add support for Encryption Providers

docs/api_reference/v1beta1.en.md

@@ -1,6 +1,6 @@
 +++
 title = "v1beta1 API Reference"
-date = 2020-12-08T12:31:41+02:00
+date = 2021-01-17T17:46:19+01:00
 weight = 11
 +++
 ## v1beta1
@@ -23,6 +23,7 @@ weight = 11
 * [DigitalOceanSpec](#digitaloceanspec)
 * [DynamicAuditLog](#dynamicauditlog)
 * [DynamicWorkerConfig](#dynamicworkerconfig)
+* [EncryptionProviders](#encryptionproviders)
 * [ExternalCNISpec](#externalcnispec)
 * [Features](#features)
 * [GCESpec](#gcespec)
@@ -261,6 +262,16 @@ DynamicWorkerConfig describes a set of worker machines
 
 [Back to Group](#v1beta1)
 
+### EncryptionProviders
+
+Encryption Providers feature flag
+
+| Field | Description | Scheme | Required |
+| ----- | ----------- | ------ | -------- |
+| enable | Enable | bool | true |
+
+[Back to Group](#v1beta1)
+
 ### ExternalCNISpec
 
 ExternalCNISpec defines the external CNI plugin.
@@ -284,6 +295,7 @@ Features controls what features will be enabled on the cluster
 | dynamicAuditLog | DynamicAuditLog | *[DynamicAuditLog](#dynamicauditlog) | false |
 | metricsServer | MetricsServer | *[MetricsServer](#metricsserver) | false |
 | openidConnect | OpenIDConnect | *[OpenIDConnect](#openidconnect) | false |
+| encryptionProviders | Encryption Providers | *[EncryptionProviders](#encryptionproviders) | false |
 
 [Back to Group](#v1beta1)
 

docs/proposals/20210112-encryption-roviders.md

@@ -40,7 +40,7 @@ kind: KubeOneCluster
 features:
   encryptionProviders:
     enabled: true
-    customProvidersFile: |
+    customEncryptionConfiguration: |
       apiVersion: apiserver.config.k8s.io/v1
       kind: EncryptionConfiguration
       resources:

go.mod

@@ -28,6 +28,7 @@ require (
 	k8s.io/api v0.19.4
 	k8s.io/apiextensions-apiserver v0.19.4
 	k8s.io/apimachinery v0.19.4
+	k8s.io/apiserver v0.19.4
 	k8s.io/client-go v12.0.0+incompatible
 	k8s.io/cluster-bootstrap v0.19.4
 	k8s.io/code-generator v0.19.4

go.sum

@@ -1189,6 +1189,7 @@ k8s.io/apimachinery v0.19.4/go.mod h1:DnPGDnARWFvYa3pMHgSxtbZb7gpzzAZ1pTfaUNDVlm
 k8s.io/apiserver v0.0.0-20190918160949-bfa5e2e684ad/go.mod h1:XPCXEwhjaFN29a8NldXA901ElnKeKLrLtREO9ZhFyhg=
 k8s.io/apiserver v0.16.4/go.mod h1:kbLJOak655g6W7C+muqu1F76u9wnEycfKMqbVaXIdAc=
 k8s.io/apiserver v0.19.2/go.mod h1:FreAq0bJ2vtZFj9Ago/X0oNGC51GfubKK/ViOKfVAOA=
+k8s.io/apiserver v0.19.4 h1:X40UuyVt6DcYWIh2olcePkyKO0LRJFvxWC0kLxYvkZU=
 k8s.io/apiserver v0.19.4/go.mod h1:X8WRHCR1UGZDd7HpV0QDc1h/6VbbpAeAGyxSh8yzZXw=
 k8s.io/client-go v0.19.4 h1:85D3mDNoLF+xqpyE9Dh/OtrJDyJrSRKkHmDXIbEzer8=
 k8s.io/client-go v0.19.4/go.mod h1:ZrEy7+wj9PjH5VMBCuu/BDlvtUAku0oVFk4MmnW9mWA=

pkg/apis/kubeone/types.go

@@ -363,6 +363,9 @@ type Features struct {
 	MetricsServer *MetricsServer `json:"metricsServer,omitempty"`
 	// OpenIDConnect
 	OpenIDConnect *OpenIDConnect `json:"openidConnect,omitempty"`
+	// Encryption Providers
+	// +k8s:conversion-gen=false
+	EncryptionProviders *EncryptionProviders `json:"encryptionProviders,omitempty"`
 }
 
 // SystemPackages controls configurations of APT/YUM
@@ -568,3 +571,11 @@ type Addons struct {
 	// Path on the local file system to the directory with addons manifests.
 	Path string `json:"path"`
 }
+
+// Encryption Providers feature flag
+type EncryptionProviders struct {
+	// Enable
+	Enable bool `json:"enable"`
+	// CustomEncryptionConfiguration
+	CustomEncryptionConfiguration string `json:"customEncryptionConfiguration"`
+}

pkg/apis/kubeone/v1beta1/types.go

@@ -363,6 +363,8 @@ type Features struct {
 	MetricsServer *MetricsServer `json:"metricsServer,omitempty"`
 	// OpenIDConnect
 	OpenIDConnect *OpenIDConnect `json:"openidConnect,omitempty"`
+	// Encryption Providers
+	EncryptionProviders *EncryptionProviders `json:"encryptionProviders,omitempty"`
 }
 
 // SystemPackages controls configurations of APT/YUM
@@ -568,3 +570,11 @@ type Addons struct {
 	// Path on the local file system to the directory with addons manifests.
 	Path string `json:"path"`
 }
+
+// Encryption Providers feature flag
+type EncryptionProviders struct {
+	// Enable
+	Enable bool `json:"enable"`
+	// CustomEncryptionConfiguration
+	CustomEncryptionConfiguration string `json:"customEncryptionConfiguration"`
+}

pkg/cmd/apply.go

@@ -45,6 +45,7 @@ type applyOpts struct {
 	// Upgrade flags
 	ForceUpgrade              bool `longflag:"force-upgrade"`
 	UpgradeMachineDeployments bool `longflag:"upgrade-machine-deployments"`
+	RotateEncryptionKey       bool `longflag:"rotate-encryption-key"`
 }
 
 func (opts *applyOpts) BuildState() (*state.State, error) {
@@ -147,6 +148,12 @@ func applyCmd(rootFlags *pflag.FlagSet) *cobra.Command {
 		false,
 		"upgrade MachineDeployments objects")
 
+	cmd.Flags().BoolVar(
+		&opts.RotateEncryptionKey,
+		longFlagName(opts, "RotateEncryptionKey"),
+		false,
+		"rotate Encryption Provider encryption key")
+
 	return cmd
 }
 
@@ -187,6 +194,11 @@ func runApply(opts *applyOpts) error {
 	}
 
 	if !s.LiveCluster.Healthy() {
+		if opts.RotateEncryptionKey {
+			s.Logger.Errorln("cluster is not healthy, encryption key rotation is not supported")
+			return errors.New("cluster is not healthy, encryption key rotation is not supported")
+		}
+
 		brokenHosts := s.LiveCluster.BrokenHosts()
 		if len(brokenHosts) > 0 {
 			for _, node := range brokenHosts {
@@ -244,6 +256,18 @@ func runApply(opts *applyOpts) error {
 		return nil
 	}
 
+	if opts.RotateEncryptionKey {
+		if !s.EncryptionEnabled() {
+			return errors.New("Encryption Providers support is not enabled for this cluster")
+		}
+
+		if s.Cluster.Features.EncryptionProviders != nil &&
+			s.Cluster.Features.EncryptionProviders.CustomEncryptionConfiguration != "" {
+			return errors.New("key rotation of custom providers file is not supported")
+		}
+		return runApplyRotateKey(s, opts)
+	}
+
 	return runApplyUpgradeIfNeeded(s, opts)
 }
 
@@ -314,9 +338,18 @@ func runApplyUpgradeIfNeeded(s *state.State, opts *applyOpts) error {
 	}
 
 	operations := []string{}
-
 	if upgradeNeeded || opts.ForceUpgrade {
-		tasksToRun = tasks.WithUpgrade(nil)
+		// disable case, we do this as early as possible.
+		if s.ShouldDisableEncryption() {
+			tasksToRun = tasks.WithDisableEncryptionProviders(nil, s.LiveCluster.EncryptionConfiguration.Custom)
+		}
+
+		tasksToRun = tasks.WithUpgrade(tasksToRun)
+
+		if s.ShouldEnableEncryption() {
+			operations = append(operations, "enable Encryption Provider support")
+			tasksToRun = tasks.WithRewriteSecrets(tasksToRun)
+		}
 
 		for _, node := range s.LiveCluster.ControlPlane {
 			forceFlag := ""
@@ -347,7 +380,7 @@ func runApplyUpgradeIfNeeded(s *state.State, opts *applyOpts) error {
 					s.Cluster.Versions.Kubernetes))
 		}
 	} else {
-		tasksToRun = tasks.WithRefreshResources(nil)
+		tasksToRun = tasks.WithRefreshResources(tasksToRun)
 	}
 
 	fmt.Println()
@@ -373,6 +406,37 @@ func runApplyUpgradeIfNeeded(s *state.State, opts *applyOpts) error {
 	return errors.Wrap(tasksToRun.Run(s), "failed to reconcile the cluster")
 }
 
+func runApplyRotateKey(s *state.State, opts *applyOpts) error {
+	if !opts.ForceUpgrade {
+		s.Logger.Error("rotating encryption keys requires the --force-upgrade flag")
+		return errors.New("rotating encryption keys requires the --force-upgrade flag")
+	}
+	if !s.EncryptionEnabled() {
+		s.Logger.Error("rotating encryption keys failed: Encryption Providers support is not enabled")
+		return errors.New("rotating encryption keys failed: Encryption Providers support is not enabled")
+	}
+
+	fmt.Println("The following actions will be taken: ")
+	fmt.Println("Run with --verbose flag for more information.")
+	tasksToRun := tasks.WithRotateKey(nil)
+
+	for _, op := range tasksToRun.Descriptions(s) {
+		fmt.Printf("\t~ %s\n", op)
+	}
+
+	fmt.Println()
+	confirm, err := confirmApply(opts.AutoApprove)
+	if err != nil {
+		return err
+	}
+
+	if !confirm {
+		s.Logger.Println("Operation canceled.")
+		return nil
+	}
+	return errors.Wrap(tasksToRun.Run(s), "failed to reconcile the cluster")
+}
+
 func confirmApply(autoApprove bool) (bool, error) {
 	if autoApprove {
 		return true, nil