authorKenny Woodson <kwoodson@redhat.com>2017-06-26 18:53:03 -0400
committerKenny Woodson <kwoodson@redhat.com>2017-06-29 11:35:46 -0400
commit54fc9c9d8fe47097d8bb1da2520ec5b2471d3954 (patch)
treeb25bf467ad7c6b710086101d7976233a3966bb47
parentd108da5c4447950f07f9f0ead181383d8c6b4b02 (diff)
Adding disk encryption to storageclasses and to openshift registry
-rw-r--r--inventory/byo/hosts.origin.example7
-rw-r--r--inventory/byo/hosts.ose.example7
-rw-r--r--roles/openshift_default_storage_class/README.md11
-rw-r--r--roles/openshift_default_storage_class/defaults/main.yml8
-rw-r--r--roles/openshift_default_storage_class/tasks/main.yml3
-rw-r--r--roles/openshift_hosted/templates/registry_config.j25
6 files changed, 33 insertions, 8 deletions
diff --git a/inventory/byo/hosts.origin.example b/inventory/byo/hosts.origin.example
index b38c6e6b6..c02afe024 100644
--- a/inventory/byo/hosts.origin.example
+++ b/inventory/byo/hosts.origin.example
@@ -464,6 +464,8 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
# S3 bucket must already exist.
#openshift_hosted_registry_storage_kind=object
#openshift_hosted_registry_storage_provider=s3
+#openshift_hosted_registry_storage_s3_encrypt=false
+#openshift_hosted_registry_storage_s3_kmskeyid=aws_kms_key_id
#openshift_hosted_registry_storage_s3_accesskey=aws_access_key_id
#openshift_hosted_registry_storage_s3_secretkey=aws_secret_access_key
#openshift_hosted_registry_storage_s3_bucket=bucket_name
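Review bot: The two new example keys are listed without saying how they relate, and a reader who copies `openshift_hosted_registry_storage_s3_encrypt=false` next to a KMS key id will end up with an unencrypted bucket. As far as I can tell from the registry's S3 driver, the key id is only consulted when encrypt is true (encrypt alone selects S3-managed keys, encrypt plus a key id selects SSE-KMS), and the IAM principal behind the access key then also needs permission to use that key; please say so above these lines, e.g. `# Set encrypt=true for server-side encryption of registry blobs (S3-managed keys); kmskeyid` / `# additionally selects SSE-KMS with that key, which the access key's IAM principal must be allowed to use.` Since this commit exists to enable encryption, showing `encrypt=true` as the example value would also be more useful than repeating the default.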
@@ -548,6 +550,11 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
# Configure the prefix and version for the component images
#openshift_hosted_metrics_deployer_prefix=docker.io/openshift/origin-
#openshift_hosted_metrics_deployer_version=3.6.0
+#
+# StorageClass
+# openshift_storageclass_name=gp2
+# openshift_storageclass_parameters={'type': 'gp2', 'encrypted': false}
+#
# Logging deployment
#
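Review bot: Kubernetes StorageClass `parameters` is a string-to-string map, so `'encrypted': false` in the example has the wrong shape: the aws-ebs provisioner parses the string "true"/"false", and a bare boolean is expected to be rejected once it reaches the StorageClass object. This file already quotes booleans that way in the identity-provider example above (`'login': 'true'`), so the example should read `# openshift_storageclass_parameters={'type': 'gp2', 'encrypted': 'true'}`, with `'true'` being the value that demonstrates what this commit adds. The key must also be spelled `encrypted` exactly as here; the README example in this commit spells it `encripted`, which the provisioner will not recognise.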
diff --git a/inventory/byo/hosts.ose.example b/inventory/byo/hosts.ose.example
index e5e9c7342..74d4edcfe 100644
--- a/inventory/byo/hosts.ose.example
+++ b/inventory/byo/hosts.ose.example
@@ -464,6 +464,8 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
# S3 bucket must already exist.
#openshift_hosted_registry_storage_kind=object
#openshift_hosted_registry_storage_provider=s3
+#openshift_hosted_registry_storage_s3_encrypt=false
+#openshift_hosted_registry_storage_s3_kmskeyid=aws_kms_key_id
#openshift_hosted_registry_storage_s3_accesskey=aws_access_key_id
#openshift_hosted_registry_storage_s3_secretkey=aws_secret_access_key
#openshift_hosted_registry_storage_s3_bucket=bucket_name
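Review bot: `openshift_hosted_registry_storage_s3_kmskeyid=aws_kms_key_id` is a placeholder that reads like a real value, and nothing here says the id only has an effect together with `encrypt=true` (which is how I read the registry's S3 driver; please confirm). I would make the placeholder obviously a placeholder and state the dependency on the same line: `#openshift_hosted_registry_storage_s3_kmskeyid=<KMS key id or ARN; used only when encrypt=true>`. This file is meant to mirror hosts.origin.example, so whatever wording is chosen should land in both.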
@@ -548,6 +550,11 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
# Configure the prefix and version for the component images
#openshift_hosted_metrics_deployer_prefix=registry.example.com:8888/openshift3/
#openshift_hosted_metrics_deployer_version=3.6.0
+#
+# StorageClass
+# openshift_storageclass_name=gp2
+# openshift_storageclass_parameters={'type': 'gp2', 'encrypted': false}
+#
# Logging deployment
#
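Review bot: The example value `{'type': 'gp2', 'encrypted': false}` is unlikely to parse as a dict in an INI inventory: Ansible evaluates INI values as Python literals, lowercase `false` is not one, so the whole value most likely stays a plain string and is then handed to the StorageClass as such. StorageClass parameters are string-valued anyway, so the example should quote the value, `# openshift_storageclass_parameters={'type': 'gp2', 'encrypted': 'true'}`, matching the quoting used for `'login': 'true'` earlier in this file. A comment here that this setting replaces the whole default parameter map, so `type` must be kept alongside `encrypted`, would also save users from losing the volume type when they turn encryption on.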
diff --git a/roles/openshift_default_storage_class/README.md b/roles/openshift_default_storage_class/README.md
index 198163127..bc825a479 100644
--- a/roles/openshift_default_storage_class/README.md
+++ b/roles/openshift_default_storage_class/README.md
@@ -3,6 +3,8 @@ openshift_master_storage_class
A role that deploys configuratons for Openshift StorageClass
+Documentation: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
+
Requirements
------------
@@ -13,7 +15,8 @@ Role Variables
openshift_storageclass_name: Name of the storage class to create
openshift_storageclass_provisioner: The kubernetes provisioner to use
-openshift_storageclass_type: type of storage to use. This is different among clouds/providers
+openshift_storageclass_parameters: Paramters to pass to the storageclass parameters section
+
Dependencies
------------
@@ -22,10 +25,14 @@ Dependencies
Example Playbook
----------------
+ # aws specific
- role: openshift_default_storage_class
openshift_storageclass_name: awsEBS
openshift_storageclass_provisioner: kubernetes.io/aws-ebs
- openshift_storageclass_type: gp2
+ openshift_storageclass_parameters:
+ type: gp2
+ encripted: true
+
License
diff --git a/roles/openshift_default_storage_class/defaults/main.yml b/roles/openshift_default_storage_class/defaults/main.yml
index 66ffd2a73..4bdc1dd6e 100644
--- a/roles/openshift_default_storage_class/defaults/main.yml
+++ b/roles/openshift_default_storage_class/defaults/main.yml
@@ -3,12 +3,14 @@ openshift_storageclass_defaults:
aws:
name: gp2
provisioner: kubernetes.io/aws-ebs
- type: gp2
+ parameters:
+ type: gp2
gce:
name: standard
provisioner: kubernetes.io/gce-pd
- type: pd-standard
+ parameters:
+ type: pd-standard
openshift_storageclass_name: "{{ openshift_storageclass_defaults[openshift_cloudprovider_kind]['name'] }}"
openshift_storageclass_provisioner: "{{ openshift_storageclass_defaults[openshift_cloudprovider_kind]['provisioner'] }}"
-openshift_storageclass_type: "{{ openshift_storageclass_defaults[openshift_cloudprovider_kind]['type'] }}"
+openshift_storageclass_parameters: "{{ openshift_storageclass_defaults[openshift_cloudprovider_kind]['parameters'] }}"
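Review bot: `openshift_storageclass_parameters` now defaults to the entire per-cloud `parameters` map, so a user who overrides it to enable encryption replaces `type` as well and must repeat it, and nothing in the file says so. A comment on the `openshift_storageclass_defaults` mapping (whose header is above the hunk) such as `# openshift_storageclass_parameters overrides this whole map; keep type alongside extra keys such as encrypted: "true"` would prevent that. The same comment should make clear that values are strings: `type: gp2` already is, but a bare `true` for `encrypted` would not be, and StorageClass parameters are string-valued.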
diff --git a/roles/openshift_default_storage_class/tasks/main.yml b/roles/openshift_default_storage_class/tasks/main.yml
index 408fc17c7..78c0cd761 100644
--- a/roles/openshift_default_storage_class/tasks/main.yml
+++ b/roles/openshift_default_storage_class/tasks/main.yml
@@ -14,6 +14,5 @@
annotations:
storageclass.beta.kubernetes.io/is-default-class: "true"
provisioner: "{{ openshift_storageclass_provisioner }}"
- parameters:
- type: "{{ openshift_storageclass_type }}"
+ parameters: "{{ openshift_storageclass_parameters }}"
run_once: true
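Review bot: `parameters: "{{ openshift_storageclass_parameters }}"` passes the user's map through untouched, but StorageClass `parameters` is a string-to-string map, so an `encrypted: true` written as a YAML boolean (as the README example in this commit does) is expected to be rejected when the object is created, whereas the old `type: "{{ openshift_storageclass_type }}"` form always produced a string. Either coerce the values to strings before submitting or document the requirement next to the line, e.g. `# StorageClass parameters are string-valued: write encrypted: "true", not true`. The task this line belongs to starts above the hunk, so I cannot see how the object is submitted or whether that module validates the map.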
diff --git a/roles/openshift_hosted/templates/registry_config.j2 b/roles/openshift_hosted/templates/registry_config.j2
index dc8a9f089..9673841bf 100644
--- a/roles/openshift_hosted/templates/registry_config.j2
+++ b/roles/openshift_hosted/templates/registry_config.j2
@@ -21,7 +21,10 @@ storage:
regionendpoint: {{ openshift_hosted_registry_storage_s3_regionendpoint }}
{% endif %}
bucket: {{ openshift_hosted_registry_storage_s3_bucket }}
- encrypt: false
+ encrypt: {{ openshift_hosted_registry_storage_s3_encrypt | default(false) }}
+{% if openshift_hosted_registry_storage_s3_kmskeyid %}
+ keyid: {{ openshift_hosted_registry_storage_s3_kmskeyid }}
+{% endif %}
secure: true
v4auth: true
rootdirectory: {{ openshift_hosted_registry_storage_s3_rootdirectory | default('/registry') }}
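Review bot: `{% if openshift_hosted_registry_storage_s3_kmskeyid %}` tests a variable that is commented out in both example inventories and has no default, unlike the `encrypt` line directly above it, so with Ansible's default undefined-variable handling every S3-backed registry that does not set a KMS key is likely to fail rendering this template. Use the same pattern as the line above: `{% if openshift_hosted_registry_storage_s3_kmskeyid | default('') %}`. It is also worth a template comment that `keyid` is, as far as I can tell from the registry's S3 driver, only honoured when `encrypt` is true, so `encrypt: false` with a key id silently stores blobs unencrypted. The `storage:` mapping these lines belong to starts above the hunk.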