Commits on Feb 26, 2019

1. data/aws: Encrypt the AMI used by the bootstrap and master machines …

   This is a quick hack to get encrypted masters.  Ideally we'd want to
   deregister these on bootstrap-teardown, but handling that nicely will
   be easier after some cleanups from [1].  As it stands, we'll
   deregister this as part of the general cluster teardown.
   
   Because we don't set kms_key_id [2] we get "the default AWS KMS Key"
   (according to [2]).  AWS docs are not particularly clear about whether
   users can configure the default key for their account/region to
   override that default, although it is clear that it defaults to an
   AWS-managed CMK [3] and that the alias for AMI encryption is
   alias/aws/ebs [4].  If there is no way to override alias/aws/ebs,
   we'll probably eventially need to expose kms_key_id to users.
   
   [1]: openshift#1148
   [2]: https://www.terraform.io/docs/providers/aws/r/ami_copy.html#kms_key_id
   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
   [4]: https://aws.amazon.com/blogs/security/how-to-create-a-custom-ami-with-encrypted-amazon-ebs-snapshots-and-share-it-with-other-accounts-and-regions/

   

   wking committed Feb 26, 2019
   Configuration menu

   • View commit details
   • Copy full SHA for 0c370dd
   • Browse repository at this point

   Copy the full SHA

   0c370dd View commit details

   Browse the repository at this point in the history