authorKenny Woodson <kwoodson@redhat.com>2017-06-26 18:53:03 -0400
committerKenny Woodson <kwoodson@redhat.com>2017-06-29 11:35:46 -0400
commit54fc9c9d8fe47097d8bb1da2520ec5b2471d3954 (patch)
treeb25bf467ad7c6b710086101d7976233a3966bb47 /roles
parentd108da5c4447950f07f9f0ead181383d8c6b4b02 (diff)
Adding disk encryption to storageclasses and to openshift registry
Diffstat (limited to 'roles')
-rw-r--r--roles/openshift_default_storage_class/README.md11
-rw-r--r--roles/openshift_default_storage_class/defaults/main.yml8
-rw-r--r--roles/openshift_default_storage_class/tasks/main.yml3
-rw-r--r--roles/openshift_hosted/templates/registry_config.j25
4 files changed, 19 insertions, 8 deletions
diff --git a/roles/openshift_default_storage_class/README.md b/roles/openshift_default_storage_class/README.md
index 198163127..bc825a479 100644
--- a/roles/openshift_default_storage_class/README.md
+++ b/roles/openshift_default_storage_class/README.md
@@ -3,6 +3,8 @@ openshift_master_storage_class
A role that deploys configuratons for Openshift StorageClass
+Documentation: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
+
Requirements
------------
@@ -13,7 +15,8 @@ Role Variables
openshift_storageclass_name: Name of the storage class to create
openshift_storageclass_provisioner: The kubernetes provisioner to use
-openshift_storageclass_type: type of storage to use. This is different among clouds/providers
+openshift_storageclass_parameters: Paramters to pass to the storageclass parameters section
+
Dependencies
------------
@@ -22,10 +25,14 @@ Dependencies
Example Playbook
----------------
+ # aws specific
- role: openshift_default_storage_class
openshift_storageclass_name: awsEBS
openshift_storageclass_provisioner: kubernetes.io/aws-ebs
- openshift_storageclass_type: gp2
+ openshift_storageclass_parameters:
+ type: gp2
+ encripted: true
+
License
diff --git a/roles/openshift_default_storage_class/defaults/main.yml b/roles/openshift_default_storage_class/defaults/main.yml
index 66ffd2a73..4bdc1dd6e 100644
--- a/roles/openshift_default_storage_class/defaults/main.yml
+++ b/roles/openshift_default_storage_class/defaults/main.yml
@@ -3,12 +3,14 @@ openshift_storageclass_defaults:
aws:
name: gp2
provisioner: kubernetes.io/aws-ebs
- type: gp2
+ parameters:
+ type: gp2
gce:
name: standard
provisioner: kubernetes.io/gce-pd
- type: pd-standard
+ parameters:
+ type: pd-standard
openshift_storageclass_name: "{{ openshift_storageclass_defaults[openshift_cloudprovider_kind]['name'] }}"
openshift_storageclass_provisioner: "{{ openshift_storageclass_defaults[openshift_cloudprovider_kind]['provisioner'] }}"
-openshift_storageclass_type: "{{ openshift_storageclass_defaults[openshift_cloudprovider_kind]['type'] }}"
+openshift_storageclass_parameters: "{{ openshift_storageclass_defaults[openshift_cloudprovider_kind]['parameters'] }}"
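Review bot: The new `parameters` default for `aws` carries only `type: gp2`, so a storage class built from these defaults still provisions unencrypted EBS volumes unless encryption is enforced elsewhere, even though the commit is titled as adding disk encryption. If encryption is meant to be opt-in, say so in a comment above `openshift_storageclass_defaults`, for example `# volumes are unencrypted unless encrypted: "true" is added to parameters`. If it is meant to be the default, add `encrypted: "true"` under the aws `parameters`. The mapping starts above this hunk, so any other provider entries are not visible here.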
diff --git a/roles/openshift_default_storage_class/tasks/main.yml b/roles/openshift_default_storage_class/tasks/main.yml
index 408fc17c7..78c0cd761 100644
--- a/roles/openshift_default_storage_class/tasks/main.yml
+++ b/roles/openshift_default_storage_class/tasks/main.yml
@@ -14,6 +14,5 @@
annotations:
storageclass.beta.kubernetes.io/is-default-class: "true"
provisioner: "{{ openshift_storageclass_provisioner }}"
- parameters:
- type: "{{ openshift_storageclass_type }}"
+ parameters: "{{ openshift_storageclass_parameters }}"
run_once: true
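Review bot: `parameters: "{{ openshift_storageclass_parameters }}"` passes the whole user-supplied mapping to the storage class without any check, so a misspelled key reaches the provisioner unchanged; the README example in this same commit spells it `encripted`. Kubernetes StorageClass parameters are string-valued, so the documented form should be `encrypted: "true"` rather than a bare boolean; how the module handles a boolean is not visible here. An inventory that still sets the removed `openshift_storageclass_type` is now silently ignored, and a preceding `fail` task with `when: openshift_storageclass_type is defined` would surface that instead of quietly falling back to the defaults. The task itself begins above this hunk.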
diff --git a/roles/openshift_hosted/templates/registry_config.j2 b/roles/openshift_hosted/templates/registry_config.j2
index dc8a9f089..9673841bf 100644
--- a/roles/openshift_hosted/templates/registry_config.j2
+++ b/roles/openshift_hosted/templates/registry_config.j2
@@ -21,7 +21,10 @@ storage:
regionendpoint: {{ openshift_hosted_registry_storage_s3_regionendpoint }}
{% endif %}
bucket: {{ openshift_hosted_registry_storage_s3_bucket }}
- encrypt: false
+ encrypt: {{ openshift_hosted_registry_storage_s3_encrypt | default(false) }}
+{% if openshift_hosted_registry_storage_s3_kmskeyid %}
+ keyid: {{ openshift_hosted_registry_storage_s3_kmskeyid }}
+{% endif %}
secure: true
v4auth: true
rootdirectory: {{ openshift_hosted_registry_storage_s3_rootdirectory | default('/registry') }}
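Review bot: `{% if openshift_hosted_registry_storage_s3_kmskeyid %}` has no `default` or `is defined` guard, unlike the `encrypt` line just above it. Unless a role default exists outside this hunk, templating is likely to fail with an undefined-variable error when no key id is set; `{% if openshift_hosted_registry_storage_s3_kmskeyid | default(false) %}` would match the neighbouring line. Separately, `keyid` is rendered independently of `encrypt`, and the registry's S3 driver documents `keyid` as ignored unless `encrypt` is true, so an operator who sets only the KMS key id still gets an unencrypted bucket. Consider defaulting `encrypt` to true when a key id is supplied, or failing the play when the two settings disagree. The `storage:` block starts and continues outside this hunk.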