Enable configure-helper.sh to support two scenarios for etcd level encryption: decryption and adding encryption to existing clusters. #68379
Conversation
k8s-ci-robot
added
release-note-none
k8s-ci-robot
added
sig/cluster-lifecycle
|
/assign @mikedanese |
immutableT
force-pushed
the
kms-plugin-via-gke
branch
2 times, most recently
from
70bc500
to
6ee40cc
Compare
|
/ok-to-test |
k8s-ci-robot
removed
the
needs-ok-to-test
immutableT
force-pushed
the
kms-plugin-via-gke
branch
from
6ee40cc
to
bfda078
Compare
immutableT
changed the title
|
/assign @awly |
|
/test pull-kubernetes-verify |
| @@ -51,89 +55,138 @@ readonly DOCKER_REGISTRY="k8s.gcr.io" | |||
| readonly ENABLE_LEGACY_ABAC=false | |||
| readonly ETC_MANIFESTS=${KUBE_HOME}/etc/kubernetes/manifests | |||
| readonly KUBE_API_SERVER_DOCKER_TAG=v1.11.0-alpha.0.1808_3c7452dc11645d-dirty | |||
| readonly LOG_OWNER_USER=$(id -un) | |||
| readonly LOG_OWNER_USER=$(whoami) | |||
| kmsPluginManifestFileName = "kms-plugin-container.manifest" | ||
| kubeAPIServerStartFuncName = "start-kube-apiserver" | ||
| /* | ||
| encryptionProviderConfigForKMS is base64 encoded yaml below |
There was a problem hiding this comment.
Could you base64-encode it at runtime? Makes it easier to edit.
The YAML itself can still be a string
| } | ||
|
|
||
| func newKubeAPIServerManifestTestCase(t *testing.T) *kubeAPIServerManifestTestCase { | ||
| return &kubeAPIServerManifestTestCase{ | ||
| ManifestTestCase: newManifestTestCase(t, kubeAPIServerManifestFileName, kubeAPIServerStartFuncName, []string{kmsPluginManifestFileName}), | ||
| ManifestTestCase: newManifestTestCase(t, kubeAPIServerManifestFileName, kubeAPIServerStartFuncName, []string{}), |
| flag := fmt.Sprintf("%s=%s", encryptionConfigFlag, e.EncryptionProviderConfigPath) | ||
|
|
||
| switch { | ||
| case tc.wantFlag && !flagIsInArg: |
There was a problem hiding this comment.
case tc.wantFlag != flagIsInArg:
There was a problem hiding this comment.
This would save one case block, but will prevent me from providing a more informative error message.
| case !tc.wantFlag && flagIsInArg: | ||
| t.Fatalf("Got %q,\n do not want flags to contain %q", execArgs, encryptionConfigFlag) | ||
| case tc.wantFlag && flagIsInArg: | ||
| if !strings.Contains(execArgs, flag) { |
There was a problem hiding this comment.
Move this check into the case condition above
cluster/gce/gci/configure-helper.sh
Outdated
| # Assumes vars (supplied via kube-env): | ||
| # ENCRYPTION_PROVIDER_CONFIG | ||
| # CLOUD_KMS_INTEGRATION | ||
|
|
cluster/gce/gci/configure-helper.sh
Outdated
| # kms_socket_mnt is used by both kms_plugin and kube-apiserver - this is how these containers talk. | ||
| local kms_socket_mnt="{ \"name\": \"kmssocket\", \"mountPath\": \"${kms_socket_dir}\", \"readOnly\": false}" | ||
| local -n kube_api_server_params=$2 | ||
| local encryption_provider_config_path=${ENCRYPTION_PROVIDER_CONFIG_PATH:-/etc/srv/kubernetes/encryption-provider-config.yml} |
There was a problem hiding this comment.
Mention ENCRYPTION_PROVIDER_CONFIG_PATH in the function comment above
cluster/gce/gci/configure-helper.sh
Outdated
| # Assumes vars (supplied via kube-env): | ||
| # ENCRYPTION_PROVIDER_CONFIG_FORCE | ||
| function apply-encryption-config() { | ||
| if [[ -z "${ENCRYPTION_PROVIDER_CONFIG_FORCE:-}" ]] || [[ "${ENCRYPTION_PROVIDER_CONFIG_FORCE:-}" == "false" ]]; then |
There was a problem hiding this comment.
if [[ "${ENCRYPTION_PROVIDER_CONFIG_FORCE:-false}" == "false" ]];
cluster/gce/gci/configure-helper.sh
Outdated
| } " "${src_file}" | ||
| fi | ||
| # need kube-apiserver to be ready | ||
| until kubectl get secret |
There was a problem hiding this comment.
Hmm, what other startup steps are blocked by this? I wonder if this needs a timeout or maybe needs to run as the very last step of configure-helper
There was a problem hiding this comment.
If this block of code fails then we can safely assume that the cluster did not come-up, so I don't see much value in time-out.
I put this function into background to allow other things to continue.
There was a problem hiding this comment.
Hmm, when the parent shell exits (when rest of configure-helper is done) will it continue running?
And will there be a way to tell if/when it fails?
There was a problem hiding this comment.
I believe that the parent will not exit until that function is done.
Today, this is a weak spot - cluster creation times-out and users need to login to the master to investigate. In other words, the caller would not know why kube-up or cluster create fails.
I'd love if you took a look at these with shellcheck, working on a PR to make this a presubmit currently. |
|
@awly PTAL. |
|
@BenTheElder ran shellcheck and addressed issues it found in my changes. |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
Thanks!! |
immutableT
force-pushed
the
kms-plugin-via-gke
branch
from
5574218
to
34bc600
Compare
k8s-ci-robot
removed
the
lgtm
|
squashed |
| params+=" --experimental-encryption-provider-config=${ENCRYPTION_PROVIDER_CONFIG_PATH}" | ||
| fi | ||
| # params is passed by reference, so no "$" | ||
| setup-etcd-encryption "${src_file}" params |
There was a problem hiding this comment.
I'm confused. Isn't this params passed as a string?
There was a problem hiding this comment.
The idea is to allow setup-etcd-encryption function to modify params and the results of such modifications to be visible in start-kube-apiserver function. If I were to pass params as ${params} setup-etcd-encryption will get a copy of params.
cluster/gce/gci/configure-helper.sh
Outdated
| EOM | ||
| ) | ||
| fi | ||
| src_file="${src_dir}/kube-apiserver.manifest" |
There was a problem hiding this comment.
It is used in other places (ex. start-etcd-empty-dir-clean-up-pod).
There was a problem hiding this comment.
start-etcd-empty-dir-clean-up-pod declares src_file as local. Shouldn't we do the same here?
cluster/gce/gci/configure-helper.sh
Outdated
| # kms_socket_mnt is used by both kms_plugin and kube-apiserver - this is how these containers talk. | ||
| local kms_socket_mnt="{ \"name\": \"kmssocket\", \"mountPath\": \"${kms_socket_dir}\", \"readOnly\": false}" | ||
| kube_api_server_params=$2 | ||
| encryption_provider_config_path=${ENCRYPTION_PROVIDER_CONFIG_PATH:-/etc/srv/kubernetes/encryption-provider-config.yml} |
cluster/gce/gci/configure-helper.sh
Outdated
| # CLOUD_KMS_INTEGRATION | ||
| # ENCRYPTION_PROVIDER_CONFIG_PATH (will default to /etc/srv/kubernetes/encryption-provider-config.yml) | ||
| function setup-etcd-encryption { | ||
| local kube_apiserver_template_path |
There was a problem hiding this comment.
File uses two spaces for indent
cluster/gce/gci/configure-helper.sh
Outdated
| cp "${src_file}" "${ETC_MANIFESTS:-/etc/kubernetes/manifests}" | ||
| # forces all secrets to be re-written to etcd, and in the process either encrypting or decrypting them | ||
| # https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/ | ||
| kubectl get secrets --all-namespaces -o json | kubectl replace -f - |
There was a problem hiding this comment.
This seems like it will lose data if secrets are being modified while it runs.
immutableT
force-pushed
the
kms-plugin-via-gke
branch
2 times, most recently
from
33628ec
to
cffa2b9
Compare
|
@mikedanese PTAL. |
immutableT
force-pushed
the
kms-plugin-via-gke
branch
from
cffa2b9
to
ff89856
Compare
|
/retest |
cluster/gce/gci/configure-helper.sh
Outdated
| # need kube-apiserver to be ready | ||
| until kubectl get secret | ||
| do | ||
| sleep ${ENCRYPTION_PROVIDER_CONFIG_FORCE_DELAY:-5} |
cluster/gce/gci/configure-helper.sh
Outdated
| # ENCRYPTION_PROVIDER_CONFIG_FORCE | ||
| function apply-encryption-config() { | ||
| if [[ "${ENCRYPTION_PROVIDER_CONFIG_FORCE:-false}" == "false" ]]; then | ||
| return |
cluster/gce/gci/configure-helper.sh
Outdated
| cp "${src_file}" "${ETC_MANIFESTS:-/etc/kubernetes/manifests}" | ||
| # need kube-apiserver to be ready | ||
| until kubectl get secret | ||
| do |
There was a problem hiding this comment.
use single line until
https://google.github.io/styleguide/shell.xml?showone=Loops#Loops
cluster/gce/gci/configure-helper.sh
Outdated
| # else updated the secret in the middle of our update). | ||
| # TODO: Retry only on errors caused by a conflict. | ||
| until (( retries == 0 )) | ||
| do |
There was a problem hiding this comment.
|
/lgtm |
k8s-ci-robot
added
lgtm
immutableT
force-pushed
the
kms-plugin-via-gke
branch
from
e7d6909
to
4bc62be
Compare
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: awly, immutableT, mikedanese The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/test pull-kubernetes-integration |
|
/test pull-kubernetes-e2e-kops-aws |
|
/hold cancel |
k8s-ci-robot
removed
the
do-not-merge/hold
|
/retest Review the full test history for this PR. Silence the bot with an |
1 similar comment
|
/retest Review the full test history for this PR. Silence the bot with an |
|
/test pull-kubernetes-e2e-gke |
What this PR does / why we need it:
Adding encryption to an existing cluster
Decryption
Both of the above mentioned scenarios require that secrets be "touched" by the envelope transformer post cluster startup. This functionality is implemented in the apply-encryption-config function.
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #
Special notes for your reviewer:
Release note: