Add support for disk encryption key in GCPMachine

Add support for the disk encryption key for the boot disk and and additional disks.
kubernetes-sigs · Feb 15, 2024 · a2d0fb3 · a2d0fb3
1 parent 9788374
commit a2d0fb3
Show file tree

Hide file tree

Showing 8 changed files with 741 additions and 5 deletions.
diff --git a/api/v1beta1/gcpmachine_types.go b/api/v1beta1/gcpmachine_types.go
@@ -54,6 +54,9 @@ type AttachedDiskSpec struct {
 	// Defaults to 30GB. For "local-ssd" size is always 375GB.
 	// +optional
 	Size *int64 `json:"size,omitempty"`
+	// EncryptionKey defines the KMS key to be used to encrypt the disk.
+	// +optional
+	EncryptionKey *CustomerEncryptionKey `json:"encryptionKey,omitempty"`
 }
 
 // IPForwarding represents the IP forwarding configuration for the GCP machine.
@@ -146,6 +149,65 @@ const (
 	HostMaintenancePolicyTerminate HostMaintenancePolicy = "Terminate"
 )
 
+// KeyType is a type for disk encryption.
+type KeyType string
+
+const (
+	// CustomerManagedKey (CMEK) references an encryption key stored in Google Cloud KMS.
+	CustomerManagedKey KeyType = "Managed"
+	// CustomerSuppliedKey (CSEK) specifies an encryption key to use.
+	CustomerSuppliedKey KeyType = "Supplied"
+)
+
+// ManagedKey is a reference to a key managed by the Cloud Key Management Service.
+type ManagedKey struct {
+	// KMSKeyName is the name of the encryption key that is stored in Google Cloud KMS. For example:
+	// "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/key_region/cryptoKeys/key
+	// +kubebuilder:validation:Required
+	KMSKeyName string `json:"kmsKeyName,omitempty"`
+}
+
+// SuppliedKey contains a key for disk encryption.
+// +kubebuilder:validation:MinProperties=1
+type SuppliedKey struct {
+	// RawKey specifies a 256-bit customer-supplied encryption key, encoded in RFC 4648
+	// base64 to either encrypt or decrypt this resource. You can provide either the rawKey or the rsaEncryptedKey.
+	// For example: "rawKey": "SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0="
+	// +optional
+	RawKey []byte`json:"rawKey,omitempty"`
+	// RSAEncryptedKey specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit customer-supplied encryption
+	// key to either encrypt or decrypt this resource. You can provide either the rawKey or the
+	// rsaEncryptedKey.
+	// For example: "rsaEncryptedKey": "ieCx/NcW06PcT7Ep1X6LUTc/hLvUDYyzSZPPVCVPTVEohpeHASqC8uw5TzyO9U+Fka9JFHi
+	// z0mBibXUInrC/jEk014kCK/NPjYgEMOyssZ4ZINPKxlUh2zn1bV+MCaTICrdmuSBTWlUUiFoDi
+	// D6PYznLwh8ZNdaheCeZ8ewEXgFQ8V+sDroLaN3Xs3MDTXQEMMoNUXMCZEIpg9Vtp9x2oe=="
+	// The key must meet the following requirements before you can provide it to Compute Engine:
+	// 1. The key is wrapped using a RSA public key certificate provided by Google.
+	// 2. After being wrapped, the key must be encoded in RFC 4648 base64 encoding.
+	// Gets the RSA public key certificate provided by Google at: https://cloud-certs.storage.googleapis.com/google-cloud-csek-ingress.pem
+	// +optional
+	RSAEncryptedKey []byte `json:"rsaEncryptedKey,omitempty"`
+}
+
+// CustomerEncryptionKey supports both Customer-Managed or Customer-Supplied encryption keys .
+type CustomerEncryptionKey struct {
+	// KeyType is the type of encryption key. Must be either Managed, aka Customer-Managed Encryption Key (CMEK) or
+	// Supplied, aka Customer-Supplied EncryptionKey (CSEK).
+	// +kubebuilder:validation:Enum=Managed;Supplied
+	KeyType KeyType `json:"keyType"`
+	// KMSKeyServiceAccount is the service account being used for the encryption request for the given KMS key.
+	// If absent, the Compute Engine default service account is used. For example:
+	// "kmsKeyServiceAccount": "name@project_id.iam.gserviceaccount.com/
+	// +optional
+	KMSKeyServiceAccount *string `json:"kmsKeyServiceAccount,omitempty"`
+	// ManagedKey references keys managed by the Cloud Key Management Service. This should be set when KeyType is Managed.
+	// +optional
+	ManagedKey *ManagedKey `json:"managedKey,omitempty"`
+	// SuppliedKey provides the key used to create or manage a disk. This should be set when KeyType is Managed.
+	// +optional
+	SuppliedKey *SuppliedKey `json:"suppliedKey,omitempty"`
+}
+
 // GCPMachineSpec defines the desired state of GCPMachine.
 type GCPMachineSpec struct {
 	// InstanceType is the type of instance to create. Example: n1.standard-2
@@ -252,6 +314,10 @@ type GCPMachineSpec struct {
 	// +kubebuilder:validation:Enum=Enabled;Disabled
 	// +optional
 	ConfidentialCompute *ConfidentialComputePolicy `json:"confidentialCompute,omitempty"`
+
+	// RootDiskEncryptionKey defines the KMS key to be used to encrypt the root disk.
+	// +optional
+	RootDiskEncryptionKey *CustomerEncryptionKey `json:"rootDiskEncryptionKey,omitempty"`
 }
 
 // MetadataItem defines a single piece of metadata associated with an instance.

diff --git a/api/v1beta1/gcpmachine_webhook.go b/api/v1beta1/gcpmachine_webhook.go
@@ -50,7 +50,11 @@ var _ webhook.Validator = &GCPMachine{}
 // ValidateCreate implements webhook.Validator so a webhook will be registered for the type.
 func (m *GCPMachine) ValidateCreate() (admission.Warnings, error) {
 	clusterlog.Info("validate create", "name", m.Name)
-	return nil, validateConfidentialCompute(m.Spec)
+
+	if err := validateConfidentialCompute(m.Spec); err != nil {
+		return nil, err
+	}
+	return nil, validateCustomerEncryptionKey(m.Spec)
 }
 
 // ValidateUpdate implements webhook.Validator so a webhook will be registered for the type.
@@ -117,3 +121,36 @@ func validateConfidentialCompute(spec GCPMachineSpec) error {
 	}
 	return nil
 }
+
+func checkKeyType(key *CustomerEncryptionKey) error {
+	switch key.KeyType {
+	case CustomerManagedKey:
+		if key.ManagedKey == nil || key.SuppliedKey != nil {
+			return fmt.Errorf("CustomerEncryptionKey KeyType of Managed requires only ManagedKey to be set")
+		}
+	case CustomerSuppliedKey:
+		if key.SuppliedKey == nil || key.ManagedKey != nil {
+			return fmt.Errorf("CustomerEncryptionKey KeyType of Supplied requires only SuppliedKey to be set")
+		}
+	default:
+		return fmt.Errorf("Invalid value for CustomerEncryptionKey KeyType %s", key.KeyType)
+	}
+	return nil
+}
+
+func validateCustomerEncryptionKey(spec GCPMachineSpec) error {
+	if spec.RootDiskEncryptionKey != nil {
+		if err := checkKeyType(spec.RootDiskEncryptionKey); err != nil {
+			return err
+		}
+	}
+
+	for _, disk := range spec.AdditionalDisks {
+		if disk.EncryptionKey != nil {
+			if err := checkKeyType(disk.EncryptionKey); err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
diff --git a/api/v1beta1/gcpmachine_webhook_test.go b/api/v1beta1/gcpmachine_webhook_test.go
@@ -85,6 +85,43 @@ func TestGCPMachine_ValidateCreate(t *testing.T) {
 			},
 			wantErr: true,
 		},
+		{
+			name: "GCPMachine with RootDiskEncryptionKey KeyType Managed and Managed field not set",
+			GCPMachine: &GCPMachine{
+				Spec: GCPMachineSpec{
+					RootDiskEncryptionKey: &CustomerEncryptionKey{
+						KeyType: CustomerManagedKey,
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "GCPMachine with RootDiskEncryptionKey KeyType Supplied and Supplied field not set",
+			GCPMachine: &GCPMachine{
+				Spec: GCPMachineSpec{
+					RootDiskEncryptionKey: &CustomerEncryptionKey{
+						KeyType: CustomerSuppliedKey,
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "GCPMachine with AdditionalDisk Encryption KeyType Managed and Managed field not set",
+			GCPMachine: &GCPMachine{
+				Spec: GCPMachineSpec{
+					AdditionalDisks: []AttachedDiskSpec{
+						{
+							EncryptionKey: &CustomerEncryptionKey{
+								KeyType: CustomerManagedKey,
+							},
+						},
+					},
+				},
+			},
+			wantErr: true,
+		},
 	}
 	for _, test := range tests {
 		test := test

diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
diff --git a/cloud/scope/machine.go b/cloud/scope/machine.go
@@ -235,7 +235,7 @@ func (m *MachineScope) InstanceImageSpec() *compute.AttachedDisk {
 		diskType = *t
 	}
 
-	return &compute.AttachedDisk{
+	disk := &compute.AttachedDisk{
 		AutoDelete: true,
 		Boot:       true,
 		InitializeParams: &compute.AttachedDiskInitializeParams{
@@ -245,6 +245,27 @@ func (m *MachineScope) InstanceImageSpec() *compute.AttachedDisk {
 			SourceImage:         sourceImage,
 		},
 	}
+
+	if m.GCPMachine.Spec.RootDiskEncryptionKey != nil {
+		if m.GCPMachine.Spec.RootDiskEncryptionKey.KeyType == infrav1.CustomerManagedKey && m.GCPMachine.Spec.RootDiskEncryptionKey.ManagedKey != nil {
+			disk.DiskEncryptionKey = &compute.CustomerEncryptionKey{
+				KmsKeyName: m.GCPMachine.Spec.RootDiskEncryptionKey.ManagedKey.KMSKeyName,
+			}
+			if m.GCPMachine.Spec.RootDiskEncryptionKey.KMSKeyServiceAccount != nil {
+				disk.DiskEncryptionKey.KmsKeyServiceAccount = *m.GCPMachine.Spec.RootDiskEncryptionKey.KMSKeyServiceAccount
+			}
+		} else if m.GCPMachine.Spec.RootDiskEncryptionKey.KeyType == infrav1.CustomerSuppliedKey && m.GCPMachine.Spec.RootDiskEncryptionKey.SuppliedKey != nil {
+			disk.DiskEncryptionKey = &compute.CustomerEncryptionKey{
+				RawKey:          string(m.GCPMachine.Spec.RootDiskEncryptionKey.SuppliedKey.RawKey),
+				RsaEncryptedKey: string(m.GCPMachine.Spec.RootDiskEncryptionKey.SuppliedKey.RSAEncryptedKey),
+			}
+			if m.GCPMachine.Spec.RootDiskEncryptionKey.KMSKeyServiceAccount != nil {
+				disk.DiskEncryptionKey.KmsKeyServiceAccount = *m.GCPMachine.Spec.RootDiskEncryptionKey.KMSKeyServiceAccount
+			}
+		}
+	}
+
+	return disk
 }
 
 // InstanceAdditionalDiskSpec returns compute instance additional attched-disk spec.
@@ -269,6 +290,25 @@ func (m *MachineScope) InstanceAdditionalDiskSpec() []*compute.AttachedDisk {
 			// https://cloud.google.com/compute/docs/disks/local-ssd#choose_an_interface
 			additionalDisk.Interface = "NVME"
 		}
+		if disk.EncryptionKey != nil {
+			if m.GCPMachine.Spec.RootDiskEncryptionKey.KeyType == infrav1.CustomerManagedKey && m.GCPMachine.Spec.RootDiskEncryptionKey.ManagedKey != nil {
+				additionalDisk.DiskEncryptionKey = &compute.CustomerEncryptionKey{
+					KmsKeyName: m.GCPMachine.Spec.RootDiskEncryptionKey.ManagedKey.KMSKeyName,
+				}
+				if m.GCPMachine.Spec.RootDiskEncryptionKey.KMSKeyServiceAccount != nil {
+					additionalDisk.DiskEncryptionKey.KmsKeyServiceAccount = *m.GCPMachine.Spec.RootDiskEncryptionKey.KMSKeyServiceAccount
+				}
+			} else if m.GCPMachine.Spec.RootDiskEncryptionKey.KeyType == infrav1.CustomerSuppliedKey && m.GCPMachine.Spec.RootDiskEncryptionKey.SuppliedKey != nil {
+				additionalDisk.DiskEncryptionKey = &compute.CustomerEncryptionKey{
+					RawKey:          string(m.GCPMachine.Spec.RootDiskEncryptionKey.SuppliedKey.RawKey),
+					RsaEncryptedKey: string(m.GCPMachine.Spec.RootDiskEncryptionKey.SuppliedKey.RSAEncryptedKey),
+				}
+				if m.GCPMachine.Spec.RootDiskEncryptionKey.KMSKeyServiceAccount != nil {
+					additionalDisk.DiskEncryptionKey.KmsKeyServiceAccount = *m.GCPMachine.Spec.RootDiskEncryptionKey.KMSKeyServiceAccount
+				}
+			}
+		}
+
 		additionalDisks = append(additionalDisks, additionalDisk)
 	}