Add support for disk encryption key in GCPMachine

[bfournie]

What type of PR is this?

What this PR does / why we need it:

Add support for the disk encryption key for the boot disk and and additional disks in the GCP machine.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

Special notes for your reviewer:

Please confirm that if this PR changes any image versions, then that's the sole change this PR makes.

TODOs:

• squashed commits
• includes documentation
• adds unit tests

Release note:

Add support for disk encryption key in GCPMachine

[k8s-ci-robot]

Welcome @bfournie!

It looks like this is your first PR to kubernetes-sigs/cluster-api-provider-gcp 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/cluster-api-provider-gcp has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @bfournie. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[damdo]

LGTM bare API comments from @JoelSpeed
Thanks @bfournie

[damdo]

/ok-to-test
/assign @cpanato @richardcase

[cpanato]

/test ls

[k8s-ci-robot]

@cpanato: The specified target(s) for /test were not found.
The following commands are available to trigger required jobs:

• /test pull-cluster-api-provider-gcp-build
• /test pull-cluster-api-provider-gcp-e2e-test
• /test pull-cluster-api-provider-gcp-make
• /test pull-cluster-api-provider-gcp-test
• /test pull-cluster-api-provider-gcp-verify

The following commands are available to trigger optional jobs:

• /test pull-cluster-api-provider-gcp-apidiff
• /test pull-cluster-api-provider-gcp-capi-e2e
• /test pull-cluster-api-provider-gcp-conformance
• /test pull-cluster-api-provider-gcp-conformance-ci-artifacts
• /test pull-cluster-api-provider-gcp-coverage
• /test pull-cluster-api-provider-gcp-coverage-release-1-4
• /test pull-cluster-api-provider-gcp-coverage-release-1-5
• /test pull-cluster-api-provider-gcp-e2e-workload-upgrade

Use /test all to run the following jobs that were automatically triggered:

• pull-cluster-api-provider-gcp-apidiff
• pull-cluster-api-provider-gcp-build
• pull-cluster-api-provider-gcp-e2e-test
• pull-cluster-api-provider-gcp-make
• pull-cluster-api-provider-gcp-test
• pull-cluster-api-provider-gcp-verify

In response to this:

/test ls

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[cpanato]

/test pull-cluster-api-provider-gcp-conformance

[JoelSpeed]

Does GCP specify any constraints for the name of the KMS key? Upper case? Lower case? Certain special characters allowed? MInimum or maximum length? All of this could be validated at admission time to prevent errors down the line

[bfournie]

So unless I'm missing something I don't see constraints defined in the API https://pkg.go.dev/google.golang.org/api/compute/v1#CustomerEncryptionKey or in validations. I'm leery to add additional limit checks here unless its well defined.

[JoelSpeed]

When trying to create a key, it gives me

Key names can contain letters, numbers, underscores (_), and hyphens (-). Keys can't be renamed or deleted.

I believe that is also true of project IDs and regions so we probably can limit to that selection plus the slashes required

[richardcase]

Thanks for testing that @JoelSpeed.

[bfournie]

Thanks, I'll add a check in the webhook.Validator.

[JoelSpeed]

Did the rule cost come up before or after you added the maxlength? The maxlength is an important factor in the rule cost estimations

[richardcase]

@JoelSpeed - you make a good point about kubebuilder validations/CEL vs webhook validation. I think part of the current reliance on webhook validation in CAPI is historical because CEL wasn't available for more complex validation logic.

[bfournie]

The rule cost error came up when using the 3 XValidation rules. With MaxLength validation plus one XValidation it did not cause an error.

[JoelSpeed]

I was speaking with @vincepri last week and we think there's merit in having a community wide conversation about API review and CEL vs webhook validations. In a couple of weeks I have some time to put together some ideas which I'll bring to the community call for discussion

[bfournie]

Sounds good. Hopefully we can get this merged and revisit the validations after the discussion.

[netlify]

✅ Deploy Preview for kubernetes-sigs-cluster-api-gcp ready!

Name	Link
🔨 Latest commit	0c780af
🔍 Latest deploy log	https://app.netlify.com/sites/kubernetes-sigs-cluster-api-gcp/deploys/65df64752a95ad0008f7e7b1
😎 Deploy Preview	https://deploy-preview-1137--kubernetes-sigs-cluster-api-gcp.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[JoelSpeed]

I was speaking with @vincepri last week and we think there's merit in having a community wide conversation about API review and CEL vs webhook validations. In a couple of weeks I have some time to put together some ideas which I'll bring to the community call for discussion

[JoelSpeed]

/lgtm

[cpanato]

thanks

/approve

/hold for @richardcase as he did some reviews as well

[damdo]

/lgtm

Let's see what @richardcase thinks

[richardcase]

Looks good to me, thanks @bfournie . Good discussion on CEL as part of this 👍

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bfournie, cpanato, richardcase

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [cpanato,richardcase]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[richardcase]

/unhold

[richardcase]

/retest

[damdo]

I asked @bfournie to rebase this on top of main once #1157 merges.
I suspect something in the tooling is breaking (could be the Go version as I've seen this break with Netlify already recently).
So a rebase could help here.

[bfournie]

/retest

[damdo]

/lgtm