From 82942c4fa14722564b37bd339bee698cc6d8c3ba Mon Sep 17 00:00:00 2001 From: Bob Fournier Date: Fri, 9 Feb 2024 07:28:31 -0500 Subject: [PATCH] Add support for disk encryption key in GCPMachine Add support for the disk encryption key for the boot disk and and additional disks. --- api/v1beta1/gcpmachine_types.go | 58 +++++++ api/v1beta1/zz_generated.deepcopy.go | 65 ++++++++ cloud/scope/machine.go | 34 +++- .../compute/instances/reconcile_test.go | 152 +++++++++++++++++- ...tructure.cluster.x-k8s.io_gcpmachines.yaml | 108 +++++++++++++ ....cluster.x-k8s.io_gcpmachinetemplates.yaml | 115 +++++++++++++ 6 files changed, 528 insertions(+), 4 deletions(-) diff --git a/api/v1beta1/gcpmachine_types.go b/api/v1beta1/gcpmachine_types.go index 8463855584..397bae9882 100644 --- a/api/v1beta1/gcpmachine_types.go +++ b/api/v1beta1/gcpmachine_types.go @@ -54,6 +54,9 @@ type AttachedDiskSpec struct { // Defaults to 30GB. For "local-ssd" size is always 375GB. // +optional Size *int64 `json:"size,omitempty"` + // EncryptionKey defines the KMS key to be used to encrypt the disk. + // +optional + EncryptionKey *CustomerEncryptionKey `json:"encryptionKey,omitempty"` } // IPForwarding represents the IP forwarding configuration for the GCP machine. @@ -146,6 +149,57 @@ const ( HostMaintenancePolicyTerminate HostMaintenancePolicy = "Terminate" ) +// KeyType is a type for disk encryption. +type KeyType string + +const ( + // CustomerManagedKey (CMEK) references an encryption key stored in Google Cloud KMS. + CustomerManagedKey KeyType = "Managed" + // CustomerSuppliedKey (CSEK) specifies an encryption key to use. + CustomerSuppliedKey KeyType = "Supplied" +) + +// ManagedKey is a reference to a key managed by the Cloud Key Management Service. +type ManagedKey struct { + // The name of the encryption key that is stored in Google Cloud KMS. For example: + // "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/key_region/cryptoKeys/key + KmsKeyName string `json:"kmsKeyName,omitempty"` +} + +// SuppliedKey contains a key for disk encryption. +type SuppliedKey struct { + // Specifies a 256-bit customer-supplied encryption key, encoded in RFC 4648 + // base64 to either encrypt or decrypt this resource. You can provide either the rawKey or the rsaEncryptedKey. + // For example: "rawKey": "SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0=" + RawKey string `json:"rawKey,omitempty"` + // Specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit customer-supplied encryption + // key to either encrypt or decrypt this resource. You can provide either the rawKey or the + // rsaEncryptedKey. + // For example: "rsaEncryptedKey": "ieCx/NcW06PcT7Ep1X6LUTc/hLvUDYyzSZPPVCVPTVEohpeHASqC8uw5TzyO9U+Fka9JFHi + // z0mBibXUInrC/jEk014kCK/NPjYgEMOyssZ4ZINPKxlUh2zn1bV+MCaTICrdmuSBTWlUUiFoDi + // D6PYznLwh8ZNdaheCeZ8ewEXgFQ8V+sDroLaN3Xs3MDTXQEMMoNUXMCZEIpg9Vtp9x2oe==" + // The key must meet the following requirements before you can provide it to Compute Engine: + // 1. The key is wrapped using a RSA public key certificate provided by Google. + // 2. After being wrapped, the key must be encoded in RFC 4648 base64 encoding. + // Gets the RSA public key certificate provided by Google at: https://cloud-certs.storage.googleapis.com/google-cloud-csek-ingress.pem + RsaEncryptedKey string `json:"rsaEncryptedKey,omitempty"` +} + +// CustomerEncryptionKey supports both Customer-Managed or Customer-Supplied encryption keys . +type CustomerEncryptionKey struct { + // The type of encryption key. Must be either Managed, aka Customer-Managed Encryption Key (CMEK) or + // Supplied, aka Customer-Supplied EncryptionKey (CSEK). + KeyType KeyType `json:"keyType"` + // The service account being used for the encryption request for the given KMS key. + // If absent, the Compute Engine default service account is used. For example: + // "kmsKeyServiceAccount": "name@project_id.iam.gserviceaccount.com/ + KmsKeyServiceAccount string `json:"kmsKeyServiceAccount,omitempty"` + // The Customer-Managed Encryption Key references keys managed by the Cloud Key Management Service. + ManagedKey *ManagedKey `json:"managedKey,omitempty"` + // The Customer-Supplied Encryption Key provides the key used to create or manage a disk. + SuppliedKey *SuppliedKey `json:"suppliedKey,omitempty"` +} + // GCPMachineSpec defines the desired state of GCPMachine. type GCPMachineSpec struct { // InstanceType is the type of instance to create. Example: n1.standard-2 @@ -252,6 +306,10 @@ type GCPMachineSpec struct { // +kubebuilder:validation:Enum=Enabled;Disabled // +optional ConfidentialCompute *ConfidentialComputePolicy `json:"confidentialCompute,omitempty"` + + // RootDiskEncryptionKey defines the KMS key to be used to encrypt the root disk. + // +optional + RootDiskEncryptionKey *CustomerEncryptionKey `json:"rootDiskEncryptionKey,omitempty"` } // MetadataItem defines a single piece of metadata associated with an instance. diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go index 5ba5b30653..0c92f7279e 100644 --- a/api/v1beta1/zz_generated.deepcopy.go +++ b/api/v1beta1/zz_generated.deepcopy.go @@ -40,6 +40,11 @@ func (in *AttachedDiskSpec) DeepCopyInto(out *AttachedDiskSpec) { *out = new(int64) **out = **in } + if in.EncryptionKey != nil { + in, out := &in.EncryptionKey, &out.EncryptionKey + *out = new(CustomerEncryptionKey) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AttachedDiskSpec. @@ -79,6 +84,31 @@ func (in *BuildParams) DeepCopy() *BuildParams { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CustomerEncryptionKey) DeepCopyInto(out *CustomerEncryptionKey) { + *out = *in + if in.ManagedKey != nil { + in, out := &in.ManagedKey, &out.ManagedKey + *out = new(ManagedKey) + **out = **in + } + if in.SuppliedKey != nil { + in, out := &in.SuppliedKey, &out.SuppliedKey + *out = new(SuppliedKey) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomerEncryptionKey. +func (in *CustomerEncryptionKey) DeepCopy() *CustomerEncryptionKey { + if in == nil { + return nil + } + out := new(CustomerEncryptionKey) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Filter) DeepCopyInto(out *Filter) { *out = *in @@ -459,6 +489,11 @@ func (in *GCPMachineSpec) DeepCopyInto(out *GCPMachineSpec) { *out = new(ConfidentialComputePolicy) **out = **in } + if in.RootDiskEncryptionKey != nil { + in, out := &in.RootDiskEncryptionKey, &out.RootDiskEncryptionKey + *out = new(CustomerEncryptionKey) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GCPMachineSpec. @@ -633,6 +668,21 @@ func (in Labels) DeepCopy() Labels { return *out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ManagedKey) DeepCopyInto(out *ManagedKey) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ManagedKey. +func (in *ManagedKey) DeepCopy() *ManagedKey { + if in == nil { + return nil + } + out := new(ManagedKey) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *MetadataItem) DeepCopyInto(out *MetadataItem) { *out = *in @@ -906,3 +956,18 @@ func (in Subnets) DeepCopy() Subnets { in.DeepCopyInto(out) return *out } + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SuppliedKey) DeepCopyInto(out *SuppliedKey) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SuppliedKey. +func (in *SuppliedKey) DeepCopy() *SuppliedKey { + if in == nil { + return nil + } + out := new(SuppliedKey) + in.DeepCopyInto(out) + return out +} diff --git a/cloud/scope/machine.go b/cloud/scope/machine.go index 3a0f9f092b..610770939f 100644 --- a/cloud/scope/machine.go +++ b/cloud/scope/machine.go @@ -235,7 +235,7 @@ func (m *MachineScope) InstanceImageSpec() *compute.AttachedDisk { diskType = *t } - return &compute.AttachedDisk{ + disk := &compute.AttachedDisk{ AutoDelete: true, Boot: true, InitializeParams: &compute.AttachedDiskInitializeParams{ @@ -245,6 +245,23 @@ func (m *MachineScope) InstanceImageSpec() *compute.AttachedDisk { SourceImage: sourceImage, }, } + + if m.GCPMachine.Spec.RootDiskEncryptionKey != nil { + if m.GCPMachine.Spec.RootDiskEncryptionKey.KeyType == infrav1.CustomerManagedKey { + disk.DiskEncryptionKey = &compute.CustomerEncryptionKey{ + KmsKeyServiceAccount: m.GCPMachine.Spec.RootDiskEncryptionKey.KmsKeyServiceAccount, + KmsKeyName: m.GCPMachine.Spec.RootDiskEncryptionKey.ManagedKey.KmsKeyName, + } + } else if m.GCPMachine.Spec.RootDiskEncryptionKey.KeyType == infrav1.CustomerSuppliedKey { + disk.DiskEncryptionKey = &compute.CustomerEncryptionKey{ + KmsKeyServiceAccount: m.GCPMachine.Spec.RootDiskEncryptionKey.KmsKeyServiceAccount, + RawKey: m.GCPMachine.Spec.RootDiskEncryptionKey.SuppliedKey.RawKey, + RsaEncryptedKey: m.GCPMachine.Spec.RootDiskEncryptionKey.SuppliedKey.RsaEncryptedKey, + } + } + } + + return disk } // InstanceAdditionalDiskSpec returns compute instance additional attched-disk spec. @@ -269,6 +286,21 @@ func (m *MachineScope) InstanceAdditionalDiskSpec() []*compute.AttachedDisk { // https://cloud.google.com/compute/docs/disks/local-ssd#choose_an_interface additionalDisk.Interface = "NVME" } + if disk.EncryptionKey != nil { + if m.GCPMachine.Spec.RootDiskEncryptionKey.KeyType == infrav1.CustomerManagedKey { + additionalDisk.DiskEncryptionKey = &compute.CustomerEncryptionKey{ + KmsKeyServiceAccount: m.GCPMachine.Spec.RootDiskEncryptionKey.KmsKeyServiceAccount, + KmsKeyName: m.GCPMachine.Spec.RootDiskEncryptionKey.ManagedKey.KmsKeyName, + } + } else if m.GCPMachine.Spec.RootDiskEncryptionKey.KeyType == infrav1.CustomerSuppliedKey { + additionalDisk.DiskEncryptionKey = &compute.CustomerEncryptionKey{ + KmsKeyServiceAccount: m.GCPMachine.Spec.RootDiskEncryptionKey.KmsKeyServiceAccount, + RawKey: m.GCPMachine.Spec.RootDiskEncryptionKey.SuppliedKey.RawKey, + RsaEncryptedKey: m.GCPMachine.Spec.RootDiskEncryptionKey.SuppliedKey.RsaEncryptedKey, + } + } + } + additionalDisks = append(additionalDisks, additionalDisk) } diff --git a/cloud/services/compute/instances/reconcile_test.go b/cloud/services/compute/instances/reconcile_test.go index 54019c3f8c..b8c8bf2e44 100644 --- a/cloud/services/compute/instances/reconcile_test.go +++ b/cloud/services/compute/instances/reconcile_test.go @@ -460,12 +460,12 @@ func TestService_createOrGetInstance(t *testing.T) { ResourceManagerTags: map[string]string{}, }, SelfLink: "https://www.googleapis.com/compute/v1/projects/proj-id/zones/us-central1-c/instances/my-machine", - Scheduling: &compute.Scheduling{ - OnHostMaintenance: strings.ToUpper(string(infrav1.HostMaintenancePolicyTerminate)), - }, ConfidentialInstanceConfig: &compute.ConfidentialInstanceConfig{ EnableConfidentialCompute: true, }, + Scheduling: &compute.Scheduling{ + OnHostMaintenance: strings.ToUpper(string(infrav1.HostMaintenancePolicyTerminate)), + }, ServiceAccounts: []*compute.ServiceAccount{ { Email: "default", @@ -609,6 +609,152 @@ func TestService_createOrGetInstance(t *testing.T) { Zone: "us-central1-a", }, }, + { + name: "instance does not exist (should create instance) with Customer-Managed boot DiskEncryption", + scope: func() Scope { + machineScope.GCPMachine = getFakeGCPMachine() + diskEncryption := infrav1.CustomerEncryptionKey{ + KeyType: infrav1.CustomerManagedKey, + ManagedKey: &infrav1.ManagedKey{ + KmsKeyName: "projects/my-project/locations/us-central1/keyRings/us-central1/cryptoKeys/some-key", + }, + } + machineScope.GCPMachine.Spec.RootDiskEncryptionKey = &diskEncryption + return machineScope + }, + mockInstance: &cloud.MockInstances{ + ProjectRouter: &cloud.SingleProjectRouter{ID: "proj-id"}, + Objects: map[meta.Key]*cloud.MockInstancesObj{}, + }, + want: &compute.Instance{ + Name: "my-machine", + CanIpForward: true, + Disks: []*compute.AttachedDisk{ + { + AutoDelete: true, + Boot: true, + InitializeParams: &compute.AttachedDiskInitializeParams{ + DiskType: "zones/us-central1-c/diskTypes/pd-standard", + SourceImage: "projects/my-proj/global/images/family/capi-ubuntu-1804-k8s-v1-19", + ResourceManagerTags: map[string]string{}, + }, + DiskEncryptionKey: &compute.CustomerEncryptionKey{ + KmsKeyName: "projects/my-project/locations/us-central1/keyRings/us-central1/cryptoKeys/some-key", + }, + }, + }, + Labels: map[string]string{ + "capg-role": "node", + "capg-cluster-my-cluster": "owned", + "foo": "bar", + }, + MachineType: "zones/us-central1-c/machineTypes", + Metadata: &compute.Metadata{ + Items: []*compute.MetadataItems{ + { + Key: "user-data", + Value: ptr.To[string]("Zm9vCg=="), + }, + }, + }, + NetworkInterfaces: []*compute.NetworkInterface{ + { + Network: "projects/my-proj/global/networks/default", + }, + }, + Params: &compute.InstanceParams{ + ResourceManagerTags: map[string]string{}, + }, + SelfLink: "https://www.googleapis.com/compute/v1/projects/proj-id/zones/us-central1-c/instances/my-machine", + Scheduling: &compute.Scheduling{}, + ServiceAccounts: []*compute.ServiceAccount{ + { + Email: "default", + Scopes: []string{"https://www.googleapis.com/auth/cloud-platform"}, + }, + }, + Tags: &compute.Tags{ + Items: []string{ + "my-cluster-node", + "my-cluster", + }, + }, + Zone: "us-central1-c", + }, + }, + { + name: "instance does not exist (should create instance) with Customer-Supplied boot DiskEncryption", + scope: func() Scope { + machineScope.GCPMachine = getFakeGCPMachine() + diskEncryption := infrav1.CustomerEncryptionKey{ + KeyType: infrav1.CustomerSuppliedKey, + SuppliedKey: &infrav1.SuppliedKey{ + RawKey: "SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0=", + }, + } + machineScope.GCPMachine.Spec.RootDiskEncryptionKey = &diskEncryption + return machineScope + }, + mockInstance: &cloud.MockInstances{ + ProjectRouter: &cloud.SingleProjectRouter{ID: "proj-id"}, + Objects: map[meta.Key]*cloud.MockInstancesObj{}, + }, + want: &compute.Instance{ + Name: "my-machine", + CanIpForward: true, + Disks: []*compute.AttachedDisk{ + { + AutoDelete: true, + Boot: true, + InitializeParams: &compute.AttachedDiskInitializeParams{ + DiskType: "zones/us-central1-c/diskTypes/pd-standard", + SourceImage: "projects/my-proj/global/images/family/capi-ubuntu-1804-k8s-v1-19", + ResourceManagerTags: map[string]string{}, + }, + DiskEncryptionKey: &compute.CustomerEncryptionKey{ + RawKey: "SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0=", + }, + }, + }, + Labels: map[string]string{ + "capg-role": "node", + "capg-cluster-my-cluster": "owned", + "foo": "bar", + }, + MachineType: "zones/us-central1-c/machineTypes", + Metadata: &compute.Metadata{ + Items: []*compute.MetadataItems{ + { + Key: "user-data", + Value: ptr.To[string]("Zm9vCg=="), + }, + }, + }, + NetworkInterfaces: []*compute.NetworkInterface{ + { + Network: "projects/my-proj/global/networks/default", + }, + }, + Params: &compute.InstanceParams{ + ResourceManagerTags: map[string]string{}, + }, + SelfLink: "https://www.googleapis.com/compute/v1/projects/proj-id/zones/us-central1-c/instances/my-machine", + Scheduling: &compute.Scheduling{}, + ServiceAccounts: []*compute.ServiceAccount{ + { + Email: "default", + Scopes: []string{"https://www.googleapis.com/auth/cloud-platform"}, + }, + }, + Tags: &compute.Tags{ + Items: []string{ + "my-cluster-node", + "my-cluster", + }, + }, + Zone: "us-central1-c", + }, + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_gcpmachines.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_gcpmachines.yaml index c965b68beb..84a3747508 100644 --- a/config/crd/bases/infrastructure.cluster.x-k8s.io_gcpmachines.yaml +++ b/config/crd/bases/infrastructure.cluster.x-k8s.io_gcpmachines.yaml @@ -69,6 +69,61 @@ spec: disk 3. "local-ssd" - Local SSD disk (https://cloud.google.com/compute/docs/disks/local-ssd). Default is "pd-standard".' type: string + encryptionKey: + description: EncryptionKey defines the KMS key to be used to + encrypt the disk. + properties: + keyType: + description: The type of encryption key. Must be either + Managed, aka Customer-Managed Encryption Key (CMEK) or + Supplied, aka Customer-Supplied EncryptionKey (CSEK). + type: string + kmsKeyServiceAccount: + description: 'The service account being used for the encryption + request for the given KMS key. If absent, the Compute + Engine default service account is used. For example: "kmsKeyServiceAccount": + "name@project_id.iam.gserviceaccount.com/' + type: string + managedKey: + description: The Customer-Managed Encryption Key references + keys managed by the Cloud Key Management Service. + properties: + kmsKeyName: + description: 'The name of the encryption key that is + stored in Google Cloud KMS. For example: "kmsKeyName": + "projects/kms_project_id/locations/region/keyRings/key_region/cryptoKeys/key' + type: string + type: object + suppliedKey: + description: The Customer-Supplied Encryption Key provides + the key used to create or manage a disk. + properties: + rawKey: + description: 'Specifies a 256-bit customer-supplied + encryption key, encoded in RFC 4648 base64 to either + encrypt or decrypt this resource. You can provide + either the rawKey or the rsaEncryptedKey. For example: + "rawKey": "SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0="' + type: string + rsaEncryptedKey: + description: 'Specifies an RFC 4648 base64 encoded, + RSA-wrapped 2048-bit customer-supplied encryption + key to either encrypt or decrypt this resource. You + can provide either the rawKey or the rsaEncryptedKey. + For example: "rsaEncryptedKey": "ieCx/NcW06PcT7Ep1X6LUTc/hLvUDYyzSZPPVCVPTVEohpeHASqC8uw5TzyO9U+Fka9JFHi + z0mBibXUInrC/jEk014kCK/NPjYgEMOyssZ4ZINPKxlUh2zn1bV+MCaTICrdmuSBTWlUUiFoDi + D6PYznLwh8ZNdaheCeZ8ewEXgFQ8V+sDroLaN3Xs3MDTXQEMMoNUXMCZEIpg9Vtp9x2oe==" + The key must meet the following requirements before + you can provide it to Compute Engine: 1. The key is + wrapped using a RSA public key certificate provided + by Google. 2. After being wrapped, the key must be + encoded in RFC 4648 base64 encoding. Gets the RSA + public key certificate provided by Google at: https://cloud-certs.storage.googleapis.com/google-cloud-csek-ingress.pem' + type: string + type: object + required: + - keyType + type: object size: description: Size is the size of the disk in GBs. Defaults to 30GB. For "local-ssd" size is always 375GB. @@ -226,6 +281,59 @@ spec: types of root volumes: 1. "pd-standard" - Standard (HDD) persistent disk 2. "pd-ssd" - SSD persistent disk Default is "pd-standard".' type: string + rootDiskEncryptionKey: + description: RootDiskEncryptionKey defines the KMS key to be used + to encrypt the root disk. + properties: + keyType: + description: The type of encryption key. Must be either Managed, + aka Customer-Managed Encryption Key (CMEK) or Supplied, aka + Customer-Supplied EncryptionKey (CSEK). + type: string + kmsKeyServiceAccount: + description: 'The service account being used for the encryption + request for the given KMS key. If absent, the Compute Engine + default service account is used. For example: "kmsKeyServiceAccount": + "name@project_id.iam.gserviceaccount.com/' + type: string + managedKey: + description: The Customer-Managed Encryption Key references keys + managed by the Cloud Key Management Service. + properties: + kmsKeyName: + description: 'The name of the encryption key that is stored + in Google Cloud KMS. For example: "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/key_region/cryptoKeys/key' + type: string + type: object + suppliedKey: + description: The Customer-Supplied Encryption Key provides the + key used to create or manage a disk. + properties: + rawKey: + description: 'Specifies a 256-bit customer-supplied encryption + key, encoded in RFC 4648 base64 to either encrypt or decrypt + this resource. You can provide either the rawKey or the + rsaEncryptedKey. For example: "rawKey": "SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0="' + type: string + rsaEncryptedKey: + description: 'Specifies an RFC 4648 base64 encoded, RSA-wrapped + 2048-bit customer-supplied encryption key to either encrypt + or decrypt this resource. You can provide either the rawKey + or the rsaEncryptedKey. For example: "rsaEncryptedKey": + "ieCx/NcW06PcT7Ep1X6LUTc/hLvUDYyzSZPPVCVPTVEohpeHASqC8uw5TzyO9U+Fka9JFHi + z0mBibXUInrC/jEk014kCK/NPjYgEMOyssZ4ZINPKxlUh2zn1bV+MCaTICrdmuSBTWlUUiFoDi + D6PYznLwh8ZNdaheCeZ8ewEXgFQ8V+sDroLaN3Xs3MDTXQEMMoNUXMCZEIpg9Vtp9x2oe==" + The key must meet the following requirements before you + can provide it to Compute Engine: 1. The key is wrapped + using a RSA public key certificate provided by Google. 2. + After being wrapped, the key must be encoded in RFC 4648 + base64 encoding. Gets the RSA public key certificate provided + by Google at: https://cloud-certs.storage.googleapis.com/google-cloud-csek-ingress.pem' + type: string + type: object + required: + - keyType + type: object serviceAccounts: description: 'ServiceAccount specifies the service account email and which scopes to assign to the machine. Defaults to: email: "default", diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_gcpmachinetemplates.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_gcpmachinetemplates.yaml index ceacc3c0f0..eada6078ad 100644 --- a/config/crd/bases/infrastructure.cluster.x-k8s.io_gcpmachinetemplates.yaml +++ b/config/crd/bases/infrastructure.cluster.x-k8s.io_gcpmachinetemplates.yaml @@ -80,6 +80,65 @@ spec: Local SSD disk (https://cloud.google.com/compute/docs/disks/local-ssd). Default is "pd-standard".' type: string + encryptionKey: + description: EncryptionKey defines the KMS key to be + used to encrypt the disk. + properties: + keyType: + description: The type of encryption key. Must be + either Managed, aka Customer-Managed Encryption + Key (CMEK) or Supplied, aka Customer-Supplied + EncryptionKey (CSEK). + type: string + kmsKeyServiceAccount: + description: 'The service account being used for + the encryption request for the given KMS key. + If absent, the Compute Engine default service + account is used. For example: "kmsKeyServiceAccount": + "name@project_id.iam.gserviceaccount.com/' + type: string + managedKey: + description: The Customer-Managed Encryption Key + references keys managed by the Cloud Key Management + Service. + properties: + kmsKeyName: + description: 'The name of the encryption key + that is stored in Google Cloud KMS. For example: + "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/key_region/cryptoKeys/key' + type: string + type: object + suppliedKey: + description: The Customer-Supplied Encryption Key + provides the key used to create or manage a disk. + properties: + rawKey: + description: 'Specifies a 256-bit customer-supplied + encryption key, encoded in RFC 4648 base64 + to either encrypt or decrypt this resource. + You can provide either the rawKey or the rsaEncryptedKey. + For example: "rawKey": "SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0="' + type: string + rsaEncryptedKey: + description: 'Specifies an RFC 4648 base64 encoded, + RSA-wrapped 2048-bit customer-supplied encryption + key to either encrypt or decrypt this resource. + You can provide either the rawKey or the rsaEncryptedKey. + For example: "rsaEncryptedKey": "ieCx/NcW06PcT7Ep1X6LUTc/hLvUDYyzSZPPVCVPTVEohpeHASqC8uw5TzyO9U+Fka9JFHi + z0mBibXUInrC/jEk014kCK/NPjYgEMOyssZ4ZINPKxlUh2zn1bV+MCaTICrdmuSBTWlUUiFoDi + D6PYznLwh8ZNdaheCeZ8ewEXgFQ8V+sDroLaN3Xs3MDTXQEMMoNUXMCZEIpg9Vtp9x2oe==" + The key must meet the following requirements + before you can provide it to Compute Engine: + 1. The key is wrapped using a RSA public key + certificate provided by Google. 2. After being + wrapped, the key must be encoded in RFC 4648 + base64 encoding. Gets the RSA public key certificate + provided by Google at: https://cloud-certs.storage.googleapis.com/google-cloud-csek-ingress.pem' + type: string + type: object + required: + - keyType + type: object size: description: Size is the size of the disk in GBs. Defaults to 30GB. For "local-ssd" size is always 375GB. @@ -242,6 +301,62 @@ spec: (HDD) persistent disk 2. "pd-ssd" - SSD persistent disk Default is "pd-standard".' type: string + rootDiskEncryptionKey: + description: RootDiskEncryptionKey defines the KMS key to + be used to encrypt the root disk. + properties: + keyType: + description: The type of encryption key. Must be either + Managed, aka Customer-Managed Encryption Key (CMEK) + or Supplied, aka Customer-Supplied EncryptionKey (CSEK). + type: string + kmsKeyServiceAccount: + description: 'The service account being used for the encryption + request for the given KMS key. If absent, the Compute + Engine default service account is used. For example: + "kmsKeyServiceAccount": "name@project_id.iam.gserviceaccount.com/' + type: string + managedKey: + description: The Customer-Managed Encryption Key references + keys managed by the Cloud Key Management Service. + properties: + kmsKeyName: + description: 'The name of the encryption key that + is stored in Google Cloud KMS. For example: "kmsKeyName": + "projects/kms_project_id/locations/region/keyRings/key_region/cryptoKeys/key' + type: string + type: object + suppliedKey: + description: The Customer-Supplied Encryption Key provides + the key used to create or manage a disk. + properties: + rawKey: + description: 'Specifies a 256-bit customer-supplied + encryption key, encoded in RFC 4648 base64 to either + encrypt or decrypt this resource. You can provide + either the rawKey or the rsaEncryptedKey. For example: + "rawKey": "SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0="' + type: string + rsaEncryptedKey: + description: 'Specifies an RFC 4648 base64 encoded, + RSA-wrapped 2048-bit customer-supplied encryption + key to either encrypt or decrypt this resource. + You can provide either the rawKey or the rsaEncryptedKey. + For example: "rsaEncryptedKey": "ieCx/NcW06PcT7Ep1X6LUTc/hLvUDYyzSZPPVCVPTVEohpeHASqC8uw5TzyO9U+Fka9JFHi + z0mBibXUInrC/jEk014kCK/NPjYgEMOyssZ4ZINPKxlUh2zn1bV+MCaTICrdmuSBTWlUUiFoDi + D6PYznLwh8ZNdaheCeZ8ewEXgFQ8V+sDroLaN3Xs3MDTXQEMMoNUXMCZEIpg9Vtp9x2oe==" + The key must meet the following requirements before + you can provide it to Compute Engine: 1. The key + is wrapped using a RSA public key certificate provided + by Google. 2. After being wrapped, the key must + be encoded in RFC 4648 base64 encoding. Gets the + RSA public key certificate provided by Google at: + https://cloud-certs.storage.googleapis.com/google-cloud-csek-ingress.pem' + type: string + type: object + required: + - keyType + type: object serviceAccounts: description: 'ServiceAccount specifies the service account email and which scopes to assign to the machine. Defaults