Enable configure-helper.sh to support two scenarios for etcd level encryption: decryption and adding encryption to existing clusters. #68379
Conversation
/assign @mikedanese
/ok-to-test
/assign @awly
/test pull-kubernetes-verify
It's a lot of bash and sed. Just to make sure, have you successfully started a cluster with these changes?
@@ -51,89 +55,138 @@ readonly DOCKER_REGISTRY="k8s.gcr.io" | |||
readonly ENABLE_LEGACY_ABAC=false | |||
readonly ETC_MANIFESTS=${KUBE_HOME}/etc/kubernetes/manifests | |||
readonly KUBE_API_SERVER_DOCKER_TAG=v1.11.0-alpha.0.1808_3c7452dc11645d-dirty | |||
readonly LOG_OWNER_USER=$(id -un) | |||
readonly LOG_OWNER_USER=$(whoami) |
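Review bot: the `$(id -un)` to `$(whoami)` swap on the last line is unrelated to etcd encryption and is not explained anywhere in the description; `id -un` is the POSIX-specified way to get the effective user name, while `whoami` is a coreutils extension, so either drop this change from the PR or state why it is needed.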
What's this change for?
kmsPluginManifestFileName = "kms-plugin-container.manifest" | ||
kubeAPIServerStartFuncName = "start-kube-apiserver" | ||
/* | ||
encryptionProviderConfigForKMS is base64 encoded yaml below |
Could you base64-encode it at runtime? Makes it easier to edit.
The YAML itself can still be a string
} | ||
|
||
func newKubeAPIServerManifestTestCase(t *testing.T) *kubeAPIServerManifestTestCase { | ||
return &kubeAPIServerManifestTestCase{ | ||
ManifestTestCase: newManifestTestCase(t, kubeAPIServerManifestFileName, kubeAPIServerStartFuncName, []string{kmsPluginManifestFileName}), | ||
ManifestTestCase: newManifestTestCase(t, kubeAPIServerManifestFileName, kubeAPIServerStartFuncName, []string{}), |
nil instead of []string{}
flag := fmt.Sprintf("%s=%s", encryptionConfigFlag, e.EncryptionProviderConfigPath) | ||
|
||
switch { | ||
case tc.wantFlag && !flagIsInArg: |
case tc.wantFlag != flagIsInArg:
This would save one case block, but will prevent me from providing a more informative error message.
case !tc.wantFlag && flagIsInArg: | ||
t.Fatalf("Got %q,\n do not want flags to contain %q", execArgs, encryptionConfigFlag) | ||
case tc.wantFlag && flagIsInArg: | ||
if !strings.Contains(execArgs, flag) { |
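Review bot: the last case first checks `flagIsInArg` (the bare flag name is present) and then, nested, `strings.Contains(execArgs, flag)` (name=path is present); since the second implies the first, `case tc.wantFlag && !strings.Contains(execArgs, flag):` expresses the whole "want the flag" failure in one condition, with the message stating the full `flag` that was expected, and leaves each case with exactly one failure condition and one Fatalf.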
Move this check into the case condition above
cluster/gce/gci/configure-helper.sh
Outdated
# Assumes vars (supplied via kube-env): | ||
# ENCRYPTION_PROVIDER_CONFIG | ||
# CLOUD_KMS_INTEGRATION | ||
|
remove newline
cluster/gce/gci/configure-helper.sh
Outdated
# kms_socket_mnt is used by both kms_plugin and kube-apiserver - this is how these containers talk. | ||
local kms_socket_mnt="{ \"name\": \"kmssocket\", \"mountPath\": \"${kms_socket_dir}\", \"readOnly\": false}" | ||
local -n kube_api_server_params=$2 | ||
local encryption_provider_config_path=${ENCRYPTION_PROVIDER_CONFIG_PATH:-/etc/srv/kubernetes/encryption-provider-config.yml} |
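Review bot: `local -n kube_api_server_params=$2` on the third line is a bash 4.3+ nameref; on an older bash the function fails at call time with `local: -n: invalid option`, so state the minimum bash version at the top of the file or guard on `BASH_VERSINFO`. The default on the last line should also be quoted: `local encryption_provider_config_path="${ENCRYPTION_PROVIDER_CONFIG_PATH:-/etc/srv/kubernetes/encryption-provider-config.yml}"`.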
Mention ENCRYPTION_PROVIDER_CONFIG_PATH in the function comment above
cluster/gce/gci/configure-helper.sh
Outdated
# Assumes vars (supplied via kube-env): | ||
# ENCRYPTION_PROVIDER_CONFIG_FORCE | ||
function apply-encryption-config() { | ||
if [[ -z "${ENCRYPTION_PROVIDER_CONFIG_FORCE:-}" ]] || [[ "${ENCRYPTION_PROVIDER_CONFIG_FORCE:-}" == "false" ]]; then |
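Review bot: the guard on the last line only recognises an unset variable or the exact string `false`, so any other value arriving via kube-env (`0`, `False`, `no`) triggers a rewrite of every secret in the cluster; fail closed by running only on an explicit `true`, e.g. `if [[ "${ENCRYPTION_PROVIDER_CONFIG_FORCE:-false}" != "true" ]]; then return; fi`.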
if [[ "${ENCRYPTION_PROVIDER_CONFIG_FORCE:-false}" == "false" ]];
cluster/gce/gci/configure-helper.sh
Outdated
} " "${src_file}" | ||
fi | ||
# need kube-apiserver to be ready | ||
until kubectl get secret |
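Review bot: `until kubectl get secret` on the last line spins forever not only while the apiserver is starting but also on a permanent failure such as a bad kubeconfig or an RBAC denial, and it is a List of the very resource the function is about to rewrite; bound it with a retry counter, sleep between attempts, and poll a readiness signal such as `kubectl get --raw=/healthz` rather than listing secrets.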
Hmm, what other startup steps are blocked by this? I wonder if this needs a timeout or maybe needs to run as the very last step of configure-helper
If this block of code fails then we can safely assume that the cluster did not come up, so I don't see much value in a timeout.
I put this function in the background to allow other things to continue.
Hmm, when the parent shell exits (when rest of configure-helper is done) will it continue running?
And will there be a way to tell if/when it fails?
I believe that the parent will not exit until that function is done.
Today, this is a weak spot: cluster creation times out and users need to log in to the master to investigate. In other words, the caller would not know why kube-up or cluster create fails.
I'd love it if you took a look at these with shellcheck; I'm currently working on a PR to make this a presubmit.
@awly PTAL.
@BenTheElder ran shellcheck and addressed the issues it found in my changes.
/lgtm
Thanks!!
squashed
params+=" --experimental-encryption-provider-config=${ENCRYPTION_PROVIDER_CONFIG_PATH}" | ||
fi | ||
# params is passed by reference, so no "$" | ||
setup-etcd-encryption "${src_file}" params |
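Review bot: `--experimental-encryption-provider-config` is appended to params on the first line, and setup-etcd-encryption on the last line receives params by name precisely so that it can append flags of its own; confirm that only one of the two paths emits this flag, because a repeated string flag is not an error for pflag, the last value silently wins, and for the encryption config path that means the apiserver can end up reading a different file than the operator intended.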
I'm confused. Isn't this params passed as a string?
The idea is to allow the setup-etcd-encryption function to modify params, and the results of such modifications to be visible in the start-kube-apiserver function. If I were to pass params as ${params}, setup-etcd-encryption would get a copy of params.
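As an added illustration of the pass-by-name mechanism discussed above (example code written for this page, not the PR's own; the function names, the flag and the config path are assumptions, the flag name being the one the PR uses), this contrasts a bash nameref with passing the value. It needs bash 4.3 or newer:

```shell
#!/usr/bin/env bash
# Added example (not code from this PR): passing a variable by NAME so that a callee
# can append to it in the caller's scope, as setup-etcd-encryption does with "params".
# Requires bash 4.3+ for "local -n".
set -euo pipefail

# Assumed flag and path; in the PR these come from kube-env.
readonly ENCRYPTION_FLAG="--experimental-encryption-provider-config"
readonly CONFIG_PATH="/etc/srv/kubernetes/encryption-provider-config.yml"

# Callee receives the NAME of the caller's variable. "local -n" makes flags_ref an
# alias of that variable, so the += below lands in the caller's scope. The alias
# must not share its name with the caller's variable ("params"), or bash reports
# a circular name reference.
add_encryption_flag() {
  local -n flags_ref="$1"
  flags_ref+=" ${ENCRYPTION_FLAG}=${CONFIG_PATH}"
}

# Same append, but the callee was given a copy of the VALUE: the caller never sees it.
add_encryption_flag_by_value() {
  local flags="$1"
  flags+=" ${ENCRYPTION_FLAG}=${CONFIG_PATH}"
}

# Builds the kube-apiserver argument string, handing "params" to the callee by name.
build_params_by_ref() {
  local params="--etcd-servers=http://127.0.0.1:2379"
  add_encryption_flag params          # no "$": pass the name, not the value
  printf '%s\n' "${params}"
}

# Same, but "${params}" expands to the value, so the appended flag is lost.
build_params_by_value() {
  local params="--etcd-servers=http://127.0.0.1:2379"
  add_encryption_flag_by_value "${params}"
  printf '%s\n' "${params}"
}

if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
  echo "by reference: $(build_params_by_ref)"
  echo "by value:     $(build_params_by_value)"
fi
```

The by-value variant is the bug the reviewer was worried about: the flag is appended to a copy and kube-apiserver starts without it, so no error is raised and secrets are silently written unencrypted.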
cluster/gce/gci/configure-helper.sh
Outdated
EOM | ||
) | ||
fi | ||
src_file="${src_dir}/kube-apiserver.manifest" |
make local?
It is used in other places (e.g. start-etcd-empty-dir-clean-up-pod).
start-etcd-empty-dir-clean-up-pod declares src_file as local. Shouldn't we do the same here?
cluster/gce/gci/configure-helper.sh
Outdated
# kms_socket_mnt is used by both kms_plugin and kube-apiserver - this is how these containers talk. | ||
local kms_socket_mnt="{ \"name\": \"kmssocket\", \"mountPath\": \"${kms_socket_dir}\", \"readOnly\": false}" | ||
kube_api_server_params=$2 | ||
encryption_provider_config_path=${ENCRYPTION_PROVIDER_CONFIG_PATH:-/etc/srv/kubernetes/encryption-provider-config.yml} |
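Review bot: `kube_api_server_params=$2` on the third line stores the caller's variable name in a plain global string, so a later append goes to that global rather than to the caller's params, and `encryption_provider_config_path` on the last line is likewise global and unquoted; if pass-by-reference is intended (as the earlier revision's `local -n` suggests), use `local -n kube_api_server_params="$2"` and make the path `local` with the expansion quoted.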
quote bash variable
cluster/gce/gci/configure-helper.sh
Outdated
# CLOUD_KMS_INTEGRATION | ||
# ENCRYPTION_PROVIDER_CONFIG_PATH (will default to /etc/srv/kubernetes/encryption-provider-config.yml) | ||
function setup-etcd-encryption { | ||
local kube_apiserver_template_path |
File uses two spaces for indent
cluster/gce/gci/configure-helper.sh
Outdated
cp "${src_file}" "${ETC_MANIFESTS:-/etc/kubernetes/manifests}" | ||
# forces all secrets to be re-written to etcd, and in the process either encrypting or decrypting them | ||
# https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/ | ||
kubectl get secrets --all-namespaces -o json | kubectl replace -f - |
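Review bot: the pipeline on the last line has no handling for the conflict a concurrent writer produces: the JSON from `kubectl get` carries each secret's resourceVersion, so `kubectl replace` refuses the stale copy with a 409 rather than silently overwriting, but that secret is then skipped and stays in etcd in its old form (plaintext when enabling encryption, or under the old key), and the failure surfaces only as kubectl's exit status, which the visible lines do not check. Rewrite secrets one at a time, retry each on conflict, and fail loudly if any secret could not be rewritten.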
This seems like it will lose data if secrets are being modified while it runs.
@mikedanese PTAL.
/retest
cluster/gce/gci/configure-helper.sh
Outdated
# need kube-apiserver to be ready | ||
until kubectl get secret | ||
do | ||
sleep ${ENCRYPTION_PROVIDER_CONFIG_FORCE_DELAY:-5} |
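Review bot: quote the expansion on the last line, `sleep "${ENCRYPTION_PROVIDER_CONFIG_FORCE_DELAY:-5}"` (shellcheck SC2086), and since the value arrives via kube-env, check that it is an integer before handing it to sleep: a non-numeric value makes sleep fail immediately and turns this `until` into a busy loop against the apiserver.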
fix indentation
cluster/gce/gci/configure-helper.sh
Outdated
# ENCRYPTION_PROVIDER_CONFIG_FORCE | ||
function apply-encryption-config() { | ||
if [[ "${ENCRYPTION_PROVIDER_CONFIG_FORCE:-false}" == "false" ]]; then | ||
return |
fix indentation
cluster/gce/gci/configure-helper.sh
Outdated
cp "${src_file}" "${ETC_MANIFESTS:-/etc/kubernetes/manifests}" | ||
# need kube-apiserver to be ready | ||
until kubectl get secret | ||
do |
use single line until (https://google.github.io/styleguide/shell.xml?showone=Loops#Loops)
cluster/gce/gci/configure-helper.sh
Outdated
# else updated the secret in the middle of our update). | ||
# TODO: Retry only on errors caused by a conflict. | ||
until (( retries == 0 )) | ||
do |
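Review bot: `until (( retries == 0 ))` on the third line retries on any failure, as the TODO above it admits, so a persistent error (RBAC denial, apiserver down) burns every retry with the same result and is indistinguishable in the log from a genuine conflict. Check kubectl's stderr for the conflict reason before retrying, back off between attempts, and exit non-zero if the secrets were still not rewritten when retries reach zero; a silent give-up here leaves secrets unencrypted while the operator believes encryption is on.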
/lgtm
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: awly, immutableT, mikedanese.
/test pull-kubernetes-integration
/test pull-kubernetes-e2e-kops-aws
/hold cancel
/retest
1 similar comment
/retest
/test pull-kubernetes-e2e-gke
What this PR does / why we need it:
- Adding encryption to an existing cluster
- Decryption
Both of the above-mentioned scenarios require that secrets be "touched" by the envelope transformer after cluster startup. This functionality is implemented in the apply-encryption-config function.
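The two scenarios in the description come down to the order of providers in the apiserver's EncryptionConfig, followed by a rewrite of every secret so that it is stored under the first provider. The following is an added example, not code from the PR or from the kubernetes repository, that generates the config for each scenario in the `EncryptionConfig`/`apiVersion: v1` form that goes with the `--experimental-encryption-provider-config` flag the PR uses; the KMS plugin name `cloudkms` and the socket path are assumptions:

```shell
#!/usr/bin/env bash
# Added example (not code from this PR): generating the kube-apiserver
# EncryptionConfig for the two scenarios in this PR. The provider listed FIRST is
# used to write; every listed provider is tried, in order, when reading. So:
#   enable  -> kms then identity: new writes are encrypted, existing plaintext still reads
#   disable -> identity then kms: new writes are plaintext, existing ciphertext still reads
# In both cases every secret must then be rewritten so it is stored under the first
# provider, which is what "kubectl get secrets --all-namespaces -o json | kubectl
# replace -f -" does in the PR. Plugin name and socket path below are assumptions.
set -euo pipefail

readonly KMS_NAME="${KMS_NAME:-cloudkms}"
readonly KMS_ENDPOINT="${KMS_ENDPOINT:-unix:///var/run/kmsplugin/socket.sock}"

# Envelope-encryption provider backed by the out-of-process KMS plugin.
kms_provider() {
  cat <<EOF
    - kms:
        name: ${KMS_NAME}
        endpoint: ${KMS_ENDPOINT}
        cachesize: 1000
EOF
}

# The identity provider stores resources as plaintext.
identity_provider() {
  echo "    - identity: {}"
}

# Usage: encryption_config enable|disable   (writes the YAML to stdout)
encryption_config() {
  local mode="${1:-}" first second
  case "${mode}" in
    enable)  first=kms_provider;      second=identity_provider ;;
    disable) first=identity_provider; second=kms_provider ;;
    *) echo "usage: encryption_config enable|disable" >&2; return 2 ;;
  esac
  cat <<EOF
kind: EncryptionConfig
apiVersion: v1
resources:
  - resources:
      - secrets
    providers:
EOF
  "${first}"
  "${second}"
}

# Name of the provider kube-apiserver will use for new writes, i.e. the first listed.
write_provider() {
  encryption_config "$1" | awk '/^    - /{sub(/^    - /, ""); sub(/:.*/, ""); print; exit}'
}

if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
  encryption_config "${1:-enable}"
fi
```

Whichever mode is written, the config only changes how new writes are stored; until the rewrite of existing secrets has completed, a cluster switched to `enable` still holds plaintext in etcd and a cluster switched to `disable` still depends on the KMS plugin to read the old ciphertext, which is why the PR blocks on the rewrite rather than treating the config change as the end of the procedure.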