Added etcd encryption support (#559)

wtripp180901 · web-flow · commit e35bbc8f8d04 · 2025-07-03T17:54:24.000+01:00
* added etcd encryption support

* now fails if encryption on but keys undefined

* fixed whitespace

* etcd keys now generated by hooks per cluster

* fixed service account not existing pre-install

* now enabled by default and hooks conditional on encryption

* renames + added default for CI

* rename

* typo

* allowed CI linting

* using default service account + keeps for debugging

* removed keeps

* debug

* removed hook, now depends on capi-operator secret

* etcd encryption now off by default
diff --git a/charts/openstack-cluster/templates/control-plane/kubeadm-control-plane.yaml b/charts/openstack-cluster/templates/control-plane/kubeadm-control-plane.yaml
@@ -69,6 +69,57 @@ mounts:
 {{- end }}
 {{- end }}
 
+{{- define "openstack-cluster.controlplane.kubeadmConfigSpec.etcdEncryption" -}}
+{{- if .Values.etcd.encryption.enabled }}
+preKubeadmCommands:
+  - mkdir -p /etc/kubernetes/enc
+  - mkdir -p /etc/kubernetes/patches
+initConfiguration:
+  patches:
+    directory: /etc/kubernetes/patches
+joinConfiguration:
+  patches:
+    directory: /etc/kubernetes/patches
+clusterConfiguration:
+  apiServer:
+    extraArgs:
+      encryption-provider-config: /etc/kubernetes/enc/enc.yaml
+files:
+  - path: /etc/kubernetes/patches/kube-apiserver1+strategic.yaml
+    permissions: "0644"
+    owner: root:root
+    content: |
+      spec:
+        containers:
+        - name: kube-apiserver
+          volumeMounts:
+          - mountPath: /etc/kubernetes/enc
+            name: kube-enc
+            readOnly: true
+        volumes:
+        - hostPath:
+            path: /etc/kubernetes/enc
+            type: DirectoryOrCreate
+          name: kube-enc
+  - path: /etc/kubernetes/enc/enc.yaml
+    content: |
+      apiVersion: apiserver.config.k8s.io/v1
+      kind: EncryptionConfiguration
+      resources:
+        - resources:
+            {{- .Values.etcd.encryption.resources | toYaml | nindent 10 }}
+          providers:
+            - {{ .Values.etcd.encryption.provider }}:
+                keys:
+                  - name: key1
+                    {{- $secret := (lookup "v1" "Secret" .Release.Namespace (print .Release.Name "-etcd-key")) -}}
+                    secret: {{ $secret.data.key }}
+            - identity: {} # fallback to allow reading unencrypted secrets e.g during initial migration
+    owner: root:root
+    permissions: "0644"
+{{- end }}
+{{- end -}}
+
 {{/*
   NOTE(mkjpryor)
   When Cilium is enabled with the kube-proxy replacement, we need to skip kube-proxy
@@ -146,6 +197,7 @@ spec:
           (include "openstack-cluster.controlplane.kubeadmConfigSpec.nodeLabels" . | fromYaml)
           (include "openstack-cluster.controlplane.kubeadmConfigSpec.oidc" . | fromYaml)
           (include "openstack-cluster.controlplane.kubeadmConfigSpec.etcd" . | fromYaml)
+          (include "openstack-cluster.controlplane.kubeadmConfigSpec.etcdEncryption" . | fromYaml)
           (include "openstack-cluster.controlplane.kubeadmConfigSpec.cilium" . | fromYaml)
           (include "openstack-cluster.controlplane.kubeadmConfigSpec.admissionConfigFile" . | fromYaml)
           (include "openstack-cluster.kubeadmConfigSpec" (list . .Values.controlPlane.kubeadmConfigSpec) | fromYaml)
diff --git a/charts/openstack-cluster/values.yaml b/charts/openstack-cluster/values.yaml
@@ -151,6 +151,14 @@ etcd:
     quota-backend-bytes: "4294967296"
     # Listen for metrics on 0.0.0.0 so Prometheus can collect them
     listen-metrics-urls: http://0.0.0.0:2381
+  # At-rest encryption settings
+  encryption:
+    enabled: false
+    # K8s resources to encrypt
+    resources:
+      - secrets
+    # Encyption provider, see https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/#providers
+    provider: secretbox
   # The block device configuration for etcd
   # If not specified, the root device is used
   blockDevice:
