From 6475efd5da55a8984c970a4146509eb9f3e6a01b Mon Sep 17 00:00:00 2001 From: Scott Hussey Date: Thu, 10 Jan 2019 16:39:30 -0600 Subject: [PATCH] apiserver support for etcd encryption - Support encrypting data persisted to etcd by kube-apiserver Change-Id: I47ca634961e66e48dadc8f13d1c84748ab4e2fb9 --- examples/basic/EncryptionPolicy.yaml | 8 ++++++++ examples/basic/Genesis.yaml | 8 ++++++++ examples/basic/armada-resources.yaml | 14 ++++++++++++++ promenade/renderer.py | 7 +++++++ promenade/schemas/EncryptionPolicy.yaml | 17 +++++++++++++++++ promenade/schemas/Genesis.yaml | 14 ++++++++++++++ .../genesis/apiserver/encryption_provider.yaml | 4 ++++ 7 files changed, 72 insertions(+) create mode 100644 promenade/templates/roles/genesis/etc/genesis/apiserver/encryption_provider.yaml diff --git a/examples/basic/EncryptionPolicy.yaml b/examples/basic/EncryptionPolicy.yaml index a7b66ce1..a9064b30 100644 --- a/examples/basic/EncryptionPolicy.yaml +++ b/examples/basic/EncryptionPolicy.yaml @@ -8,6 +8,14 @@ metadata: layer: site storagePolicy: cleartext data: + etcd: + - resources: + - 'secrets' + providers: + - secretbox: + keys: + - name: key1 + secret: Xw2UcbjILTJM6QiFZ0WPSbUvjtoT8OJC/Nl8qqYWjGk= scripts: genesis: gpg: {} diff --git a/examples/basic/Genesis.yaml b/examples/basic/Genesis.yaml index 560b057e..bdad2bb8 100644 --- a/examples/basic/Genesis.yaml +++ b/examples/basic/Genesis.yaml @@ -7,6 +7,13 @@ metadata: abstract: false layer: site storagePolicy: cleartext + substitutions: + - src: + schema: promenade/EncryptionPolicy/v1 + name: encryption-policy + path: .etcd + dest: + path: .apiserver.encryption data: hostname: n0 ip: 192.168.77.10 
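Review bot: The secretbox key on the added `secret:` line is a literal, checked-in value inside a document whose `storagePolicy` is `cleartext`, so any site that copies this example encrypts etcd with a key that is public in the repository. The example should carry a warning and the real key should live in an encrypted document; for instance add above `keys:`: `# Example only: generate a fresh 32-byte key per site (head -c 32 /dev/urandom | base64) and store it with storagePolicy: encrypted`. Note also that `secretbox` is the only provider listed, so the apiserver could not read any resource already stored in plaintext; appending `- identity: {}` after the secretbox entry is the usual migration-safe form if this policy is ever applied to an existing cluster rather than at genesis.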
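Review bot: The new substitution copies the whole `.etcd` block, including the secretbox key, into `.apiserver.encryption` of a document that is itself marked `storagePolicy: cleartext` three lines above. If the EncryptionPolicy document is later switched to `storagePolicy: encrypted` (as a real key would require), Deckhand will presumably refuse to substitute encrypted data into a cleartext destination — verify against the Deckhand version in use — and until then the rendered Genesis document holds the key in the clear. Either set this document's `storagePolicy` to `encrypted` together with the policy document, or record the trade-off next to the substitution, e.g. `# NOTE: pulls the etcd encryption key into this document; keep storagePolicy in step with EncryptionPolicy`.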
@@ -20,6 +27,7 @@ data: # NOTE(mark-burnett): This flag is removed in Kubernetes 1.11 - --repair-malformed-updates=false - --admission-control-config-file=/etc/kubernetes/apiserver/acconfig.yaml + - --experimental-encryption-provider-config=/etc/kubernetes/apiserver/encryption_provider.yaml - --v=3 armada: target_manifest: cluster-bootstrap diff --git a/examples/basic/armada-resources.yaml b/examples/basic/armada-resources.yaml index 3a7b7927..f8fde869 100644 --- a/examples/basic/armada-resources.yaml +++ b/examples/basic/armada-resources.yaml @@ -711,6 +711,12 @@ metadata: dest: path: .values.secrets.service_account.public_key + - src: + schema: promenade/EncryptionPolicy/v1 + name: encryption-policy + path: .etcd + dest: + path: $.values.conf.encryption_provider.content.resources data: chart_name: apiserver release: kubernetes-apiserver @@ -722,6 +728,14 @@ data: upgrade: no_hooks: true values: + conf: + encryption_provider: + file: encryption_provider.yaml + command_options: + - '--experimental-encryption-provider-config=/etc/kubernetes/apiserver/encryption_provider.yaml' + content: + kind: EncryptionConfig + apiVersion: v1 apiserver: etcd: endpoints: https://127.0.0.1:2378 diff --git a/promenade/renderer.py b/promenade/renderer.py index a3d3fa3f..676e8f2f 100644 --- a/promenade/renderer.py +++ b/promenade/renderer.py @@ -109,6 +109,7 @@ def _build_env(): env.filters['b64enc'] = _base64_encode env.filters['fill_no_proxy'] = _fill_no_proxy env.filters['yaml_safe_dump_all'] = _yaml_safe_dump_all + env.filters['toyaml'] = _yaml_safe_dump_arg return env @@ -155,3 +156,9 @@ def _yaml_safe_dump_all(documents): f = io.StringIO() yaml.safe_dump_all(documents, f) return f.getvalue() + + +def _yaml_safe_dump_arg(data): + f = io.StringIO() + yaml.safe_dump(data, f, explicit_start=False, explicit_end=False) + return f.getvalue() diff --git a/promenade/schemas/EncryptionPolicy.yaml b/promenade/schemas/EncryptionPolicy.yaml index 3a1d9aca..03569ab3 100644 
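Review bot: The added `--experimental-encryption-provider-config` flag is deprecated in favour of `--encryption-provider-config` as of Kubernetes 1.13, which was current when this change was written, so the same kind of version note this file already keeps for `--repair-malformed-updates` belongs here. Suggest `# NOTE: renamed to --encryption-provider-config in Kubernetes 1.13; the experimental spelling is deprecated` above the flag. The flag string is also repeated verbatim in armada-resources.yaml, so a future rename has to touch both places.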
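Review bot: The new substitution's `dest.path` is written as `$.values.conf.encryption_provider.content.resources`, while the neighbouring substitution in this hunk uses the leading-dot form (`.values.secrets.service_account.public_key`); use `.values.conf.encryption_provider.content.resources` for consistency unless the `$` prefix is required here, which nothing in the hunk shows. As with the Genesis document, this pulls the secretbox key into the chart values; whether this chart document's `storagePolicy` is `encrypted` is outside the hunk and worth checking before merge.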
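Review bot: `_yaml_safe_dump_arg` has no docstring and its name gives no hint that it backs the `toyaml` filter registered in the earlier hunk; a one-liner such as `"""Render *data* as a YAML fragment with no document markers, for embedding inside a template (the ``toyaml`` filter)."""` would tie the two together. The `explicit_start=False, explicit_end=False` arguments repeat `yaml.safe_dump`'s defaults and can be dropped. Because the emitter's default flow style differs between PyYAML releases, passing `default_flow_style=False` would keep the generated provider file in block style regardless of the installed version — confirm this against the project's PyYAML pin.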
--- a/promenade/schemas/EncryptionPolicy.yaml +++ b/promenade/schemas/EncryptionPolicy.yaml @@ -13,6 +13,21 @@ data: oneof: - { $ref: '#/definitions/encryption_method_gpg' } + etcd_encryption: + type: array + items: + type: object + additionalProperties: false + properties: + resources: + type: array + items: + type: string + providers: + type: array + items: + type: object + additionalProperties: true encryption_method_gpg: properties: gpg: @@ -23,6 +38,8 @@ data: additionalProperties: false properties: + etcd: + $ref: '#/definitions/etcd_encryption' scripts: properties: genesis: diff --git a/promenade/schemas/Genesis.yaml b/promenade/schemas/Genesis.yaml index f5d12db6..573eacb5 100644 --- a/promenade/schemas/Genesis.yaml +++ b/promenade/schemas/Genesis.yaml @@ -75,6 +75,20 @@ data: type: array items: type: string + encryption: + type: array + items: + type: object + properties: + resources: + type: array + items: + type: string + providers: + type: array + items: + type: object + additionalProperties: true additionalProperties: false files: diff --git a/promenade/templates/roles/genesis/etc/genesis/apiserver/encryption_provider.yaml b/promenade/templates/roles/genesis/etc/genesis/apiserver/encryption_provider.yaml new file mode 100644 index 00000000..3aab7fa7 --- /dev/null +++ b/promenade/templates/roles/genesis/etc/genesis/apiserver/encryption_provider.yaml @@ -0,0 +1,4 @@ +kind: EncryptionConfig +apiVersion: v1 +resources: +{{ config.get_path('Genesis:apiserver.encryption', {}) | toyaml | indent(2, true) }}
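Review bot: The new `etcd_encryption` definition accepts an entry with neither `resources` nor `providers`, and an empty `providers` list, because nothing is marked `required` and no `minItems` is set; such a policy validates in Promenade and then fails only when the apiserver starts. Add `required: [resources, providers]` to the item object and `minItems: 1` to both arrays so the mistake surfaces at document validation. The `additionalProperties: true` on provider items is understandable given the differing provider shapes, but a comment such as `# provider bodies (aescbc, secretbox, kms, identity) are provider-specific and not validated here` would make that looseness deliberate rather than accidental.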
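Review bot: The `encryption` item object added to the Genesis schema omits `additionalProperties: false`, unlike the matching `etcd_encryption` definition added to schemas/EncryptionPolicy.yaml in this same change, so a typo such as `resource:` would pass Genesis validation and silently render a provider file that encrypts nothing. Add `additionalProperties: false` to the item object here, or better, have both schemas reference one shared definition so they cannot drift apart.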
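Review bot: The fallback `config.get_path('Genesis:apiserver.encryption', {})` renders `resources:` followed by `{}` when no policy is substituted, which is a mapping where the apiserver's `EncryptionConfig` expects a list of resource entries and will most likely fail to decode; the default should be `[]`. Since the rendered file carries the raw secretbox key, the genesis rendering path should write it with a restrictive mode (0600, root-owned) — permission handling is outside this diff, so confirm it. A header comment in the template, `# Rendered by Promenade; contains etcd encryption keys — keep file mode 0600`, would make the sensitivity visible on the host.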