fix(init): don't create the EncryptionConfig if it exists (#282)

Andrew Rynhard 2018-12-05 19:02:30 -08:00 committed by GitHub
parent fa26c63f79
commit 0c32c95228
3 changed files with 18 additions and 5 deletions


@ -83,6 +83,12 @@ const (
// VMwareGuestInfoUserDataKey is the guestinfo key used to provide a user data file.
VMwareGuestInfoUserDataKey = "talos.userdata"
// EncryptionConfigInitramfsPath is the path to the EncryptionConfig relative to initramfs.
EncryptionConfigInitramfsPath = "/var/etc/kubernetes/encryptionconfig.yaml"
// EncryptionConfigRootfsPath is the path to the EncryptionConfig relative to rootfs.
EncryptionConfigRootfsPath = "/etc/kubernetes/encryptionconfig.yaml"
)
// See https://linux.die.net/man/3/klogctl
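Review bot: The two new constants name the same file as seen from two roots, yet each spells the full path out independently, so a later edit to one can silently diverge from the other while the Stat guard, the write, and the API server mount all keep "working" on different files. Deriving one from the other, `EncryptionConfigInitramfsPath = "/var" + EncryptionConfigRootfsPath`, keeps them in step at no cost; the third file in this commit already lists rootfs paths under a "/var" prefix, so the convention appears established. The const block closes at the brace in this hunk, so no other lines are affected.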


@ -5,9 +5,12 @@ import (
"encoding/base64"
"io/ioutil"
"math/rand"
"os"
"text/template"
"time"
"github.com/autonomy/talos/src/initramfs/cmd/init/pkg/constants"
"k8s.io/api/core/v1"
kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
)
@ -51,6 +54,10 @@ func EnforceAuditingRequirements(cfg *kubeadmapi.InitConfiguration) error {
// EnforceSecretRequirements enforces CIS requirements for secrets.
func EnforceSecretRequirements(cfg *kubeadmapi.InitConfiguration) error {
if _, err := os.Stat(constants.EncryptionConfigInitramfsPath); !os.IsNotExist(err) {
return nil
}
random := func(min, max int) int {
return rand.Intn(max-min) + min
}
@ -80,14 +87,14 @@ func EnforceSecretRequirements(cfg *kubeadmapi.InitConfiguration) error {
if err := t.Execute(buf, aux); err != nil {
return err
}
if err := ioutil.WriteFile("/var/etc/kubernetes/encryptionconfig.yaml", buf.Bytes(), 0400); err != nil {
if err := ioutil.WriteFile(constants.EncryptionConfigInitramfsPath, buf.Bytes(), 0400); err != nil {
return err
}
cfg.APIServerExtraArgs["experimental-encryption-provider-config"] = "/etc/kubernetes/encryptionconfig.yaml"
cfg.APIServerExtraArgs["experimental-encryption-provider-config"] = constants.EncryptionConfigRootfsPath
vol := kubeadmapi.HostPathMount{
Name: "encryptionconfig",
HostPath: "/etc/kubernetes/encryptionconfig.yaml",
MountPath: "/etc/kubernetes/encryptionconfig.yaml",
HostPath: constants.EncryptionConfigRootfsPath,
MountPath: constants.EncryptionConfigRootfsPath,
Writable: false,
PathType: v1.HostPathFile,
}
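Review bot: The guard added at the top of EnforceSecretRequirements returns nil as soon as the file exists, which also skips the `experimental-encryption-provider-config` argument and the HostPathMount volume set further down in the third hunk, so on a run where the config already exists the API server would come up without the encryption provider unless that wiring is persisted somewhere not shown here. The same guard treats any os.Stat error other than not-exist (a permission error, for instance) as "already present" and silently succeeds, whereas only the generate-and-write step should be skipped and an unexpected Stat error should be returned. The rewrite below moves generation and the write into a helper that runs only when the file is absent and leaves the API server wiring unconditional; the helper's body is the code between the second and third hunks, which is not visible here, and the function continues past this hunk. Separately, the `random` helper just below the guard is built on math/rand; if it feeds the key material rendered into the template, crypto/rand should be used instead, though that generation runs outside the hunk.
```go
func EnforceSecretRequirements(cfg *kubeadmapi.InitConfiguration) error {
	_, err := os.Stat(constants.EncryptionConfigInitramfsPath)
	switch {
	case err == nil:
		// Config already generated on an earlier run: keep it, but still
		// wire it into the API server below.
	case os.IsNotExist(err):
		if err := writeEncryptionConfig(); err != nil {
			return err
		}
	default:
		return err
	}
	// … unchanged: APIServerExtraArgs, HostPathMount volume, return …

// writeEncryptionConfig renders the EncryptionConfig template and writes it
// to constants.EncryptionConfigInitramfsPath; it holds the existing
// key generation, template execution and ioutil.WriteFile call.
func writeEncryptionConfig() error {
	// … unchanged: key generation, template execution, ioutil.WriteFile …
}
```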


@ -96,7 +96,7 @@ func (k *Kubeadm) PostFunc(data *userdata.UserData) error {
files := []string{
"/var/etc/kubernetes/audit-policy.yaml",
"/var/etc/kubernetes/encryptionconfig.yaml",
constants.EncryptionConfigInitramfsPath,
"/var/etc/kubernetes/pki/ca.crt",
"/var/etc/kubernetes/pki/ca.key",
"/var/etc/kubernetes/pki/sa.key",