feat!: update docker machine and encrypt all EBS #1204

Merged
merged 10 commits into from
Nov 27, 2024

Contributor

@jonmcewen jonmcewen commented Nov 4, 2024

Description

  • updates the docker-machine to 0.16.2-gitlab.19-cki.5 to set the encryption key for the instances
  • fleet: creates new instances with encrypted volumes

Migrations required

This could be a breaking change as you might have to change the key policy for the encryption key to allow EBS to access the key.

    {
        "Sid": "Allow access through EBS for all principals in the account that are authorized to use EBS",
        "Effect": "Allow",
        "Principal": {
            "AWS": "*"
        },
        "Action": [
            "kms:Encrypt",
            "kms:Decrypt",
            "kms:ReEncrypt*",
            "kms:GenerateDataKey*",
            "kms:CreateGrant",
            "kms:DescribeKey"
        ],
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                "kms:CallerAccount": "990563477234",
                "kms:ViaService": "ec2.eu-central-1.amazonaws.com"
            }
        }
    }

Verification

Manually tested the new version.
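
Added example, not part of the pull request or the project's code: a small lint that flags key policy statements granting to a wildcard principal without the two `StringEquals` conditions used in the statement above (`kms:CallerAccount` and `kms:ViaService`). The function names, the sample policy, and its account ID are constructed for illustration, and only the `StringEquals` operator is checked.

```python
# Added example: lint a KMS key policy for wildcard principals that are not
# confined by the two condition keys used in the statement above.
REQUIRED_KEYS = {"kms:calleraccount", "kms:viaservice"}  # IAM key names are case-insensitive


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_wildcard_principal(principal):
    """True for "Principal": "*" and for "Principal": {"AWS": "*"}."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def unscoped_wildcard_statements(policy):
    """Return Sids of Allow statements open to any principal that lack a
    StringEquals condition on both kms:CallerAccount and kms:ViaService."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not is_wildcard_principal(stmt.get("Principal")):
            continue
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        present = {key.lower() for key, value in equals.items() if value}
        if not REQUIRED_KEYS <= present:
            findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings


# Constructed sample policy; the account ID and region are placeholders.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ScopedLikeTheStatementAbove", "Effect": "Allow",
         "Principal": {"AWS": "*"},
         "Action": ["kms:Decrypt", "kms:GenerateDataKey*", "kms:CreateGrant"],
         "Resource": "*",
         "Condition": {"StringEquals": {
             "kms:CallerAccount": "111122223333",
             "kms:ViaService": "ec2.eu-central-1.amazonaws.com"}}},
        {"Sid": "MissingViaService", "Effect": "Allow",
         "Principal": {"AWS": "*"},
         "Action": "kms:Decrypt", "Resource": "*",
         "Condition": {"StringEquals": {"kms:CallerAccount": "111122223333"}}},
    ],
}

if __name__ == "__main__":
    print(unscoped_wildcard_statements(SAMPLE_POLICY))
```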

Contributor

github-actions bot commented Nov 4, 2024

Hey @jonmcewen! 👋

Thank you for your contribution to the project. Please refer to the contribution rules for a quick overview of the process.

Make sure that this PR clearly explains:

  • the problem being solved
  • the best way a reviewer and you can test your changes

With submitting this PR you confirm that you hold the rights of the code added and agree that it will be published under this LICENSE.

The following ChatOps commands are supported:

  • /help: notifies a maintainer to help you out

Simply add a comment with the command in the first line. If you need to pass more information, separate it with a blank line from the command.

This message was generated automatically. You are welcome to improve it.

@jonmcewen jonmcewen changed the title Update docker machine to allow setting encrypted EBS option feat: Update docker machine to allow setting encrypted EBS option Nov 4, 2024
@kayman-mk
Collaborator

https://gitlab.com/cki-project/mirror/docker-machine/-/commit/27ff34dcf7a67101c98fa978f63899aca36dc8aa

`--amazonec2-volume-encrypted`: Encrypt Amazon EBS volume attached to the instance.
`--amazonec2-volume-kms-key`: The KMS Key ID/ARN/Alias to be used to encrypt the volume.

@kayman-mk
Collaborator

Great! I was already looking for that option but didn't find it.

As we have the KMS keys, ... available in the module, we should go a little further and pass them to the docker machine. Could you add this please to the PR, @jonmcewen?

@kayman-mk kayman-mk changed the title feat: Update docker machine to allow setting encrypted EBS option feat: update docker machine and pass encryption settings for EBS Nov 21, 2024
@kayman-mk
Collaborator

I guess we have to fix the key policy to allow spot instances.

@kayman-mk kayman-mk changed the title feat: update docker machine and pass encryption settings for EBS feat!: update docker machine and encryfpass encryption settings for EBS Nov 27, 2024
@kayman-mk kayman-mk changed the title feat!: update docker machine and encryfpass encryption settings for EBS feat!: update docker machine and encrypt all EBS Nov 27, 2024
@kayman-mk kayman-mk merged commit 7bfe8f7 into cattle-ops:main Nov 27, 2024
21 checks passed
kayman-mk pushed a commit that referenced this pull request Nov 27, 2024
🤖 I have created a release *beep* *boop*
---


## [8.0.0](7.15.0...8.0.0) (2024-11-27)

### ⚠ BREAKING CHANGES

* update docker machine and encrypt all EBS ([#1204](#1204))

### Features

* update docker machine and encrypt all EBS ([#1204](#1204)) ([7bfe8f7](7bfe8f7))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

---------

Co-authored-by: cattle-ops-releaser-2[bot] <134548870+cattle-ops-releaser-2[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
@jonmcewen
Contributor Author

Thanks @kayman-mk . Sorry I wasn't around to help finish this off
