From 07b28940802f27ef7b8f7cd29cfe7f0d7d400994 Mon Sep 17 00:00:00 2001
From: Manuel Cintron <4176113+mcntrn@users.noreply.github.com>
Date: Tue, 19 Feb 2019 09:31:45 -0600
Subject: [PATCH] Adding ability to maintain existing Encryption Secrets at Rest. (#4255)

* Adding ability to maintain existing Encryption Secrets at Rest.
If secrets_encryption.yaml is present it will not be overriten with a new kube_encrypt_token. This should allow for it to be set ahead of a playbook running or maintain it if cluster.yml is ran on the same cluster and the ansible host does not have access to the secrets.
* Setting existing kube_encrypt_token across all master nodes in case it was missing in one or more nodes.
---
 .../kubernetes/master/defaults/main/main.yml | 2 ++
 .../master/tasks/encrypt-at-rest.yml | 29 +++++++++++++++++++
 2 files changed, 31 insertions(+)

diff --git a/roles/kubernetes/master/defaults/main/main.yml b/roles/kubernetes/master/defaults/main/main.yml
index 92997d5ef..e2342217b 100644
--- a/roles/kubernetes/master/defaults/main/main.yml
+++ b/roles/kubernetes/master/defaults/main/main.yml
@@ -163,3 +163,5 @@ kube_override_hostname: >-
   {%- else -%}
   {{ inventory_hostname }}
   {%- endif -%}
+
+secrets_encryption_query: "resources[*].providers[0].{{kube_encryption_algorithm}}.keys[0].secret"
diff --git a/roles/kubernetes/master/tasks/encrypt-at-rest.yml b/roles/kubernetes/master/tasks/encrypt-at-rest.yml
index 332e622c7..192790039 100644
--- a/roles/kubernetes/master/tasks/encrypt-at-rest.yml
+++ b/roles/kubernetes/master/tasks/encrypt-at-rest.yml
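Review bot: The new `secrets_encryption_query` hard-codes `providers[0]`, so it only works when the configured algorithm is the first provider in the file; a config that lists `identity` first (or that was generated for a different algorithm) yields an empty result, which the consuming task in encrypt-at-rest.yml turns into a hard error rather than a fallback. A position-independent projection such as `secrets_encryption_query: "resources[].providers[].{{ kube_encryption_algorithm }}.keys[0].secret"` returns every matching key regardless of ordering, since JMESPath drops null entries from projections — worth confirming against the template that writes the file. The inner expression also drops the spaces the rest of this file uses (`{{ inventory_hostname }}` three lines up); `{{ kube_encryption_algorithm }}` keeps the style consistent.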
@@ -1,4 +1,33 @@
 ---
+- name: Check if secret for encrypting data at rest already exist
+  stat:
+    path: "{{ kube_cert_dir }}/secrets_encryption.yaml"
+  register: secrets_encryption_file
+
+- name: Slurp secrets_encryption file if it exists
+  slurp:
+    src: "{{ kube_cert_dir }}/secrets_encryption.yaml"
+  register: secret_file_encoded
+  when: secrets_encryption_file.stat.exists
+
+- name: Base 64 Decode slurped secrets_encryption.yaml file
+  set_fact:
+    secret_file_decoded: "{{secret_file_encoded['content'] | b64decode | from_yaml}}"
+  when: secrets_encryption_file.stat.exists
+
+- name: Extract secret value from secrets_encryption.yaml
+  set_fact:
+    kube_encrypt_token_extracted: "{{ secret_file_decoded | json_query(secrets_encryption_query) | first | b64decode}}"
+  when: secrets_encryption_file.stat.exists
+
+- name: Set kube_encrypt_token across master nodes
+  set_fact:
+    kube_encrypt_token: "{{ kube_encrypt_token_extracted }}"
+  delegate_to: "{{ item }}"
+  delegate_facts: true
+  with_inventory_hostnames: kube-master
+  when: kube_encrypt_token_extracted is defined
+
 - name: Write secrets for encrypting secret data at rest
   template:
     src: secrets_encryption.yaml.j2
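Review bot: The slurp task and the three set_fact tasks register and set facts that carry the at-rest encryption key (base64 in `secret_file_encoded`, raw in `kube_encrypt_token_extracted` and `kube_encrypt_token`), and none of them sets `no_log: true`, so the key is printed in task output at `-v` and captured by any logging callback; add `no_log: true` to each of those four tasks. The extract task errors instead of falling back when the query matches nothing (for example when `identity` is listed before the algorithm provider), because `first` on an empty list fails; extending its `when` with `(secret_file_decoded | json_query(secrets_encryption_query) | length) > 0` or asserting exactly one match gives a clear outcome. The delegated set_fact runs once per host in the play, so if two masters already hold different files the last host to run silently wins for the whole `kube-master` group; an assert that all extracted values agree before fan-out would catch that. `json_query` also needs the `jmespath` Python package on the controller — presumably already a project requirement, but worth confirming.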