refactor(encryption): update aws-encryption-provider service to use k8s_encryption_provider and remove obsolete scripts

This commit is contained in:
2025-05-19 00:41:28 +02:00
parent c9def750f6
commit 2ba2df5cf7
7 changed files with 2 additions and 144 deletions
+1 -1
View File
@@ -33,7 +33,7 @@
- name: Set root-only executable permissions for specific tools - name: Set root-only executable permissions for specific tools
ansible.builtin.file: ansible.builtin.file:
path: /usr/local/bin/{{ item }} path: /usr/local/bin/{{ item }}
mode: '0750' mode: '0700'
loop: loop:
- open_volume - open_volume
- read_system_id - read_system_id
@@ -1,52 +0,0 @@
#!/bin/bash
if [ "$#" -ne 3 ]; then
echo "Usage: $0 <keyserver>" "<image>" "<device>"
echo "Example: $0 https://keyserver.example.com /path/to/image.img <device>"
echo "Example: $0 https://keyserver.example.com /path/to/image.img /dev/mapper/crypt1"
exit 1
fi
KEYSERVER=$1
IMAGE=$2
DEVICE=$3
if [ ! -e $IMAGE ]; then
logger "open_volume: ($DEVICE) Image file not found"
exit 1
fi
# if keyserver is not reachable, exit
if ! curl -s -I $KEYSERVER > /dev/null; then
logger "open_volume: ($DEVICE) Key server not reachable, exiting."
exit 1
fi
# If device is already open, exit
if [ -e /dev/mapper/$DEVICE ]; then
echo "open_volume: ($DEVICE) Device already open, exiting."
exit 1
fi
uuid=$(cat /proc/cpuinfo | grep 'model name' | head -1)
uuid+=$(ip link show eth0 | grep ether | awk '{print $2}')
uuid+=$(sudo dmidecode -s system-uuid)
KEYID=$(echo -n "$uuid" | md5sum | awk '{print $1}')
logger "open_volume: ($DEVICE) Downloading key from key server,"
LOCALKEYFILE=$(mktemp)
curl -s -o $LOCALKEYFILE $KEYSERVER/$KEYID
if [ $? -ne 0 ]; then
logger "open_volume: ($DEVICE) Failed to download key from key server"
rm $LOCALKEYFILE
exit 1
fi
logger "open_volume:'$DEVICE' Key downloaded successfully, opening volume"
/usr/sbin/cryptsetup luksOpen $IMAGE $DEVICE -d $LOCALKEYFILE
if [ $? -ne 0 ]; then
logger "open_volume: ($DEVICE) Failed to open volume"
rm $LOCALKEYFILE
exit 1
fi
logger "open_volume: ($DEVICE) Volume opened successfully, removing key file"
rm $LOCALKEYFILE
exit 0
@@ -1,5 +0,0 @@
#!/bin/bash
uuid=$(cat /proc/cpuinfo | grep 'model name' | head -1)
uuid+=$(ip link show eth0 | grep ether | awk '{print $2}')
uuid+=$(sudo dmidecode -s system-uuid)
echo -n "$uuid" | md5sum | awk '{print $1}'
@@ -1,78 +0,0 @@
#!/bin/bash
#!/bin/bash
if [ "$#" -lt 1 ]; then
echo "Usage: $0 <keyserver>" "[socket]"
echo "Example: $0 https://keyserver.example.com"
echo "Example: $0 https://keyserver.example.com /var/run/kmsplugin/socket.sock"
exit 1
fi
KEYSERVER=$1
SOCKET=${2:-/var/run/kmsplugin/socket.sock}
# if keyserver is not reachable, exit
if ! curl -s -I $KEYSERVER > /dev/null; then
logger "start_encryption_provider: Key server not reachable, exiting."
exit 1
fi
uuid=$(cat /proc/cpuinfo | grep 'model name' | head -1)
uuid+=$(ip link show eth0 | grep ether | awk '{print $2}')
uuid+=$(sudo dmidecode -s system-uuid)
KEYID=$(echo -n "$uuid" | md5sum | awk '{print $1}')
logger "start_encryption_provider: Downloading key from key server,"
LOCALKEYFILE=$(mktemp)
curl -s -o $LOCALKEYFILE $KEYSERVER/$KEYID-encryption-service-credentials.json
if [ $? -ne 0 ]; then
logger "start_encryption_provider: Failed to download key from key server"
rm $LOCALKEYFILE
exit 1
fi
logger "start_encryption_provider: Key downloaded successfully, extracting credentials"
export AWS_ACCESS_KEY_ID=$(jq -r '.access_key' $LOCALKEYFILE)
if [ $? -ne 0 ]; then
logger "start_encryption_provider: Failed to extract AWS credentials from key file"
rm $LOCALKEYFILE
exit 1
fi
export AWS_SECRET_ACCESS_KEY=$(jq -r '.secret_key' $LOCALKEYFILE)
if [ $? -ne 0 ]; then
logger "start_encryption_provider: Failed to extract AWS credentials from key file"
rm $LOCALKEYFILE
exit 1
fi
KEYARN=$(jq -r '.key_arn' $LOCALKEYFILE)
if [ $? -ne 0 ]; then
logger "start_encryption_provider: Failed to extract KMS key ARN from key file"
rm $LOCALKEYFILE
exit 1
fi
REGION=$(jq -r '.region' $LOCALKEYFILE)
if [ $? -ne 0 ]; then
logger "start_encryption_provider: Failed to extract region from key file"
rm $LOCALKEYFILE
exit 1
fi
logger "start_encryption_provider: Removing key file"
rm $LOCALKEYFILE
logger "start_encryption_provider: Starting encryption provider"
mkdir {{ encryption_kms_socket_dir | dirname }} }} 2>/dev/null || true
chmod 700 {{ encryption_kms_socket_dir | dirname }} 2>/dev/null
if [ ! -f /usr/local/bin/aws-encryption-provider ]; then
logger "start_encryption_provider: Encryption provider not found, exiting."
exit 1
fi
/usr/local/bin/aws-encryption-provider --key=$KEYARN --region=$REGION --listen=$SOCKET
if [ $? -ne 0 ]; then
logger "start_encryption_provider: Failed to start encryption provider"
exit 1
fi
exit 0
-7
View File
@@ -1,10 +1,3 @@
- name: Copy aws-encryption-provider binary to the host
become: true
ansible.builtin.copy:
src: aws-encryption-provider
dest: /usr/local/bin/aws-encryption-provider
mode: "0755"
- name: Create KMS socket directory - name: Create KMS socket directory
become: true become: true
ansible.builtin.file: ansible.builtin.file:
@@ -5,7 +5,7 @@ Before=snap.microk8s.daemon-kubelite.service
[Service] [Service]
Type=simple Type=simple
ExecStart=/usr/local/bin/start_encryption_provider "{{ key_server }}" "{{ encryption_kms_socket }}" ExecStart=/usr/local/bin/k8s_encryption_provider "{{ key_server }}" "{{ encryption_kms_socket }}"
Restart=on-failure Restart=on-failure
User=root User=root