From 535410c1cbe0c91e4c767b2cae8a61958a0638fe Mon Sep 17 00:00:00 2001
From: sajauddin
Date: Mon, 13 Feb 2023 01:53:07 -0800
Subject: [PATCH] Implementing rotation of etcd encryption keys
Signed-off-by: sajauddin
---
 playbooks/ocp-etcd-rotate-encryption-key.yml | 6 ++
 .../ocp-etcd-rotate-encryption-key/README.md | 43 +++++++++++++
 .../tasks/main.yaml | 63 +++++++++++++++++++
 3 files changed, 112 insertions(+)
 create mode 100644 playbooks/ocp-etcd-rotate-encryption-key.yml
 create mode 100644 playbooks/roles/ocp-etcd-rotate-encryption-key/README.md
 create mode 100644 playbooks/roles/ocp-etcd-rotate-encryption-key/tasks/main.yaml
diff --git a/playbooks/ocp-etcd-rotate-encryption-key.yml b/playbooks/ocp-etcd-rotate-encryption-key.yml
new file mode 100644
index 0000000..c5a415d
--- /dev/null
+++ b/playbooks/ocp-etcd-rotate-encryption-key.yml
@@ -0,0 +1,6 @@
+---
+-
+ name: OCP etcd rotate encryption key
+ hosts: bastion
+ roles:
+ - role: ocp-etcd-rotate-encryption-key
diff --git a/playbooks/roles/ocp-etcd-rotate-encryption-key/README.md b/playbooks/roles/ocp-etcd-rotate-encryption-key/README.md
new file mode 100644
index 0000000..48c3691
--- /dev/null
+++ b/playbooks/roles/ocp-etcd-rotate-encryption-key/README.md
@@ -0,0 +1,43 @@ +Rotate OCP ETCD encryption key +========= +This ansible playbook can be used to rotate encryption key for OpenShift API server and Kubernetes API server resources. + +Before rotating keys, encryption status for the OpenShift API server, Kubernetes API server and OpenShift OAuth API server will be verified. + + +Requirements +------------ + +- Access to the cluster as a user with the cluster-admin role. +- The cluster is in a known good state, without any errors. + + +Role Variables +-------------- + + - None + +Dependencies +------------ + + - None + +Example Playbook +---------------- +``` +- + name: OCP etcd rotate encryption key + hosts: bastion + roles: + - role: ocp-etcd-rotate-encryption-key +``` + +License +------- + +See LICENCE.txt + +Author Information +------------------ + +sajauddin.mohammad@ibm.com diff --git a/playbooks/roles/ocp-etcd-rotate-encryption-key/tasks/main.yaml b/playbooks/roles/ocp-etcd-rotate-encryption-key/tasks/main.yaml new file mode 100644 index 0000000..12b64a5 --- /dev/null +++ b/playbooks/roles/ocp-etcd-rotate-encryption-key/tasks/main.yaml 
@@ -0,0 +1,63 @@
+---
+# check if Cluster Health is good
+- name: Check all Cluster Operators are available
+ shell: oc get co | awk 'NR>1 {if($3=="False" || $4=="True" || $5=="True" ){print $1}}' | wc -l
+ register: co
+
+- name: Fail when Cluster Operators are not available
+ fail:
+ msg: " {{ co.stdout }} Cluster Operators is/are not available."
+ when: co.stdout | int != 0
+
+- name: Check all nodes are Ready
+ shell: oc wait --all --for=condition=Ready nodes --timeout=10s
+
+
+# Verify the encryption status of Openshift api server, Kubernetes api server and Openshift OAuth api server
+- name: Verify encryption of OpenShift API server
+ shell: oc get openshiftapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.reason}{"\n"}{.message}{"\n"}'
+ register: openshift_api_server_encryption_status
+
+- name: Fail if Openshift API server is not encrypted
+ fail:
+ msg: "OpenShift API server is not encrypted"
+ when: openshift_api_server_encryption_status.failed
+
+- name: Verify encryption of Kubernetes API server
+ shell: oc get kubeapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.reason}{"\n"}{.message}{"\n"}'
+ register: kubeapiserver_encryption_status
+
+- name: Fail if Kubernetes API server is not encrypted
+ fail:
+ msg: "Kubernetes API server is not encrypted"
+ when: kubeapiserver_encryption_status.failed
+
+- name: Verify encryption of OpenShift OAuth API server
+ shell: oc get authentication.operator.openshift.io -o=jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.reason}{"\n"}{.message}{"\n"}'
+ register: oauth_apiserver_encryption_status
+
+- name: Fail if Openshift OAuth API server is not encrypted
+ fail:
+ msg: "OpenShift OAuth API server is not encrypted"
+ when: oauth_apiserver_encryption_status.failed
+
+
+#Rotate encryption keys
+- name: Rotate encryption key for Openshift API server
+ shell: |
+ oc patch openshiftapiserver cluster --type merge -p "
+ spec:
+ unsupportedConfigOverrides:
+ encryption:
+ reason: force OAS rotation `date`
+ "
+
+- name: Rotate encryption key for Kubernetes API server
+ shell: |
+ oc patch kubeapiserver cluster --type merge -p "
+ spec:
+ unsupportedConfigOverrides:
+ encryption:
+ reason: force KAS rotation `date`
+ "
+
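Review bot: The three `Fail if ... is not encrypted` tasks can never trigger on an unencrypted cluster: `oc get ... -o=jsonpath` exits 0 and prints the `Encrypted` condition's reason whether that reason is `EncryptionCompleted` or `EncryptionDisabled`, and a non-zero exit would already have aborted the play at the preceding `shell` task (no `ignore_errors`), so `.failed` is always false by the time the `when` is evaluated. Test the registered output instead, e.g. `when: "'EncryptionCompleted' not in openshift_api_server_encryption_status.stdout"`, and the same for `kubeapiserver_encryption_status` and `oauth_apiserver_encryption_status`. The read-only `oc get`/`oc wait` tasks should also set `changed_when: false` so a verification-only run is not reported as a change. After the two `oc patch` calls nothing confirms that a rotation actually took place; polling the same `Encrypted` condition with `until`/`retries`/`delay` until its reason returns to `EncryptionCompleted` would close that gap, though the exact reasons the operators report during a rotation should be confirmed first.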