apiserver support for etcd encryption
- Support encrypting data persisted to etcd by kube-apiserver Change-Id: I47ca634961e66e48dadc8f13d1c84748ab4e2fb9
parent
2741ea1f90
commit
6475efd5da
|
@ -8,6 +8,14 @@ metadata:
|
||||||
layer: site
|
layer: site
|
||||||
storagePolicy: cleartext
|
storagePolicy: cleartext
|
||||||
data:
|
data:
|
||||||
|
etcd:
|
||||||
|
- resources:
|
||||||
|
- 'secrets'
|
||||||
|
providers:
|
||||||
|
- secretbox:
|
||||||
|
keys:
|
||||||
|
- name: key1
|
||||||
|
secret: Xw2UcbjILTJM6QiFZ0WPSbUvjtoT8OJC/Nl8qqYWjGk=
|
||||||
scripts:
|
scripts:
|
||||||
genesis:
|
genesis:
|
||||||
gpg: {}
|
gpg: {}
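Review bot: The secretbox key material at `secret: Xw2Ucbj…` is placed in a document whose metadata declares `storagePolicy: cleartext` (visible above in this hunk), so the key that protects etcd-persisted secrets is itself stored and versioned unencrypted. Move the `keys` entries into a document with `storagePolicy: encrypted` (or substitute them in from one), and mark the committed value as a placeholder, e.g. `# placeholder — generate per site with: head -c 32 /dev/urandom | base64`. The provider list also ends at `secretbox` with no trailing `identity: {}`; kube-apiserver tries providers in order on read, so a cluster that already holds plaintext entries in etcd cannot read them once this policy is applied — harmless for genesis, but a comment should say so before this example is reused for upgrades or key rotation.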
|
||||||
|
|
|
@ -7,6 +7,13 @@ metadata:
|
||||||
abstract: false
|
abstract: false
|
||||||
layer: site
|
layer: site
|
||||||
storagePolicy: cleartext
|
storagePolicy: cleartext
|
||||||
|
substitutions:
|
||||||
|
- src:
|
||||||
|
schema: promenade/EncryptionPolicy/v1
|
||||||
|
name: encryption-policy
|
||||||
|
path: .etcd
|
||||||
|
dest:
|
||||||
|
path: .apiserver.encryption
|
||||||
data:
|
data:
|
||||||
hostname: n0
|
hostname: n0
|
||||||
ip: 192.168.77.10
|
ip: 192.168.77.10
|
||||||
|
@ -20,6 +27,7 @@ data:
|
||||||
# NOTE(mark-burnett): This flag is removed in Kubernetes 1.11
|
# NOTE(mark-burnett): This flag is removed in Kubernetes 1.11
|
||||||
- --repair-malformed-updates=false
|
- --repair-malformed-updates=false
|
||||||
- --admission-control-config-file=/etc/kubernetes/apiserver/acconfig.yaml
|
- --admission-control-config-file=/etc/kubernetes/apiserver/acconfig.yaml
|
||||||
|
- --experimental-encryption-provider-config=/etc/kubernetes/apiserver/encryption_provider.yaml
|
||||||
- --v=3
|
- --v=3
|
||||||
armada:
|
armada:
|
||||||
target_manifest: cluster-bootstrap
|
target_manifest: cluster-bootstrap
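Review bot: The `--experimental-encryption-provider-config=…` flag is added to the genesis apiserver command unconditionally, while the `.apiserver.encryption` value it depends on is only populated by the substitution from `promenade/EncryptionPolicy/v1` earlier in this file; a site whose policy has no `etcd` key still gets the flag and an apiserver that must parse whatever the template emits by default. Either gate the flag on the substituted value being present or make sure the rendered file is a valid empty EncryptionConfig. The `experimental-` prefix also marks an unstable CLI surface; mirror the existing `# NOTE(mark-burnett)` on `--repair-malformed-updates` with one such as `# NOTE: experimental flag; confirm the non-experimental name in the apiserver release notes on upgrade`.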
|
||||||
|
|
|
@ -711,6 +711,12 @@ metadata:
|
||||||
dest:
|
dest:
|
||||||
path: .values.secrets.service_account.public_key
|
path: .values.secrets.service_account.public_key
|
||||||
|
|
||||||
|
- src:
|
||||||
|
schema: promenade/EncryptionPolicy/v1
|
||||||
|
name: encryption-policy
|
||||||
|
path: .etcd
|
||||||
|
dest:
|
||||||
|
path: $.values.conf.encryption_provider.content.resources
|
||||||
data:
|
data:
|
||||||
chart_name: apiserver
|
chart_name: apiserver
|
||||||
release: kubernetes-apiserver
|
release: kubernetes-apiserver
|
||||||
|
@ -722,6 +728,14 @@ data:
|
||||||
upgrade:
|
upgrade:
|
||||||
no_hooks: true
|
no_hooks: true
|
||||||
values:
|
values:
|
||||||
|
conf:
|
||||||
|
encryption_provider:
|
||||||
|
file: encryption_provider.yaml
|
||||||
|
command_options:
|
||||||
|
- '--experimental-encryption-provider-config=/etc/kubernetes/apiserver/encryption_provider.yaml'
|
||||||
|
content:
|
||||||
|
kind: EncryptionConfig
|
||||||
|
apiVersion: v1
|
||||||
apiserver:
|
apiserver:
|
||||||
etcd:
|
etcd:
|
||||||
endpoints: https://127.0.0.1:2378
|
endpoints: https://127.0.0.1:2378
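Review bot: `conf.encryption_provider.content` carries only `kind` and `apiVersion`; the `resources` list arrives solely through the substitution into `$.values.conf.encryption_provider.content.resources`, so a policy without an `etcd` section yields an EncryptionConfig with no `resources` key while `command_options` still hands the file to the apiserver. Add a default `resources: []` under `content` so the rendered file is valid even when nothing is substituted. Separately, the new dest path uses a `$.` prefix whereas the sibling substitution in this file uses `.values.secrets.service_account.public_key`; pick one form unless the difference is intentional, and say why if it is.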
|
||||||
|
|
|
@ -109,6 +109,7 @@ def _build_env():
|
||||||
env.filters['b64enc'] = _base64_encode
|
env.filters['b64enc'] = _base64_encode
|
||||||
env.filters['fill_no_proxy'] = _fill_no_proxy
|
env.filters['fill_no_proxy'] = _fill_no_proxy
|
||||||
env.filters['yaml_safe_dump_all'] = _yaml_safe_dump_all
|
env.filters['yaml_safe_dump_all'] = _yaml_safe_dump_all
|
||||||
|
env.filters['toyaml'] = _yaml_safe_dump_arg
|
||||||
return env
|
return env
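Review bot: The new filter is registered as `toyaml` while the neighbouring registrations use the function's own name (`yaml_safe_dump_all`), so a template author cannot tell from the filter name that it is the safe dumper. Registering it as `env.filters['yaml_safe_dump'] = _yaml_safe_dump_arg` (keeping `toyaml` as an alias if templates already rely on it) keeps the naming consistent and self-describing. `_build_env` begins outside this hunk.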
|
||||||
|
|
||||||
|
|
||||||
|
@ -155,3 +156,9 @@ def _yaml_safe_dump_all(documents):
|
||||||
f = io.StringIO()
|
f = io.StringIO()
|
||||||
yaml.safe_dump_all(documents, f)
|
yaml.safe_dump_all(documents, f)
|
||||||
return f.getvalue()
|
return f.getvalue()
|
||||||
|
|
||||||
|
|
||||||
|
def _yaml_safe_dump_arg(data):
|
||||||
|
f = io.StringIO()
|
||||||
|
yaml.safe_dump(data, f, explicit_start=False, explicit_end=False)
|
||||||
|
return f.getvalue()
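Review bot: `_yaml_safe_dump_arg` has no docstring, and the `explicit_start=False, explicit_end=False` arguments restate PyYAML's defaults while `yaml.safe_dump` already returns a `str` when no stream is passed, so the `StringIO` round-trip is unnecessary; the body can be `return yaml.safe_dump(data)`. The docstring should state that this backs the `toyaml` template filter, that it uses the safe dumper (no arbitrary Python tags are emitted), and that the output carries no `---`/`...` markers because callers indent it under a parent key. If block-style output is wanted for the provider and key lists, pass `default_flow_style=False` explicitly rather than relying on the installed PyYAML version's default.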
|
||||||
|
|
|
@ -13,6 +13,21 @@ data:
|
||||||
oneof:
|
oneof:
|
||||||
- { $ref: '#/definitions/encryption_method_gpg' }
|
- { $ref: '#/definitions/encryption_method_gpg' }
|
||||||
|
|
||||||
|
etcd_encryption:
|
||||||
|
type: array
|
||||||
|
items:
|
||||||
|
type: object
|
||||||
|
additionalProperties: false
|
||||||
|
properties:
|
||||||
|
resources:
|
||||||
|
type: array
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
providers:
|
||||||
|
type: array
|
||||||
|
items:
|
||||||
|
type: object
|
||||||
|
additionalProperties: true
|
||||||
encryption_method_gpg:
|
encryption_method_gpg:
|
||||||
properties:
|
properties:
|
||||||
gpg:
|
gpg:
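Review bot: The `etcd_encryption` item schema declares `resources` and `providers` as properties but marks neither as required, so an entry with only `resources:` — or with empty lists — validates here and the failure only surfaces when kube-apiserver rejects the generated EncryptionConfig at startup. Add `required: [resources, providers]` to the item object and `minItems: 1` to both arrays. The `providers` items are `additionalProperties: true`, so provider names and key shapes are not checked at all; if that is deliberate, a comment such as `# provider bodies are validated by kube-apiserver, not here` should say so.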
|
||||||
|
@ -23,6 +38,8 @@ data:
|
||||||
additionalProperties: false
|
additionalProperties: false
|
||||||
|
|
||||||
properties:
|
properties:
|
||||||
|
etcd:
|
||||||
|
$ref: '#/definitions/etcd_encryption'
|
||||||
scripts:
|
scripts:
|
||||||
properties:
|
properties:
|
||||||
genesis:
|
genesis:
|
||||||
|
|
|
@ -75,6 +75,20 @@ data:
|
||||||
type: array
|
type: array
|
||||||
items:
|
items:
|
||||||
type: string
|
type: string
|
||||||
|
encryption:
|
||||||
|
type: array
|
||||||
|
items:
|
||||||
|
type: object
|
||||||
|
properties:
|
||||||
|
resources:
|
||||||
|
type: array
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
providers:
|
||||||
|
type: array
|
||||||
|
items:
|
||||||
|
type: object
|
||||||
|
additionalProperties: true
|
||||||
additionalProperties: false
|
additionalProperties: false
|
||||||
|
|
||||||
files:
|
files:
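Review bot: The `encryption` item object in the Genesis schema omits the `additionalProperties: false` that the EncryptionPolicy schema's `etcd_encryption` item carries, so a mistyped key (for example `resource:`) passes validation here and is silently dropped from the rendered config. Mirror the sibling definition by adding `additionalProperties: false` and `required: [resources, providers]` to the item, or `$ref` a single shared definition from both schemas so they cannot drift apart.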
|
||||||
|
|
|
@ -0,0 +1,4 @@
|
||||||
|
kind: EncryptionConfig
|
||||||
|
apiVersion: v1
|
||||||
|
resources:
|
||||||
|
{{ config.get_path('Genesis:apiserver.encryption', {}) | toyaml | indent(2, true) }}
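Review bot: The fallback `config.get_path('Genesis:apiserver.encryption', {})` renders `resources:` followed by an indented `{}` when no encryption section is configured, which makes `resources` a mapping rather than the list an EncryptionConfig expects; use a list as the default so an unconfigured site yields a valid empty list: `{{ config.get_path('Genesis:apiserver.encryption', []) | toyaml | indent(2, true) }}`. The rendered file also carries the raw secretbox key material, so wherever genesis writes it the mode should be owner-only (0600, root) — the write path is not in this hunk, so confirm it there.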
|