Add support for Encryption Providers #1241
Conversation
kubermatic-bot
added
release-note
moelsayed
force-pushed
the
encryption_providers_1
branch
3 times, most recently
from
e35197f
to
1eb5c72
Compare
|
/assign |
There was a problem hiding this comment.
I did the first run and overall it looks good to me. I've left a bunch of comments, but I hope that most of them are minor. I still haven't reviewed everything and I might have some additional comments and questions, but I'll try to take a deeper look tomorrow.
moelsayed
force-pushed
the
encryption_providers_1
branch
from
1eb5c72
to
3b63fdd
Compare
kubermatic-bot
added
size/XL
moelsayed
force-pushed
the
encryption_providers_1
branch
2 times, most recently
from
5785e8d
to
2a84376
Compare
|
/retest |
1 similar comment
|
/retest |
pkg/tasks/encryption_providers.go
Outdated
| return err | ||
| } | ||
|
|
||
| func UploadIdentityFirstEncryptionConficguration(s *state.State) error { |
There was a problem hiding this comment.
Nit: typo.
| func UploadIdentityFirstEncryptionConficguration(s *state.State) error { | |
| func UploadIdentityFirstEncryptionConfiguration(s *state.State) error { |
| if opts.RotateEncryptionKey { | ||
| if !s.EncryptionEnabled() { | ||
| return errors.New("Encryption Providers support is not enabled for this cluster") | ||
| } | ||
|
|
||
| if s.Cluster.Features.EncryptionProviders != nil && | ||
| s.Cluster.Features.EncryptionProviders.CustomEncryptionConfiguration != "" { | ||
| return errors.New("key rotation of custom providers file is not supported") | ||
| } | ||
| return runApplyRotateKey(s, opts) | ||
| } |
There was a problem hiding this comment.
There two edge cases that might not be covered by this:
- What if we need to repair the cluster, but the
--rotate-encryption-keyflag is provided? Should we show a warning/error or do something? - What if the cluster is supposed to be upgraded, but the user also provided the
--rotate-encryption-keyflag? In that case, I'd expect that we do both if possible. Also, in that case, we don't need to require the--force-upgradeflag.
There was a problem hiding this comment.
What if we need to repair the cluster, but the --rotate-encryption-key flag is provided? Should we show a warning/error or do something?
I have added a check to error out if the cluster is not healthy.
What if the cluster is supposed to be upgraded, but the user also provided the --rotate-encryption-key flag? In that case, I'd expect that we do both if possible. Also, in that case, we don't need to require the --force-upgrade flag.
I did this to split the two operations. Both rotation and upgrade are disruptive operations. I think it makes sense to try to minimize these sort of operations in each run. I also used the --force-upgrade here as a sort of make-sure-you-know-what-you're-doing barrier the same why it's used to update the Features section configuration.
|
|
||
| fmt.Println("The following actions will be taken: ") | ||
| fmt.Println("Run with --verbose flag for more information.") | ||
| tasksToRun := tasks.WithRotateKey(nil) |
There was a problem hiding this comment.
How is this going to behave if a custom EncryptionConfiguration is used? I think that we should fail in that case and ask the user to do it manually.
There was a problem hiding this comment.
it's checked earlier here
pkg/features/encryption_providers.go
Outdated
| if feature == nil || !feature.Enable { | ||
| return | ||
| } | ||
| args.APIServer.ExtraArgs[apiServerEncryptionProviderFlag] = apiServerEncryptionProviderConfigPath |
There was a problem hiding this comment.
This is always going to set the flag to encryption-providers.yaml. How this works if we're using a custom EncryptionConfiguration? Isn't the file called custom-encryption-providers.yaml in that case?
pkg/tasks/encryption_providers.go
Outdated
| return err | ||
| } | ||
|
|
||
| func UploadIdentityFirstEncryptionConficguration(s *state.State) error { |
There was a problem hiding this comment.
Maybe we should safeguard this function that it can't be used if a custom EncryptionConfiguration is used.
moelsayed
force-pushed
the
encryption_providers_1
branch
from
1f5658b
to
502b6c4
Compare
kubermatic-bot
added
size/XXL
|
/test pull-kubeone-test |
kubermatic-bot
added
the
needs-rebase
moelsayed
force-pushed
the
encryption_providers_1
branch
from
a150919
to
66048aa
Compare
kubermatic-bot
removed
the
needs-rebase
|
/test pull-kubeone-test |
moelsayed
force-pushed
the
encryption_providers_1
branch
from
9933290
to
7ab297c
Compare
kubermatic-bot
removed
the
needs-rebase
| @@ -315,9 +339,20 @@ func runApplyUpgradeIfNeeded(s *state.State, opts *applyOpts) error { | |||
|
|
|||
| operations := []string{} | |||
|
|
|||
| tasksToRun := tasks.WithResources(nil) | |||
| var tasksToRun tasks.Tasks | |||
There was a problem hiding this comment.
But what tasks to run when upgradeNeeded || opts.ForceUpgrade is not true? We need to run tasks.WithResources in that case, but it will not happen this way.
There was a problem hiding this comment.
@kron4eg nice catch, updated 👍
moelsayed
force-pushed
the
encryption_providers_1
branch
from
1b65a75
to
4e9a7a1
Compare
|
/retest |
|
/test pull-kubeone-lint |
|
/test pull-kubeone-e2e-aws-upgrade-1.18-1.19 |
|
/retest |
|
/hold |
kubermatic-bot
added
the
do-not-merge/hold
moelsayed
force-pushed
the
encryption_providers_1
branch
from
4e9a7a1
to
8a99d99
Compare
moelsayed
force-pushed
the
encryption_providers_1
branch
from
8a99d99
to
ac73b9c
Compare
|
LGTM label has been added. Git tree hash: 1f36d0afd9f63a61476493af827360074faacbc1
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: kron4eg, moelsayed The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
kubermatic-bot
added
the
approved
|
/unhold |
kubermatic-bot
removed
the
do-not-merge/hold
What this PR does / why we need it:
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #1225
Special notes for your reviewer:
While this adds support for custom configuration, they wouldn't be effective yet in enabling KMS deployment as that would require adding external volumes to the KubeAPI container. That will be implemented separately.
Does this PR introduce a user-facing change?: