Secrets-encryption rotation by dereknola · Pull Request #4372 · k3s-io/k3s

dereknola · 2021-11-01T18:19:24Z

Proposed Changes

Introduces new feature: secrets-encryption keys rotation and enable/disable of encryption. The is all controlled via a new sub command k3s secrets-encrypt. Documentation can be found at https://rancher.com/docs/k3s/latest/en/security/secrets_encryption/

NAME:
   k3s secrets-encrypt - Control secrets encryption and keys rotation

USAGE:
   k3s secrets-encrypt command [command options] [arguments...]

COMMANDS:
   status     Print current status of secrets encryption
   enable    Enable secrets encryption
   disable   Disable secrets encryption
   prepare   Prepare for encryption keys rotation
   rotate     Rotate secrets encryption keys
   reencrypt  Reencrypt all data with new encryption key

Types of Changes

New Feature
New Integration Test (covers single node)

Verification

Formal documentation to follow:
You can run k3s secrets-encrypt status at any time to see the current stage/state of encryption
For a single node cluster:

Start server with k3s server --secrets-encryption
Create a secret to check

kubectl create secret generic secret1 -n default --from-literal=mykey=mydata
kubectl describe secret secret1 -n default

Call k3s secrets-encrypt prepare
Call k3s secrets-encrypt status, note, the addition of a new key
Kill k3s server and restart with same arguments
Call k3s secrets-encrypt rotate
Call k3s secrets-encrypt status, note the keys swap
Kill k3s server, restart with same arguments
Call k3s secrets-encrypt reencrypt
Check that secret is still encrypted

kubectl create secret generic secret1 -n default --from-literal=mykey=mydata
kubectl describe secret secret1 -n default

For external DB:

Start up a external DB (I used mySQL for this)
Start up 3 K3s servers joined to mySQL
k3s server --secrets-encryption --datastore-endpoint "mysql://root:mysql@tcp(192.168.1.200:3306)/k3s"
Select ONE server (S1 going forward) to perform the rotate on (doing any stage on any server is supported)
Run k3s secrets-encrypt prepare on S1
Restart S1 with same arguments
Once S1 is back up, restart the other two servers
Call k3s secrets-encrypt status on S1 and S2, info should be the same on both
Run k3s secrets-encrypt rotate on S1
Restart S1
Once S1 is back up, restart the other two servers
Call k3s secrets-encrypt status on S1 and S2, info should be the same on both
Run k3s secrets-encrypt reencrypt on S1
Restart S1
Once S1 is back up, restart the other two servers
Call k3s secrets-encrypt status on S1 and S2, info should be the same on both

Linked Issues

#4254
#3407

User-Facing Change

A CLI subcommand to control secrets encryption. Supports key rotation and enabled/disable of secrets encryption.

Further Comments

Documentation to follow in next PR.
This feature works on all 3 DB types (single node, HA with embedded etcd, HA with external DB)

Signed-off-by: dereknola <derek.nola@suse.com>

…o encryption_app

Signed-off-by: dereknola <derek.nola@suse.com>

Signed-off-by: Derek Nola <derek.nola@suse.com>

mdrahman-suse · 2021-12-15T23:42:34Z

Verified in k3s with master commit d71b335 and RC with single node and 3 node cluster following the steps described in the ticket and observed the expected test results

3 node cluster

kubectl get nodes,pods -A -o wide
NAME                    STATUS   ROLES                       AGE   VERSION            INTERNAL-IP     EXTERNAL-IP     OS-IMAGE           KERNEL-VERSION   CONTAINER-RUNTIME
node/s1   Ready    <none>                      73m   v1.22.4-rc3+k3s2   <REDACTED>      <REDACTED>     Ubuntu 20.04 LTS   5.4.0-1009-aws   containerd://1.5.8-k3s1
node/s2   Ready    control-plane,etcd,master   77m   v1.22.4-rc3+k3s2   <REDACTED>      <REDACTED>    Ubuntu 20.04 LTS   5.4.0-1009-aws   containerd://1.5.8-k3s1
node/s3   Ready    control-plane,etcd,master   74m   v1.22.4-rc3+k3s2   <REDACTED>      <REDACTED>     Ubuntu 20.04 LTS   5.4.0-1009-aws   containerd://1.5.8-k3s1
node/a1   Ready    control-plane,etcd,master   74m   v1.22.4-rc3+k3s2   <REDACTED>      <REDACTED>   Ubuntu 20.04 LTS   5.4.0-1009-aws   containerd://1.5.8-k3s1

Prepare stage: k3s secrets-encrypt prepare on s1

prepare completed successfully
$ sudo k3s secrets-encrypt status
Encryption Status: Enabled
Current Rotation Stage: prepare
Server Encryption Hashes: hash does not match between s1 and s2

Active  Key Type  Name
------  --------  ----
 *      AES-CBC   aescbckey
        AES-CBC   aescbckey-2021-12-15T22:20:54Z

After restarts on all 3 nodes

$ sudo k3s secrets-encrypt status
Encryption Status: Enabled
Current Rotation Stage: prepare
Server Encryption Hashes: All hashes match

Active  Key Type  Name
------  --------  ----
 *      AES-CBC   aescbckey
        AES-CBC   aescbckey-2021-12-15T22:20:54Z

Rotate stage: k3s secrets-encrypt rotate on s1

rotate completed successfully
$ sudo k3s secrets-encrypt status
Encryption Status: Enabled
Current Rotation Stage: rotate
Server Encryption Hashes: hash does not match between s1 and s2

Active  Key Type  Name
------  --------  ----
 *      AES-CBC   aescbckey-2021-12-15T22:20:54Z
        AES-CBC   aescbckey

After restarts on all 3 nodes

$ sudo k3s secrets-encrypt status
Encryption Status: Enabled
Current Rotation Stage: rotate
Server Encryption Hashes: All hashes match

Active  Key Type  Name
------  --------  ----
 *      AES-CBC   aescbckey-2021-12-15T22:20:54Z
        AES-CBC   aescbckey

Reencrypt stage: k3s secrets-encrypt reencrypt on s1

reencryption started
$ sudo k3s secrets-encrypt status
Encryption Status: Enabled
Current Rotation Stage: reencrypt_active
Server Encryption Hashes: hash does not match between s1 and s2

Active  Key Type  Name
------  --------  ----
 *      AES-CBC   aescbckey-2021-12-15T22:20:54Z
        AES-CBC   aescbckey

$ sudo k3s secrets-encrypt status
Encryption Status: Enabled
Current Rotation Stage: reencrypt_finished
Server Encryption Hashes: hash does not match between s1 and s2

Active  Key Type  Name
------  --------  ----
 *      AES-CBC   aescbckey-2021-12-15T22:20:54Z

After restarts on all 3 nodes

$ sudo k3s secrets-encrypt status
Encryption Status: Enabled
Current Rotation Stage: reencrypt_finished
Server Encryption Hashes: All hashes match

Active  Key Type  Name
------  --------  ----
 *      AES-CBC   aescbckey-2021-12-15T22:20:54Z

dereknola added 29 commits October 8, 2021 14:41

Initial encrypt files

f8085b6

Signed-off-by: dereknola <derek.nola@suse.com>

Regular CLI framework for encrypt commands

ddfb505

Signed-off-by: dereknola <derek.nola@suse.com>

Fix internalCLIAction

dddddea

Signed-off-by: dereknola <derek.nola@suse.com>

Build k3s-encrypt binary

becae1c

Signed-off-by: dereknola <derek.nola@suse.com>

Add encrypt to server binary

2bb7fd6

Signed-off-by: dereknola <derek.nola@suse.com>

Initial status command complete

07c5c4e

Signed-off-by: dereknola <derek.nola@suse.com>

Initial Prepare command

0c603f0

Signed-off-by: dereknola <derek.nola@suse.com>

Added status subcommand

f6fb0da

Signed-off-by: dereknola <derek.nola@suse.com>

Swapped hashing to rotate prevention

1967a0b

Signed-off-by: dereknola <derek.nola@suse.com>

Change package to secretsencrypt

81dbc18

Signed-off-by: dereknola <derek.nola@suse.com>

Merge branch 'k3s-io:master' into encryption_app

333fe07

Implemented reencryption

dc4c190

Signed-off-by: dereknola <derek.nola@suse.com>

Add encryption toggle to main command

ba10167

Signed-off-by: dereknola <derek.nola@suse.com>

Convert to server-side includes, implement state checks

28233e4

Signed-off-by: dereknola <derek.nola@suse.com>

Remove Hash annotation checks

6c3fd2b

Signed-off-by: dereknola <derek.nola@suse.com>

Converted prepare and status to server-side commands

3762d85

Signed-off-by: dereknola <derek.nola@suse.com>

Merge branch 'k3s-io:master' into encryption_app

bbadf13

Converted reencrypt to server-side call

19a9155

Signed-off-by: dereknola <derek.nola@suse.com>

Add encryption enable/disable, Cleanup CLI

7809022

Signed-off-by: dereknola <derek.nola@suse.com>

Cleanup main command

eb9f3b2

Signed-off-by: dereknola <derek.nola@suse.com>

Added hash encryption verification

dac53da

Signed-off-by: dereknola <derek.nola@suse.com>

Added back encryption hash annotations

775f5be

Signed-off-by: dereknola <derek.nola@suse.com>

Initial integration test

d32582b

Signed-off-by: dereknola <derek.nola@suse.com>

Merge branch 'k3s-io:master' into encryption_app

7ec3a63

Merge branch 'encryption_app' of https://github.com/dereknola/k3s int…

a711faf

…o encryption_app

Merge remote-tracking branch 'upstream/master' into encryption_app

e52cd99

Signed-off-by: dereknola <derek.nola@suse.com>

Finished integration test

eb979ae

Signed-off-by: dereknola <derek.nola@suse.com>

Added encryption disable to test

743ff56

Signed-off-by: dereknola <derek.nola@suse.com>

Merge branch 'k3s-io:master' into encryption_app

5935edb

dereknola requested a review from a team as a code owner November 1, 2021 18:19

dereknola force-pushed the encryption_app branch from 8ca7cda to 757b464 Compare November 30, 2021 22:53

brandond reviewed Nov 30, 2021

View reviewed changes

Comment thread pkg/server/secrets-encrypt.go Outdated

dereknola added 6 commits December 2, 2021 16:56

Reworked encrytion state file and combined with annotation

0c1ba7a

Signed-off-by: Derek Nola <derek.nola@suse.com>

Initial controller rework

6ef8f2b

Signed-off-by: Derek Nola <derek.nola@suse.com>

Update node before applying annontation

a9843a4

Signed-off-by: Derek Nola <derek.nola@suse.com>

Finished controller, update int test

d137c80

Signed-off-by: Derek Nola <derek.nola@suse.com>

Merge branch 'master' into encryption_app

f3eeb6c

Signed-off-by: Derek Nola <derek.nola@suse.com>

Fix bootstrap on embedded etcd

6085de3

Signed-off-by: Derek Nola <derek.nola@suse.com>

brandond requested changes Dec 7, 2021

View reviewed changes

Comment thread pkg/cluster/cluster.go

Comment thread pkg/cluster/storage.go

Comment thread pkg/secretsencrypt/controller.go Outdated

dereknola added 2 commits December 7, 2021 10:12

golang-lintci fix

f0b8a57

Signed-off-by: Derek Nola <derek.nola@suse.com>

codespell

e239ee5

Signed-off-by: Derek Nola <derek.nola@suse.com>

brandond requested changes Dec 7, 2021

View reviewed changes

Comment thread pkg/server/server.go Outdated

Comment thread pkg/secretsencrypt/controller.go Outdated

Comment thread pkg/cluster/storage.go

Comment thread pkg/cluster/cluster.go

dereknola added 3 commits December 7, 2021 13:10

Fix to bootstrap on restart of joing nodes

e432c1a

Signed-off-by: Derek Nola <derek.nola@suse.com>

Consolidate event recorder

b446de9

Signed-off-by: Derek Nola <derek.nola@suse.com>

Include nodeName in events

b4ed675

Signed-off-by: Derek Nola <derek.nola@suse.com>

brandond requested changes Dec 7, 2021

View reviewed changes

Comment thread pkg/util/api.go Outdated

Comment thread pkg/deploy/controller.go Outdated

Consolidate node name

d83ae1b

Signed-off-by: Derek Nola <derek.nola@suse.com>

brandond approved these changes Dec 7, 2021

View reviewed changes

dereknola merged commit bcb6629 into k3s-io:master Dec 7, 2021

dereknola added a commit to dereknola/k3s that referenced this pull request Dec 7, 2021

Backport of k3s-io#4372

2dfad6f

Signed-off-by: Derek Nola <derek.nola@suse.com>

dereknola mentioned this pull request Dec 7, 2021

[Release-1.22] Secrets-encryption rotation #4654

Merged

dereknola added a commit that referenced this pull request Dec 7, 2021

Backport of #4372 (#4654)

2561285

Signed-off-by: Derek Nola <derek.nola@suse.com>

This was referenced Dec 7, 2021

[Engine-1.21] Secrets-encryption rotation #4656

Merged

[Release-1.21] Secrets-encryption rotation #4658

Merged

dereknola deleted the encryption_app branch December 15, 2021 16:38

This was referenced Dec 15, 2021

[Release-1.22] K3s secrets encryption key rotation #4602

Closed

[Release-1.21] K3s secrets encryption key rotation #4555

Closed

K3s secrets encryption key rotation #4254

Closed

dereknola mentioned this pull request Dec 22, 2021

Require integration test to be run as sudo/root #4824

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Secrets-encryption rotation#4372

Secrets-encryption rotation#4372
dereknola merged 71 commits intok3s-io:masterfrom
dereknola:encryption_app

dereknola commented Nov 1, 2021 •

edited

Loading

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

mdrahman-suse commented Dec 15, 2021

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

Conversation

dereknola commented Nov 1, 2021 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Proposed Changes

Types of Changes

Verification

Linked Issues

User-Facing Change

Further Comments

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

mdrahman-suse commented Dec 15, 2021

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

dereknola commented Nov 1, 2021 •

edited

Loading