Closed cristicalin closed 2 years ago
It looks like the code is missing some sanity checks:
```console
(venv) root@ubuntu-nuc-00:~/kubespray# cat /etc/kubernetes/ssl/secrets_encryption.yaml
kind: EncryptionConfig
apiVersion: v1
resources:
  - resources:
    - secrets
    providers:
    - aescbc:
        keys:
        - name: key
          secret: <removed on purpose>
    - identity: {}
(venv) root@ubuntu-nuc-00:~/kubespray# grep -r secrets_encryption_query roles/
roles/kubernetes/control-plane/defaults/main/main.yml:secrets_encryption_query: "resources[*].providers[0].{{kube_encryption_algorithm}}.keys[0].secret"
roles/kubernetes/control-plane/tasks/encrypt-at-rest.yml:    kube_encrypt_token_extracted: "{{ secret_file_decoded | json_query(secrets_encryption_query) | first | b64decode }}"
(venv) root@ubuntu-nuc-00:~/kubespray# grep -r kube_encryption_algorithm roles/
roles/kubernetes/control-plane/defaults/main/main.yml:kube_encryption_algorithm: "secretbox"
roles/kubernetes/control-plane/defaults/main/main.yml:secrets_encryption_query: "resources[*].providers[0].{{kube_encryption_algorithm}}.keys[0].secret"
roles/kubernetes/control-plane/templates/secrets_encryption.yaml.j2:    - {{ kube_encryption_algorithm }}:
(venv) root@ubuntu-nuc-00:~/kubespray# cat roles/kubernetes/control-plane/templates/secrets_encryption.yaml.j2
kind: EncryptionConfig
apiVersion: v1
resources:
  - resources:
{{ kube_encryption_resources|to_nice_yaml|indent(4, True) }}
    providers:
    - {{ kube_encryption_algorithm }}:
        keys:
        - name: key
          secret: {{ kube_encrypt_token | b64encode }}
    - identity: {}
```
https://github.com/kubernetes-sigs/kubespray/pull/8574 seems to be the culprit here. Maybe some sanity checks are warranted instead of the later failure in the playbook execution, or better detection of the currently configured value.
/cc @Payback159
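To show the mismatch described in the issue and the kind of detection it asks for, here is an added Python example (not kubespray's code): it works on a constructed stand-in for the parsed YAML and re-implements the JMESPath query by hand, assuming `json_query`'s behaviour of dropping null results from a `[*]` projection, which is why the `| first` filter ends up failing.

```python
import base64

# Constructed sample: the parsed form of the aescbc-based
# /etc/kubernetes/ssl/secrets_encryption.yaml shown in the issue.
# The token is made up; the real file had the secret removed.
EXAMPLE_TOKEN = b"example-token-not-a-real-key"
ENCODED_TOKEN = base64.b64encode(EXAMPLE_TOKEN).decode()
EXISTING_CONFIG = {
    "kind": "EncryptionConfig",
    "apiVersion": "v1",
    "resources": [{
        "resources": ["secrets"],
        "providers": [
            {"aescbc": {"keys": [{"name": "key", "secret": ENCODED_TOKEN}]}},
            {"identity": {}},
        ],
    }],
}


def query_fixed_algorithm(config, algorithm):
    """Hand-written equivalent of the role's JMESPath query
    resources[*].providers[0].<algorithm>.keys[0].secret.
    Like json_query, a [*] projection drops null results, so a file
    written with a different provider yields [] and `| first` fails."""
    found = []
    for res in config.get("resources", []):
        providers = res.get("providers") or []
        block = providers[0].get(algorithm) if providers else None
        if block and block.get("keys"):
            found.append(block["keys"][0]["secret"])
    return found


def detect_configured_provider(config):
    """The sanity check the issue asks for: find the first non-identity
    provider actually present and return (its name, its decoded key).
    Returns (None, None) when only the identity provider is configured."""
    for res in config.get("resources", []):
        for provider in res.get("providers") or []:
            for name, body in provider.items():
                keys = (body or {}).get("keys") or []
                if name != "identity" and keys:
                    return name, base64.b64decode(keys[0]["secret"])
    return None, None
```

Comparing the detected provider name against the inventory's `kube_encryption_algorithm` before the extraction task would turn the late `first` failure into an early, explicit check.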
Hi @cristicalin, I probably won't get around to it this week. Next week I should be able to take a look at it.
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:
- `lifecycle/stale` is applied
- After `lifecycle/stale` was applied, `lifecycle/rotten` is applied
- After `lifecycle/rotten` was applied, the issue is closed

You can:
- `/remove-lifecycle stale`
- `/lifecycle rotten`
- `/close`

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:
- `lifecycle/stale` is applied
- After `lifecycle/stale` was applied, `lifecycle/rotten` is applied
- After `lifecycle/rotten` was applied, the issue is closed

You can:
- `/remove-lifecycle rotten`
- `/close`

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:
- `lifecycle/stale` is applied
- After `lifecycle/stale` was applied, `lifecycle/rotten` is applied
- After `lifecycle/rotten` was applied, the issue is closed

You can:
- `/reopen`
- `/remove-lifecycle rotten`

Please send feedback to sig-contributor-experience at kubernetes/community.

/close
@k8s-triage-robot: Closing this issue.
/reopen
@brysonshepherd: You can't reopen an issue/PR unless you authored it or you are a collaborator.
This issue was never addressed, and there is not a documented way to upgrade from kubespray 2.18 to 2.19 if `kube_encrypt_secret_data` was originally set to true in 2.18 using `kube_encryption_algorithm: "aescbc"`, besides pinning the `kube_encryption_algorithm`.
Environment:
- Cloud provider or hardware configuration: Baremetal
- OS (`printf "$(uname -srm)\n$(cat /etc/os-release)\n"`):
- Version of Ansible (`ansible --version`):
- Version of Python (`python --version`):
- Kubespray version (commit) (`git rev-parse --short HEAD`):
- Network plugin used:
- Full inventory with variables (`ansible -i inventory/sample/inventory.ini all -m debug -a "var=hostvars[inventory_hostname]"`):
- Command used to invoke ansible:
- Output of ansible run:
- Anything else we need to know: