Merge pull request #292 from charlieegan3/encryption-config

Enable secrets and configMaps encryption in etcd rest on the apiserver

CHANGELOG.md

@@ -22,7 +22,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 | Vault       |                    | `0.9.5`  |
 | Kubernetes  | `>= 1.7 && < 1.11` | `1.9.7`  |
 | Calico      |                    | `3.1.1`  |
-| Vault Helper|                    | `0.9.7`  |
+| Vault Helper|                    | `0.9.12` |
 | Etcd        |                    | `3.2.17` |
 
 ## [0.3.0]: 0.3.0 - 2018-02-20

Gopkg.toml

@@ -48,7 +48,7 @@ required = [
 
 [[constraint]]
   name = "github.com/jetstack/vault-helper"
-  version = "0.9.10"
+  version = "0.9.12"
 
 [[constraint]]
   name = "github.com/cenkalti/backoff"

puppet/modules/kubernetes/manifests/apiserver.pp

@@ -8,6 +8,7 @@
   $admission_control = undef,
   $count = 1,
   $storage_backend = undef,
+  Optional[String] $encryption_config_file = undef,
   $etcd_nodes = ['localhost'],
   $etcd_port = 2379,
   $etcd_events_port = undef,

puppet/modules/kubernetes/manifests/init.pp

@@ -105,6 +105,7 @@
     $_service_account_key_file = $service_account_key_file
   }
 
+
   if $cluster_dns == undef {
     $_sir_parts = $service_ip_range_network.split('\.')
     $_cluster_dns = "${_sir_parts[0]}.${_sir_parts[1]}.${_sir_parts[2]}.10"

puppet/modules/kubernetes/templates/kube-apiserver.service.erb

@@ -82,6 +82,9 @@ ExecStart=<%= scope['kubernetes::_dest_dir'] %>/apiserver \
 <%- if scope['kubernetes::_service_account_key_file'] -%>
   --service-account-key-file=<%= scope['kubernetes::_service_account_key_file'] %> \
 <% end -%>
+<%- if @post_1_7 and @encryption_config_file -%>
+  --experimental-encryption-provider-config=<%= @encryption_config_file %> \
+<% end -%>
 <%- if scope.function_versioncmp([scope['kubernetes::version'], '1.9.0']) >= 0 -%>
   --endpoint-reconciler-type=lease \
 <%- else -%>

puppet/modules/tarmak/manifests/master.pp

@@ -31,6 +31,14 @@
     uid         => $::tarmak::kubernetes_uid,
   }
 
+  $encryption_config_file = "${::tarmak::kubernetes_config_dir}/encryption-config.yaml"
+  vault_client::secret_service { 'kube-encryption-config-file':
+    field       => 'content',
+    secret_path => "${::tarmak::cluster_name}/secrets/encryption-config",
+    dest_path   => $encryption_config_file,
+    uid         => $::tarmak::kubernetes_uid,
+  }
+
   $controller_manager_base_path = "${::tarmak::kubernetes_ssl_dir}/kube-controller-manager"
   vault_client::cert_service { 'kube-controller-manager':
     base_path   => $controller_manager_base_path,
@@ -132,6 +140,7 @@
       requestheader_client_ca_file => $requestheader_client_ca_file,
       proxy_client_cert_file       => $proxy_client_cert_file ,
       proxy_client_key_file        => $proxy_client_key_file,
+      encryption_config_file       => $encryption_config_file,
   }
 
   class { 'kubernetes::controller_manager':

puppet/modules/tarmak/spec/acceptance/single_node_spec.rb

@@ -40,8 +40,6 @@
   kubernetes_version            => '#{kubernetes_version}',
   kubernetes_authorization_mode => #{kubernetes_authorization_mode},
 }
-
-
 "
     end
 

puppet/modules/tarmak/spec/spec_helper_acceptance.rb

@@ -34,8 +34,6 @@
 
       # install myself
       install_dev_puppet_module_on(host, :source => module_root, :module_name => 'tarmak', :target_module_path => $module_path)
-
-
     end
   end
 end

puppet/modules/vault_client/files/vault-add-hostname.sh

@@ -5,4 +5,4 @@ set -ex
 export VAULT_ADDR=http://127.0.0.1:8200
 export VAULT_TOKEN=root-token-dev
 
-vault read -format=json test/pki/k8s/roles/kubelet | python -c "import socket, sys, json; v=json.load(sys.stdin); v=v['data']; k='allowed_domains'; d=v[k].split(','); d.append(socket.gethostname()); v[k] = ','.join(list(set(d))); print json.dumps(v)" | vault write test/pki/k8s/roles/kubelet -
+vault read -format=json test/pki/k8s/roles/kubelet | python -c "import socket, sys, json; v=json.load(sys.stdin); v=v['data']; k='allowed_domains'; d=v[k]; d.append(socket.gethostname()); v[k] = ','.join(list(set(d))); print json.dumps(v)" | vault write test/pki/k8s/roles/kubelet -

puppet/modules/vault_client/files/vault-dev-server.service

@@ -3,8 +3,9 @@ Description=vault dev server for acceptance tests
 
 [Service]
 Type=notify
+Environment=VAULT_VERSION=0.9.5
+Environment=VAULT_HELPER_VERSION=0.9.12
 Environment=VAULT_CMD=/opt/bin/vault-helper
-Environment=VAULT_HELPER_VERSION=0.9.7
 Environment=VAULT_ADDR=http://127.0.0.1:8200
 ExecStart=/bin/bash /etc/puppetlabs/code/modules/vault_client/files/vault-dev-server.sh
 ExecStartPost=/etc/puppetlabs/code/modules/vault_client/files/vault-add-hostname.sh

puppet/modules/vault_client/files/vault-dev-server.sh

@@ -7,7 +7,7 @@ export VAULT_ADDR=http://127.0.0.1:8200
 
 #Download vault binary
 if [ ! -x /bin/vault  ]; then
-    curl -sL -o /tmp/vault-dev.zip https://releases.hashicorp.com/vault/0.7.2/vault_0.7.2_linux_amd64.zip
+    curl -sL -o /tmp/vault-dev.zip https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip
     unzip /tmp/vault-dev.zip -d /tmp
     mv /tmp/vault /bin/vault
     chmod +x /bin/vault

puppet/modules/vault_client/manifests/params.pp

@@ -5,7 +5,7 @@
 #
 class vault_client::params {
   $app_name = 'vault-helper'
-  $version = '0.9.10'
+  $version = '0.9.12'
   $bin_dir = '/opt/bin'
   $dest_dir = '/opt'
   $config_dir = '/etc/vault'