Merge pull request #77369 from immutableT/remove-enc-from-kube-up

Remove the option of encrypting secrets in etcd via a locally stored key.
2025-07-26 21:17:23 +00:00 · 2019-05-03 02:56:29 -07:00 · 2019-05-03 02:56:29 -07:00 · eb41c9c5fc
commit eb41c9c5fc
parent 5f6d9b614e 1ae9cb2f88
2 changed files with 0 additions and 20 deletions
--- a/cluster/gce/config-default.sh
+++ b/cluster/gce/config-default.sh
@ -218,25 +218,6 @@ if [[ ${ENABLE_METADATA_CONCEALMENT:-} == "true" ]]; then
  PROVIDER_VARS="${PROVIDER_VARS:-} ENABLE_METADATA_CONCEALMENT METADATA_CONCEALMENT_NO_FIREWALL"
 fi
 # Enable AESGCM encryption of secrets by default.
 ENCRYPTION_PROVIDER_CONFIG="${ENCRYPTION_PROVIDER_CONFIG:-}"
 if [[ -z "${ENCRYPTION_PROVIDER_CONFIG}" ]]; then
    ENCRYPTION_PROVIDER_CONFIG=$(cat << EOM | base64 | tr -d '\r\n'
 kind: EncryptionConfiguration
 apiVersion: apiserver.config.k8s.io/v1
 resources:
  - resources:
    - secrets
    providers:
    - aesgcm:
        keys:
        - name: key1
          secret: $(dd if=/dev/urandom iflag=fullblock bs=32 count=1 2>/dev/null | base64 | tr -d '\r\n')
 EOM
 )
 fi
 # Optional: Enable node logging.
 ENABLE_NODE_LOGGING="${KUBE_ENABLE_NODE_LOGGING:-true}"
 LOGGING_DESTINATION="${KUBE_LOGGING_DESTINATION:-gcp}" # options: elasticsearch, gcp
--- a/cluster/gce/util.sh
+++ b/cluster/gce/util.sh
@ -1283,7 +1283,6 @@ ETCD_CA_KEY: $(yaml-quote ${ETCD_CA_KEY_BASE64:-})
 ETCD_CA_CERT: $(yaml-quote ${ETCD_CA_CERT_BASE64:-})
 ETCD_PEER_KEY: $(yaml-quote ${ETCD_PEER_KEY_BASE64:-})
 ETCD_PEER_CERT: $(yaml-quote ${ETCD_PEER_CERT_BASE64:-})
 ENCRYPTION_PROVIDER_CONFIG: $(yaml-quote ${ENCRYPTION_PROVIDER_CONFIG:-})
 SERVICEACCOUNT_ISSUER: $(yaml-quote ${SERVICEACCOUNT_ISSUER:-})
 EOF
    # KUBE_APISERVER_REQUEST_TIMEOUT_SEC (if set) controls the --request-timeout