Skip to content

Add CMEK support #211

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Dec 26, 2018
Merged

Add CMEK support #211

merged 2 commits into from
Dec 26, 2018

Conversation

saad-ali
Copy link
Contributor

Modify the CreateVolume code to accept a new opaque parameter: disk-encryption-kms-key.

The value of this new parameter must be the fully qualified identifier for the key that will be used to encrypt new disks (e.g. projects/[KMS_PROJECT_ID]/locations/[REGION]/keyRings/[KEY_RING]/cryptoKeys/[KEY]).

The key must exist prior to provisioning.

E2E tests will be added in a follow-up PR (need to figure out how to enable KMS and provision key as part of test).

/assign @msau42

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Dec 20, 2018
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: saad-ali

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 20, 2018
@k8s-ci-robot k8s-ci-robot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Dec 20, 2018
@saad-ali
Copy link
Contributor Author

/hold
Manual testing to verify functionality

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Dec 20, 2018
@saad-ali
Copy link
Contributor Author

Manually verified that encrypted disk is able to be provisioned via dynamic provision, used by a pod, and automatically deleted when pod and PVC are deleted

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Dec 20, 2018
@saad-ali
Copy link
Contributor Author

/test pull-gcp-compute-persistent-disk-csi-driver-e2e

1 similar comment
@saad-ali
Copy link
Contributor Author

/test pull-gcp-compute-persistent-disk-csi-driver-e2e

msau42
msau42 reviewed Dec 20, 2018
View reviewed changes
pkg/gce-pd-csi-driver/controller_test.go
CapacityBytes: common.GbToBytes(20),
VolumeId: testVolumeId,
VolumeContext: nil,
AccessibleTopology: stdTopology,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is the Key something that would be ok/useful to add as part of the VolumeContext?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is not necessary. Once a volume is provisioned, GCE knows that the key is required and it does not explicitly need to be passed in for attach or mount.

@davidz627
Copy link
Contributor

/assign

@saad-ali
Copy link
Contributor Author

@davidz627 any idea why pull-gcp-compute-persistent-disk-csi-driver-e2e is failing? Everything seems to be working fine in my manual testing.

@kubernetes-sigs kubernetes-sigs deleted a comment from msau42 Dec 21, 2018
@davidz627
Copy link
Contributor

looks like its timing out, not sure why your change would make it take much longer but the timeout (10m) is pretty short anyway, I'll bump it

@davidz627 davidz627 mentioned this pull request Dec 21, 2018
Closed
@davidz627
Copy link
Contributor

/lgtm
Insert disk parameter lists are getting pretty long, we should probably pack them into a struct at some point. Not necessary to make the change in this PR unless you want to.

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Dec 21, 2018
@saad-ali
Copy link
Contributor Author

/test pull-gcp-compute-persistent-disk-csi-driver-e2e

@k8s-ci-robot k8s-ci-robot merged commit dd58da4 into kubernetes-sigs:master Dec 26, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@msau42 msau42 msau42 left review comments

@davidz627 davidz627 Awaiting requested review from davidz627

@jingxu97 jingxu97 Awaiting requested review from jingxu97

Assignees

@davidz627 davidz627

@msau42 msau42

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@saad-ali @k8s-ci-robot @davidz627 @msau42