Added secrets encryption at rest option

2020-03-28 12:58:58 +00:00 · 2020-03-28 12:58:58 +00:00 · e93b438ee0
parent f684f6d907
commit e93b438ee0
6 changed files with 17 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -80,6 +80,7 @@ consistency.
 | `k3s_datastore_certfile`         | Define the database TLS Cert file.                                                  | _NULL_                                  |
 | `k3s_datastore_keyfile`          | Define the database TLS Key file.                                                   | _NULL_                                  |
 | `k3s_dqlite_datastore`           | Use DQLite as the database backend for HA. (EXPERIMENTAL)                           | `false`                                 |
+| `k3s_secrets_encryption`         | Use secrets encryption at rest. (EXPERIMENTAL)                                      | `false`                                 |

 #### Important note about `k3s_release_version`

--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -95,3 +95,6 @@ k3s_disable_network_policy: false

 # Default local storage path for local provisioner storage class, if set to "false" we will use the default
 k3s_default_local_storage_path: false
+
+# Use secret encryption at rest (EXPERIMENTAL)
+k3s_secrets_encryption: false
--- a/molecule/highavailability/playbook-dqlite.yml
+++ b/molecule/highavailability/playbook-dqlite.yml
@ -5,6 +5,7 @@
  vars:
    molecule_is_test: true
    k3s_dqlite_datastore: true
+    k3s_secrets_encryption: true
    k3s_use_experimental: true
  pre_tasks:
    - name: Set each node to be a control node
--- a/tasks/validate/check-experimental-variables.yml
+++ b/tasks/validate/check-experimental-variables.yml
@ -8,3 +8,4 @@
    fail_msg: "Experimental variables have been configured. If you want to use them ensure you set k3s_use_experimental"
  when: (k3s_non_root is defined and k3s_non_root)
        or (k3s_dqlite_datastore is defined and k3s_dqlite_datastore)
+        or (k3s_secrets_encryption is defined and k3s_secrets_encryption)
--- a/tasks/validate/check-variables.yml
+++ b/tasks/validate/check-variables.yml
@ -213,3 +213,11 @@
    success_msg: "Local storage path supported in {{ k3s_release_version }}"
    fail_msg: "Local storage path are not supported in {{ k3s_release_version }}"
  when: k3s_default_local_storage_path is defined and k3s_default_local_storage_path
+
+- name: Check k3s_secrets_encryption against k3s version
+  assert:
+    that:
+      - (k3s_release_version | replace('v', '')) is version_compare('1.17.4', '>=')
+    success_msg: "Secrets encryption at rest supported in {{ k3s_release_version }}"
+    fail_msg: "Secrets encryption at rest is not supported in {{ k3s_release_version }}"
+  when: k3s_secrets_encryption is defined and k3s_secrets_encryption
--- a/templates/k3s.service.j2
+++ b/templates/k3s.service.j2
@ -77,6 +77,9 @@ ExecStart={{ k3s_install_dir }}/k3s
            --token {{ k3s_control_token }}
        {% endif %}
    {% endif %}
+    {% if k3s_secrets_encryption is defined and k3s_secrets_encryption %}
+        --secrets-encryption
+    {% endif %}
 {% else %}
    agent
    --server https://{{ k3s_control_node_address }}:{{ k3s_https_port }}