Bug 1734193

Summary: AWS EBS volume support ignores the 'encrypted' property
Product: OpenShift Container Platform
Reporter: W. Trevor King <wking>
Component: Cloud Compute
Assignee: Jan Chaloupka <jchaloup>
Status: CLOSED ERRATA
QA Contact: Jianwei Hou <jhou>
Severity: low
Priority: unspecified
Version: 4.2.0
CC: agarcial, gblomqui, zhsun
Target Release: 4.2.0   
Last Closed: 2019-10-16 06:33:52 UTC
Type: Bug

Description W. Trevor King 2019-07-29 22:34:57 UTC
Description of problem:

Currently setting 'encrypted: true' in a volume definition is silently ignored.

Version-Release number of selected component (if applicable):

Currently the encrypted setting [1] from [2] is ignored by the AWS cluster-API provider:

$ git grep Encrypted | grep -v vendor/
pkg/apis/awsproviderconfig/v1alpha1/awsmachineproviderconfig_types.go:    // Indicates whether the EBS volume is encrypted. Encrypted Amazon EBS volumes
pkg/apis/awsproviderconfig/v1alpha1/awsmachineproviderconfig_types.go:    Encrypted *bool `json:"encrypted,omitempty"`
pkg/apis/awsproviderconfig/v1alpha1/zz_generated.deepcopy.go:    if in.Encrypted != nil {
pkg/apis/awsproviderconfig/v1alpha1/zz_generated.deepcopy.go:        in, out := &in.Encrypted, &out.Encrypted

This means that you cannot use the setting to get encrypted root volumes for compute machines [3].  The provider should respect the setting and provision encrypted volumes when requested.

[1]: https://github.com/openshift/cluster-api-provider-aws/blob/7a53d36f7e4c928b51a502b9f12e245045cfb6f3/pkg/apis/awsproviderconfig/v1beta1/awsmachineproviderconfig_types.go#L179-L181
[2]: https://github.com/openshift/cluster-api-provider-aws/commit/e8362ca5a52914921d0d20d9c89b870e48285dc1
[3]: https://github.com/openshift/installer/pull/2114#issuecomment-516180113
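
The failure mode described above, as an added example that is not the provider's own code: a field that exists in the API type but is never copied into the cloud request is dropped without any error. The struct and function names below are simplified stand-ins (assumptions), and checkEncryption is a hypothetical guard that fails closed when encryption was requested but the request would not carry it.

```go
package main

import "fmt"

// Simplified stand-ins (assumptions) for the provider config type and the
// EC2 request type; they are not the provider's real definitions.
type EBSBlockDeviceSpec struct {
	Encrypted  *bool   `json:"encrypted,omitempty"`
	VolumeSize *int64  `json:"volumeSize,omitempty"`
	VolumeType *string `json:"volumeType,omitempty"`
}

type ec2EbsBlockDevice struct {
	Encrypted  *bool
	VolumeSize *int64
	VolumeType *string
}

// mapIgnoringEncrypted reproduces the reported behaviour: Encrypted is part of
// the API type but is never copied into the request, so it is silently dropped.
func mapIgnoringEncrypted(spec EBSBlockDeviceSpec) ec2EbsBlockDevice {
	return ec2EbsBlockDevice{VolumeSize: spec.VolumeSize, VolumeType: spec.VolumeType}
}

// mapRespectingEncrypted copies the setting through; nil stays nil (unset).
func mapRespectingEncrypted(spec EBSBlockDeviceSpec) ec2EbsBlockDevice {
	out := mapIgnoringEncrypted(spec)
	out.Encrypted = spec.Encrypted
	return out
}

// checkEncryption (hypothetical guard) returns an error when the spec asks for
// an encrypted volume but the outgoing request does not.
func checkEncryption(spec EBSBlockDeviceSpec, req ec2EbsBlockDevice) error {
	wanted := spec.Encrypted != nil && *spec.Encrypted
	if wanted && (req.Encrypted == nil || !*req.Encrypted) {
		return fmt.Errorf("spec sets encrypted: true but the request would create an unencrypted volume")
	}
	return nil
}

func main() {
	// Constructed sample input: a 120 GiB gp2 volume with encrypted: true.
	enc, size, typ := true, int64(120), "gp2"
	spec := EBSBlockDeviceSpec{Encrypted: &enc, VolumeSize: &size, VolumeType: &typ}
	fmt.Println("ignoring field:  ", checkEncryption(spec, mapIgnoringEncrypted(spec)))
	fmt.Println("respecting field:", checkEncryption(spec, mapRespectingEncrypted(spec)))
}
```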

Comment 4 sunzhaohua 2019-08-06 08:50:04 UTC
Verified.

clusterversion: 4.2.0-0.nightly-2019-08-05-223032

Created a machine with "encrypted: true" set, checked the EBS volumes, and could see "Encryption: Encrypted".

Comment 5 errata-xmlrpc 2019-10-16 06:33:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2922