Add secret encryption configuration

pull/1192/head
galal-hussein 5 years ago
parent d4959d53af
commit 388cd9c4e8

@ -42,6 +42,7 @@ type Server struct {
DisableNPC bool
ClusterInit bool
ClusterReset bool
EncryptSecrets bool
}
var ServerConfig Server
@ -262,6 +263,11 @@ func NewServerCommand(action func(*cli.Context) error) cli.Command {
EnvVar: "K3S_CLUSTER_RESET",
Destination: &ServerConfig.ClusterReset,
},
cli.BoolFlag{
Name: "secrets-encryption",
Usage: "(experimental) Enable Secret encryption at rest",
Destination: &ServerConfig.EncryptSecrets,
},
// Hidden/Deprecated flags below

@ -100,6 +100,7 @@ func run(app *cli.Context, cfg *cmds.Server) error {
serverConfig.ControlConfig.DisableNPC = cfg.DisableNPC
serverConfig.ControlConfig.ClusterInit = cfg.ClusterInit
serverConfig.ControlConfig.ClusterReset = cfg.ClusterReset
serverConfig.ControlConfig.EncryptSecrets = cfg.EncryptSecrets
if cmds.AgentConfig.FlannelIface != "" && cmds.AgentConfig.NodeIP == "" {
cmds.AgentConfig.NodeIP = netutil.GetIPFromInterface(cmds.AgentConfig.FlannelIface)

@ -111,6 +111,7 @@ type Control struct {
DisableNPC bool
ClusterInit bool
ClusterReset bool
EncryptSecrets bool
BindAddress string
SANs []string
@ -128,6 +129,7 @@ type ControlRuntimeBootstrap struct {
RequestHeaderCA string
RequestHeaderCAKey string
IPSECKey string
EncryptionConfig string
}
type ControlRuntime struct {

@ -3,9 +3,11 @@ package control
import (
"context"
"crypto"
cryptorand "crypto/rand"
"crypto/x509"
b64 "encoding/base64"
"encoding/json"
"fmt"
"html/template"
"io/ioutil"
"math/rand"
"net"
@ -15,6 +17,7 @@ import (
"path/filepath"
"strconv"
"strings"
"text/template"
"time"
// registering k3s cloud provider
@ -29,6 +32,8 @@ import (
"github.com/rancher/wrangler-api/pkg/generated/controllers/rbac"
"github.com/sirupsen/logrus"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
apiserverconfigv1 "k8s.io/apiserver/pkg/apis/config/v1"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/client-go/kubernetes"
"k8s.io/client-go/tools/clientcmd"
@ -70,8 +75,9 @@ users:
)
const (
userTokenSize = 16
userTokenSize = 8
ipsecTokenSize = 48
aescbcKeySize = 32
)
func Server(ctx context.Context, cfg *config.Control) error {
@ -201,7 +207,9 @@ func apiServer(ctx context.Context, cfg *config.Control, runtime *config.Control
argsMap["client-ca-file"] = runtime.ClientCA
argsMap["enable-admission-plugins"] = "NodeRestriction"
argsMap["anonymous-auth"] = "false"
if cfg.EncryptSecrets {
argsMap["encryption-provider-config"] = runtime.EncryptionConfig
}
args := config.GetArgsList(argsMap, cfg.ExtraAPIArgs)
command := app.NewAPIServerCommand(ctx.Done())
@ -308,6 +316,10 @@ func prepare(ctx context.Context, config *config.Control, runtime *config.Contro
runtime.ClientAuthProxyCert = path.Join(config.DataDir, "tls", "client-auth-proxy.crt")
runtime.ClientAuthProxyKey = path.Join(config.DataDir, "tls", "client-auth-proxy.key")
if config.EncryptSecrets {
runtime.EncryptionConfig = path.Join(config.DataDir, "cred", "encryption-config.json")
}
cluster := cluster.New(config)
if err := cluster.Join(ctx); err != nil {
@ -330,6 +342,10 @@ func prepare(ctx context.Context, config *config.Control, runtime *config.Contro
return err
}
if err := genEncryptionConfig(config, runtime); err != nil {
return err
}
if err := readTokens(runtime); err != nil {
return err
}
@ -861,3 +877,51 @@ func promise(f func() error) <-chan error {
}()
return c
}
func genEncryptionConfig(controlConfig *config.Control, runtime *config.ControlRuntime) error {
if !controlConfig.EncryptSecrets {
return nil
}
if s, err := os.Stat(runtime.EncryptionConfig); err == nil && s.Size() > 0 {
return nil
}
aescbcKey := make([]byte, aescbcKeySize, aescbcKeySize)
_, err := cryptorand.Read(aescbcKey)
if err != nil {
return err
}
encodedKey := b64.StdEncoding.EncodeToString(aescbcKey)
encConfig := apiserverconfigv1.EncryptionConfiguration{
TypeMeta: metav1.TypeMeta{
Kind: "EncryptionConfiguration",
APIVersion: "apiserver.config.k8s.io/v1",
},
Resources: []apiserverconfigv1.ResourceConfiguration{
{
Resources: []string{"secrets"},
Providers: []apiserverconfigv1.ProviderConfiguration{
{
AESCBC: &apiserverconfigv1.AESConfiguration{
Keys: []apiserverconfigv1.Key{
{
Name: "aescbckey",
Secret: encodedKey,
},
},
},
},
{
Identity: &apiserverconfigv1.IdentityConfiguration{},
},
},
},
},
}
jsonfile, err := json.Marshal(encConfig)
if err != nil {
return err
}
return ioutil.WriteFile(runtime.EncryptionConfig, jsonfile, 0600)
}

Loading…
Cancel
Save