Conversation

@clementnuss (Contributor) commented Aug 21, 2025

Pull Request

Note to the Contributor

I started implementing this feature after reading issue #10899 and more specifically @smira's comment.
As suggested, I created a new k8s document config package, in which I added the new EtcdEncryptionConfig config.

I made a few assumptions that require validation:

  • only 1 EtcdEncryptionConfig can be specified per machine config
  • I do not validate the content of the custom EtcdEncryptionConfig (i.e. if the user uploads a broken etcd config, etcd will crash as a result). We could import k8s upstream types and try to marshal, let me know if it should be done.
  • when an EtcdEncryptionConfig is specified, talos default etcd encryptionconfig.yaml is completely bypassed

Something else that got me thinking: if there are multiple documents to be added in the future to permit customizing all k8s moving parts, wouldn't it be smart if, instead of creating multiple talos configs to embed the corresponding k8s config, we directly allowed specifying the k8s config? With an example, instead of:

apiVersion: v1alpha1
kind: EtcdEncryptionConfig
config: |4
    apiVersion: apiserver.config.k8s.io/v1
    kind: EncryptionConfiguration
    ...

directly offer the possibility to use this as a patch document:

apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
...

What? (description)

Offers a config-document-based solution for the user to provide a custom etcd encryption configuration. When specified, the custom encryption config is applied as-is and it bypasses the talos etcd encryption config.

Why? (reasoning)

A custom etcd configuration is needed as soon as you want to rotate, or if you want to have more specific parameters than talos defaults (e.g. another encryption scheme, key names, resources to be encrypted, etc.).

Acceptance

⚠️ still draft, I have some open questions before finalizing the PR and going through the checklist again.

Please use the following checklist:

  • you linked an issue (if applicable)
  • you included tests (if applicable)
  • you ran conformance (make conformance) (GPG key missing)
  • you formatted your code (make fmt)
  • you linted your code (make lint)
  • you generated documentation (make docs)
  • you ran unit-tests (make unit-tests)

See make help for a description of the available targets.
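An added example (not code from this PR or from Talos) of the content validation the description leaves open: a structural pre-check of the embedded EncryptionConfiguration document, taking the already-parsed YAML as a dict (for instance from yaml.safe_load) and applying the field names and key sizes kube-apiserver documents for that format; the sample document at the bottom is constructed here.

```python
import base64, binascii

# Provider types kube-apiserver accepts -> raw key sizes allowed (empty: no inline keys).
PROVIDER_KEY_LENGTHS = {"aescbc": (16, 24, 32), "aesgcm": (16, 24, 32),
                        "secretbox": (32,), "identity": (), "kms": ()}

def _check_keys(ptype, keys, problems):
    if not isinstance(keys, list) or not keys:
        problems.append(f"{ptype}: 'keys' must be a non-empty list")
        return
    for i, key in enumerate(keys):
        name = key.get("name") if isinstance(key, dict) else None
        if not name:
            problems.append(f"{ptype}: key #{i} has no 'name'")
            continue
        try:  # secrets are base64 in the document; reject junk before the API server sees it
            raw = base64.b64decode(key.get("secret") or "", validate=True)
        except (binascii.Error, TypeError):
            problems.append(f"{ptype}/{name}: 'secret' is not valid base64")
            continue
        if len(raw) not in PROVIDER_KEY_LENGTHS[ptype]:
            problems.append(f"{ptype}/{name}: {len(raw)}-byte key, allowed {PROVIDER_KEY_LENGTHS[ptype]}")

def validate_encryption_config(cfg):  # returns a list of problems; empty means structurally sane
    problems = []
    if (cfg.get("apiVersion"), cfg.get("kind")) != ("apiserver.config.k8s.io/v1", "EncryptionConfiguration"):
        problems.append("must be apiVersion apiserver.config.k8s.io/v1, kind EncryptionConfiguration")
    entries = cfg.get("resources")
    if not isinstance(entries, list) or not entries:
        return problems + ["'resources' must be a non-empty list"]
    for n, entry in enumerate(entries):
        entry = entry if isinstance(entry, dict) else {}
        providers = entry.get("providers") or []
        if not entry.get("resources") or not providers:
            problems.append(f"resources[{n}]: needs both 'resources' and 'providers'")
        for p in providers:  # each provider entry is a one-key mapping: {<type>: {...}}
            ptype, body = next(iter(p.items())) if isinstance(p, dict) and len(p) == 1 else (None, None)
            if ptype not in PROVIDER_KEY_LENGTHS:
                problems.append(f"resources[{n}]: malformed or unknown provider {p!r}")
            elif PROVIDER_KEY_LENGTHS[ptype]:
                _check_keys(ptype, (body if isinstance(body, dict) else {}).get("keys"), problems)
        # The first provider is used to encrypt on write; identity first means plaintext in etcd.
        if providers and isinstance(providers[0], dict) and "identity" in providers[0]:
            problems.append(f"resources[{n}]: first provider is identity, new writes stay plaintext")
    return problems

# Constructed sample: one 32-byte AES-CBC key (base64 of 32 'A's), identity kept for reading old data.
SAMPLE = {"apiVersion": "apiserver.config.k8s.io/v1", "kind": "EncryptionConfiguration", "resources": [
    {"resources": ["secrets"], "providers": [{"aescbc": {"keys": [{"name": "key1", "secret": "QUFB" * 10 + "QUE="}]}},
                                             {"identity": {}}]}]}
```

Running validate_encryption_config(SAMPLE) returns an empty list; a document with a short key, an unknown provider type or identity listed first comes back with one message per finding.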

clementnuss and others added 2 commits August 21, 2025 16:56
offers a config document based solution for the user to provide a custom
etcd encryption configuration. when specified, the custom encryption
config is applied as-is and it bypasses the talos etcd encryption config

Signed-off-by: Clément Nussbaumer <[email protected]>
add basic integration test for a custom etcd encryption config.

Signed-off-by: Clément Nussbaumer <[email protected]>
github-actions bot commented Oct 6, 2025

This PR is stale because it has been open 45 days with no activity.

@github-actions github-actions bot added the Stale label Oct 6, 2025