IBM-Cloud / terraform-provider-ibm

https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs
Mozilla Public License 2.0

ibm_container_vpc_cluster - properties KeyProtect #4123

Open pauljegouic opened 1 year ago

pauljegouic commented 1 year ago

Hello there @hkantare

Hope you're doing well :)

I am looking into new definitions, especially ibm_container_vpc_cluster, and I can't understand the difference between:

Is there a difference in terms of behaviour?

Can we define different keys for different usages (i.e. etcd encryption and boot volume)? Or is it a deprecation (crk_id and kms_instance_id to be left soon)?

hkantare commented 1 year ago

kms_config is used to protect Kubernetes secrets and any credentials stored in a secret by enabling a [key management service (KMS) provider], which provides an encryption solution using a root key. https://cloud.ibm.com/docs/containers?topic=containers-encryption

crk & kms_instance_id are used for encryption of the local disk of worker nodes: https://cloud.ibm.com/docs/openshift?topic=openshift-encryption#worker-encryption-vpc

pauljegouic commented 1 year ago

Thanks so much for the answer!

Based on the documentation, encryption at worker level is managed per workerpool. --> Does it mean that if we create an additional workerpool, we have to specify it in our ibm_container_vpc_worker_pool? In other words, this new pool does not inherit from the default one, right? --> Also, from a graphical point of view, can encryption for the boot volume be done through the IBM Cloud GUI, or is it only implemented by the CLI and Terraform provider?

attilatabori commented 1 year ago

Workerpool does not inherit from other workerpools. Everything has to be specified for each new workerpool.

When you create a VPC cluster, at the bottom of the page you should find this for enabling boot volume encryption:

[image: boot volume encryption option on the cluster creation page]
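The two answers above describe two independent settings on the cluster resource (the `kms_config` block for Kubernetes secrets, and `crk`/`kms_instance_id` for worker local disks), plus the point that a new worker pool must carry its own worker-disk settings. The following Terraform configuration is an added illustration of that layout; it is not code from the thread or from the provider's documentation. The `kms_config` sub-attributes (`instance_id`, `crk_id`, `private_endpoint`), the worker pool's `crk`/`kms_instance_id` arguments and all variable names and values are assumptions and placeholders to check against the provider docs for your version.

```hcl
# Added example (not from the thread or the provider docs). All IDs are placeholders
# supplied through variables; attribute names outside the thread are assumptions.
variable "vpc_id"            { type = string }
variable "subnet_id"         { type = string }
variable "resource_group_id" { type = string }
variable "kms_instance_id"   { type = string } # Key Protect instance GUID (placeholder)
variable "secrets_crk_id"    { type = string } # root key for Kubernetes secrets
variable "worker_crk_id"     { type = string } # root key for worker local disks

resource "ibm_container_vpc_cluster" "cluster" {
  name              = "example-cluster"
  vpc_id            = var.vpc_id
  flavor            = "bx2.4x16"
  worker_count      = 3
  resource_group_id = var.resource_group_id

  zones {
    subnet_id = var.subnet_id
    name      = "eu-de-1" # placeholder zone
  }

  # (1) Kubernetes secrets encryption via the KMS provider (hkantare's first point).
  kms_config {
    instance_id      = var.kms_instance_id
    crk_id           = var.secrets_crk_id
    private_endpoint = true # assumed attribute: reach Key Protect over the private endpoint
  }

  # (2) Worker node local disk encryption for the default worker pool (second point).
  # This is a separate setting from kms_config and may reference a different root key.
  kms_instance_id = var.kms_instance_id
  crk             = var.worker_crk_id
}

# An additional pool does not inherit the default pool's settings, so the
# worker-disk encryption arguments have to be repeated here.
resource "ibm_container_vpc_worker_pool" "extra" {
  cluster           = ibm_container_vpc_cluster.cluster.id
  worker_pool_name  = "extra-pool"
  flavor            = "bx2.4x16"
  vpc_id            = var.vpc_id
  worker_count      = 2
  resource_group_id = var.resource_group_id

  zones {
    subnet_id = var.subnet_id
    name      = "eu-de-1" # placeholder zone
  }

  kms_instance_id = var.kms_instance_id
  crk             = var.worker_crk_id
}
```

After `terraform apply`, `terraform state show ibm_container_vpc_worker_pool.extra` is a quick way to confirm the extra pool actually recorded `crk` and `kms_instance_id` rather than silently running with unencrypted worker disks; a pool created without them will simply not show those values.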
nicolascomete commented 1 year ago

@attilatabori this is what we have tried with @pauljegouic. But this leads to a situation where the cluster creation never completes, because each worker node remains stuck at "Provisioning - Completing worker configuration". [Screenshot 2022-11-08 at 13 41 55]

attilatabori commented 1 year ago

About the workers stuck at provisioning: you may raise a ticket toward VPC at https://cloud.ibm.com/unifiedsupport/. Workers happen to provision for lengthy times, but should not get stuck at it.

pauljegouic commented 1 year ago

There is an issue with our region, because of endpoints specificity.

Encryption of workers is done through the Key Protect public endpoints (because of "disable_public_endpoints: false" - WORST property ever, since it controls more than the user can think).

These endpoints do not exist in our region. Can you instead use the private endpoint, even if "disable_public_endpoint" is set to false?

pradeep-b commented 1 year ago

@astha-jain Could you please review the above and suggest the next steps or who can help? Thanks.

pauljegouic commented 1 year ago

Since I understand this is not a terraform issue, I have raised a support ticket for this specific issue due to our region design: CS3269580

hkantare commented 1 year ago

@attilatabori can you look into this?