provider.content.resources
data:
chart_name: apiserver
release: kubernetes-apiserver
@ -722,6 +728,14 @@ data:
upgrade:
no_hooks: true
values:
conf:
encryption_provider:
file: encryption_provider.yaml
command_options:
- '--experimental-encryption-provider-config=/etc/kubernetes/apiserver/encryption_provider.yaml'
content:
kind: EncryptionConfig
apiVersion: v1
apiserver:
etcd:
endpoints: https://127.0.0.1:2378

7
promenade/renderer.py
View File

@ -109,6 +109,7 @@ def _build_env():
env.filters['b64enc'] = _base64_encode
env.filters['fill_no_proxy'] = _fill_no_proxy
env.filters['yaml_safe_dump_all'] = _yaml_safe_dump_all
env.filters['toyaml'] = _yaml_safe_dump_arg
return env
@ -155,3 +156,9 @@ def _yaml_safe_dump_all(documents):
f = io.StringIO()
yaml.safe_dump_all(documents, f)
return f.getvalue()
def _yaml_safe_dump_arg(data):
f = io.StringIO()
yaml.safe_dump(data, f, explicit_start=False, explicit_end=False)
return f.getvalue()

17
promenade/schemas/EncryptionPolicy.yaml
View File

@ -13,6 +13,21 @@ data:
oneof:
- { $ref: '#/definitions/encryption_method_gpg' }
etcd_encryption:
type: array
items:
type: object
additionalProperties: false
properties:
resources:
type: array
items:
type: string
providers:
type: array
items:
type: object
additionalProperties: true
encryption_method_gpg:
properties:
gpg:
@ -23,6 +38,8 @@ data:
additionalProperties: false
properties:
etcd:
$ref: '#/definitions/etcd_encryption'
scripts:
properties:
genesis:

14
promenade/schemas/Genesis.yaml
View File

@ -75,6 +75,20 @@ data:
type: array
items:
type: string
encryption:
type: array
items:
type: object
properties:
resources:
type: array
items:
type: string
providers:
type: array
items:
type: object
additionalProperties: true
additionalProperties: false
files:

4
promenade/templates/roles/genesis/etc/genesis/apiserver/encryption_provider.yaml Normal file
View File

@ -0,0 +1,4 @@
kind: EncryptionConfig
apiVersion: v1
resources:
{{ config.get_path('Genesis:apiserver.encryption', {}) | toyaml | indent(2, true) }}