WIP - Upload encrypted certs on init #1374

Closed
fabriziopandini opened this issue Jan 30, 2019 · 3 comments · Fixed by kubernetes/kubernetes#73907
@fabriziopandini (Member):

This issue defines implementation details for the "Upload encrypted certs on init" activity defined in #1373.

PR#1: Extend v1beta1 and internal config for managing the encryption key with:

  • add new field `EncryptionKey string `json:"encryptionKey,omitempty"`` into the InitConfiguration object
  • add new field `EncryptionKey string `json:"encryptionKey,omitempty"`` into the JoinControlPlane object
  • implement validation for the above fields (32 bytes for key SHA-256, using AES-256/GCM as method)
  • add a new command for pre-generating an encryption-key (location TBD)

PR#2: Create a new phase in the init workflow named upload-certs with:

  • add new --experimental-upload-certs flag of type bool to kubeadm init
  • make initData generate a new encryption key if not already provided by the user
  • create a new phase named upload-certs
    • the phase should be executed after `upload-config` only if --experimental-upload-certs is set;
    • the phase should create the TTL token, the kubeadm-certs secret and the related RBAC rules as described in the KEP
  • print the encryption key + usage instructions at the end of the init workflow
  • allow hiding the encryption key from the kubeadm output using skip-token-print (or a similar flag)
fabriziopandini added the help wanted, priority/important-soon, area/HA and area/UX labels on Jan 30, 2019
@fabriziopandini fabriziopandini added this to the v1.14 milestone Jan 30, 2019
@fabriziopandini fabriziopandini self-assigned this Jan 30, 2019
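As an added illustration of the key validation and the upload-certs phase planned above (my own example code, not kubeadm's implementation or the later PR): the key is rejected unless it decodes to exactly 32 bytes, and each certificate file is sealed with AES-256-GCM under a fresh random nonce, so any tampering with the stored blob fails authentication on decrypt. The hex encoding of the key and the function names are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// keyLen is what validation must enforce per the issue: 32 bytes, i.e. AES-256.
const keyLen = 32
// newGCM validates a hex-encoded key (assumed encoding; must decode to exactly
// 32 bytes) and builds the AES-256-GCM AEAD used for every file in the bundle.
func newGCM(encodedKey string) (cipher.AEAD, error) {
	key, err := hex.DecodeString(encodedKey)
	if err != nil || len(key) != keyLen {
		return nil, fmt.Errorf("encryption key must be %d hex-encoded bytes", keyLen)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one cert/key file; the random nonce is prepended: nonce || ciphertext || tag.
func Seal(encodedKey string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(encodedKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts a Seal blob; the GCM tag check turns any tampering into an error.
func Open(encodedKey string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(encodedKey)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("blob too short to contain a nonce")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}
```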
@yagonobre (Member):

I can take this

fabriziopandini added the kind/feature label on Jan 30, 2019
@fabriziopandini (Member, Author):

Thanks, @yagonobre! Let's reach agreement on the config changes before starting, so we can avoid some iteration on the PRs.
/lifecycle active
/assign @yagonobre

k8s-ci-robot added the lifecycle/active label on Jan 30, 2019
@fabriziopandini (Member, Author):

NB: as discussed in the kubeadm office hours, we are starting without changes to the config.
