From d08799ca098c6143ceaa4aa1c0ae800aa5c3a105 Mon Sep 17 00:00:00 2001
From: immutablet
Date: Wed, 28 Feb 2018 10:21:04 -0800
Subject: [PATCH] Enable AESGCM encryption of secrets in etcd by default.
---
 cluster/gce/config-default.sh | 19 +++++++++++++++++++
 cluster/gce/util.sh | 1 +
 2 files changed, 20 insertions(+)
diff --git a/cluster/gce/config-default.sh b/cluster/gce/config-default.sh
index 7d9c6215c3b63..8083bc456963b 100755
--- a/cluster/gce/config-default.sh
+++ b/cluster/gce/config-default.sh
@@ -194,6 +194,25 @@ if [[ ${ENABLE_METADATA_CONCEALMENT:-} == "true" ]]; then
 PROVIDER_VARS="${PROVIDER_VARS:-} ENABLE_METADATA_CONCEALMENT METADATA_CONCEALMENT_NO_FIREWALL"
 fi
+
+# Enable AESGCM encryption of secrets by default.
+ENCRYPTION_PROVIDER_CONFIG="${ENCRYPTION_PROVIDER_CONFIG:-}"
+if [[ -z "${ENCRYPTION_PROVIDER_CONFIG}" ]]; then
+ ENCRYPTION_PROVIDER_CONFIG=$(cat << EOM | base64 | tr -d '\r\n'
+kind: EncryptionConfig
+apiVersion: v1
+resources:
+ - resources:
+ - secrets
+ providers:
+ - aesgcm:
+ keys:
+ - name: key1
+ secret: $(dd if=/dev/random bs=32 count=1 status=none | base64 | tr -d '\r\n')
+EOM
+)
+fi
+
 # Optional: Enable node logging.
 ENABLE_NODE_LOGGING="${KUBE_ENABLE_NODE_LOGGING:-true}"
 LOGGING_DESTINATION="${KUBE_LOGGING_DESTINATION:-gcp}" # options: elasticsearch, gcp
diff --git a/cluster/gce/util.sh b/cluster/gce/util.sh
index 5838ec052a539..4fb398ceb4588 100755
--- a/cluster/gce/util.sh
+++ b/cluster/gce/util.sh
@@ -834,6 +834,7 @@ ETCD_CA_KEY: $(yaml-quote ${ETCD_CA_KEY_BASE64:-})
 ETCD_CA_CERT: $(yaml-quote ${ETCD_CA_CERT_BASE64:-})
 ETCD_PEER_KEY: $(yaml-quote ${ETCD_PEER_KEY_BASE64:-})
 ETCD_PEER_CERT: $(yaml-quote ${ETCD_PEER_CERT_BASE64:-})
+ENCRYPTION_PROVIDER_CONFIG: $(yaml-quote ${ENCRYPTION_PROVIDER_CONFIG:-})
 EOF
 if [[ "${ENABLE_TOKENREQUEST:-}" == "true" ]]; then
 cat >>$file <
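Review bot: The key generation on the `secret:` line in the config-default.sh hunk can silently produce a key shorter than 32 bytes, because `dd count=1` counts read() calls rather than bytes and a read from `/dev/random` returns only the entropy currently available (and may block on a fresh VM); a short key is rejected by the aesgcm provider, which accepts only 16-, 24- or 32-byte keys, so the apiserver fails to start. `status=none` is additionally a GNU-coreutils operand that BSD/macOS `dd` may not accept, in which case the substitution errors out and the secret is empty; `secret: $(head -c 32 /dev/urandom | base64 | tr -d '\r\n')` reads exactly 32 bytes, does not block and is portable. A fresh key is also generated every time this file is sourced with ENCRYPTION_PROVIDER_CONFIG unset, and if that path is taken during an upgrade rather than a first kube-up, secrets already encrypted in etcd become unreadable; a comment above the `if [[ -z` line such as `# Generates a new key; on upgrade the existing config MUST be supplied via ENCRYPTION_PROVIDER_CONFIG or secrets already in etcd cannot be decrypted.` would make that explicit. Per the apiserver encryption documentation the aesgcm provider's key should also be rotated before roughly 200k writes, and nothing in this change provides rotation, which is worth noting in the same comment.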