kube_encryption_resources must be output as yaml

[mirwan]

What type of PR is this?
/kind bug

What this PR does / why we need it:
kube_encryption_resources variable (list) is rendered as plain text from secrets_encryption.yaml.j2 template, elements of this list (strings) are prefixed with unicode "u" prefix in the rendered manifest.
As a consequence, encryption at REST is simply ignored for these resources.

This variable must be serialized as yaml, that's what this PR does.

Which issue(s) this PR fixes:
None

Special notes for your reviewer:
N/A

Does this PR introduce a user-facing change?:

Once the encryption-at-rest is in place, resources must be updated.
As mentioned in https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/, for example with secrets only (as the default value of `kube_encryption_resources` variable is), the following command should be applied:
kubectl get secrets --all-namespaces -o json | kubectl replace -f -

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mirwan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [mirwan]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[floryut]

I'm not sure this is needed, here is an output of what I got as of now

[root@instance-1 ssl]# cat secrets_encryption.yaml
kind: EncryptionConfig
apiVersion: v1
resources:
  - resources: ['secrets']
    providers:
    - aescbc:
        keys:
        - name: key
          secret: aGg2TUtSZTllUUpGRlFhalR0d050UzdQMTFLand2SDI=
    - identity: {}

Compared to your version

[root@instance-1 ssl]# cat secrets_encryption.yaml
kind: EncryptionConfig
apiVersion: v1
resources:
  - resources: 
    - 'secrets'

    providers:
    - aescbc:
        keys:
        - name: key
          secret: aGg2TUtSZTllUUpGRlFhalR0d050UzdQMTFLand2SDI=
    - identity: {}

Am I missing something ?

[mirwan]

@floryut That is the output I get:

kind: EncryptionConfig
apiVersion: v1
resources:
  - resources: [u'secrets']
    providers:
    - aescbc:
        keys:
        - name: key
          secret: 5oM3SecretB643ncoded=
    - identity: {}

I don't know what is the root cause (py version on the remote host, control machine, ...).
Anyway, as far as the variable kube_encryption_resources is defined as an ansible (python) list it should be serialized as yaml.
Otherwise, kube_encryption_resources type may be enforced as string but it could be handy to keep it as a list.

[mirwan]

@floryut What do you think ?

[floryut]

@floryut What do you think ?

Looks good to me, WDYT @EppO ?

[Miouge1]

Can we add a test case for it? Like a file in tests/files/*.yml with an working example of kube_encryption_resources?

[floryut]

Can we add a test case for it? Like a file in tests/files/*.yml with an working example of kube_encryption_resources?

Well as of now we kind of already have a test for it as it's default to kube_encryption_resources: [secrets]
Do you think we need more than that ?

[floryut]

Lets merge that, we can always add another PR if we want to further test things, as long as this fix a bug in some cases
/lgtm

[mirwan]

@floryut Thx for the approval.
@Miouge1 @floryut I can work on another PR to include a encryption test. I took a look at the current test cases, I would add a 0X0_check_encryption.yml playbook with a block task conditioned by kube_encrypt_secret_data. The playbook would be run no matter what but tasks would be skipped most of the time. Is it the right way ?

[brysonshepherd]

@mirwan thanks for this. it was weird because new clusters were fine, but it was killing my upgrades.

[brysonshepherd]

We need this cherrypicked to release-2.13

[floryut]

We need this cherrypicked to release-2.13

Please do, we could always do another tag with the 1.18.9 I guess