Open pauljegouic opened 1 year ago
kms_config
is used to protect Kubernetes secrets and any credentials stored in a secret by enabling a [key management service (KMS) provider], which provides an encryption solution using a root key.
https://cloud.ibm.com/docs/containers?topic=containers-encryption
crk & kms_instance_id
- are used for encryption of the local disk of worker nodes
https://cloud.ibm.com/docs/openshift?topic=openshift-encryption#worker-encryption-vpc
Thanks so much for the answer!
Based on the documentation, encryption at the worker level is managed per workerpool.
--> Does that mean that if we create an additional workerpool, we have to declare it in our ibm_container_vpc_worker_pool? In other words, this new pool does not inherit from the default one, right?
--> Also, from a graphical point of view, can encryption for the boot volume be done through the IBM Cloud GUI, or is it only implemented in the CLI and the Terraform provider?
A workerpool does not inherit from other workerpools. Everything has to be specified for each new workerpool.
When you create a VPC cluster, at the bottom of the page you should find this option for enabling boot volume encryption.
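As an added example (not code from this issue, from the provider's documentation, or from any of the participants), here is how the two answers above fit together in one Terraform configuration: `kms_config` on the cluster for secret (etcd) encryption, `kms_instance_id` and `crk` on the cluster for the default pool's boot volumes, and the same two arguments repeated on an `ibm_container_vpc_worker_pool`, since the pool does not inherit them. Argument names follow the IBM Cloud Terraform provider as I know it; the `private_endpoint` flag inside `kms_config`, the variable names, zone, flavor and every ID are assumptions or placeholders, not values from the thread.

```hcl
# Added example, not from the issue thread or the provider docs.
# Assumed/placeholder: variable names, zone, flavor, IDs, and the
# kms_config.private_endpoint flag (set here to keep Key Protect traffic
# on the private endpoint, the concern raised later in this thread).

variable "vpc_id"            { type = string }
variable "subnet_id"         { type = string }
variable "resource_group_id" { type = string }
variable "kp_instance_guid"  { type = string } # Key Protect instance GUID (placeholder)
variable "etcd_root_key_id"  { type = string } # root key for secret (etcd) encryption
variable "boot_root_key_id"  { type = string } # root key for worker boot volumes

resource "ibm_container_vpc_cluster" "cluster" {
  name              = "example-cluster"
  vpc_id            = var.vpc_id
  flavor            = "bx2.4x16"
  worker_count      = 3
  resource_group_id = var.resource_group_id

  zones {
    subnet_id = var.subnet_id
    name      = "eu-de-1" # assumed zone
  }

  # Secret (etcd) encryption via the KMS provider. A different root key
  # from the boot volume key, so the two can be rotated independently.
  kms_config {
    instance_id      = var.kp_instance_guid
    crk_id           = var.etcd_root_key_id
    private_endpoint = true # assumed flag
  }

  # Boot volume encryption for the cluster's default worker pool.
  kms_instance_id = var.kp_instance_guid
  crk             = var.boot_root_key_id
}

resource "ibm_container_vpc_worker_pool" "extra" {
  cluster           = ibm_container_vpc_cluster.cluster.id
  worker_pool_name  = "extra-pool"
  flavor            = "bx2.4x16"
  vpc_id            = var.vpc_id
  worker_count      = 2
  resource_group_id = var.resource_group_id

  zones {
    subnet_id = var.subnet_id
    name      = "eu-de-1" # assumed zone
  }

  # Not inherited from the default pool: leaving these out would create
  # an unencrypted boot volume, so they are repeated explicitly.
  kms_instance_id = var.kp_instance_guid
  crk             = var.boot_root_key_id
}
```

After `terraform apply`, a quick check that nothing was silently dropped is to inspect each pool's worker flavor and encryption status in the cluster's worker pool listing, and to confirm in Key Protect that both root keys show a registration for the cluster.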
@attilatabori this is what we tried with @pauljegouic, but it leads to a situation where cluster creation never completes, because each worker node remains stuck at "Provisioning - Completing worker configuration".
About the workers stuck at provisioning, you may raise a ticket with VPC at https://cloud.ibm.com/unifiedsupport/. Workers sometimes take a lengthy time to provision, but they should not get stuck at it.
There is an issue with our region, because of endpoint specifics.
Encryption of workers is done through the Key Protect public endpoints (because of "disable_public_endpoints: false", the WORST property ever, since it controls more than the user would think).
These endpoints do not exist in our region. Can you instead use the private endpoint, even if "disable_public_endpoint" is set to false?
@astha-jain Could you please review the above and suggest the next steps or who can help? Thanks.
Since I understand this is not a Terraform issue, I have raised a support ticket for this specific issue, due to our region design: CS3269580
@attilatabori can you look into this
Hello there @hkantare
Hope you're doing well :)
I am looking into new definitions, especially ibm_container_vpc_cluster, and I can't understand the difference between:
kms_config block
crk_id & kms_instance_id
Is there a difference in terms of behaviour?
Can we define different keys for different usages (i.e. etcd encryption and boot volume)? Or is it a deprecation (crk_id and kms_instance_id to be dropped soon)?