feat/4-kms

[karbyshevds]

closes #4

Changes

• Create encrypted storage class and make it default
• Encrypt cloud storages
• Encrypt k8s node drives (including boot drives)

Cloud provider specific changes

GCP

• Update providers to use KMS encryption features from beta
• Enable CSI driver addon

AWS

• Create separate service-linked role for each cluster to prevent default autoscaling role access to all KMS keys
• Add KMS key grants to service-linked role to be able to attach & use encrypted EBS volumes to EC2 instances in autoscaling groups
• Add KMS key permissions to EKS cluster IAM role to be able to create & attach encrypted EBS as PV

Azure

• Separate encryption set is created for each cluster
• kms_vault_id is also required as parameter - looks like this is the only way to grant required permissions to encryption set
• k8s version 1.17+ required (see here)

Profile changes:

• Azure:

  cloud.azure.kms_key_id param added, e.x.: "https://KEY_URL" kms_vault_id param added, e.x.: "/subscriptions/SUBSCRIPTION_ID/resourceGroups/RESOURCE_GROUP/providers/Microsoft.KeyVault/vaults/KEY_VAULT"

• AWS:

  cloud.aws.kms_key_arn param added

• GCP:

  cloud.gcp.kms_key_id param added, e.x.: "projects/PROJECT/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY"