
Adding disk encryption to storageclasses and to openshift registry

Kenny Woodson 7 lat temu
rodzic
commit
54fc9c9d8f

+ 7 - 0
inventory/byo/hosts.origin.example

@@ -464,6 +464,8 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 # S3 bucket must already exist.
 #openshift_hosted_registry_storage_kind=object
 #openshift_hosted_registry_storage_provider=s3
+#openshift_hosted_registry_storage_s3_encrypt=false
+#openshift_hosted_registry_storage_s3_kmskeyid=aws_kms_key_id
 #openshift_hosted_registry_storage_s3_accesskey=aws_access_key_id
 #openshift_hosted_registry_storage_s3_secretkey=aws_secret_access_key
 #openshift_hosted_registry_storage_s3_bucket=bucket_name
@@ -548,6 +550,11 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 # Configure the prefix and version for the component images
 #openshift_hosted_metrics_deployer_prefix=docker.io/openshift/origin-
 #openshift_hosted_metrics_deployer_version=3.6.0
+#
+# StorageClass
+# openshift_storageclass_name=gp2
+# openshift_storageclass_parameters={'type': 'gp2', 'encrypted': false}
+#
 
 # Logging deployment
 #
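Review bot: The `openshift_storageclass_parameters` example writes `'encrypted': false` as a bare literal, but StorageClass `parameters` is a map of string values, and as far as I can tell Ansible's INI value parsing only turns the line into a dict when it is a valid Python literal, which lowercase `false` is not — contrast the quoted `'login': 'true'` style used on the identity-provider lines elsewhere in this file. Quoting the value makes the example valid both as an inventory value and as a StorageClass parameter, and showing it enabled matches what the commit sets out to add: `# openshift_storageclass_parameters={'type': 'gp2', 'encrypted': 'true'}`. The registry lines would also benefit from one comment saying that `openshift_hosted_registry_storage_s3_kmskeyid` only takes effect together with `openshift_hosted_registry_storage_s3_encrypt=true`, since the sample shows encryption off. The same two stanzas appear in inventory/byo/hosts.ose.example.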

+ 7 - 0
inventory/byo/hosts.ose.example

@@ -464,6 +464,8 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 # S3 bucket must already exist.
 #openshift_hosted_registry_storage_kind=object
 #openshift_hosted_registry_storage_provider=s3
+#openshift_hosted_registry_storage_s3_encrypt=false
+#openshift_hosted_registry_storage_s3_kmskeyid=aws_kms_key_id
 #openshift_hosted_registry_storage_s3_accesskey=aws_access_key_id
 #openshift_hosted_registry_storage_s3_secretkey=aws_secret_access_key
 #openshift_hosted_registry_storage_s3_bucket=bucket_name
@@ -548,6 +550,11 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 # Configure the prefix and version for the component images
 #openshift_hosted_metrics_deployer_prefix=registry.example.com:8888/openshift3/
 #openshift_hosted_metrics_deployer_version=3.6.0
+#
+# StorageClass
+# openshift_storageclass_name=gp2
+# openshift_storageclass_parameters={'type': 'gp2', 'encrypted': false}
+#
 
 # Logging deployment
 #

+ 9 - 2
roles/openshift_default_storage_class/README.md

@@ -3,6 +3,8 @@ openshift_master_storage_class
 
 A role that deploys configuratons for Openshift StorageClass
 
+Documentation: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
+
 Requirements
 ------------
 
@@ -13,7 +15,8 @@ Role Variables
 
 openshift_storageclass_name: Name of the storage class to create
 openshift_storageclass_provisioner: The kubernetes provisioner to use
-openshift_storageclass_type: type of storage to use. This is different among clouds/providers
+openshift_storageclass_parameters: Paramters to pass to the storageclass parameters section
+
 
 Dependencies
 ------------
@@ -22,10 +25,14 @@ Dependencies
 Example Playbook
 ----------------
 
+  # aws specific
 - role: openshift_default_storage_class
   openshift_storageclass_name: awsEBS
   openshift_storageclass_provisioner: kubernetes.io/aws-ebs
-  openshift_storageclass_type: gp2
+  openshift_storageclass_parameters:
+    type: gp2
+    encripted: true
+
 
 
 License

+ 5 - 3
roles/openshift_default_storage_class/defaults/main.yml

@@ -3,12 +3,14 @@ openshift_storageclass_defaults:
   aws:
     name: gp2
     provisioner: kubernetes.io/aws-ebs
-    type: gp2
+    parameters:
+      type: gp2
   gce:
     name: standard
     provisioner: kubernetes.io/gce-pd
-    type: pd-standard
+    parameters:
+      type: pd-standard
 
 openshift_storageclass_name: "{{ openshift_storageclass_defaults[openshift_cloudprovider_kind]['name'] }}"
 openshift_storageclass_provisioner: "{{ openshift_storageclass_defaults[openshift_cloudprovider_kind]['provisioner'] }}"
-openshift_storageclass_type: "{{ openshift_storageclass_defaults[openshift_cloudprovider_kind]['type'] }}"
+openshift_storageclass_parameters: "{{ openshift_storageclass_defaults[openshift_cloudprovider_kind]['parameters'] }}"
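Review bot: The new `parameters` maps give no hint that they are handed verbatim to the StorageClass `parameters` field, whose values must be strings, so a user adding the encryption option this commit is about is likely to write `encrypted: true` (a YAML boolean) and, I believe, have the object rejected by the API server. A comment above the `aws:` entry would prevent that, e.g. `# Forwarded unchanged as StorageClass.parameters; values must be strings, e.g. encrypted: "true" for EBS encryption at rest.` The `openshift_storageclass_defaults:` mapping begins outside the hunk.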

+ 1 - 2
roles/openshift_default_storage_class/tasks/main.yml

@@ -14,6 +14,5 @@
           annotations:
             storageclass.beta.kubernetes.io/is-default-class: "true"
         provisioner: "{{ openshift_storageclass_provisioner }}"
-        parameters:
-          type: "{{ openshift_storageclass_type }}"
+        parameters: "{{ openshift_storageclass_parameters }}"
   run_once: true
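Review bot: With `parameters: "{{ openshift_storageclass_parameters }}"` the role forwards whatever the caller supplies without any check, where the removed lines at least guaranteed a string-valued `type` key. As far as I know the in-tree provisioners only report unknown keys when a volume is first provisioned, so a misspelt key — this commit's README example writes `encripted: true` — yields a StorageClass that is created cleanly but fails at PVC time, and a boolean value is rejected because the field is string-valued. A precheck before this task, `assert: { that: "openshift_storageclass_parameters is mapping" }`, plus a comment stating that values must be strings would surface both early. The task this line belongs to starts outside the hunk.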

+ 4 - 1
roles/openshift_hosted/templates/registry_config.j2

@@ -21,7 +21,10 @@ storage:
     regionendpoint: {{ openshift_hosted_registry_storage_s3_regionendpoint }}
 {%   endif %}
     bucket: {{ openshift_hosted_registry_storage_s3_bucket }}
-    encrypt: false
+    encrypt: {{ openshift_hosted_registry_storage_s3_encrypt | default(false) }}
+{% if openshift_hosted_registry_storage_s3_kmskeyid %}
+    keyid: {{ openshift_hosted_registry_storage_s3_kmskeyid }}
+{% endif %}
     secure: true
     v4auth: true
     rootdirectory: {{ openshift_hosted_registry_storage_s3_rootdirectory | default('/registry') }}
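Review bot: `{% if openshift_hosted_registry_storage_s3_kmskeyid %}` tests the variable directly while the `encrypt` line just above guards with `| default(false)`; unless a role default for the key id exists somewhere not visible here, the inventory examples leave it commented out and Ansible's strict undefined handling will fail the render for every S3-backed registry, not only for users who want KMS. Matching the line above fixes that: `{% if openshift_hosted_registry_storage_s3_kmskeyid | default('') %}`. It is also worth documenting inline that, per the registry S3 driver documentation as I recall it, `keyid` is ignored unless `encrypt` is true, so a key id set next to the default `encrypt: false` silently produces unencrypted objects — `{# keyid only takes effect when encrypt is true #}` above the `if`.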