Enhancement to support CMEK Encrypted Disks

[elankath]

What would you like to be added:

1. End to end changes required to support CMEK Encrypted disks. See source requirement at: https://github.com/gardener/gardener-extension-provider-gcp/issues/564

Why is this needed: To support https://github.com/gardener/gardener-extension-provider-gcp/issues/564 for ITAR

Tasks

Machine Class Changes

• [x] Addition of kmsKeyName and in the provider spec to map inside kmsKeyName in GCP CustomerEncryptionKey Machine Controller Manager GCP Provider Changes. There is no need for separate specification of kmsKeyServiceAccountName since the current GCPProviderSpec already has a ServiceAccounts []GCPServiceAccount and introducing another would be redundant. (NOTE: Clarify why is this a slice since technically a VM can be associated with only ONE service account)
• [x] Enhancement of GCPProviderSpec.GCPDisk with kms key name field.
• [x] Enhancement of GCPDisk such that AttachedDisks are populated using the right encryption key using key name from the machine class, whose origin source is in the shoot yaml.
• [x] Enhancement of CreateMachine->CreateMachineUtil to ensure that compute.Instances are launched with encrypted disks populating the CustomerEncryptionKey struct appropriately using the kmsKeyName and optionally kmsKeyServiceAccountName taken from the GCPProviderSpec.
• [x] Unit tests
• [x] End to End tests

GCP Provider Extension

• [x] Enhance github.com/gardener/gardener-extension-provider-gcp/pkg/apis/gcp.WorkerConfig in backward incompatible manner to add fields for both bootVolume and dataVolume, each containing encryption key names: kmsKeyName
• [x] Enhance the machine deployment generation code in generateMachineConfig to generate machine classes with kmsKeyName and optionally kmsKeyServiceAccountName in the provider spec.
• [x] Unit Tests
• [x] End to End Tests
• [x] Resolve addition of IAM Policy bindings to keys wrt service accounts
• [x] Resolve on whether whether roles/cloudkms.admin or roles/cloudkms.cryptoKeyEncrypterDecrypter is sufficient. FINDING: roles/cloudkms.cryptoKeyEncrypterDecrypter is sufficient for encrypted disks. roles/cloudkms.admin is only needed for creation/deletion and general admin of keys.

Timeline

• [x] Gardener extension release (22nd June)
• [x] MCM-provider GCP (16 June) (Done on 8th June)

Live update (28th June) , Canary Freeze (22nd June)

Target the releases from our side -> 16th June

Testing

Multiple GCP Service Accounts

• [x] Test VM launch with multiple GCP service accounts.
• [x] Test diff KMS keys for diff disks giving privilege to these GCP service accounts.
• [x] Test with old shoot YAMLs and new shoot YAMLs. Backward compat testing

[gardener-robot]

FYI, any commands from a description edit will not be applied, please create a new comment with the desired command.

[himanshu-kun]

/reopen