pkg/asset/machines/aws/machines: Request encrypted EBS volumes

[wking]

This should allow us to get encrypted compute machines even without the AWS cluster-API provider supporting copy-and-encrypt for RHCOS AMIs.

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: wking

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [wking]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[abhinavdahiya]

/cc @enxebre @ingvagabund
Does this option work? DO we know the constraints? What keys is it using for encrypting..?

[abhinavdahiya]

This needs a bugzilla if we need to merge this to master.

[cgwalters]

In case anyone else was curious, the EBS docs claim there's effectively no performance hit.

[wking]

This needs a bugzilla if we need to merge this to master.

Currently we're just evaluating whether this works, so...

/hold

[wking]

Looking at the e2e-aws run, the build log has the cluster at ci-op-7tpb7vcy-1d3f3. While the test was running, I captured the volume situation with:

$ AWS_PROFILE=ci aws ec2 describe-volumes --output json >volumes.json

Checking now for the volumes associated with that cluster:

$ jq '.Volumes[] | .cluster = (.Tags[] | select(.Key | startswith("kubernetes.io/cluster/")).Key) | select(.cluster | startswith("kubernetes.io/cluster/ci-op-7tpb7vcy-1d3f3")) | {VolumeId, Encrypted, cluster, instance: .Attachments[0].InstanceId}' volumes.json
{
  "VolumeId": "vol-07cc62ef5ad9af01f",
  "Encrypted": true,
  "cluster": "kubernetes.io/cluster/ci-op-7tpb7vcy-1d3f3-c78t9",
  "instance": "i-0deed742bda0fd047"
}
{
  "VolumeId": "vol-0d91f36089c2341f5",
  "Encrypted": false,
  "cluster": "kubernetes.io/cluster/ci-op-7tpb7vcy-1d3f3-c78t9",
  "instance": "i-0590e489ce5862fe1"
}
{
  "VolumeId": "vol-076599bc4160a6f51",
  "Encrypted": true,
  "cluster": "kubernetes.io/cluster/ci-op-7tpb7vcy-1d3f3-c78t9",
  "instance": "i-09f9adcc2570118ca"
}
{
  "VolumeId": "vol-0e2bd7ec799f5387b",
  "Encrypted": true,
  "cluster": "kubernetes.io/cluster/ci-op-7tpb7vcy-1d3f3-c78t9",
  "instance": "i-0d7f3ad2f18cef610"
}
{
  "VolumeId": "vol-089e1e295082f42ae",
  "Encrypted": false,
  "cluster": "kubernetes.io/cluster/ci-op-7tpb7vcy-1d3f3-c78t9",
  "instance": "i-0bc2c963f56f0f0ab"
}
{
  "VolumeId": "vol-0ba2060446daa6537",
  "Encrypted": false,
  "cluster": "kubernetes.io/cluster/ci-op-7tpb7vcy-1d3f3-c78t9",
  "instance": "i-0148733bcb3208812"
}

Mapping those instance IDs to roles:

$ curl -s https://storage.googleapis.com/origin-ci-test/pr-logs/pull/openshift_installer/2114/pull-ci-openshift-installer-master-e2e-aws/6896/artifacts/e2e-aws/nodes.json | jq '[.items[] | {machine: .metadata.annotations["machine.openshift.io/machine"], instance: .spec.providerID}] | sort_by(.machine)[]'
{
  "machine": "openshift-machine-api/ci-op-7tpb7vcy-1d3f3-c78t9-master-0",
  "instance": "aws:///us-east-1a/i-0d7f3ad2f18cef610"
}
{
  "machine": "openshift-machine-api/ci-op-7tpb7vcy-1d3f3-c78t9-master-1",
  "instance": "aws:///us-east-1b/i-0deed742bda0fd047"
}
{
  "machine": "openshift-machine-api/ci-op-7tpb7vcy-1d3f3-c78t9-master-2",
  "instance": "aws:///us-east-1a/i-09f9adcc2570118ca"
}
{
  "machine": "openshift-machine-api/ci-op-7tpb7vcy-1d3f3-c78t9-worker-us-east-1a-57zgk",
  "instance": "aws:///us-east-1a/i-0148733bcb3208812"
}
{
  "machine": "openshift-machine-api/ci-op-7tpb7vcy-1d3f3-c78t9-worker-us-east-1a-h5mwk",
  "instance": "aws:///us-east-1a/i-0bc2c963f56f0f0ab"
}
{
  "machine": "openshift-machine-api/ci-op-7tpb7vcy-1d3f3-c78t9-worker-us-east-1b-gx9r2",
  "instance": "aws:///us-east-1b/i-0590e489ce5862fe1"
}

So the three compute nodes had unencrypted volumes. Am I holding this wrong?

[abhinavdahiya]

Looking at the e2e-aws run, the build log has the cluster at ci-op-7tpb7vcy-1d3f3. While the test was running, I captured the volume situation with:

$ AWS_PROFILE=ci aws ec2 describe-volumes --output json >volumes.json

Checking now for the volumes associated with that cluster:

$ jq '.Volumes[] | .cluster = (.Tags[] | select(.Key | startswith("kubernetes.io/cluster/")).Key) | select(.cluster | startswith("kubernetes.io/cluster/ci-op-7tpb7vcy-1d3f3")) | {VolumeId, Encrypted, cluster, instance: .Attachments[0].InstanceId}' volumes.json
{
  "VolumeId": "vol-07cc62ef5ad9af01f",
  "Encrypted": true,
  "cluster": "kubernetes.io/cluster/ci-op-7tpb7vcy-1d3f3-c78t9",
  "instance": "i-0deed742bda0fd047"
}
{
  "VolumeId": "vol-0d91f36089c2341f5",
  "Encrypted": false,
  "cluster": "kubernetes.io/cluster/ci-op-7tpb7vcy-1d3f3-c78t9",
  "instance": "i-0590e489ce5862fe1"
}
{
  "VolumeId": "vol-076599bc4160a6f51",
  "Encrypted": true,
  "cluster": "kubernetes.io/cluster/ci-op-7tpb7vcy-1d3f3-c78t9",
  "instance": "i-09f9adcc2570118ca"
}
{
  "VolumeId": "vol-0e2bd7ec799f5387b",
  "Encrypted": true,
  "cluster": "kubernetes.io/cluster/ci-op-7tpb7vcy-1d3f3-c78t9",
  "instance": "i-0d7f3ad2f18cef610"
}
{
  "VolumeId": "vol-089e1e295082f42ae",
  "Encrypted": false,
  "cluster": "kubernetes.io/cluster/ci-op-7tpb7vcy-1d3f3-c78t9",
  "instance": "i-0bc2c963f56f0f0ab"
}
{
  "VolumeId": "vol-0ba2060446daa6537",
  "Encrypted": false,
  "cluster": "kubernetes.io/cluster/ci-op-7tpb7vcy-1d3f3-c78t9",
  "instance": "i-0148733bcb3208812"
}

Mapping those instance IDs to roles:

$ curl -s https://storage.googleapis.com/origin-ci-test/pr-logs/pull/openshift_installer/2114/pull-ci-openshift-installer-master-e2e-aws/6896/artifacts/e2e-aws/nodes.json | jq '[.items[] | {machine: .metadata.annotations["machine.openshift.io/machine"], instance: .spec.providerID}] | sort_by(.machine)[]'
{
  "machine": "openshift-machine-api/ci-op-7tpb7vcy-1d3f3-c78t9-master-0",
  "instance": "aws:///us-east-1a/i-0d7f3ad2f18cef610"
}
{
  "machine": "openshift-machine-api/ci-op-7tpb7vcy-1d3f3-c78t9-master-1",
  "instance": "aws:///us-east-1b/i-0deed742bda0fd047"
}
{
  "machine": "openshift-machine-api/ci-op-7tpb7vcy-1d3f3-c78t9-master-2",
  "instance": "aws:///us-east-1a/i-09f9adcc2570118ca"
}
{
  "machine": "openshift-machine-api/ci-op-7tpb7vcy-1d3f3-c78t9-worker-us-east-1a-57zgk",
  "instance": "aws:///us-east-1a/i-0148733bcb3208812"
}
{
  "machine": "openshift-machine-api/ci-op-7tpb7vcy-1d3f3-c78t9-worker-us-east-1a-h5mwk",
  "instance": "aws:///us-east-1a/i-0bc2c963f56f0f0ab"
}
{
  "machine": "openshift-machine-api/ci-op-7tpb7vcy-1d3f3-c78t9-worker-us-east-1b-gx9r2",
  "instance": "aws:///us-east-1b/i-0590e489ce5862fe1"
}

So the three compute nodes had unencrypted volumes. Am I holding this wrong?

https://github.com/openshift/cluster-api-provider-aws/blob/7a53d36f7e4c928b51a502b9f12e245045cfb6f3/pkg/actuators/machine/instances.go#L200-L212

it doesn't look like cluster-api-provide-aws is passing through the encrypted to https://docs.aws.amazon.com/sdk-for-go/v1/api/service.ec2.EbsBlockDevice.html

[wking]

I've filed rhbz#1734193 about the missing encrypted support.

[openshift-ci-robot]

@wking: The following tests failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
ci/prow/e2e-openstack	68d7514	link	/test e2e-openstack
ci/prow/e2e-aws	68d7514	link	/test e2e-aws
ci/prow/e2e-aws-scaleup-rhel7	68d7514	link	/test e2e-aws-scaleup-rhel7

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[wking]

/close

I'd forgotten about this PR and filed #2160 which also includes doc updates.

[openshift-ci-robot]

@wking: Closed this PR.

In response to this:

/close

I'd forgotten about this PR and filed #2160 which also includes doc updates.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.