
Secrets-encryption rotation #4372

Merged
merged 71 commits into from
Dec 7, 2021

Conversation

@dereknola dereknola commented Nov 1, 2021

Proposed Changes

Introduces new feature: secrets-encryption keys rotation and enable/disable of encryption. This is all controlled via a new sub command k3s secrets-encrypt. Documentation can be found at https://rancher.com/docs/k3s/latest/en/security/secrets_encryption/

NAME:
   k3s secrets-encrypt - Control secrets encryption and keys rotation

USAGE:
   k3s secrets-encrypt command [command options] [arguments...]

COMMANDS:
   status     Print current status of secrets encryption
   enable     Enable secrets encryption
   disable    Disable secrets encryption
   prepare    Prepare for encryption keys rotation
   rotate     Rotate secrets encryption keys
   reencrypt  Reencrypt all data with new encryption key

Types of Changes

New Feature
New Integration Test (covers single node)

Verification

Formal documentation to follow:
You can run k3s secrets-encrypt status at any time to see the current stage/state of encryption
For a single node cluster:

  • Start server with k3s server --secrets-encryption
  • Create a secret to check
kubectl create secret generic secret1 -n default --from-literal=mykey=mydata
kubectl describe secret secret1 -n default
  • Call k3s secrets-encrypt prepare
  • Call k3s secrets-encrypt status, note the addition of a new key
  • Kill k3s server and restart with same arguments
  • Call k3s secrets-encrypt rotate
  • Call k3s secrets-encrypt status, note the keys swap
  • Kill k3s server, restart with same arguments
  • Call k3s secrets-encrypt reencrypt
  • Check that secret is still encrypted
kubectl create secret generic secret1 -n default --from-literal=mykey=mydata
kubectl describe secret secret1 -n default

For external DB:

  • Start up an external DB (I used mySQL for this)

  • Start up 3 K3s servers joined to mySQL
    k3s server --secrets-encryption --datastore-endpoint "mysql://root:mysql@tcp(192.168.1.200:3306)/k3s"

  • Select ONE server (S1 going forward) to perform the rotate on (doing any stage on any server is supported)

  • Run k3s secrets-encrypt prepare on S1

  • Restart S1 with same arguments

  • Once S1 is back up, restart the other two servers

  • Call k3s secrets-encrypt status on S1 and S2, info should be the same on both

  • Run k3s secrets-encrypt rotate on S1

  • Restart S1

  • Once S1 is back up, restart the other two servers

  • Call k3s secrets-encrypt status on S1 and S2, info should be the same on both

  • Run k3s secrets-encrypt reencrypt on S1

  • Restart S1

  • Once S1 is back up, restart the other two servers

  • Call k3s secrets-encrypt status on S1 and S2, info should be the same on both

Linked Issues

#4254
#3407

User-Facing Change

A CLI subcommand to control secrets encryption. Supports key rotation and enable/disable of secrets encryption.

Further Comments

  • Documentation to follow in next PR.
  • This feature works on all 3 DB types (single node, HA with embedded etcd, HA with external DB)

Signed-off-by: dereknola <[email protected]>
@dereknola dereknola requested a review from a team as a code owner November 1, 2021 18:19
@dereknola dereknola merged commit bcb6629 into k3s-io:master Dec 7, 2021
@dereknola dereknola deleted the encryption_app branch December 15, 2021 16:38
@mdrahman-suse

Verified in k3s with master commit d71b335 and RC with single node and 3 node cluster, following the steps described in the ticket, and observed the expected test results.

3 node cluster

kubectl get nodes,pods -A -o wide
NAME                    STATUS   ROLES                       AGE   VERSION            INTERNAL-IP     EXTERNAL-IP     OS-IMAGE           KERNEL-VERSION   CONTAINER-RUNTIME
node/s1   Ready    <none>                      73m   v1.22.4-rc3+k3s2   <REDACTED>      <REDACTED>     Ubuntu 20.04 LTS   5.4.0-1009-aws   containerd://1.5.8-k3s1
node/s2   Ready    control-plane,etcd,master   77m   v1.22.4-rc3+k3s2   <REDACTED>      <REDACTED>    Ubuntu 20.04 LTS   5.4.0-1009-aws   containerd://1.5.8-k3s1
node/s3   Ready    control-plane,etcd,master   74m   v1.22.4-rc3+k3s2   <REDACTED>      <REDACTED>     Ubuntu 20.04 LTS   5.4.0-1009-aws   containerd://1.5.8-k3s1
node/a1   Ready    control-plane,etcd,master   74m   v1.22.4-rc3+k3s2   <REDACTED>      <REDACTED>   Ubuntu 20.04 LTS   5.4.0-1009-aws   containerd://1.5.8-k3s1

Prepare stage: k3s secrets-encrypt prepare on s1

prepare completed successfully
$ sudo k3s secrets-encrypt status
Encryption Status: Enabled
Current Rotation Stage: prepare
Server Encryption Hashes: hash does not match between s1 and s2

Active  Key Type  Name
------  --------  ----
 *      AES-CBC   aescbckey
        AES-CBC   aescbckey-2021-12-15T22:20:54Z

After restarts on all 3 nodes

$ sudo k3s secrets-encrypt status
Encryption Status: Enabled
Current Rotation Stage: prepare
Server Encryption Hashes: All hashes match

Active  Key Type  Name
------  --------  ----
 *      AES-CBC   aescbckey
        AES-CBC   aescbckey-2021-12-15T22:20:54Z

Rotate stage: k3s secrets-encrypt rotate on s1

rotate completed successfully
$ sudo k3s secrets-encrypt status
Encryption Status: Enabled
Current Rotation Stage: rotate
Server Encryption Hashes: hash does not match between s1 and s2

Active  Key Type  Name
------  --------  ----
 *      AES-CBC   aescbckey-2021-12-15T22:20:54Z
        AES-CBC   aescbckey

After restarts on all 3 nodes

$ sudo k3s secrets-encrypt status
Encryption Status: Enabled
Current Rotation Stage: rotate
Server Encryption Hashes: All hashes match

Active  Key Type  Name
------  --------  ----
 *      AES-CBC   aescbckey-2021-12-15T22:20:54Z
        AES-CBC   aescbckey

Reencrypt stage: k3s secrets-encrypt reencrypt on s1

reencryption started
$ sudo k3s secrets-encrypt status
Encryption Status: Enabled
Current Rotation Stage: reencrypt_active
Server Encryption Hashes: hash does not match between s1 and s2

Active  Key Type  Name
------  --------  ----
 *      AES-CBC   aescbckey-2021-12-15T22:20:54Z
        AES-CBC   aescbckey

$ sudo k3s secrets-encrypt status
Encryption Status: Enabled
Current Rotation Stage: reencrypt_finished
Server Encryption Hashes: hash does not match between s1 and s2

Active  Key Type  Name
------  --------  ----
 *      AES-CBC   aescbckey-2021-12-15T22:20:54Z

After restarts on all 3 nodes

$ sudo k3s secrets-encrypt status
Encryption Status: Enabled
Current Rotation Stage: reencrypt_finished
Server Encryption Hashes: All hashes match

Active  Key Type  Name
------  --------  ----
 *      AES-CBC   aescbckey-2021-12-15T22:20:54Z
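A gate an operator can run between stages of the procedure in the PR description, added here as an example and not code from the PR or from k3s: it parses `k3s secrets-encrypt status` output in the format shown in the verification comment above and refuses to move to the next subcommand until every server reports the same expected stage and "All hashes match" (i.e. the required restarts have happened). The status texts are constructed samples modelled on the output above, and the stage name "start" for a cluster that has never rotated is an assumption, since the page does not show it.

```python
import re

# Constructed sample, modelled on the `k3s secrets-encrypt status` text quoted in
# the verification comment above (not captured from a real cluster).
AFTER_RESTART = """\
Encryption Status: Enabled
Current Rotation Stage: rotate
Server Encryption Hashes: All hashes match

Active  Key Type  Name
------  --------  ----
 *      AES-CBC   aescbckey-2021-12-15T22:20:54Z
        AES-CBC   aescbckey
"""
BEFORE_RESTART = AFTER_RESTART.replace(
    "All hashes match", "hash does not match between s1 and s2")

# Stage every server must report before a subcommand runs (prepare -> rotate ->
# reencrypt, per the PR). "start" is an ASSUMED name for a never-rotated cluster.
PRECONDITION = {"prepare": {"start", "reencrypt_finished"},
                "rotate": {"prepare"}, "reencrypt": {"rotate"}}

def parse_status(text):
    """Parse one server's status output into a dict."""
    fields = dict(re.findall(r"^([\w ]+): (.+)$", text, re.M))
    keys = re.findall(r"^( *\*?) +AES-CBC +(\S+)$", text, re.M)
    return {
        "enabled": fields["Encryption Status"] == "Enabled",
        "stage": fields["Current Rotation Stage"],
        "hashes_match": fields["Server Encryption Hashes"] == "All hashes match",
        "keys": [name for _, name in keys],
        "active_key": next((name for flag, name in keys if "*" in flag), None),
    }

def ready_for(command, outputs):
    """Gate the next stage. outputs maps server name -> status text.
    Returns (ok, reason); ok only when all servers agree and are synced."""
    parsed = {n: parse_status(t) for n, t in outputs.items()}
    stages = {s["stage"] for s in parsed.values()}
    if len(stages) != 1:
        return False, f"servers disagree on stage: {sorted(stages)}"
    stage = stages.pop()
    if stage not in PRECONDITION[command]:
        return False, f"{command} expects {sorted(PRECONDITION[command])}, got {stage}"
    stale = [n for n, s in parsed.items() if not s["hashes_match"]]
    if stale:
        return False, f"restart still pending on {stale}: hashes differ"
    return True, f"all servers at stage {stage} with matching hashes"
```

In practice the status text for each server comes from running `sudo k3s secrets-encrypt status` on that server; the gate returns False while any server still reports differing hashes, which is exactly the state shown before the restarts above.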
