iits-consulting / terraform-opentelekomcloud-project-factory

This repository helps to create an OTC-based cloud-native infrastructure landscape with Kubernetes, load balancers, VPCs, etc. With these modules, we provide you a rocket start while you can still deep-dive into detailed configuration later.
GNU General Public License v3.0

How to set up encrypted CCE Node Storage correctly? #49

Closed Pascal-Orthopy closed 2 years ago

Pascal-Orthopy commented 2 years ago

Hello all,

First of all, thank you for these great Terraform modules; they are really helpful.

But I have a question: we are trying to encrypt the CCE node storage, but when we set up the configuration and agency for this feature, our nodes cannot start. Could it be that we forgot some settings, or is there documentation somewhere on how to set up encryption for the nodes?

Here is our CCE and Agency declaration:

module "cce" {
  source  = "registry.terraform.io/iits-consulting/project-factory/opentelekomcloud//modules/cce"
  version = "4.2.2"
  name    = "${var.context}-${var.stage}"

  cluster_config = {
    vpc_id            = module.vpc.vpc.id
    subnet_id         = module.vpc.subnets["kubernetes-subnet"].id
    cluster_version   = "v1.21"
    high_availability = false
    enable_scaling    = true
  }
  node_config = {
    availability_zones = [
      "${var.region}-03",
      "${var.region}-01"
    ]
    node_count                        = 2
    node_flavor                       = "s3.large.4"
    node_storage_type                 = "SSD"
    node_storage_size                 = 100
    node_storage_encryption_enabled   = true
  }
  autoscaling_config = {
    nodes_max = 2
  }
  tags = local.tags
}

resource "opentelekomcloud_identity_agency_v3" "agency" {
  name                  = "EVSAccessKMS"
  description           = "Node encryption"
  delegated_domain_name = "op_svc_evs"
  domain_roles          = ["KMS Administrator", ]
}

With this setting we get the following errors in our OTC console:

Create user node VMs. The process takes about 2 to 3 minutes.[0/1] | Failed |  
Install the Kubernetes software on the user node. The process takes about 1 to 2 minutes. [0/1] |  Failed |

and in the cluster we get these errors:

Failed to create node(s) (Internal error)
Failed to install the node (Internal error)
Failed to create the node VM (Internal error)

The agency and encryption keys are created.

Pascal-Orthopy commented 2 years ago

I have found a more detailed error entry; it seems like I missed some role settings?

[[CreateNodeVM.DoError] Expected HTTP response code [200 201 202 203 204] when accessing [POST https://ecs.eu-de.otc.t-systems.com/....], but got 400 instead {"error":{"message":"Failed to check the role of kms.{\"error\":{\"code\":\"EVS.2044\",\"message\":\"Failed to check the role of kms.\"}}","code":"Ecs.0025"}}, [InstallNode.DoError] [Install.Dependency] creating node machine failed]

Pascal-Orthopy commented 2 years ago

So I found the problem: our "Agency" declaration was not correct, we missed the "project_role" setting.

resource "opentelekomcloud_identity_agency_v3" "agency" {
  name                  = "EVSAccessKMS"
  description           = "CCE Node Encryption Agency"
  delegated_domain_name = "op_svc_evs"
  domain_roles          = ["KMS Administrator",]
  project_role {
    project = "eu-de"
    roles   = ["KMS Administrator",]
  }
}

This has fixed the cluster nodes.
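A pre-apply check for the fix above, added here as an example (it is not part of the module or of this thread): it walks the JSON that `terraform show -json tfplan` produces (assumed layout: planned_values → root_module → resources / child_modules, with the nested `project_role` block rendered as a list of objects) and flags any agency delegated to op_svc_evs that does not grant "KMS Administrator" at both domain and project level. The two embedded plans are constructed from the two agency declarations in this issue.

```python
KMS_ROLE = "KMS Administrator"
EVS_SERVICE = "op_svc_evs"
AGENCY_TYPE = "opentelekomcloud_identity_agency_v3"


def iter_resources(module):
    """Yield every resource in a module and its child modules (terraform show -json layout)."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def check_evs_kms_agencies(plan):
    """Return findings for op_svc_evs agencies that lack the KMS Administrator role.

    An empty list means every EVS agency grants the role at domain level AND in a
    project_role block; the missing project_role block was what produced the
    EVS.2044 "Failed to check the role of kms" error in this issue.
    """
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        values = res.get("values", {})
        if res.get("type") != AGENCY_TYPE or values.get("delegated_domain_name") != EVS_SERVICE:
            continue
        addr = res.get("address", "<unknown>")
        if KMS_ROLE not in values.get("domain_roles", []):
            findings.append(f"{addr}: domain_roles lacks '{KMS_ROLE}'")
        project_roles = values.get("project_role") or []
        if not project_roles:
            findings.append(f"{addr}: no project_role block")
        for pr in project_roles:
            if KMS_ROLE not in pr.get("roles", []):
                findings.append(f"{addr}: project_role for '{pr.get('project')}' lacks '{KMS_ROLE}'")
    return findings


def make_plan(project_role):
    """Constructed minimal plan document for the EVSAccessKMS agency from the issue."""
    values = {"name": "EVSAccessKMS", "delegated_domain_name": EVS_SERVICE,
              "domain_roles": [KMS_ROLE], "project_role": project_role}
    return {"format_version": "1.1", "planned_values": {"root_module": {"resources": [
        {"address": "opentelekomcloud_identity_agency_v3.agency", "type": AGENCY_TYPE, "values": values}]}}}


BROKEN_PLAN = make_plan([])  # first declaration in the issue: no project_role block
FIXED_PLAN = make_plan([{"project": "eu-de", "roles": [KMS_ROLE]}])  # corrected declaration

if __name__ == "__main__":
    for label, plan in (("broken", BROKEN_PLAN), ("fixed", FIXED_PLAN)):
        print(label, check_evs_kms_agencies(plan) or "ok")
```

For a real configuration, run `terraform plan -out=tfplan && terraform show -json tfplan > plan.json` and pass `json.load(open("plan.json"))` to `check_evs_kms_agencies` before applying.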