Bug 1734193 - AWS EBS volume support ignores the 'encrypted' property
Summary: AWS EBS volume support ignores the 'encrypted' property
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Cloud Compute
Version: 4.2.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.2.0
Assignee: Jan Chaloupka
QA Contact: Jianwei Hou
Depends On:
TreeView+ depends on / blocked
Reported: 2019-07-29 22:34 UTC by W. Trevor King
Modified: 2019-10-16 06:34 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-10-16 06:33:52 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Github openshift cluster-api-provider-aws pull 245 0 None closed Bug 1734193: Wire provider spec EBS volume Encrypted field into ec2.EbsBlockDevice.Encrypted field 2020-05-26 15:47:09 UTC
Red Hat Product Errata RHBA-2019:2922 0 None None None 2019-10-16 06:34:02 UTC

Description W. Trevor King 2019-07-29 22:34:57 UTC
Description of problem:

Currently setting 'encrypted: true' in a volume definition is silently ignored.

Version-Release number of selected component (if applicable):

Currently the encrypted setting [1] from [2] is ignored by the AWS cluster-API provider:

$ git grep Encrypted | grep -v vendor/
pkg/apis/awsproviderconfig/v1alpha1/awsmachineproviderconfig_types.go:    // Indicates whether the EBS volume is encrypted. Encrypted Amazon EBS volumes
pkg/apis/awsproviderconfig/v1alpha1/awsmachineproviderconfig_types.go:    Encrypted *bool `json:"encrypted,omitempty"`
pkg/apis/awsproviderconfig/v1alpha1/zz_generated.deepcopy.go:    if in.Encrypted != nil {
pkg/apis/awsproviderconfig/v1alpha1/zz_generated.deepcopy.go:        in, out := &in.Encrypted, &out.Encrypted

This means that you cannot use the setting to get encrypted root volumes for compute machines [3].  The provider should respect the setting and provision encrypted volumes when requested.

[1]: https://github.com/openshift/cluster-api-provider-aws/blob/7a53d36f7e4c928b51a502b9f12e245045cfb6f3/pkg/apis/awsproviderconfig/v1beta1/awsmachineproviderconfig_types.go#L179-L181
[2]: https://github.com/openshift/cluster-api-provider-aws/commit/e8362ca5a52914921d0d20d9c89b870e48285dc1
[3]: https://github.com/openshift/installer/pull/2114#issuecomment-516180113

Comment 4 sunzhaohua 2019-08-06 08:50:04 UTC

clusterversion: 4.2.0-0.nightly-2019-08-05-223032

Create a machine setting "encrypted: true", check EBS volumes, could see "Encryption: Encrypted"

Comment 5 errata-xmlrpc 2019-10-16 06:33:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.