From 82ecfefbb3fbcdbcb757d4598c08ea0879f2079d Mon Sep 17 00:00:00 2001 From: "W. Trevor King" Date: Mon, 5 Aug 2019 11:19:20 -0700 Subject: [PATCH 1/2] pkg/asset/machines/aws/machines: Request encrypted root volumes The AWS cluster-API provider just started respecting this property in openshift/cluster-api-provider-aws@99de8f2015 (Wire provider spec EBS volume Encrypted field into ec2.EbsBlockDevice.Encrypted field, 2019-08-05, openshift/cluster-api-provider-aws#245). By asking for it, we'll get encrypted root volumes for compute machines and remove the need for copy-and-encrypting the control-plane machines.
---
 pkg/asset/machines/aws/machines.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/pkg/asset/machines/aws/machines.go b/pkg/asset/machines/aws/machines.go
index e0874d06520..04bbf6e8dfb 100644
--- a/pkg/asset/machines/aws/machines.go
+++ b/pkg/asset/machines/aws/machines.go
@@ -87,6 +87,7 @@ func provider(clusterID string, platform *aws.Platform, mpool *aws.MachinePool,
 VolumeType: pointer.StringPtr(mpool.Type),
 VolumeSize: pointer.Int64Ptr(int64(mpool.Size)),
 Iops: pointer.Int64Ptr(int64(mpool.IOPS)),
+ Encrypted: pointer.BoolPtr(true),
 },
 },
 },
From 58c641323b309e9fe0ea43143056d410060de19d Mon Sep 17 00:00:00 2001
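Review bot: In `provider()` (pkg/asset/machines/aws/machines.go), `Encrypted: pointer.BoolPtr(true)` is set with no key reference beside it, so compute root volumes are encrypted under the account's default EBS key for the region, and an operator who needs a customer-managed key has no way to request one here. A short comment above the field would record that choice, e.g. `// No KMS key is named, so EC2 uses the account's default EBS key for the region.` The commit message says the AWS provider only began honouring this field in openshift/cluster-api-provider-aws@99de8f2015; against an older provider the request would presumably be ignored and volumes left unencrypted with no error. It is therefore worth confirming that the provider shipped with this installer includes that commit, and adding a unit-test assertion on the generated provider config's `Encrypted` value. The body of `provider()` starts and ends outside this hunk.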
From: "W. Trevor King" Date: Mon, 5 Aug 2019 11:23:46 -0700 Subject: [PATCH 2/2] data: Docs for encrypted volumes for compute machines Partially reverts 0c370dd811 (data/aws: Encrypt the AMI used by the bootstrap and master machines, 2019-02-22, #1296). This isn't a clean revert; for example, I left the ability to destroy images which are tagged as owned by the cluster. And we're still copy-and-encrypting for the bootstrap machine and control-plane machines until the AWS Terraform provider supports requesting encrypted root volumes [1]. But with this commit, we're now documenting the encryption in a way that covers both the previous AMI-based encryption used for bootstrap/control-plane and the new root-volume-based encryption used for the compute machines, because they come down to encrypted root volumes regardless of their approach. [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/8624
---
 data/data/aws/variables-aws.tf | 2 +-
 docs/user/aws/install.md | 6 +-----
 2 files changed, 2 insertions(+), 6 deletions(-)
diff --git a/data/data/aws/variables-aws.tf b/data/data/aws/variables-aws.tf
index 149af1f161d..e946834fc4b 100644
--- a/data/data/aws/variables-aws.tf
+++ b/data/data/aws/variables-aws.tf
@@ -19,7 +19,7 @@ variable "aws_master_instance_type" {
 variable "aws_ami" {
 type = string
- description = "AMI for all nodes. An encrypted copy of this AMI will be used. Example: `ami-foobar123`."
+ description = "AMI for all nodes. Example: `ami-foobar123`."
 }
 variable "aws_extra_tags" {
diff --git a/docs/user/aws/install.md b/docs/user/aws/install.md
index 29a573c6c98..f2f0d37cf2c 100644
--- a/docs/user/aws/install.md
+++ b/docs/user/aws/install.md
@@ -49,12 +49,9 @@ In EC2, there will be 6 running instances: ![EC2 instances after install](images/install_nodes.png) -The installation creates an encrypted AMI for the bootstrap and control-plane machines. -The encrypted AMI is [copied][encrypted-copy] from the AMI configured in the control-plane machine-API provider spec, -which is RHCOS by default. +Instance root volumes for the bootstrap and contro-plane machines are encrypted. The encryption uses the default EBS key for your target account and region (`aws kms describe-key --key-id alias/aws/ebs`). -The encrypted AMI is deregistered by `destroy cluster`. An architecture diagram for the AWS elements created by the full installation is as depicted: @@ -69,4 +66,3 @@ The OpenShift console is available via the kubeadmin login provided by the insta ![OpenShift web console](images/install_console.png) [cloud-install]: https://cloud.openshift.com/clusters/install -[encrypted-copy]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIEncryption.html#create-ami-encrypted-root-snapshot