EBS volume encryption fleet/spot exclusive? #1242

Closed
tibuntu opened this issue Feb 11, 2025 · 3 comments · Fixed by #1248 or #1247

@tibuntu
Contributor

tibuntu commented Feb 11, 2025

Describe the bug

EBS volume encryption is only supported for fleet/spot instances.

In the recent 8.0.0 release, support for encrypted EBS volumes was announced.

After finally updating to 8.1.0 today, we were quite confused because we only saw that partially for our Runners.
It turned out that the condition in `template/runner-docker-machine-config.tftpl` is based on the `use_fleet` parameter.

Is there a specific reason why this is only supported for fleet/spot instances? We also use On-Demand instances for a few runners/special jobs.

To Reproduce

Steps to reproduce the behavior:

  1. Call the module with

     ```hcl
     runner_worker_docker_machine_fleet = {
       enable = true
     }
     ```

  2. Start a job with the configured runner tag
  3. Check the EBS volume of the instance to see that it is unencrypted

Expected behavior

As the 8.0.0 release clearly states "[...] encrypt all EBS", we would have expected EBS encryption for all instance types.

@kayman-mk
Collaborator

I do not find any comments that it's related to the fleeting plugin. It's a bug.

kayman-mk added a commit that referenced this issue Feb 20, 2025
## Description

The EBS volume encryption was activated only if the fleeting plugin is
activated. It seems that we can always activate the encryption as the
docker-machine parameters are not tied to the fleeting plugin.

Fixes #1242
kayman-mk pushed a commit that referenced this issue Feb 20, 2025
🤖 I have created a release *beep* *boop*
---


## [9.0.2](9.0.1...9.0.2) (2025-02-20)

### Bug Fixes

* allow changes to "runner_worker.max_jobs" for Docker Autoscaler ([#1221](#1221)) ([0624391](0624391))
* always encrypt EBS volumes if the KMS key is given ([#1248](#1248)) ([76ae944](76ae944)), closes [#1242](#1242)
* return security group id for docker-autoscaler in `runner_sg_id` ([#1249](#1249)) ([9c573b6](9c573b6)), closes [#1241](#1241)

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

---------

Co-authored-by: cattle-ops-releaser-2[bot] <134548870+cattle-ops-releaser-2[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
@tibuntu
Contributor Author

tibuntu commented Feb 20, 2025

Amazing! As always big thank you for the quick response!
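
Step 3 of the reproduction (checking whether a worker's EBS volume is encrypted) can be scripted over `aws ec2 describe-volumes --output json`, so that On-Demand and spot workers are covered by the same check. This is an added example, not code from the issue or the module; the sample JSON, volume/instance IDs and key ARNs are constructed placeholders, and `audit_volumes` and `same_key` are hypothetical helper names.

```python
import json

# Constructed sample shaped like `aws ec2 describe-volumes --output json`.
# IDs, account number and key ARNs are placeholders, not values from the issue.
EXPECTED_KEY = "arn:aws:kms:eu-central-1:111122223333:key/EXAMPLE-RUNNER-KEY"
SAMPLE = json.dumps({"Volumes": [
    {"VolumeId": "vol-0aaa", "Encrypted": True, "KmsKeyId": EXPECTED_KEY,
     "Attachments": [{"InstanceId": "i-0spot"}]},
    {"VolumeId": "vol-0bbb", "Encrypted": False,
     "Attachments": [{"InstanceId": "i-0ondemand"}]},
    {"VolumeId": "vol-0ccc", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:eu-central-1:111122223333:key/EXAMPLE-DEFAULT-KEY",
     "Attachments": []},
]})


def same_key(actual_arn, expected):
    """describe-volumes reports the key as a full ARN; also accept a bare key ID.

    Aliases cannot be resolved offline and must be turned into an ARN first.
    """
    if expected.startswith("arn:"):
        return actual_arn == expected
    return actual_arn.endswith(":key/" + expected)


def audit_volumes(describe_volumes_json, expected_kms_key=None):
    """Return one finding per volume that is unencrypted or uses another key."""
    findings = []
    for vol in json.loads(describe_volumes_json).get("Volumes", []):
        instances = [a.get("InstanceId") for a in vol.get("Attachments", [])]
        if not vol.get("Encrypted", False):
            reason = "unencrypted"
        elif expected_kms_key and not same_key(vol.get("KmsKeyId", ""),
                                               expected_kms_key):
            # Encrypted, but with a key other than the one the runners should use
            reason = "wrong-kms-key"
        else:
            continue
        findings.append({"volume": vol.get("VolumeId"),
                         "instances": instances, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_volumes(SAMPLE, EXPECTED_KEY):
        print(f"{f['volume']}: {f['reason']} (attached to {f['instances'] or 'nothing'})")
```
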
