-
Notifications
You must be signed in to change notification settings - Fork 4.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enable weave network encryption #3734
Comments
A kops secret which is used in the template would be perfect. I think you have a good example to use. I am open to using a random key as well. We probably want to store the data in a k8s secrets which is populated in the weave manifest |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
/remove-lifecycle stale |
Here are the tasks:
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
/reopen |
This is a required security feature. |
This would be really nice to have. |
@chrislovecnm Hi. I'm working on this, but I'm not sure how to create a k8s secret from a kops secret. Any pointers?
Also, do we need to create another secret type for this? Currently I see only these 4 types are available:
|
Is part of developing a toggle for this to have the status easily visible somewhere? I think I have enabled this feature manually, but the only way I have found to check the weave encryption status is to run Edit:
|
Sorry, I forgot to link this. A word of warning, I have no tried to migrate a production cluster yet and I doubt it will work without downtime. |
I don't know why, but my weavenet never seems to come when I enable encryption with a secret I just added. My flow is: create the secret, apply Weaveworks K8s with password-secret |
@thedarkfalcon well, that is hard for me to diagnose. |
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
Rotten issues close after 30d of inactivity. Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
@fejta-bot: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Just for anyone else that finds this thread via google. My problem was that the filename of the secret actually seemed to matter. Even though I was giving the secret a name, the file that the secret was being read from seemed to have an affect of the secrets data. I was initially creating the secret from a Jenkins secret file - which receives a random name when it is exposed to the Jenkins workspace. This secret was then being added to the cluster, however the metadata or something with the Kubernetes secret was wrong due to the input filename.. When I was deleting the secret and manually recreating it, I was using the expected filename. I troubleshooted all this by being bad and just dumping secrets to screen and saw the discrepancy. |
We would like to enable weave's network encryption capabilities for intra cluster communications. This weave feature is documented at
Reading over previous kops issues I see that
Feature request: ability to configure weave
(#1171) is inconclusive. Any updates on this front? I also see that #2600 merged. Presumably this would not be that different a change.From the weave documentation looks like we'd only need a
password
flag in its configuration to enable encryption. Perhaps this could be a boolean config exposed to users. If true, a random key is generated by kops, stored similarkops secrets
, and injected into the weave config files. Another alternative is having users provide a key.Upgrading existing clusters could be problematic/require downtime.
Happy to contribute time towards this feature. Wondering if there's anything else surrounding #1171 or this particular feature development-wise that I should be aware of before doing so.
Thanks!
The text was updated successfully, but these errors were encountered: