From e93b438ee0b570cb0eea91c43c94175ee58b7a22 Mon Sep 17 00:00:00 2001
From: Xan Manning
Date: Sat, 28 Mar 2020 12:58:58 +0000
Subject: [PATCH] Added secrets encryption at rest option

---
 README.md | 1 +
 defaults/main.yml | 3 +++
 molecule/highavailability/playbook-dqlite.yml | 1 +
 tasks/validate/check-experimental-variables.yml | 1 +
 tasks/validate/check-variables.yml | 8 ++++++++
 templates/k3s.service.j2 | 3 +++
 6 files changed, 17 insertions(+)

diff --git a/README.md b/README.md
index f0a1f9e..5b17fdb 100644
--- a/README.md
+++ b/README.md
@@ -80,6 +80,7 @@ consistency.
 | `k3s_datastore_certfile` | Define the database TLS Cert file. | _NULL_ |
 | `k3s_datastore_keyfile` | Define the database TLS Key file. | _NULL_ |
 | `k3s_dqlite_datastore` | Use DQLite as the database backend for HA. (EXPERIMENTAL) | `false` |
+| `k3s_secrets_encryption` | Use secrets encryption at rest. (EXPERIMENTAL) | `false` |
 
 #### Important note about `k3s_release_version`
 
diff --git a/defaults/main.yml b/defaults/main.yml
index def2848..ad6928b 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -95,3 +95,6 @@ k3s_disable_network_policy: false
 
 # Default local storage path for local provisioner storage class, if set to "false" we will use the default
 k3s_default_local_storage_path: false
+
+# Use secret encryption at rest (EXPERIMENTAL)
+k3s_secrets_encryption: false
diff --git a/molecule/highavailability/playbook-dqlite.yml b/molecule/highavailability/playbook-dqlite.yml
index 4d41510..786caf7 100644
--- a/molecule/highavailability/playbook-dqlite.yml
+++ b/molecule/highavailability/playbook-dqlite.yml
@@ -5,6 +5,7 @@
 vars:
 molecule_is_test: true
 k3s_dqlite_datastore: true
+k3s_secrets_encryption: true
 k3s_use_experimental: true
 pre_tasks:
 - name: Set each node to be a control node
diff --git a/tasks/validate/check-experimental-variables.yml b/tasks/validate/check-experimental-variables.yml
index 0132564..f7f349c 100644
--- a/tasks/validate/check-experimental-variables.yml
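Review bot: Setting `k3s_secrets_encryption: true` in the dqlite HA playbook ties the new option to a second experimental feature, so a failing scenario no longer tells you which of the two broke; the variable would be better exercised in its own scenario, or additionally in the non-dqlite playbook. Since the play's pre_tasks make every node a control node, every server in this scenario is rendered with the encryption flag, and whether several k3s servers end up sharing one encryption key is not something the role checks — worth confirming against k3s before treating a green run as proof the HA case works. The enclosing play starts outside the hunk.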
+++ b/tasks/validate/check-experimental-variables.yml
@@ -8,3 +8,4 @@
 fail_msg: "Experimental variables have been configured. If you want to use them ensure you set k3s_use_experimental"
 when: (k3s_non_root is defined and k3s_non_root)
 or (k3s_dqlite_datastore is defined and k3s_dqlite_datastore)
+or (k3s_secrets_encryption is defined and k3s_secrets_encryption)
diff --git a/tasks/validate/check-variables.yml b/tasks/validate/check-variables.yml
index 60c954d..b9b26a7 100644
--- a/tasks/validate/check-variables.yml
+++ b/tasks/validate/check-variables.yml
@@ -213,3 +213,11 @@
 success_msg: "Local storage path supported in {{ k3s_release_version }}"
 fail_msg: "Local storage path are not supported in {{ k3s_release_version }}"
 when: k3s_default_local_storage_path is defined and k3s_default_local_storage_path
+
+- name: Check k3s_secrets_encryption against k3s version
+assert:
+that:
+- (k3s_release_version | replace('v', '')) is version_compare('1.17.4', '>=')
+success_msg: "Secrets encryption at rest supported in {{ k3s_release_version }}"
+fail_msg: "Secrets encryption at rest is not supported in {{ k3s_release_version }}"
+when: k3s_secrets_encryption is defined and k3s_secrets_encryption
diff --git a/templates/k3s.service.j2 b/templates/k3s.service.j2
index 3ea880c..334a531 100644
--- a/templates/k3s.service.j2
+++ b/templates/k3s.service.j2
@@ -77,6 +77,9 @@ ExecStart={{ k3s_install_dir }}/k3s
 --token {{ k3s_control_token }}
 {% endif %}
 {% endif %}
+{% if k3s_secrets_encryption is defined and k3s_secrets_encryption %}
+--secrets-encryption
+{% endif %}
 {% else %}
 agent
 --server https://{{ k3s_control_node_address }}:{{ k3s_https_port }}
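Review bot: The new `that:` entry strips every `v` from `k3s_release_version` with `replace('v', '')` rather than just the leading prefix, and passes whatever remains (including a `+k3s1`-style build suffix, if the value carries one) straight to the comparison; `regex_replace('^v', '')` is the precise form, and `version` is the current name of the test (`version_compare` being the older alias), e.g. `- (k3s_release_version | regex_replace('^v', '')) is version('1.17.4', '>=')`. If the sibling checks above use the same `replace` expression, change them together so the file stays consistent. Note also that a non-tag value for `k3s_release_version` (a channel name, say) fails this assert rather than being skipped — presumably intended, but a one-line comment on the task saying so would save the next reader a guess.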
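Review bot: `--secrets-encryption` is emitted only on the server branch, which is correct, but nothing in the role addresses the flag later being turned off: re-rendering the unit without it restarts a server that, as I understand k3s, can no longer read secrets that were already stored encrypted, and — as with upstream Kubernetes encryption at rest — secrets written before the flag was enabled stay in plaintext until they are rewritten. A comment on the `{% if %}` line such as `{# once enabled, do not drop this flag without decrypting secrets first; existing secrets are only encrypted on rewrite #}` plus a matching caveat next to the README/defaults entry would record that. The ExecStart block continues outside the hunk on both sides.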