feat: Add encryption key generation task

This commit introduces a task to generate an encryption key and configuration for Kubernetes. The encryption key is generated using a shell command and set as a fact. Then, the encryption configuration file is created with the key injected. This enhances Kubernetes secrets security.
GeekOpsUA · Apr 17, 2024 · e2ca012 · e2ca012
1 parent 14e5f91
commit e2ca012
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 0 deletions.
diff --git a/ansible/tasks/generate_encryption_config.yml b/ansible/tasks/generate_encryption_config.yml
@@ -0,0 +1,29 @@
+---
+- name: Generate and set encryption key
+  run_once: true
+  block:
+  - name: Generate the Data Encryption Key
+    delegate_to: localhost
+    ansible.builtin.shell:
+      cmd: set -o pipefail; head -c 32 /dev/urandom | base64
+    register: encryption_key
+
+  - name: Set encryption key
+    ansible.builtin.set_fact:
+      encryption_key: "{{ encryption_key.stdout }}"
+
+- name: Generate the Data Encryption Config
+  become: true
+  block:
+  - name: Make remote directory for encryption config
+    ansible.builtin.file:
+      path: "{{ k8s_lib_dir }}"
+      state: directory
+      mode: '0755'
+
+  - name: Generate encryption config
+    ansible.builtin.template:
+      src: k8s/encryption-config.yaml.j2
+      dest: "{{ k8s_lib_dir }}/encryption-config.yaml"
+      mode: '0644'
+    tags: encryption
diff --git a/ansible/templates/k8s/encryption-config.yaml.j2 b/ansible/templates/k8s/encryption-config.yaml.j2
@@ -0,0 +1,11 @@
+---
+apiVersion: apiserver.config.k8s.io/v1
+kind: EncryptionConfiguration
+resources:
+  - resources:
+      - secrets
+    providers:
+      - aescbc:
+          keys:
+            - name: key1
+              secret: {{ encryption_key }}