Commit 3d6fd491 authored by Andreas Krüger's avatar Andreas Krüger Committed by Matthew Mosesohn

Added option for encrypting secrets to etcd v.2 (#2428)

* Added option for encrypting secrets to etcd

* Fix keylength to 32

* Forgot the default

* Rename secrets.yaml to secrets_encryption.yaml

* Fix static path for secrets file to use ansible variable

* Rename secrets.yaml.j2 to secrets_encryption.yaml.j2

* Base64 encode the token

* Fixed merge error

* Changed path to credentials dir

* Update path to secrets file which is now readable inside the apiserver container. Set better file permissions

* Add encryption option to k8s-cluster.yml
parent d843e3d5
......@@ -113,6 +113,9 @@ kube_apiserver_insecure_port: 8080 # (http)
# Can be ipvs, iptables
kube_proxy_mode: iptables
## Encrypting Secret Data at Rest (experimental)
kube_encrypt_secret_data: false
# DNS configuration.
# Kubernetes cluster name, also will be used as DNS domain
cluster_name: cluster.local
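Review bot: The comment above `kube_encrypt_secret_data` should tell operators that turning the option on only affects Secrets written afterwards; objects already stored in etcd stay unencrypted until they are rewritten. I would extend it with a line such as `## Existing Secrets are only encrypted once rewritten, e.g. kubectl get secrets --all-namespaces -o json | kubectl replace -f -`. Since this sample file is where most users will first meet the option, it is also the place to mention that the key is generated into the inventory's `credentials` directory.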
......
......@@ -92,3 +92,8 @@ kube_kubeadm_scheduler_extra_args: {}
## Variable for influencing kube-scheduler behaviour
volume_cross_zone_attachment: false
## Encrypting Secret Data at Rest
kube_encrypt_secret_data: false
kube_encrypt_token: "{{ lookup('password', inventory_dir + '/credentials/kube_encrypt_token length=32 chars=ascii_letters,digits') }}"
kube_encryption_algorithm: "aescbc" # Must be either: aescbc, secretbox or aesgcm
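Review bot: `kube_encrypt_token` comes from the `password` lookup, which stores the generated value in clear text in `credentials/kube_encrypt_token` under the inventory directory, so anyone who can read the inventory (or a repository it is committed to) can decrypt every Secret in etcd. A comment above the variable should say so, for example `# Key is stored unencrypted in <inventory_dir>/credentials/kube_encrypt_token: keep it out of version control and back it up, losing it makes existing Secrets unreadable`. Because the characters are limited to `ascii_letters,digits`, the 32-byte key carries roughly 190 bits of entropy rather than 256; that is acceptable but should be a documented choice.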
---
- name: Write secrets for encrypting secret data at rest
template:
src: secrets_encryption.yaml.j2
dest: "{{ kube_config_dir }}/ssl/secrets_encryption.yaml"
owner: root
group: "{{ kube_cert_group }}"
mode: 0640
tags:
- kube-apiserver
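Review bot: This task renders the encryption key into a file, and a run with `--diff` would print the rendered content, key included, to the console and to any log callback; adding `no_log: true` (or `diff: false`) to the task avoids that. `mode: 0640` should be quoted as `mode: "0640"` so the value does not depend on how the YAML parser treats a leading zero. The task has no `notify`, so as far as this file shows a changed key file does not by itself restart kube-apiserver.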
......@@ -12,6 +12,9 @@
- import_tasks: users-file.yml
when: kube_basic_auth|default(true)
- import_tasks: encrypt-at-rest.yml
when: kube_encrypt_secret_data
- name: Compare host kubectl with hyperkube container
command: "{{ docker_bin_dir }}/docker run --rm -v {{ bin_dir }}:/systembindir {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} /usr/bin/cmp /hyperkube /systembindir/kubectl"
register: kubectl_task_compare_result
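Review bot: `when: kube_encrypt_secret_data` tests the raw variable, so a value that arrives as a string (for example `-e kube_encrypt_secret_data=false`) may be treated as true depending on the Ansible version; `when: kube_encrypt_secret_data | bool` makes the intent explicit. The same applies to the `{% if kube_encrypt_secret_data %}` guards added in the two apiserver templates, where any non-empty string is truthy. In that case the API server would be pointed at a provider config that this task never wrote, so `{% if kube_encrypt_secret_data | bool %}` is the safer form there as well.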
......
......@@ -52,6 +52,9 @@ apiServerExtraArgs:
{% if kube_oidc_groups_claim is defined %}
oidc-groups-claim: {{ kube_oidc_groups_claim }}
{% endif %}
{% endif %}
{% if kube_encrypt_secret_data %}
experimental-encryption-provider-config: {{ kube_config_dir }}/ssl/secrets_encryption.yaml
{% endif %}
storage-backend: {{ kube_apiserver_storage_backend }}
{% if kube_api_runtime_config is defined %}
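Review bot: The path `{{ kube_config_dir }}/ssl/secrets_encryption.yaml` is now spelled out three times: in this kubeadm setting, in the `--experimental-encryption-provider-config` flag of the static-pod manifest, and as `dest` of the template task. If one copy drifts, kube-apiserver is started with a path that does not exist. Defining it once in the role defaults, for instance a new variable `kube_encryption_config_path: "{{ kube_config_dir }}/ssl/secrets_encryption.yaml"`, and referencing that in all three places would remove the risk.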
......
......@@ -103,6 +103,9 @@ spec:
{% if authorization_modes %}
- --authorization-mode={{ authorization_modes|join(',') }}
{% endif %}
{% if kube_encrypt_secret_data %}
- --experimental-encryption-provider-config={{ kube_config_dir }}/ssl/secrets_encryption.yaml
{% endif %}
{% if kube_feature_gates %}
- --feature-gates={{ kube_feature_gates|join(',') }}
{% endif %}
......
kind: EncryptionConfig
apiVersion: v1
resources:
- resources:
- secrets
providers:
- {{ kube_encryption_algorithm }}:
keys:
- name: key
secret: {{ kube_encrypt_token | b64encode }}
- identity: {}
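Review bot: `kube_encryption_algorithm` is interpolated as a mapping key without validation, so a typo yields an EncryptionConfig that the API server rejects at start-up; an `assert` task with `that: kube_encryption_algorithm in ['aescbc', 'secretbox', 'aesgcm']` before the file is written would catch it at deploy time. The template supports exactly one key named `key`, which leaves no path for rotation, where a new key has to be listed first while the old one stays below it for reads. The trailing `identity: {}` provider is what allows Secrets stored before encryption was enabled to be read, and it deserves a comment saying that such entries stay in plaintext until they are rewritten.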