GoogleCloudPlatform / k8s-config-connector

GCP Config Connector, a Kubernetes add-on for managing GCP resources
https://cloud.google.com/config-connector/docs/overview
Apache License 2.0
Support rsaEncryptedKey on ComputeInstance #845

Open milesarmstrong opened 1 year ago

milesarmstrong commented 1 year ago

Checklist

Describe the feature or resource

The ComputeInstance resource supports spec.bootDisk.diskEncryptionKeyRaw only.

The REST API for instances supports disks[].diskEncryptionKey.rsaEncryptedKey.

Please add ComputeInstance support for RSA-wrapped CSEKs.

Note: It looks like ComputeDisk supports spec.diskEncryptionKey.rsaEncryptedKey, but we need a boot disk that is deleted when the instance is deleted, hence needing support in ComputeInstance.

Additional information

https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#encrypt_a_new_persistent_disk_with_csek

https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#gcloud

Importance

This is currently a blocker. I will open a Google Cloud Support case as well.

milesarmstrong commented 1 year ago

Support Case: 46330995

diviner524 commented 1 year ago

@milesarmstrong This particular resource, ComputeInstance, is implemented based on Terraform, so it may require an update in the underlying Terraform resource first. [1]

We have received the case, and we are working with the Terraform team internally to see if they can prioritize the update. It will also be helpful if you can provide more context and share the importance of the feature request to GCP support.

This will help the Terraform team to prioritize the required work.

[1] https://registry.terraform.io/providers/hashicorp/google-beta/latest/docs/resources/compute_instance#initialize_params