This repository has been archived by the owner on Sep 30, 2020. It is now read-only.

etcdDataVolumeEncrypted not creating encrypted volumes #383

Closed
swestcott opened this issue Mar 6, 2017 · 7 comments · Fixed by #387
Labels
kind/bug Categorizes issue or PR as related to a bug.
Comments

@swestcott (Contributor)

I've set etcdDataVolumeEncrypted: true in my cluster.yaml file; however, the resulting volumes are marked as Encrypted: Not Encrypted in the AWS console.

From an initial look, I wonder if 341323e inadvertently removed the conditional logic around EtcdDataVolumeEncrypted in stack-template.json?

@swestcott (Contributor, Author)

A potential secondary issue: after re-adding EtcdDataVolumeEncrypted, it seems that the EBS volumes are encrypted with the default aws/ebs key rather than the kms-key-arn passed in to kube-aws init.

@mumoshu (Contributor)

mumoshu commented Mar 6, 2017

@swestcott Thanks for the feedback 👍

> From an initial look, I wonder if 341323e inadvertently removed the conditional logic around EtcdDataVolumeEncrypted in stack-template.json?

It certainly seems so 😢

> it seems that the EBS volumes are encrypted with the default aws/ebs key rather than the kms-key-arn passed in to kube-aws init.

Good catch. Does it make sense to always use the KMS key specified via kmsKeyArn for encrypting EBS volumes, or would you like another configuration key like etcdDataVolumeEncryptionKmsKeyArn (very long 😄) for flexibility?

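The two failure modes in this thread (the flag silently producing plaintext volumes, and volumes encrypted under the account's default aws/ebs key instead of the key passed to `kube-aws init`) are both visible in EC2 DescribeVolumes output, which reports `Encrypted` and the `KmsKeyId` ARN per volume. The following audit is an added example, not code from the kube-aws project: it walks a constructed list of DescribeVolumes-style records and flags every etcd data volume that is either unencrypted or encrypted with a key other than the expected one. The key ARN, volume ids and the `<cluster>-etcd<N>-data` Name-tag convention used to select etcd volumes are assumptions for the example.

```python
from typing import Dict, List

# Hypothetical key ARN standing in for the kmsKeyArn passed to `kube-aws init`.
EXPECTED_KEY_ARN = "arn:aws:kms:us-west-2:111122223333:key/11111111-2222-3333-4444-555555555555"

# Constructed DescribeVolumes-style records covering the cases discussed in this issue.
SAMPLE_VOLUMES: List[Dict] = [
    # Case 1: etcdDataVolumeEncrypted had no effect; the volume is plaintext.
    {"VolumeId": "vol-0000etcd0", "Encrypted": False,
     "Tags": [{"Key": "Name", "Value": "mycluster-etcd0-data"}]},
    # Case 2: encrypted, but under a key other than the one kube-aws was given
    # (for example the account's default aws/ebs key; this ARN is a placeholder).
    {"VolumeId": "vol-0000etcd1", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-west-2:111122223333:key/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
     "Tags": [{"Key": "Name", "Value": "mycluster-etcd1-data"}]},
    # Case 3: the expected outcome.
    {"VolumeId": "vol-0000etcd2", "Encrypted": True, "KmsKeyId": EXPECTED_KEY_ARN,
     "Tags": [{"Key": "Name", "Value": "mycluster-etcd2-data"}]},
    # A non-etcd volume that the audit must leave alone.
    {"VolumeId": "vol-0000work0", "Encrypted": False,
     "Tags": [{"Key": "Name", "Value": "mycluster-worker-root"}]},
]


def name_tag(volume: Dict) -> str:
    """Return the Name tag value, or "" when the volume has none."""
    for tag in volume.get("Tags", []):
        if tag.get("Key") == "Name":
            return tag.get("Value", "")
    return ""


def is_etcd_data_volume(volume: Dict) -> bool:
    """Assumed selector: etcd data volumes are Name-tagged '<cluster>-etcd<N>-data'."""
    name = name_tag(volume)
    return "-etcd" in name and name.endswith("-data")


def audit_etcd_volumes(volumes: List[Dict], expected_key_arn: str) -> List[Dict]:
    """Return one finding per etcd data volume that is unencrypted or uses the wrong key.

    A volume with Encrypted=False is reported as "not encrypted"; an encrypted
    volume whose KmsKeyId is not the expected ARN is reported as "unexpected KMS key".
    """
    findings: List[Dict] = []
    for vol in volumes:
        if not is_etcd_data_volume(vol):
            continue
        if not vol.get("Encrypted", False):
            findings.append({"VolumeId": vol["VolumeId"], "Reason": "not encrypted"})
        elif vol.get("KmsKeyId") != expected_key_arn:
            findings.append({"VolumeId": vol["VolumeId"], "Reason": "unexpected KMS key",
                             "KmsKeyId": vol.get("KmsKeyId")})
    return findings


if __name__ == "__main__":
    for finding in audit_etcd_volumes(SAMPLE_VOLUMES, EXPECTED_KEY_ARN):
        print(finding)
```

Against a live account the same function can be fed `boto3.client("ec2").describe_volumes()["Volumes"]`, since that call returns `KmsKeyId` as the key ARN, which is what the comparison expects. Comparing against the exact ARN rather than just checking `Encrypted` is what catches the second problem in this thread: a volume that is encrypted, but not with the cluster's own key.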
@mumoshu mumoshu added the kind/bug Categorizes issue or PR as related to a bug. label Mar 6, 2017
mumoshu added a commit to mumoshu/kube-aws that referenced this issue Mar 7, 2017
@mumoshu (Contributor)

mumoshu commented Mar 7, 2017

@swestcott etcdDataVolumeEncrypted is fixed in #387 and included in v0.9.5-rc.2.
Could you confirm that it is now working?

@mumoshu mumoshu reopened this Mar 7, 2017
@mumoshu (Contributor)

mumoshu commented Mar 7, 2017

I'll keep this open until the second question in #383 (comment) is answered.

@swestcott (Contributor, Author)

@mumoshu Reusing the existing kmsKeyArn value suits me. The core point for me is that kube-aws doesn't share its key with anything else.

@swestcott (Contributor, Author)

I've confirmed EtcdDataVolumeEncrypted is working on master.

@mumoshu (Contributor)

mumoshu commented Mar 8, 2017

Thanks for the confirmation @swestcott!
I'm closing this as fixed, but please feel free to reopen if necessary.
Btw, I've opened another issue #393 for your feature request.
Let's keep discussing there.

@mumoshu mumoshu closed this as completed Mar 8, 2017
@mumoshu mumoshu added this to the v0.9.5-rc.2 milestone Mar 8, 2017
camilb added a commit to camilb/kube-aws that referenced this issue Apr 5, 2017
* kubernetes-incubator/master: (29 commits)
  Emit errors when kube-aws sees unexpected keys in cluster.yaml Resolves kubernetes-retired#404
  Tag controller nodes appropriately with `kubernetes.io/role`. Resolves kubernetes-retired#370
  Make Container Linux AMI fetching a bit more reliable
  Stop locksmithd errors on etcd nodes
  Upgrade heapster to version 1.3.0 (kubernetes-retired#420)
  Auth token file support (kubernetes-retired#418)
  Update README.md
  Update README accordingly to the new git repo
  AWS China region support (kubernetes-retired#390)
  Conform as a Kubernetes Incubator Project
  Fixed typo in template
  upgrade aws-sdk to latest version Fix kubernetes-retired#388
  Upgrade Kubernetes version to v1.5.4
  Fix assumed public hostnames for EC2 instances in us-east-1
  Fix assumed public hostnames for EC2 instances in us-east-1
  typo
  fix: etcdDataVolumeEncrypted not creating encrypted volumes fixes kubernetes-retired#383
  Allow disabling wait signals fixes kubernetes-retired#371
  Update file paths in readme
  Fix an issue with glue security group documentation
  ...
redbaron pushed a commit to HotelsDotCom/kube-aws that referenced this issue Apr 6, 2017
* commit '09366deebc35f602e6d87ea69d7cb5e56d113a5f':
  fix: etcdDataVolumeEncrypted not creating encrypted volumes fixes kubernetes-retired#383
  Allow disabling wait signals fixes kubernetes-retired#371
  Update file paths in readme
  Fix an issue with glue security group documentation
  Update kubernetes-on-aws-prerequisites.md
  Add apiserver-count parameter in kube-apiserver config
kylehodgetts pushed a commit to HotelsDotCom/kube-aws that referenced this issue Mar 27, 2018