
AWS: replace aws copy for encryption with encrypted EBS volumes #3293

Merged 3 commits on Mar 17, 2020

Commits on Mar 16, 2020

  1. vendor update cluster-provider-aws

    ```console
    $ go version
    go version go1.14 linux/amd64
    $ go mod edit -replace sigs.k8s.io/cluster-api-provider-aws=github.com/openshift/cluster-api-provider-aws@master
    $ go mod tidy
    warning: ignoring symlink /home/adahiya/go/src/github.com/openshift/installer/pkg/asset/store/data
    go: downloading github.com/openshift/cluster-api-provider-aws v0.2.1-0.20200316201703-923caeb1d0d8
    go: downloading github.com/openshift/machine-api-operator v0.2.1-0.20200310180732-c63fa2b143f0
    $ go mod vendor
    ```
    abhinavdahiya committed Mar 16, 2020
    deaa20d
  2. data/aws: replace aws copy for encryption with encrypted EBS volumes

    Amazon supports using encrypted root EBS volumes [1]. So instead of copying the AMI and encrypting in the process, we can use encrypted EBS volumes instead, which saves us making the AMI copy during install.
    
    The change also allows the user to provide a KMS key to the terraform instead of the default KMS key.
    
    Using this change the instance boots with public RHCOS AMI, and the EBS volume is encrypted with default KMS key for the account and region.
    ```console
    [4:42:15] ➜  installer git:(ami_no_copy) ✗ AWS_PROFILE=openshift-dev aws ec2 describe-volumes --region ca-central-1 --volume-ids vol-09ceb58bc9ac93602
    {
        "Volumes": [
            {
                "Attachments": [
                    {
                        "AttachTime": "2020-03-13T23:30:09.000Z",
                        "Device": "/dev/xvda",
                        "InstanceId": "i-0bdec7b64f2b9a607",
                        "State": "attached",
                        "VolumeId": "vol-09ceb58bc9ac93602",
                        "DeleteOnTermination": true
                    }
                ],
                "AvailabilityZone": "ca-central-1b",
                "CreateTime": "2020-03-13T23:30:09.789Z",
                "Encrypted": true,
                "KmsKeyId": "arn:aws:kms:ca-central-1:<REDACTED>:key/1ffbfa61-7250-42de-9a75-cac64a8f0e4d",
                "Size": 120,
                "SnapshotId": "snap-0c8421bbe06f5f69d",
                "State": "in-use",
                "VolumeId": "vol-09ceb58bc9ac93602",
                "Iops": 360,
                "Tags": [
                    {
                        "Key": "kubernetes.io/cluster/adahiya-1-djk4q",
                        "Value": "owned"
                    },
                    {
                        "Key": "Name",
                        "Value": "adahiya-1-djk4q-master-1-vol"
                    }
                ],
                "VolumeType": "gp2"
            }
        ]
    }
    [4:42:28] ➜  installer git:(ami_no_copy) ✗ AWS_PROFILE=openshift-dev aws ec2 describe-instances --region ca-central-1 --instance-ids i-0bdec7b64f2b9a607
    {
        "Reservations": [
            {
                "Groups": [],
                "Instances": [
                    {
                        "AmiLaunchIndex": 0,
                        "ImageId": "ami-0d235b4920e9def96",
                        "InstanceId": "i-0bdec7b64f2b9a607",
                        "InstanceType": "m4.xlarge",
                        "LaunchTime": "2020-03-13T23:30:09.000Z",
    ...
                        "BlockDeviceMappings": [
                            {
                                "DeviceName": "/dev/xvda",
                                "Ebs": {
                                    "AttachTime": "2020-03-13T23:30:09.000Z",
                                    "DeleteOnTermination": true,
                                    "Status": "attached",
                                    "VolumeId": "vol-09ceb58bc9ac93602"
                                }
                            }
                        ],
    ...
                        "Tags": [
                            {
                                "Key": "Name",
                                "Value": "adahiya-1-djk4q-master-1"
                            },
                            {
                                "Key": "kubernetes.io/cluster/adahiya-1-djk4q",
                                "Value": "owned"
                            }
                        ],
    ...
            }
        ]
    }
    [4:44:31] ➜  installer git:(ami_no_copy) ✗
    ```
    
    The bootstrap host is always encrypted with either the default KMS key or the user-specified KMS key.
    
    [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
    abhinavdahiya committed Mar 16, 2020
    9ab21a9
  3. aws: allow users to set the KMS key id for encrypting EBS volumes

    Users can provide the KMS Key ARN which should be used to encrypt the EBS volumes; otherwise the default KMS key for the region will be used.
    abhinavdahiya committed Mar 16, 2020
    17030b3
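The second and third commits above rely on every cluster-owned volume coming up encrypted, either with the account's default KMS key or with the user-supplied key ARN. The following audit is an added example (not code from the installer or this PR): it walks `aws ec2 describe-volumes` output of the shape shown in the commit message, selects volumes tagged `kubernetes.io/cluster/<id>: owned`, and reports any that are unencrypted or, when an expected key ARN is given, encrypted with a different key. The volume ids, account id and key ARNs in the sample are constructed placeholders.

```python
import json
from typing import Dict, List, Optional

# Constructed sample in the shape of `aws ec2 describe-volumes` output.
# All ids and ARNs are placeholders, not values taken from the PR.
KEY_A = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000001"
KEY_B = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000002"
SAMPLE_DESCRIBE_VOLUMES = json.dumps({"Volumes": [
    {"VolumeId": "vol-0000000000000aaaa", "Encrypted": True, "KmsKeyId": KEY_A,
     "Tags": [{"Key": "kubernetes.io/cluster/example-abcde", "Value": "owned"},
              {"Key": "Name", "Value": "example-abcde-master-0-vol"}]},
    {"VolumeId": "vol-0000000000000bbbb", "Encrypted": False,
     "Tags": [{"Key": "kubernetes.io/cluster/example-abcde", "Value": "owned"},
              {"Key": "Name", "Value": "example-abcde-worker-0-vol"}]},
    {"VolumeId": "vol-0000000000000cccc", "Encrypted": True, "KmsKeyId": KEY_B,
     "Tags": [{"Key": "kubernetes.io/cluster/example-abcde", "Value": "owned"}]},
    # Unencrypted volume that does not belong to the cluster; must be ignored.
    {"VolumeId": "vol-0000000000000dddd", "Encrypted": False,
     "Tags": [{"Key": "Name", "Value": "unrelated"}]},
]})


def cluster_volumes(volumes: List[dict], cluster_id: str) -> List[dict]:
    """Keep only volumes carrying the installer's ownership tag for cluster_id."""
    tag = f"kubernetes.io/cluster/{cluster_id}"
    return [v for v in volumes
            if any(t.get("Key") == tag and t.get("Value") == "owned"
                   for t in v.get("Tags", []))]


def audit_volume_encryption(describe_output: str, cluster_id: str,
                            expected_kms_key: Optional[str] = None) -> List[Dict[str, str]]:
    """Return one finding per cluster-owned volume that is unencrypted, or that is
    encrypted with a key other than expected_kms_key when a key ARN is supplied."""
    volumes = json.loads(describe_output)["Volumes"]
    findings: List[Dict[str, str]] = []
    for v in cluster_volumes(volumes, cluster_id):
        if not v.get("Encrypted", False):
            findings.append({"VolumeId": v["VolumeId"], "Issue": "unencrypted"})
        elif expected_kms_key and v.get("KmsKeyId") != expected_kms_key:
            findings.append({"VolumeId": v["VolumeId"], "Issue": "unexpected KMS key",
                             "KmsKeyId": v.get("KmsKeyId", "")})
    return findings


if __name__ == "__main__":
    for f in audit_volume_encryption(SAMPLE_DESCRIBE_VOLUMES, "example-abcde", KEY_A):
        print(f)
```

Against a live account the same function can be fed the output of `aws ec2 describe-volumes --region <region>`; a non-empty result after installation means the encryption settings did not take effect as intended.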