Merge pull request #7900 from zacblazic/use-encryption-provider-confi…

…g-flag

Use non-experimental version of encryption provider config flag in 1.13+

k8s/crds/kops.k8s.io_clusters.yaml

@@ -987,6 +987,10 @@ spec:
                     in the 'kube-system' namespace to be used for TLS bootstrapping
                     authentication
                   type: boolean
+                encryptionProviderConfig:
+                  description: EncryptionProviderConfig enables encryption at rest
+                    for secrets.
+                  type: string
                 etcdCaFile:
                   description: EtcdCAFile is the path to a ca certificate
                   type: string

nodeup/pkg/model/kube_apiserver.go

@@ -59,13 +59,20 @@ func (b *KubeAPIServerBuilder) Build(c *fi.ModelBuilderContext) error {
 
 	if b.Cluster.Spec.EncryptionConfig != nil {
 		if *b.Cluster.Spec.EncryptionConfig && b.IsKubernetesGTE("1.7") {
-			b.Cluster.Spec.KubeAPIServer.ExperimentalEncryptionProviderConfig = fi.String(filepath.Join(b.PathSrvKubernetes(), "encryptionconfig.yaml"))
+			encryptionConfigPath := fi.String(filepath.Join(b.PathSrvKubernetes(), "encryptionconfig.yaml"))
+
+			if b.IsKubernetesGTE("1.13") {
+				b.Cluster.Spec.KubeAPIServer.EncryptionProviderConfig = encryptionConfigPath
+			} else {
+				b.Cluster.Spec.KubeAPIServer.ExperimentalEncryptionProviderConfig = encryptionConfigPath
+			}
+
 			key := "encryptionconfig"
 			encryptioncfg, _ := b.SecretStore.Secret(key)
 			if encryptioncfg != nil {
 				contents := string(encryptioncfg.Data)
 				t := &nodetasks.File{
-					Path:     *b.Cluster.Spec.KubeAPIServer.ExperimentalEncryptionProviderConfig,
+					Path:     *encryptionConfigPath,
 					Contents: fi.NewStringResource(contents),
 					Mode:     fi.String("600"),
 					Type:     nodetasks.FileType_File,

nodeup/pkg/model/kube_apiserver_test.go

@@ -128,6 +128,12 @@ func Test_KubeAPIServer_BuildFlags(t *testing.T) {
 			},
 			"--experimental-encryption-provider-config=/srv/kubernetes/encryptionconfig.yaml --insecure-port=0 --secure-port=0",
 		},
+		{
+			kops.KubeAPIServerConfig{
+				EncryptionProviderConfig: fi.String("/srv/kubernetes/encryptionconfig.yaml"),
+			},
+			"--encryption-provider-config=/srv/kubernetes/encryptionconfig.yaml --insecure-port=0 --secure-port=0",
+		},
 		{
 			kops.KubeAPIServerConfig{
 				TargetRamMb: 320,

pkg/apis/kops/componentconfig.go

@@ -396,6 +396,8 @@ type KubeAPIServerConfig struct {
 	AuthorizationWebhookCacheUnauthorizedTTL *metav1.Duration `json:"authorizationWebhookCacheUnauthorizedTtl,omitempty" flag:"authorization-webhook-cache-unauthorized-ttl"`
 	// AuthorizationRBACSuperUser is the name of the superuser for default rbac
 	AuthorizationRBACSuperUser *string `json:"authorizationRbacSuperUser,omitempty" flag:"authorization-rbac-super-user"`
+	// EncryptionProviderConfig enables encryption at rest for secrets.
+	EncryptionProviderConfig *string `json:"encryptionProviderConfig,omitempty" flag:"encryption-provider-config"`
 	// ExperimentalEncryptionProviderConfig enables encryption at rest for secrets.
 	ExperimentalEncryptionProviderConfig *string `json:"experimentalEncryptionProviderConfig,omitempty" flag:"experimental-encryption-provider-config"`
 

pkg/apis/kops/v1alpha1/componentconfig.go

@@ -396,6 +396,8 @@ type KubeAPIServerConfig struct {
 	AuthorizationWebhookCacheUnauthorizedTTL *metav1.Duration `json:"authorizationWebhookCacheUnauthorizedTtl,omitempty" flag:"authorization-webhook-cache-unauthorized-ttl"`
 	// AuthorizationRBACSuperUser is the name of the superuser for default rbac
 	AuthorizationRBACSuperUser *string `json:"authorizationRbacSuperUser,omitempty" flag:"authorization-rbac-super-user"`
+	// EncryptionProviderConfig enables encryption at rest for secrets.
+	EncryptionProviderConfig *string `json:"encryptionProviderConfig,omitempty" flag:"encryption-provider-config"`
 	// ExperimentalEncryptionProviderConfig enables encryption at rest for secrets.
 	ExperimentalEncryptionProviderConfig *string `json:"experimentalEncryptionProviderConfig,omitempty" flag:"experimental-encryption-provider-config"`
 

pkg/apis/kops/v1alpha2/componentconfig.go

@@ -396,6 +396,8 @@ type KubeAPIServerConfig struct {
 	AuthorizationWebhookCacheUnauthorizedTTL *metav1.Duration `json:"authorizationWebhookCacheUnauthorizedTtl,omitempty" flag:"authorization-webhook-cache-unauthorized-ttl"`
 	// AuthorizationRBACSuperUser is the name of the superuser for default rbac
 	AuthorizationRBACSuperUser *string `json:"authorizationRbacSuperUser,omitempty" flag:"authorization-rbac-super-user"`
+	// EncryptionProviderConfig enables encryption at rest for secrets.
+	EncryptionProviderConfig *string `json:"encryptionProviderConfig,omitempty" flag:"encryption-provider-config"`
 	// ExperimentalEncryptionProviderConfig enables encryption at rest for secrets.
 	ExperimentalEncryptionProviderConfig *string `json:"experimentalEncryptionProviderConfig,omitempty" flag:"experimental-encryption-provider-config"`