Tasks
Machine Class Changes
[x] Addition of kmsKeyName to the provider spec, mapped to kmsKeyName inside the GCP CustomerEncryptionKey struct.
Machine Controller Manager GCP Provider Changes
There is no need for a separate kmsKeyServiceAccountName field, since the current GCPProviderSpec already has ServiceAccounts []GCPServiceAccount and introducing another would be redundant. (NOTE: clarify why this is a slice, since technically a VM can be associated with only ONE service account.)
[x] Enhancement of GCPProviderSpec.GCPDisk with a KMS key name field.
[x] Enhancement of GCPDisk handling so that AttachedDisks are populated with the right encryption key, using the key name from the machine class (which originates in the shoot YAML).
[x] Enhancement of CreateMachine -> CreateMachineUtil to ensure that compute.Instances are launched with encrypted disks, populating the CustomerEncryptionKey struct using the kmsKeyName and optionally the kmsKeyServiceAccountName taken from the GCPProviderSpec.
[x] Unit tests
[x] End to End tests
GCP Provider Extension
[x] Enhance github.com/gardener/gardener-extension-provider-gcp/pkg/apis/gcp.WorkerConfig in a backward incompatible manner to add fields for both bootVolume and dataVolume, each containing an encryption key name: kmsKeyName.
[x] Enhance the machine deployment generation code in generateMachineConfig to generate machine classes with kmsKeyName and optionally kmsKeyServiceAccountName in the provider spec.
[x] Unit Tests
[x] End to End Tests
[x] Resolve the addition of IAM policy bindings on the keys for the service accounts.
[x] Resolve whether roles/cloudkms.admin or roles/cloudkms.cryptoKeyEncrypterDecrypter is sufficient. FINDING: roles/cloudkms.cryptoKeyEncrypterDecrypter is sufficient for encrypted disks. roles/cloudkms.admin is only needed for creation/deletion and general administration of keys.
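The three pieces of the task list that carry logic (the generateMachineConfig mapping of worker-config key names into machine-class disks, the CreateMachineUtil population of CustomerEncryptionKey on each AttachedDisk, and the IAM finding that roles/cloudkms.cryptoKeyEncrypterDecrypter is all a key needs) are shown together below as an added, self-contained Go example. It is not code from machine-controller-manager-provider-gcp or gardener-extension-provider-gcp: the struct shapes are simplified stand-ins for the real WorkerConfig, GCPDisk and compute API types, the function names are invented for this illustration, the sample worker config is constructed, and the defaultMember argument is a placeholder for whichever identity GCP uses for the encryption request when no kmsKeyServiceAccount is set.

```go
package main

import (
	"fmt"
	"regexp"
)

// kmsKeyName must be a fully qualified cryptoKey resource name; DiskKeyRole is the role the
// finding above says is sufficient for encrypted disks (cloudkms.admin is not needed).
var kmsKeyNameRe = regexp.MustCompile(`^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$`)
const DiskKeyRole = "roles/cloudkms.cryptoKeyEncrypterDecrypter"

// Assumed, simplified stand-ins for the worker config, the machine-class provider spec
// and the compute API types; the real structs carry many more fields.
type (
	DiskEncryption struct{ KmsKeyName, KmsKeyServiceAccount string } // service account is optional
	WorkerConfig   struct {
		BootVolume  *DiskEncryption   // nil = unencrypted boot disk
		DataVolumes []*DiskEncryption // one entry per data volume, nil = unencrypted
	}
	GCPDisk struct {
		Boot       bool
		SizeGb     int64
		Encryption *DiskEncryption
	}
	CustomerEncryptionKey struct{ KmsKeyName, KmsKeyServiceAccount string }
	AttachedDisk          struct {
		Boot              bool
		DiskSizeGb        int64
		DiskEncryptionKey *CustomerEncryptionKey
	}
	Binding struct{ Key, Member, Role string } // one IAM policy binding required on a key
)

// GenerateMachineClassDisks is the generateMachineConfig step: boot volume and data volumes become
// provider-spec disks carrying the key name, validated so a malformed name fails at reconcile time.
func GenerateMachineClassDisks(wc WorkerConfig, bootSizeGb int64, dataSizesGb []int64) ([]GCPDisk, error) {
	if len(dataSizesGb) != len(wc.DataVolumes) {
		return nil, fmt.Errorf("%d data volume sizes for %d data volume configs", len(dataSizesGb), len(wc.DataVolumes))
	}
	disks := []GCPDisk{{Boot: true, SizeGb: bootSizeGb, Encryption: wc.BootVolume}}
	for i, dv := range wc.DataVolumes {
		disks = append(disks, GCPDisk{SizeGb: dataSizesGb[i], Encryption: dv})
	}
	for _, d := range disks {
		if d.Encryption != nil && !kmsKeyNameRe.MatchString(d.Encryption.KmsKeyName) {
			return nil, fmt.Errorf("kmsKeyName %q is not a fully qualified cryptoKey name", d.Encryption.KmsKeyName)
		}
	}
	return disks, nil
}

// BuildAttachedDisks is the CreateMachineUtil step: every disk carrying a key name gets a
// DiskEncryptionKey; disks without one are left to Google-managed encryption.
func BuildAttachedDisks(disks []GCPDisk) []AttachedDisk {
	out := make([]AttachedDisk, 0, len(disks))
	for _, d := range disks {
		ad := AttachedDisk{Boot: d.Boot, DiskSizeGb: d.SizeGb}
		if e := d.Encryption; e != nil {
			ad.DiskEncryptionKey = &CustomerEncryptionKey{KmsKeyName: e.KmsKeyName, KmsKeyServiceAccount: e.KmsKeyServiceAccount}
		}
		out = append(out, ad)
	}
	return out
}

// RequiredBindings lists the distinct (key, member) pairs that must hold DiskKeyRole before the
// instance can be created. defaultMember (assumed, caller-supplied) stands in for the identity
// GCP uses when kmsKeyServiceAccount is empty.
func RequiredBindings(disks []AttachedDisk, defaultMember string) []Binding {
	seen, out := map[Binding]bool{}, []Binding(nil)
	for _, d := range disks {
		k := d.DiskEncryptionKey
		if k == nil {
			continue
		}
		member := defaultMember
		if k.KmsKeyServiceAccount != "" {
			member = "serviceAccount:" + k.KmsKeyServiceAccount
		}
		if b := (Binding{k.KmsKeyName, member, DiskKeyRole}); !seen[b] {
			seen[b] = true
			out = append(out, b)
		}
	}
	return out
}

func main() {
	// Constructed sample: boot and first data disk share a key via a dedicated service account.
	key := "projects/p1/locations/europe-west1/keyRings/r1/cryptoKeys/k1"
	wc := WorkerConfig{BootVolume: &DiskEncryption{key, "disk-enc@p1.iam.gserviceaccount.com"},
		DataVolumes: []*DiskEncryption{{key, "disk-enc@p1.iam.gserviceaccount.com"}, nil}}
	disks, err := GenerateMachineClassDisks(wc, 50, []int64{100, 200})
	if err != nil {
		panic(err)
	}
	for _, b := range RequiredBindings(BuildAttachedDisks(disks), "serviceAccount:<compute-service-agent>") {
		fmt.Printf("grant %s on %s to %s\n", b.Role, b.Key, b.Member)
	}
}
```

The binding list is what the "IAM policy bindings to keys wrt service accounts" item has to guarantee before CreateMachine runs: a disk whose key lacks the encrypter/decrypter binding for its service account fails at instance creation, and a disk with no kmsKeyServiceAccount falls back to GCP's default identity, which then needs the same role on the key.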
Timeline
[x] Gardener extension release (22nd June)
[x] MCM-provider GCP (16 June) (Done on 8th June)
Live update (28th June), Canary Freeze (22nd June)
Target the releases from our side -> 16th June
Testing
Multiple GCP Service Accounts
[x] Test VM launch with multiple GCP service accounts.
[x] Test different KMS keys for different disks, granting these GCP service accounts access to the keys.
[x] Test with old and new shoot YAMLs (backward compatibility testing).
What would you like to be added:
Why is this needed: To support https://github.com/gardener/gardener-extension-provider-gcp/issues/564 for ITAR