Add support for EBS volume encryption (#663)

* add support for EBS volume encryption Signed-off-by: Moath Qasim <[email protected]> * addressing PR review Signed-off-by: Moath Qasim <[email protected]> Signed-off-by: Moath Qasim <[email protected]>
kubermatic · Dec 18, 2019 · 3243593 · 3243593
1 parent 2b8a521
commit 3243593
Show file tree

Hide file tree

Showing 7 changed files with 148 additions and 37 deletions.
diff --git a/.prow.yaml b/.prow.yaml
@@ -0,0 +1,23 @@
+presubmits:
+
+  - name: pull-machine-controller-e2e-aws-ebs-encryption-enabled
+    always_run: true
+    decorate: true
+    error_on_eviction: true
+    clone_uri: 'ssh://[email protected]/kubermatic/machine-controller.git'
+    labels:
+      preset-aws: "true"
+      preset-hetzner: "true"
+      preset-e2e-ssh: "true"
+    spec:
+      containers:
+        # Uses go1.11.1
+        - image: quay.io/kubermatic/dep:0.5.4-2
+          command:
+            - "./hack/ci-e2e-test.sh"
+          args:
+            - "TestAWSProvisioningE2EWithEbsEncryptionEnabled"
+          resources:
+            requests:
+              memory: 1Gi
+              cpu: 500m
diff --git a/examples/aws-machinedeployment.yaml b/examples/aws-machinedeployment.yaml
@@ -58,6 +58,7 @@ spec:
             instanceProfile: "kubernetes-v1"
             diskSize: 50
             diskType: "gp2"
+            ebsVolumeEncrypted: false
             ## Only application if diskType = io1
             diskIops: 500
             # Assign a public IP to this instance. Default: true

diff --git a/pkg/cloudprovider/provider/aws/provider.go b/pkg/cloudprovider/provider/aws/provider.go
@@ -47,6 +47,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/klog"
+	"k8s.io/utils/pointer"
 )
 
 var (
@@ -117,20 +118,21 @@ type Config struct {
 	AccessKeyID     string
 	SecretAccessKey string
 
-	Region           string
-	AvailabilityZone string
-	VpcID            string
-	SubnetID         string
-	SecurityGroupIDs []string
-	InstanceProfile  string
-	IsSpotInstance   *bool
-	InstanceType     string
-	AMI              string
-	DiskSize         int64
-	DiskType         string
-	DiskIops         *int64
-	Tags             map[string]string
-	AssignPublicIP   *bool
+	Region             string
+	AvailabilityZone   string
+	VpcID              string
+	SubnetID           string
+	SecurityGroupIDs   []string
+	InstanceProfile    string
+	IsSpotInstance     *bool
+	InstanceType       string
+	AMI                string
+	DiskSize           int64
+	DiskType           string
+	DiskIops           *int64
+	EBSVolumeEncrypted bool
+	Tags               map[string]string
+	AssignPublicIP     *bool
 }
 
 type amiFilter struct {
@@ -293,7 +295,10 @@ func (p *provider) getConfig(s v1alpha1.ProviderSpec) (*Config, *providerconfigt
 
 		c.DiskIops = rawConfig.DiskIops
 	}
-
+	c.EBSVolumeEncrypted, err = p.configVarResolver.GetConfigVarBoolValue(rawConfig.EBSVolumeEncrypted)
+	if err != nil {
+		return nil, nil, nil, fmt.Errorf("failed to get ebsVolumeEncrypted value: %v", err)
+	}
 	c.Tags = rawConfig.Tags
 	c.IsSpotInstance = rawConfig.IsSpotInstance
 	c.AssignPublicIP = rawConfig.AssignPublicIP
@@ -509,6 +514,7 @@ func (p *provider) Create(machine *v1alpha1.Machine, data *cloudprovidertypes.Pr
 					DeleteOnTermination: aws.Bool(true),
 					VolumeType:          aws.String(config.DiskType),
 					Iops:                config.DiskIops,
+					Encrypted:           pointer.BoolPtr(config.EBSVolumeEncrypted),
 				},
 			},
 		},

diff --git a/pkg/cloudprovider/provider/aws/types/types.go b/pkg/cloudprovider/provider/aws/types/types.go
@@ -24,18 +24,19 @@ type RawConfig struct {
 	AccessKeyID     providerconfigtypes.ConfigVarString `json:"accessKeyId,omitempty"`
 	SecretAccessKey providerconfigtypes.ConfigVarString `json:"secretAccessKey,omitempty"`
 
-	Region           providerconfigtypes.ConfigVarString   `json:"region"`
-	AvailabilityZone providerconfigtypes.ConfigVarString   `json:"availabilityZone,omitempty"`
-	VpcID            providerconfigtypes.ConfigVarString   `json:"vpcId"`
-	SubnetID         providerconfigtypes.ConfigVarString   `json:"subnetId"`
-	SecurityGroupIDs []providerconfigtypes.ConfigVarString `json:"securityGroupIDs,omitempty"`
-	InstanceProfile  providerconfigtypes.ConfigVarString   `json:"instanceProfile,omitempty"`
-	IsSpotInstance   *bool                                 `json:"isSpotInstance,omitempty"`
-	InstanceType     providerconfigtypes.ConfigVarString   `json:"instanceType,omitempty"`
-	AMI              providerconfigtypes.ConfigVarString   `json:"ami,omitempty"`
-	DiskSize         int64                                 `json:"diskSize"`
-	DiskType         providerconfigtypes.ConfigVarString   `json:"diskType,omitempty"`
-	DiskIops         *int64                                `json:"diskIops,omitempty"`
-	Tags             map[string]string                     `json:"tags,omitempty"`
-	AssignPublicIP   *bool                                 `json:"assignPublicIP,omitempty"`
+	Region             providerconfigtypes.ConfigVarString   `json:"region"`
+	AvailabilityZone   providerconfigtypes.ConfigVarString   `json:"availabilityZone,omitempty"`
+	VpcID              providerconfigtypes.ConfigVarString   `json:"vpcId"`
+	SubnetID           providerconfigtypes.ConfigVarString   `json:"subnetId"`
+	SecurityGroupIDs   []providerconfigtypes.ConfigVarString `json:"securityGroupIDs,omitempty"`
+	InstanceProfile    providerconfigtypes.ConfigVarString   `json:"instanceProfile,omitempty"`
+	IsSpotInstance     *bool                                 `json:"isSpotInstance,omitempty"`
+	InstanceType       providerconfigtypes.ConfigVarString   `json:"instanceType,omitempty"`
+	AMI                providerconfigtypes.ConfigVarString   `json:"ami,omitempty"`
+	DiskSize           int64                                 `json:"diskSize"`
+	DiskType           providerconfigtypes.ConfigVarString   `json:"diskType,omitempty"`
+	DiskIops           *int64                                `json:"diskIops,omitempty"`
+	EBSVolumeEncrypted providerconfigtypes.ConfigVarBool     `json:"ebsVolumeEncrypted"`
+	Tags               map[string]string                     `json:"tags,omitempty"`
+	AssignPublicIP     *bool                                 `json:"assignPublicIP,omitempty"`
 }
diff --git a/test/e2e/provisioning/all_e2e_test.go b/test/e2e/provisioning/all_e2e_test.go
@@ -37,14 +37,15 @@ func init() {
 }
 
 const (
-	DOManifest      = "./testdata/machinedeployment-digitalocean.yaml"
-	AWSManifest     = "./testdata/machinedeployment-aws.yaml"
-	AzureManifest   = "./testdata/machinedeployment-azure.yaml"
-	GCEManifest     = "./testdata/machinedeployment-gce.yaml"
-	HZManifest      = "./testdata/machinedeployment-hetzner.yaml"
-	PacketManifest  = "./testdata/machinedeployment-packet.yaml"
-	LinodeManifest  = "./testdata/machinedeployment-linode.yaml"
-	VSPhereManifest = "./testdata/machinedeployment-vsphere.yaml"
+	DOManifest              = "./testdata/machinedeployment-digitalocean.yaml"
+	AWSManifest             = "./testdata/machinedeployment-aws.yaml"
+	AWSEBSEncryptedManifest = "./testdata/machinedeployment-aws-ebs-encryption-enabled.yaml"
+	AzureManifest           = "./testdata/machinedeployment-azure.yaml"
+	GCEManifest             = "./testdata/machinedeployment-gce.yaml"
+	HZManifest              = "./testdata/machinedeployment-hetzner.yaml"
+	PacketManifest          = "./testdata/machinedeployment-packet.yaml"
+	LinodeManifest          = "./testdata/machinedeployment-linode.yaml"
+	VSPhereManifest         = "./testdata/machinedeployment-vsphere.yaml"
 	//	vssip_manifest         = "./testdata/machinedeployment-vsphere-static-ip.yaml"
 	OSManifest             = "./testdata/machinedeployment-openstack.yaml"
 	OSUpgradeManifest      = "./testdata/machinedeployment-openstack-upgrade.yml"
@@ -150,6 +151,33 @@ func TestAWSProvisioningE2E(t *testing.T) {
 	runScenarios(t, nil, params, AWSManifest, fmt.Sprintf("aws-%s", *testRunIdentifier))
 }
 
+// TestAWSProvisioningE2EWithEbsEncryptionEnabled - a test suite that exercises AWS provider with ebs encryption enabled
+// by requesting nodes with different combination of container runtime type, container runtime version and the OS flavour.
+func TestAWSProvisioningE2EWithEbsEncryptionEnabled(t *testing.T) {
+	t.Parallel()
+
+	// test data
+	awsKeyID := os.Getenv("AWS_E2E_TESTS_KEY_ID")
+	awsSecret := os.Getenv("AWS_E2E_TESTS_SECRET")
+	if len(awsKeyID) == 0 || len(awsSecret) == 0 {
+		t.Fatal("unable to run the test suite, AWS_E2E_TESTS_KEY_ID or AWS_E2E_TESTS_SECRET environment variables cannot be empty")
+	}
+
+	// act
+	params := []string{fmt.Sprintf("<< AWS_ACCESS_KEY_ID >>=%s", awsKeyID),
+		fmt.Sprintf("<< AWS_SECRET_ACCESS_KEY >>=%s", awsSecret),
+	}
+
+	scenario := scenario{
+		name:              "Ubuntu",
+		osName:            "ubuntu",
+		containerRuntime:  "docker",
+		kubernetesVersion: "v1.15.6",
+		executor:          verifyCreateAndDelete,
+	}
+	testScenario(t, scenario, fmt.Sprintf("aws-%s", *testRunIdentifier), params, AWSEBSEncryptedManifest, false)
+}
+
 // TestAzureProvisioningE2E - a test suite that exercises Azure provider
 // by requesting nodes with different combination of container runtime type, container runtime version and the OS flavour.
 func TestAzureProvisioningE2E(t *testing.T) {

diff --git a/test/e2e/provisioning/testdata/machinedeployment-aws-ebs-encryption-enabled.yaml b/test/e2e/provisioning/testdata/machinedeployment-aws-ebs-encryption-enabled.yaml
@@ -0,0 +1,51 @@
+apiVersion: "cluster.k8s.io/v1alpha1"
+kind: MachineDeployment
+metadata:
+  name: << MACHINE_NAME >>
+  namespace: kube-system
+spec:
+  replicas: 1
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
+  selector:
+    matchLabels:
+      name: << MACHINE_NAME >>
+  template:
+    metadata:
+      labels:
+        name: << MACHINE_NAME >>
+    spec:
+      providerSpec:
+        value:
+          sshPublicKeys:
+            - "<< YOUR_PUBLIC_KEY >>"
+          cloudProvider: "aws"
+          cloudProviderSpec:
+            accessKeyId: << AWS_ACCESS_KEY_ID >>
+            secretAccessKey: << AWS_SECRET_ACCESS_KEY >>
+            region: "eu-central-1"
+            availabilityZone: "eu-central-1a"
+            vpcId: "vpc-819f62e9"
+            instanceType: "t2.medium"
+            instanceProfile: "kubernetes-v1"
+            diskSize: 50
+            diskType: "gp2"
+            ebsVolumeEncrypted: true
+            securityGroupIDs:
+            - "sg-a2c195ca"
+            tags:
+            # you have to set this flag to real clusterID when running against our dev or prod
+            # otherwise you might have issues with your nodes not joining the cluster
+              "KubernetesCluster": "randomString"
+            # Disabling the public IP assignment requires a private subnet with internet access.
+            assignPublicIP: true
+          # Can be 'ubuntu', 'coreos' or 'centos'
+          operatingSystem: "<< OS_NAME >>"
+          operatingSystemSpec:
+            distUpgradeOnBoot: false
+            disableAutoUpdate: true
+      versions:
+        kubelet: "<< KUBERNETES_VERSION >>"
diff --git a/test/e2e/provisioning/testdata/machinedeployment-aws.yaml b/test/e2e/provisioning/testdata/machinedeployment-aws.yaml
@@ -33,6 +33,7 @@ spec:
             instanceProfile: "kubernetes-v1"
             diskSize: 50
             diskType: "gp2"
+            ebsVolumeEncrypted: false
             securityGroupIDs:
             - "sg-a2c195ca"
             tags: