From 0e0577cc216e62626bfa6bcdbde638a83041c09a Mon Sep 17 00:00:00 2001
From: zadjadr
Date: Mon, 11 Sep 2023 13:15:15 +0200
Subject: [PATCH] Implement node encryption
---
 k8s/crds/kops.k8s.io_clusters.yaml | 4 ++++
 pkg/apis/kops/networking.go | 3 +++
 pkg/apis/kops/v1alpha2/networking.go | 3 +++
 pkg/apis/kops/v1alpha2/zz_generated.conversion.go | 2 ++
 pkg/apis/kops/v1alpha3/networking.go | 3 +++
 pkg/apis/kops/v1alpha3/zz_generated.conversion.go | 2 ++
 .../addons/networking.cilium.io/k8s-1.16-v1.13.yaml.template | 1 +
 7 files changed, 18 insertions(+)
diff --git a/k8s/crds/kops.k8s.io_clusters.yaml b/k8s/crds/kops.k8s.io_clusters.yaml
index 4899d0df34630..e879f0075c8d7 100644
--- a/k8s/crds/kops.k8s.io_clusters.yaml
+++ b/k8s/crds/kops.k8s.io_clusters.yaml
@@ -5123,6 +5123,10 @@ spec:
 nat46Range:
 description: Nat46Range is unused.
 type: string
+ nodeEncryption:
+ description: 'NodeEncryption enables encryption for pure node
+ to node traffic. Default: false'
+ type: boolean
 nodeInitBootstrapFile:
 description: NodeInitBootstrapFile is unused.
 type: string
diff --git a/pkg/apis/kops/networking.go b/pkg/apis/kops/networking.go
index f6b70e3911c89..2ebb46c2ba7af 100644
--- a/pkg/apis/kops/networking.go
+++ b/pkg/apis/kops/networking.go
@@ -382,6 +382,9 @@ type CiliumNetworkingSpec struct {
 // EncryptionType specifies Cilium Encryption method ("ipsec", "wireguard").
 // Default: ipsec
 EncryptionType CiliumEncryptionType `json:"encryptionType,omitempty"`
+ // NodeEncryption enables encryption for pure node to node traffic.
+ // Default: false
+ NodeEncryption bool `json:"nodeEncryption,omitempty"`
 // IdentityAllocationMode specifies in which backend identities are stored ("crd", "kvstore").
 // Default: crd
 IdentityAllocationMode string `json:"identityAllocationMode,omitempty"`
diff --git a/pkg/apis/kops/v1alpha2/networking.go b/pkg/apis/kops/v1alpha2/networking.go
index 48e482b81459b..a811f9f380206 100644
--- a/pkg/apis/kops/v1alpha2/networking.go
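Review bot: The doc comment on the new NodeEncryption field states only "Default: false", but the only consumer in this patch is the Cilium addon template, where `encrypt-node` is rendered inside a conditional whose opening is outside that hunk (presumably the EnableEncryption block), so a spec with nodeEncryption set and enableEncryption unset is accepted and silently has no effect, and the commit adds no validation for the combination. I would either reject it in the spec validation (not touched by this patch) or at least state the dependency in the comment, e.g. `// NodeEncryption enables encryption for pure node to node traffic.` / `// Only takes effect when EnableEncryption is true. Default: false`. The same comment applies to the v1alpha2 and v1alpha3 networking.go hunks, which add the identical field and text. The CiliumNetworkingSpec struct starts and ends outside the hunk.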
+++ b/pkg/apis/kops/v1alpha2/networking.go
@@ -387,6 +387,9 @@ type CiliumNetworkingSpec struct {
 // EncryptionType specifies Cilium Encryption method ("ipsec", "wireguard").
 // Default: ipsec
 EncryptionType CiliumEncryptionType `json:"encryptionType,omitempty"`
+ // NodeEncryption enables encryption for pure node to node traffic.
+ // Default: false
+ NodeEncryption bool `json:"nodeEncryption,omitempty"`
 // EnvoyLog is unused.
 // +k8s:conversion-gen=false
 EnvoyLog string `json:"envoyLog,omitempty"`
diff --git a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
index 8ce73e48a6743..d39903fe53975 100644
--- a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
+++ b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
@@ -1937,6 +1937,7 @@ func autoConvert_v1alpha2_CiliumNetworkingSpec_To_kops_CiliumNetworkingSpec(in *
 out.EnablePrometheusMetrics = in.EnablePrometheusMetrics
 out.EnableEncryption = in.EnableEncryption
 out.EncryptionType = kops.CiliumEncryptionType(in.EncryptionType)
+ out.NodeEncryption = in.NodeEncryption
 // INFO: in.EnvoyLog opted out of conversion generation
 out.IdentityAllocationMode = in.IdentityAllocationMode
 out.IdentityChangeGracePeriod = in.IdentityChangeGracePeriod
@@ -2037,6 +2038,7 @@ func autoConvert_kops_CiliumNetworkingSpec_To_v1alpha2_CiliumNetworkingSpec(in *
 out.EnablePrometheusMetrics = in.EnablePrometheusMetrics
 out.EnableEncryption = in.EnableEncryption
 out.EncryptionType = CiliumEncryptionType(in.EncryptionType)
+ out.NodeEncryption = in.NodeEncryption
 out.IdentityAllocationMode = in.IdentityAllocationMode
 out.IdentityChangeGracePeriod = in.IdentityChangeGracePeriod
 out.Masquerade = in.Masquerade
diff --git a/pkg/apis/kops/v1alpha3/networking.go b/pkg/apis/kops/v1alpha3/networking.go
index e0d76b8dcfe44..640610e052145 100644
--- a/pkg/apis/kops/v1alpha3/networking.go
+++ b/pkg/apis/kops/v1alpha3/networking.go
@@ -345,6 +345,9 @@ type CiliumNetworkingSpec struct {
 // EncryptionType specifies Cilium Encryption method ("ipsec", "wireguard").
 // Default: ipsec
 EncryptionType CiliumEncryptionType `json:"encryptionType,omitempty"`
+ // NodeEncryption enables encryption for pure node to node traffic.
+ // Default: false
+ NodeEncryption bool `json:"nodeEncryption,omitempty"`
 // IdentityAllocationMode specifies in which backend identities are stored ("crd", "kvstore").
 // Default: crd
 IdentityAllocationMode string `json:"identityAllocationMode,omitempty"`
diff --git a/pkg/apis/kops/v1alpha3/zz_generated.conversion.go b/pkg/apis/kops/v1alpha3/zz_generated.conversion.go
index 1f810f0ddb4e3..7f90d0847b4b9 100644
--- a/pkg/apis/kops/v1alpha3/zz_generated.conversion.go
+++ b/pkg/apis/kops/v1alpha3/zz_generated.conversion.go
@@ -2106,6 +2106,7 @@ func autoConvert_v1alpha3_CiliumNetworkingSpec_To_kops_CiliumNetworkingSpec(in *
 out.EnablePrometheusMetrics = in.EnablePrometheusMetrics
 out.EnableEncryption = in.EnableEncryption
 out.EncryptionType = kops.CiliumEncryptionType(in.EncryptionType)
+ out.NodeEncryption = in.NodeEncryption
 out.IdentityAllocationMode = in.IdentityAllocationMode
 out.IdentityChangeGracePeriod = in.IdentityChangeGracePeriod
 out.Masquerade = in.Masquerade
@@ -2172,6 +2173,7 @@ func autoConvert_kops_CiliumNetworkingSpec_To_v1alpha3_CiliumNetworkingSpec(in *
 out.EnablePrometheusMetrics = in.EnablePrometheusMetrics
 out.EnableEncryption = in.EnableEncryption
 out.EncryptionType = CiliumEncryptionType(in.EncryptionType)
+ out.NodeEncryption = in.NodeEncryption
 out.IdentityAllocationMode = in.IdentityAllocationMode
 out.IdentityChangeGracePeriod = in.IdentityChangeGracePeriod
 out.Masquerade = in.Masquerade
diff --git a/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.13.yaml.template b/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.13.yaml.template
index 01281b2bea66c..a91c04d21043b 100644
--- a/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.13.yaml.template
+++ b/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.13.yaml.template
@@ -103,6 +103,7 @@ data:
 {{ else if eq .EncryptionType "wireguard" }}
 enable-wireguard: "true"
 {{ end }}
+ encrypt-node: "{{ .NodeEncryption }}"
 {{ end }}
 
 # Enable IPv4 addressing. If enabled, all endpoints are allocated an IPv4
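Review bot: The new `encrypt-node` line is emitted for every EncryptionType, but as far as I recall the Cilium 1.13 Helm values document the equivalent `encryption.nodeEncryption` option as only effective when the encryption type is ipsec; if that holds for the Cilium version pinned by this template, a user who sets NodeEncryption together with EncryptionType wireguard will get a config value that does nothing while the spec suggests node-to-node traffic is encrypted. Please confirm against the targeted Cilium release and, if it is IPsec-only, either gate the line, e.g. `{{ if eq .EncryptionType "ipsec" }}` / `encrypt-node: "{{ .NodeEncryption }}"` / `{{ end }}`, or reject the combination in the spec validation so the unsupported case fails loudly instead of silently downgrading. Rendering the bool as the quoted string "true"/"false" is consistent with the neighbouring `enable-wireguard: "true"`. The conditional that encloses the new line opens outside the hunk.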