Merge pull request #9793 from hakman/root-vol-encrypt

Add flag for root volume encryption
kubernetes · Aug 21, 2020 · 6c5150f · 6c5150f
2 parents 076df5e + 2880e22
commit 6c5150f
Show file tree

Hide file tree

Showing 16 changed files with 42 additions and 2 deletions.
diff --git a/k8s/crds/kops.k8s.io_instancegroups.yaml b/k8s/crds/kops.k8s.io_instancegroups.yaml
@@ -695,6 +695,10 @@ spec:
                   NOTE: This setting applies only to the Launch Configuration and
                   does not affect Launch Templates.'
                 type: boolean
+              rootVolumeEncryption:
+                description: RootVolumeEncryption enables EBS root volume encryption
+                  for an instance
+                type: boolean
               rootVolumeIops:
                 description: If volume type is io1, then we need to specify the number
                   of Iops.

diff --git a/pkg/apis/kops/instancegroup.go b/pkg/apis/kops/instancegroup.go
@@ -106,6 +106,8 @@ type InstanceGroupSpec struct {
 	// The root volume is deleted by default. Cluster deletion does not remove retained root volumes.
 	// NOTE: This setting applies only to the Launch Configuration and does not affect Launch Templates.
 	RootVolumeDeleteOnTermination *bool `json:"rootVolumeDeleteOnTermination,omitempty"`
+	// RootVolumeEncryption enables EBS root volume encryption for an instance
+	RootVolumeEncryption *bool `json:"rootVolumeEncryption,omitempty"`
 	// Volumes is a collection of additional volumes to create for instances within this InstanceGroup
 	Volumes []*VolumeSpec `json:"volumes,omitempty"`
 	// VolumeMounts a collection of volume mounts

diff --git a/pkg/apis/kops/v1alpha2/instancegroup.go b/pkg/apis/kops/v1alpha2/instancegroup.go
@@ -103,6 +103,8 @@ type InstanceGroupSpec struct {
 	// The root volume is deleted by default. Cluster deletion does not remove retained root volumes.
 	// NOTE: This setting applies only to the Launch Configuration and does not affect Launch Templates.
 	RootVolumeDeleteOnTermination *bool `json:"rootVolumeDeleteOnTermination,omitempty"`
+	// RootVolumeEncryption enables EBS root volume encryption for an instance
+	RootVolumeEncryption *bool `json:"rootVolumeEncryption,omitempty"`
 	// Volumes is a collection of additional volumes to create for instances within this InstanceGroup
 	Volumes []*VolumeSpec `json:"volumes,omitempty"`
 	// VolumeMounts a collection of volume mounts

diff --git a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
diff --git a/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go b/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go
diff --git a/pkg/apis/kops/zz_generated.deepcopy.go b/pkg/apis/kops/zz_generated.deepcopy.go
diff --git a/pkg/model/awsmodel/autoscalinggroup.go b/pkg/model/awsmodel/autoscalinggroup.go
@@ -128,6 +128,7 @@ func (b *AutoscalingGroupModelBuilder) buildLaunchTemplateTask(c *fi.ModelBuilde
 		RootVolumeSize:         lc.RootVolumeSize,
 		RootVolumeIops:         lc.RootVolumeIops,
 		RootVolumeType:         lc.RootVolumeType,
+		RootVolumeEncryption:   lc.RootVolumeEncryption,
 		SSHKey:                 lc.SSHKey,
 		SecurityGroups:         lc.SecurityGroups,
 		Tags:                   tags,
@@ -199,6 +200,7 @@ func (b *AutoscalingGroupModelBuilder) buildLaunchConfigurationTask(c *fi.ModelB
 		RootVolumeOptimization:        ig.Spec.RootVolumeOptimization,
 		RootVolumeSize:                fi.Int64(int64(volumeSize)),
 		RootVolumeType:                fi.String(volumeType),
+		RootVolumeEncryption:          ig.Spec.RootVolumeEncryption,
 		SecurityGroups:                []*awstasks.SecurityGroup{sgLink},
 	}
 

diff --git a/tests/integration/update_cluster/complex/cloudformation.json b/tests/integration/update_cluster/complex/cloudformation.json
@@ -226,7 +226,8 @@
               "Ebs": {
                 "VolumeType": "gp2",
                 "VolumeSize": 64,
-                "DeleteOnTermination": true
+                "DeleteOnTermination": true,
+                "Encrypted": true
               }
             },
             {
@@ -336,7 +337,8 @@
               "Ebs": {
                 "VolumeType": "gp2",
                 "VolumeSize": 128,
-                "DeleteOnTermination": true
+                "DeleteOnTermination": true,
+                "Encrypted": true
               }
             },
             {

diff --git a/tests/integration/update_cluster/complex/in-legacy-v1alpha2.yaml b/tests/integration/update_cluster/complex/in-legacy-v1alpha2.yaml
@@ -86,6 +86,7 @@ spec:
   - us-test-1a
   detailedInstanceMonitoring: true
   rootVolumeDeleteOnTermination: false
+  rootVolumeEncryption: true
   volumes:
   - device: /dev/xvdd
     deleteOnTermination: false
@@ -114,6 +115,7 @@ spec:
   maxSize: 1
   minSize: 1
   role: Master
+  rootVolumeEncryption: true
   subnets:
   - us-test-1a
   additionalUserData:

diff --git a/tests/integration/update_cluster/complex/in-v1alpha2.yaml b/tests/integration/update_cluster/complex/in-v1alpha2.yaml
@@ -86,6 +86,7 @@ spec:
   - us-test-1a
   detailedInstanceMonitoring: true
   rootVolumeDeleteOnTermination: false
+  rootVolumeEncryption: true
   volumes:
   - device: /dev/xvdd
     deleteOnTermination: false
@@ -114,6 +115,7 @@ spec:
   maxSize: 1
   minSize: 1
   role: Master
+  rootVolumeEncryption: true
   subnets:
   - us-test-1a
   additionalUserData:

diff --git a/tests/integration/update_cluster/complex/kubernetes.tf b/tests/integration/update_cluster/complex/kubernetes.tf
@@ -293,6 +293,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-complex-example-com" {
     device_name = "/dev/xvda"
     ebs {
       delete_on_termination = true
+      encrypted             = true
       volume_size           = 64
       volume_type           = "gp2"
     }
@@ -356,6 +357,7 @@ resource "aws_launch_template" "nodes-complex-example-com" {
     device_name = "/dev/xvda"
     ebs {
       delete_on_termination = true
+      encrypted             = true
       volume_size           = 128
       volume_type           = "gp2"
     }

diff --git a/upup/pkg/fi/cloudup/awstasks/launchconfiguration.go b/upup/pkg/fi/cloudup/awstasks/launchconfiguration.go
@@ -80,6 +80,8 @@ type LaunchConfiguration struct {
 	RootVolumeSize *int64
 	// RootVolumeType is the type of the EBS root volume to use (e.g. gp2)
 	RootVolumeType *string
+	// RootVolumeEncryption enables EBS root volume encryption for an instance
+	RootVolumeEncryption *bool
 	// SSHKey is the ssh key for the instances
 	SSHKey *SSHKey
 	// SecurityGroups is a list of security group associated
@@ -201,6 +203,7 @@ func (e *LaunchConfiguration) Find(c *fi.Context) (*LaunchConfiguration, error)
 			actual.RootVolumeSize = b.Ebs.VolumeSize
 			actual.RootVolumeType = b.Ebs.VolumeType
 			actual.RootVolumeIops = b.Ebs.Iops
+			actual.RootVolumeEncryption = b.Ebs.Encrypted
 			actual.RootVolumeDeleteOnTermination = b.Ebs.DeleteOnTermination
 		} else {
 			_, d := BlockDeviceMappingFromAutoscaling(b)
@@ -386,6 +389,7 @@ func (t *LaunchConfiguration) buildRootDevice(cloud awsup.AWSCloud) (map[string]
 		EbsVolumeSize:          t.RootVolumeSize,
 		EbsVolumeType:          t.RootVolumeType,
 		EbsVolumeIops:          t.RootVolumeIops,
+		EbsEncrypted:           t.RootVolumeEncryption,
 	}
 
 	return bm, nil

diff --git a/upup/pkg/fi/cloudup/awstasks/launchtemplate.go b/upup/pkg/fi/cloudup/awstasks/launchtemplate.go
@@ -57,6 +57,8 @@ type LaunchTemplate struct {
 	RootVolumeSize *int64
 	// RootVolumeType is the type of the EBS root volume to use (e.g. gp2)
 	RootVolumeType *string
+	// RootVolumeEncryption enables EBS root volume encryption for an instance
+	RootVolumeEncryption *bool
 	// SSHKey is the ssh key for the instances
 	SSHKey *SSHKey
 	// SecurityGroups is a list of security group associated
@@ -113,6 +115,7 @@ func (t *LaunchTemplate) buildRootDevice(cloud awsup.AWSCloud) (map[string]*Bloc
 		EbsVolumeSize:          t.RootVolumeSize,
 		EbsVolumeType:          t.RootVolumeType,
 		EbsVolumeIops:          t.RootVolumeIops,
+		EbsEncrypted:           t.RootVolumeEncryption,
 	}
 
 	return bm, nil

diff --git a/upup/pkg/fi/cloudup/awstasks/launchtemplate_target_api.go b/upup/pkg/fi/cloudup/awstasks/launchtemplate_target_api.go
@@ -231,6 +231,7 @@ func (t *LaunchTemplate) Find(c *fi.Context) (*LaunchTemplate, error) {
 			actual.RootVolumeSize = b.Ebs.VolumeSize
 			actual.RootVolumeType = b.Ebs.VolumeType
 			actual.RootVolumeIops = b.Ebs.Iops
+			actual.RootVolumeEncryption = b.Ebs.Encrypted
 		} else {
 			_, d := BlockDeviceMappingFromLaunchTemplateBootDeviceRequest(b)
 			actual.BlockDeviceMappings = append(actual.BlockDeviceMappings, d)

diff --git a/upup/pkg/fi/cloudup/awstasks/launchtemplate_target_cloudformation.go b/upup/pkg/fi/cloudup/awstasks/launchtemplate_target_cloudformation.go
@@ -234,6 +234,7 @@ func (t *LaunchTemplate) RenderCloudformation(target *cloudformation.Cloudformat
 				IOPS:                x.EbsVolumeIops,
 				VolumeSize:          x.EbsVolumeSize,
 				VolumeType:          x.EbsVolumeType,
+				Encrypted:           x.EbsEncrypted,
 			},
 		})
 	}

diff --git a/upup/pkg/fi/cloudup/awstasks/launchtemplate_target_terraform.go b/upup/pkg/fi/cloudup/awstasks/launchtemplate_target_terraform.go
@@ -245,6 +245,7 @@ func (t *LaunchTemplate) RenderTerraform(target *terraform.TerraformTarget, a, e
 			EBS: []*terraformLaunchTemplateBlockDeviceEBS{
 				{
 					DeleteOnTermination: fi.Bool(true),
+					Encrypted:           x.EbsEncrypted,
 					IOPS:                x.EbsVolumeIops,
 					VolumeSize:          x.EbsVolumeSize,
 					VolumeType:          x.EbsVolumeType,