Set default volume encryption to "true" for etcd-manager volumes in AWS

cmd/kops/create_cluster.go

@@ -167,6 +167,7 @@ func NewCmdCreateCluster(f *util.Factory, out io.Writer) *cobra.Command {
 
 	sshPublicKey := ""
 	associatePublicIP := false
+	encryptEtcdStorage := false
 
 	cmd := &cobra.Command{
 		Use:     "cluster",
@@ -180,6 +181,10 @@ func NewCmdCreateCluster(f *util.Factory, out io.Writer) *cobra.Command {
 				options.AssociatePublicIP = &associatePublicIP
 			}
 
+			if cmd.Flag("encrypt-etcd-storage").Changed {
+				options.EncryptEtcdStorage = &encryptEtcdStorage
+			}
+
 			err := rootCommand.ProcessArgs(args)
 			if err != nil {
 				exitWithError(err)
@@ -244,7 +249,7 @@ func NewCmdCreateCluster(f *util.Factory, out io.Writer) *cobra.Command {
 	cmd.Flags().StringVar(&options.NetworkCIDR, "network-cidr", options.NetworkCIDR, "Set to override the default network CIDR")
 	cmd.Flags().BoolVar(&options.DisableSubnetTags, "disable-subnet-tags", options.DisableSubnetTags, "Set to disable automatic subnet tagging")
 
-	cmd.Flags().BoolVar(&options.EncryptEtcdStorage, "encrypt-etcd-storage", options.EncryptEtcdStorage, "Generate key in aws kms and use it for encrypt etcd volumes")
+	cmd.Flags().BoolVar(&encryptEtcdStorage, "encrypt-etcd-storage", false, "Generate key in aws kms and use it for encrypt etcd volumes")
 	cmd.Flags().StringVar(&options.EtcdStorageType, "etcd-storage-type", options.EtcdStorageType, "The default storage type for etc members")
 
 	cmd.Flags().StringVar(&options.Networking, "networking", options.Networking, "Networking mode to use.  kubenet, external, weave, flannel-vxlan (or flannel), flannel-udp, calico, canal, kube-router, amazonvpc, cilium, cilium-etcd, cni, lyftvpc.")

tests/integration/create_cluster/complex/expected-v1alpha2.yaml

@@ -15,13 +15,15 @@ spec:
   etcdClusters:
   - cpuRequest: 200m
     etcdMembers:
-    - instanceGroup: master-us-test-1a
+    - encryptedVolume: true
+      instanceGroup: master-us-test-1a
       name: a
     memoryRequest: 100Mi
     name: main
   - cpuRequest: 100m
     etcdMembers:
-    - instanceGroup: master-us-test-1a
+    - encryptedVolume: true
+      instanceGroup: master-us-test-1a
       name: a
     memoryRequest: 100Mi
     name: events

tests/integration/create_cluster/ha/expected-v1alpha2.yaml

@@ -15,21 +15,27 @@ spec:
   etcdClusters:
   - cpuRequest: 200m
     etcdMembers:
-    - instanceGroup: master-us-test-1a
+    - encryptedVolume: true
+      instanceGroup: master-us-test-1a
       name: a
-    - instanceGroup: master-us-test-1b
+    - encryptedVolume: true
+      instanceGroup: master-us-test-1b
       name: b
-    - instanceGroup: master-us-test-1c
+    - encryptedVolume: true
+      instanceGroup: master-us-test-1c
       name: c
     memoryRequest: 100Mi
     name: main
   - cpuRequest: 100m
     etcdMembers:
-    - instanceGroup: master-us-test-1a
+    - encryptedVolume: true
+      instanceGroup: master-us-test-1a
       name: a
-    - instanceGroup: master-us-test-1b
+    - encryptedVolume: true
+      instanceGroup: master-us-test-1b
       name: b
-    - instanceGroup: master-us-test-1c
+    - encryptedVolume: true
+      instanceGroup: master-us-test-1c
       name: c
     memoryRequest: 100Mi
     name: events

tests/integration/create_cluster/ha_shared_zone/expected-v1alpha2.yaml

@@ -15,21 +15,27 @@ spec:
   etcdClusters:
   - cpuRequest: 200m
     etcdMembers:
-    - instanceGroup: master-us-test-1a-1
+    - encryptedVolume: true
+      instanceGroup: master-us-test-1a-1
       name: etcd-1
-    - instanceGroup: master-us-test-1a-2
+    - encryptedVolume: true
+      instanceGroup: master-us-test-1a-2
       name: etcd-2
-    - instanceGroup: master-us-test-1a-3
+    - encryptedVolume: true
+      instanceGroup: master-us-test-1a-3
       name: etcd-3
     memoryRequest: 100Mi
     name: main
   - cpuRequest: 100m
     etcdMembers:
-    - instanceGroup: master-us-test-1a-1
+    - encryptedVolume: true
+      instanceGroup: master-us-test-1a-1
       name: etcd-1
-    - instanceGroup: master-us-test-1a-2
+    - encryptedVolume: true
+      instanceGroup: master-us-test-1a-2
       name: etcd-2
-    - instanceGroup: master-us-test-1a-3
+    - encryptedVolume: true
+      instanceGroup: master-us-test-1a-3
       name: etcd-3
     memoryRequest: 100Mi
     name: events

tests/integration/create_cluster/ha_shared_zones/expected-v1alpha2.yaml

@@ -15,29 +15,39 @@ spec:
   etcdClusters:
   - cpuRequest: 200m
     etcdMembers:
-    - instanceGroup: master-us-test-1a-1
+    - encryptedVolume: true
+      instanceGroup: master-us-test-1a-1
       name: a-1
-    - instanceGroup: master-us-test-1b-1
+    - encryptedVolume: true
+      instanceGroup: master-us-test-1b-1
       name: b-1
-    - instanceGroup: master-us-test-1a-2
+    - encryptedVolume: true
+      instanceGroup: master-us-test-1a-2
       name: a-2
-    - instanceGroup: master-us-test-1b-2
+    - encryptedVolume: true
+      instanceGroup: master-us-test-1b-2
       name: b-2
-    - instanceGroup: master-us-test-1a-3
+    - encryptedVolume: true
+      instanceGroup: master-us-test-1a-3
       name: a-3
     memoryRequest: 100Mi
     name: main
   - cpuRequest: 100m
     etcdMembers:
-    - instanceGroup: master-us-test-1a-1
+    - encryptedVolume: true
+      instanceGroup: master-us-test-1a-1
       name: a-1
-    - instanceGroup: master-us-test-1b-1
+    - encryptedVolume: true
+      instanceGroup: master-us-test-1b-1
       name: b-1
-    - instanceGroup: master-us-test-1a-2
+    - encryptedVolume: true
+      instanceGroup: master-us-test-1a-2
       name: a-2
-    - instanceGroup: master-us-test-1b-2
+    - encryptedVolume: true
+      instanceGroup: master-us-test-1b-2
       name: b-2
-    - instanceGroup: master-us-test-1a-3
+    - encryptedVolume: true
+      instanceGroup: master-us-test-1a-3
       name: a-3
     memoryRequest: 100Mi
     name: events

tests/integration/create_cluster/ingwspecified/expected-v1alpha2.yaml

@@ -17,13 +17,15 @@ spec:
   etcdClusters:
   - cpuRequest: 200m
     etcdMembers:
-    - instanceGroup: master-us-test-1a
+    - encryptedVolume: true
+      instanceGroup: master-us-test-1a
       name: a
     memoryRequest: 100Mi
     name: main
   - cpuRequest: 100m
     etcdMembers:
-    - instanceGroup: master-us-test-1a
+    - encryptedVolume: true
+      instanceGroup: master-us-test-1a
       name: a
     memoryRequest: 100Mi
     name: events

tests/integration/create_cluster/minimal/expected-v1alpha2.yaml

@@ -15,13 +15,15 @@ spec:
   etcdClusters:
   - cpuRequest: 200m
     etcdMembers:
-    - instanceGroup: master-us-test-1a
+    - encryptedVolume: true
+      instanceGroup: master-us-test-1a
       name: a
     memoryRequest: 100Mi
     name: main
   - cpuRequest: 100m
     etcdMembers:
-    - instanceGroup: master-us-test-1a
+    - encryptedVolume: true
+      instanceGroup: master-us-test-1a
       name: a
     memoryRequest: 100Mi
     name: events

tests/integration/create_cluster/ngwspecified/expected-v1alpha2.yaml

@@ -17,13 +17,15 @@ spec:
   etcdClusters:
   - cpuRequest: 200m
     etcdMembers:
-    - instanceGroup: master-us-test-1a
+    - encryptedVolume: true
+      instanceGroup: master-us-test-1a
       name: a
     memoryRequest: 100Mi
     name: main
   - cpuRequest: 100m
     etcdMembers:
-    - instanceGroup: master-us-test-1a
+    - encryptedVolume: true
+      instanceGroup: master-us-test-1a
       name: a
     memoryRequest: 100Mi
     name: events

tests/integration/create_cluster/overrides/expected-v1alpha2.yaml

@@ -15,13 +15,15 @@ spec:
   etcdClusters:
   - cpuRequest: 200m
     etcdMembers:
-    - instanceGroup: master-us-test-1a
+    - encryptedVolume: true
+      instanceGroup: master-us-test-1a
       name: a
     memoryRequest: 100Mi
     name: main
   - cpuRequest: 100m
     etcdMembers:
-    - instanceGroup: master-us-test-1a
+    - encryptedVolume: true
+      instanceGroup: master-us-test-1a
       name: a
     memoryRequest: 100Mi
     name: events

tests/integration/create_cluster/private/expected-v1alpha2.yaml

@@ -21,13 +21,15 @@ spec:
   etcdClusters:
   - cpuRequest: 200m
     etcdMembers:
-    - instanceGroup: master-us-test-1a
+    - encryptedVolume: true
+      instanceGroup: master-us-test-1a
       name: a
     memoryRequest: 100Mi
     name: main
   - cpuRequest: 100m
     etcdMembers:
-    - instanceGroup: master-us-test-1a
+    - encryptedVolume: true
+      instanceGroup: master-us-test-1a
       name: a
     memoryRequest: 100Mi
     name: events

tests/integration/create_cluster/private_shared_subnets/expected-v1alpha2.yaml

@@ -17,13 +17,15 @@ spec:
   etcdClusters:
   - cpuRequest: 200m
     etcdMembers:
-    - instanceGroup: master-us-test-1a
+    - encryptedVolume: true
+      instanceGroup: master-us-test-1a
       name: a
     memoryRequest: 100Mi
     name: main
   - cpuRequest: 100m
     etcdMembers:
-    - instanceGroup: master-us-test-1a
+    - encryptedVolume: true
+      instanceGroup: master-us-test-1a
       name: a
     memoryRequest: 100Mi
     name: events

tests/integration/create_cluster/shared_subnets/expected-v1alpha2.yaml

@@ -15,13 +15,15 @@ spec:
   etcdClusters:
   - cpuRequest: 200m
     etcdMembers:
-    - instanceGroup: master-us-test-1a
+    - encryptedVolume: true
+      instanceGroup: master-us-test-1a
       name: a
     memoryRequest: 100Mi
     name: main
   - cpuRequest: 100m
     etcdMembers:
-    - instanceGroup: master-us-test-1a
+    - encryptedVolume: true
+      instanceGroup: master-us-test-1a
       name: a
     memoryRequest: 100Mi
     name: events

tests/integration/create_cluster/shared_subnets_vpc_lookup/expected-v1alpha2.yaml

@@ -15,13 +15,15 @@ spec:
   etcdClusters:
   - cpuRequest: 200m
     etcdMembers:
-    - instanceGroup: master-us-test-1a
+    - encryptedVolume: true
+      instanceGroup: master-us-test-1a
       name: a
     memoryRequest: 100Mi
     name: main
   - cpuRequest: 100m
     etcdMembers:
-    - instanceGroup: master-us-test-1a
+    - encryptedVolume: true
+      instanceGroup: master-us-test-1a
       name: a
     memoryRequest: 100Mi
     name: events

tests/integration/create_cluster/shared_vpc/expected-v1alpha2.yaml

@@ -15,13 +15,15 @@ spec:
   etcdClusters:
   - cpuRequest: 200m
     etcdMembers:
-    - instanceGroup: master-us-test-1a
+    - encryptedVolume: true
+      instanceGroup: master-us-test-1a
       name: a
     memoryRequest: 100Mi
     name: main
   - cpuRequest: 100m
     etcdMembers:
-    - instanceGroup: master-us-test-1a
+    - encryptedVolume: true
+      instanceGroup: master-us-test-1a
       name: a
     memoryRequest: 100Mi
     name: events

upup/pkg/fi/cloudup/new_cluster.go

@@ -111,7 +111,7 @@ type NewClusterOptions struct {
 	// if MasterZones is explicitly nonempty, otherwise defaults to 1.
 	MasterCount int32
 	// EncryptEtcdStorage is whether to encrypt the etcd volumes.
-	EncryptEtcdStorage bool
+	EncryptEtcdStorage *bool
 	// EtcdStorageType is the underlying cloud storage class of the etcd volumes.
 	EtcdStorageType string
 
@@ -706,8 +706,14 @@ func setupMasters(opt *NewClusterOptions, cluster *api.Cluster, zoneToSubnetMap
 			clusters = append(clusters, "cilium")
 		}
 
+		encryptEtcdStorage := false
+		if opt.EncryptEtcdStorage != nil {
+			encryptEtcdStorage = fi.BoolValue(opt.EncryptEtcdStorage)
+		} else if api.CloudProviderID(cluster.Spec.CloudProvider) == api.CloudProviderAWS {
+			encryptEtcdStorage = true
+		}
 		for _, etcdCluster := range clusters {
-			etcd := createEtcdCluster(etcdCluster, masters, opt.EncryptEtcdStorage, opt.EtcdStorageType)
+			etcd := createEtcdCluster(etcdCluster, masters, encryptEtcdStorage, opt.EtcdStorageType)
 			cluster.Spec.EtcdClusters = append(cluster.Spec.EtcdClusters, etcd)
 		}
 	}