Merge pull request #222 from leiyiz/release-1.1

cherry pick #214 into release-1.1

README.md

@@ -48,11 +48,12 @@ volume. Customizable parameters for volume creation include:
 
 | Parameter         | Values                  | Default                                | Description |
 | ---------------   | ----------------------- |-----------                             | ----------- |
-| tier              | "standard"<br>"premium"<br>"enterprise" | "standard"                             | storage performance tier |
+| tier              | "standard"<br>"premium"<br>"enterprise" | "standard"             | storage performance tier |
 | network           | string                  | "default"                              | VPC name<br>When using "PRIVATE_SERVICE_ACCESS" connect-mode, network needs to be the full VPC name |
 | reserved-ipv4-cidr| string		              | ""                                     | CIDR range to allocate Filestore IP Ranges from.<br>The CIDR must be large enough to accommodate multiple Filestore IP Ranges of /29 each, /24 if enterprise tier is used |
 | reserved-ip-range | string		              | ""                                     | IP range to allocate Filestore IP Ranges from.<br>This flag is used instead of "reserved-ipv4-cidr" when "connect-mode" is set to "PRIVATE_SERVICE_ACCESS" and the value must be an [allocated IP address range](https://cloud.google.com/compute/docs/ip-addresses/reserve-static-internal-ip-address).<br>The IP range must be large enough to accommodate multiple Filestore IP Ranges of /29 each, /24 if enterprise tier is used |
 | connect-mode      | "DIRECT_PEERING"<br>"PRIVATE_SERVICE_ACCESS" | "DIRECT_PEERING"  | The network connect mode of the Filestore instance.<br>To provision Filestore instance with shared-vpc from service project, PRIVATE_SERVICE_ACCESS mode must be used |
+| instance-encryption-kms-key | string        | ""                                     | Fully qualified resource identifier for the key to use to encrypt new instances. |
 
 For Kubernetes clusters, these parameters are specified in the StorageClass.
 

pkg/cloud_provider/file/file.go

@@ -37,14 +37,15 @@ import (
 )
 
 type ServiceInstance struct {
-	Project  string
-	Name     string
-	Location string
-	Tier     string
-	Network  Network
-	Volume   Volume
-	Labels   map[string]string
-	State    string
+	Project    string
+	Name       string
+	Location   string
+	Tier       string
+	Network    Network
+	Volume     Volume
+	Labels     map[string]string
+	State      string
+	KmsKeyName string
 }
 
 type Volume struct {
@@ -129,17 +130,19 @@ func (manager *gcfsServiceManager) CreateInstance(ctx context.Context, obj *Serv
 				ConnectMode:     obj.Network.ConnectMode,
 			},
 		},
-		Labels: obj.Labels,
+		KmsKeyName: obj.KmsKeyName,
+		Labels:     obj.Labels,
 	}
 
-	glog.V(4).Infof("Creating instance %v: location %v, tier %v, capacity %v, network %v, ipRange %v, connectMode %v, labels %v",
+	glog.V(4).Infof("Creating instance %q: location %q, tier %q, capacity %v, network %q, ipRange %q, connectMode %q, KmsKeyName %q, labels %v",
 		obj.Name,
 		obj.Location,
 		betaObj.Tier,
 		betaObj.FileShares[0].CapacityGb,
 		betaObj.Networks[0].Network,
 		betaObj.Networks[0].ReservedIpRange,
 		betaObj.Networks[0].ConnectMode,
+		betaObj.KmsKeyName,
 		betaObj.Labels)
 	op, err := manager.instancesService.Create(locationURI(obj.Project, obj.Location), betaObj).InstanceId(obj.Name).Context(ctx).Do()
 	if err != nil {
@@ -176,18 +179,20 @@ func (manager *gcfsServiceManager) CreateInstanceFromBackupSource(ctx context.Co
 				ConnectMode:     obj.Network.ConnectMode,
 			},
 		},
-		Labels: obj.Labels,
-		State:  obj.State,
+		KmsKeyName: obj.KmsKeyName,
+		Labels:     obj.Labels,
+		State:      obj.State,
 	}
 
-	glog.V(4).Infof("Creating instance %v: location %v, tier %v, capacity %v, network %v, ipRange %v, connectMode %v, labels %v backup source %v",
+	glog.V(4).Infof("Creating instance %q: location %v, tier %q, capacity %v, network %q, ipRange %q, connectMode %q, KmsKeyName %q, labels %v backup source %q",
 		obj.Name,
 		obj.Location,
 		instance.Tier,
 		instance.FileShares[0].CapacityGb,
 		instance.Networks[0].Network,
 		instance.Networks[0].ReservedIpRange,
 		instance.Networks[0].ConnectMode,
+		instance.KmsKeyName,
 		instance.Labels,
 		instance.FileShares[0].SourceBackup)
 	op, err := manager.instancesService.Create(locationURI(obj.Project, obj.Location), instance).InstanceId(obj.Name).Context(ctx).Do()
@@ -242,8 +247,9 @@ func cloudInstanceToServiceInstance(instance *filev1beta1.Instance) (*ServiceIns
 			ReservedIpRange: instance.Networks[0].ReservedIpRange,
 			ConnectMode:     instance.Networks[0].ConnectMode,
 		},
-		Labels: instance.Labels,
-		State:  instance.State,
+		KmsKeyName: instance.KmsKeyName,
+		Labels:     instance.Labels,
+		State:      instance.State,
 	}, nil
 }
 
@@ -261,6 +267,10 @@ func CompareInstances(a, b *ServiceInstance) error {
 	if a.Network.Name != b.Network.Name {
 		mismatches = append(mismatches, "network name")
 	}
+	// Filestore API does not include key version info in the Instance object, simple string comparison will work
+	if a.KmsKeyName != b.KmsKeyName {
+		mismatches = append(mismatches, "kms key name")
+	}
 
 	if len(mismatches) > 0 {
 		return fmt.Errorf("instance %v already exists but doesn't match expected: %+v", a.Name, mismatches)
@@ -341,16 +351,18 @@ func (manager *gcfsServiceManager) ResizeInstance(ctx context.Context, obj *Serv
 				ConnectMode:     obj.Network.ConnectMode,
 			},
 		},
+		KmsKeyName: obj.KmsKeyName,
 	}
 
-	glog.V(4).Infof("Patching instance %v: location %v, tier %v, capacity %v, network %v, ipRange %v, connectMode %v",
+	glog.V(4).Infof("Patching instance %q: location %q, tier %q, capacity %v, network %q, ipRange %q, connectMode %q, KmsKeyName %q",
 		obj.Name,
 		obj.Location,
 		betaObj.Tier,
 		betaObj.FileShares[0].CapacityGb,
 		betaObj.Networks[0].Network,
 		betaObj.Networks[0].ReservedIpRange,
 		betaObj.Networks[0].ConnectMode,
+		betaObj.KmsKeyName,
 	)
 	op, err := manager.instancesService.Patch(instanceuri, betaObj).UpdateMask(fileShareUpdateMask).Context(ctx).Do()
 	if err != nil {

pkg/csi_driver/controller.go

@@ -55,12 +55,13 @@ const (
 
 // CreateVolume parameters
 const (
-	paramTier             = "tier"
-	paramLocation         = "location"
-	paramNetwork          = "network"
-	paramReservedIPV4CIDR = "reserved-ipv4-cidr"
-	paramReservedIPRange  = "reserved-ip-range"
-	paramConnectMode      = "connect-mode"
+	paramTier                     = "tier"
+	paramLocation                 = "location"
+	paramNetwork                  = "network"
+	paramReservedIPV4CIDR         = "reserved-ipv4-cidr"
+	paramReservedIPRange          = "reserved-ip-range"
+	paramConnectMode              = "connect-mode"
+	paramInstanceEncryptionKmsKey = "instance-encryption-kms-key"
 
 	// Keys for PV and PVC parameters as reported by external-provisioner
 	ParameterKeyPVCName      = "csi.storage.k8s.io/pvc/name"
@@ -393,6 +394,7 @@ func (s *controllerServer) generateNewFileInstance(name string, capBytes int64,
 	tier := defaultTier
 	network := defaultNetwork
 	connectMode := directPeering
+	kmsKeyName := ""
 
 	// Validate parameters (case-insensitive).
 	for k, v := range params {
@@ -414,6 +416,8 @@ func (s *controllerServer) generateNewFileInstance(name string, capBytes int64,
 			if connectMode != directPeering && connectMode != privateServiceAccess {
 				return nil, fmt.Errorf("connect mode can only be one of %q or %q", directPeering, privateServiceAccess)
 			}
+		case paramInstanceEncryptionKmsKey:
+			kmsKeyName = v
 		// Ignore the cidr flag as it is not passed to the cloud provider
 		// It will be used to get unreserved IP in the reserveIPV4Range function
 		// ignore IPRange flag as it will be handled at the same place as cidr
@@ -425,6 +429,9 @@ func (s *controllerServer) generateNewFileInstance(name string, capBytes int64,
 			return nil, fmt.Errorf("invalid parameter %q", k)
 		}
 	}
+	if kmsKeyName != "" && tier != enterpriseTier {
+		return nil, fmt.Errorf("KMS Key data encryption is only supported for enterprise tier instances")
+	}
 	return &file.ServiceInstance{
 		Project:  s.config.cloud.Project,
 		Name:     name,
@@ -438,6 +445,7 @@ func (s *controllerServer) generateNewFileInstance(name string, capBytes int64,
 			Name:      newInstanceVolume,
 			SizeBytes: capBytes,
 		},
+		KmsKeyName: kmsKeyName,
 	}, nil
 }
 

pkg/csi_driver/controller_test.go

@@ -33,6 +33,7 @@ import (
 const (
 	testProject          = "test-project"
 	testLocation         = "us-central1-c"
+	testRegion           = "us-central1"
 	testIP               = "1.1.1.1"
 	testCSIVolume        = "test-csi"
 	testCSIVolume2       = "test-csi-2"
@@ -508,6 +509,38 @@ func TestGenerateNewFileInstance(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "custom params, customer kms key",
+			params: map[string]string{
+				paramTier:                       enterpriseTier,
+				paramInstanceEncryptionKmsKey:   "foo-key",
+				"csiProvisionerSecretName":      "foo-secret",
+				"csiProvisionerSecretNamespace": "foo-namespace",
+			},
+			instance: &file.ServiceInstance{
+				Project:  testProject,
+				Name:     testCSIVolume,
+				Location: testRegion,
+				Tier:     enterpriseTier,
+				Network: file.Network{
+					Name:        defaultNetwork,
+					ConnectMode: directPeering,
+				},
+				Volume: file.Volume{
+					Name:      newInstanceVolume,
+					SizeBytes: testBytes,
+				},
+				KmsKeyName: "foo-key",
+			},
+		},
+		{
+			name: "non-enterprise tier, customer kms key",
+			params: map[string]string{
+				paramTier:                     "foo-tier",
+				paramInstanceEncryptionKmsKey: "foo-key",
+			},
+			expectErr: true,
+		},
 		{
 			name: "invalid params",
 			params: map[string]string{