68 changes: 68 additions & 0 deletions config/v1/tests/apiservers.config.openshift.io/KMSEncryption.yaml
@@ -0,0 +1,68 @@
apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this
name: "APIServer"
crdName: apiservers.config.openshift.io
featureGates:
- KMSEncryption
- -KMSEncryptionProvider
tests:
onCreate:
- name: Should be able to create with KMS type without kms config
initial: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
encryption:
type: KMS
expected: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
audit:
profile: Default
encryption:
type: KMS
- name: Should be able to create with aescbc encryption
initial: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
encryption:
type: aescbc
expected: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
audit:
profile: Default
encryption:
type: aescbc
- name: Should be able to create with aesgcm encryption
initial: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
encryption:
type: aesgcm
expected: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
audit:
profile: Default
encryption:
type: aesgcm
- name: Should be able to create with identity encryption
initial: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
encryption:
type: identity
expected: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
audit:
profile: Default
encryption:
type: identity
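Review bot: the positive cases in this new file never pin down what the KMSEncryption gate does with a `kms` block when KMSEncryptionProvider is disabled (the `- -KMSEncryptionProvider` entry in featureGates). The first case, "Should be able to create with KMS type without kms config", shows `type: KMS` is accepted with no key configuration at all, but there is no onCreate case for `type: KMS` together with a `kms:` object under this gate set, so a reader cannot tell whether that field is rejected as unknown, pruned, or silently accepted. Add one such case with an explicit `expectedError` (or an `expected:` object showing the field pruned) so the gate semantics are locked in, and consider a negative case with an invalid `type` value so the KMSEncryption enum is exercised on a rejection path rather than only on the accepted values.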
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if w
name: "APIServer"
crdName: apiservers.config.openshift.io
featureGates:
- KMSEncryptionProvider
- KMSEncryptionProvider
tests:
onCreate:
- name: Should be able to create encrypt with KMS for AWS with valid values
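Review bot: the removed and added featureGates entries in this hunk render identically (`- KMSEncryptionProvider`), so the change can only be whitespace or indentation; if so, say that in the PR description or drop it, since a whitespace-only rewrite of the gate list draws a second look for nothing. Note also that the new KMSEncryption.yaml file explicitly disables the other gate with `- -KMSEncryptionProvider`, while this file lists only `- KMSEncryptionProvider` and says nothing about KMSEncryption; if the required-kms behaviour tested in this file is meant to hold with KMSEncryption off, add `- -KMSEncryption` here so the two files are symmetric.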
Expand Down Expand Up @@ -64,7 +64,7 @@ tests:
type: KMS
kms: {}
expectedError: "spec.encryption.kms.type: Required value"
- name: Should fail to create with kms type AWS but without aws config
- name: Should fail to create with kms type AWS but without aws config
initial: |
apiVersion: config.openshift.io/v1
kind: APIServer
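Review bot: same whitespace-only edit as in the previous hunk on the `- name: Should fail to create with kms type AWS but without aws config` line; one sentence in the PR description covers both. The `expectedError: "spec.encryption.kms.type: Required value"` case just above is the only visible check that the `kms` object itself is validated, so make sure this file (in the part not expanded here) also keeps a case that sets `type: KMS` with no `kms` block and expects the "kms config is required when encryption type is KMS" error, because the manifest hunks below delete that rule from at least one generated manifest and this is the place that proves it survives where the provider gate is on.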
1 change: 1 addition & 0 deletions config/v1/types_apiserver.go
Expand Up @@ -212,6 +212,7 @@ type APIServerEncryption struct {

// +openshift:validation:FeatureGateAwareEnum:featureGate="",enum="";identity;aescbc;aesgcm
// +openshift:validation:FeatureGateAwareEnum:featureGate=KMSEncryptionProvider,enum="";identity;aescbc;aesgcm;KMS
// +openshift:validation:FeatureGateAwareEnum:featureGate=KMSEncryption,enum="";identity;aescbc;aesgcm;KMS
type EncryptionType string

const (
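Review bot: the new `FeatureGateAwareEnum` marker for featureGate=KMSEncryption admits `KMS` into the enum, but nothing on `EncryptionType` says that with only that gate enabled `type: KMS` carries no `kms` key reference; the `kms` field and the CEL rule tying it to `type == 'KMS'` remain behind KMSEncryptionProvider, as the manifest diff below shows. Add a sentence to the `EncryptionType` godoc stating what the API server is expected to do when KMS is selected without provider configuration, and confirm a `KMS` constant exists in the `const (` block that follows; a value the enum accepts but the Go constants do not name tends to be missed by consumers switching on the type.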
Original file line number Diff line number Diff line change
Expand Up @@ -158,69 +158,6 @@ spec:
description: encryption allows the configuration of encryption of
resources at the datastore layer.
properties:
kms:
description: |-
kms defines the configuration for the external KMS instance that manages the encryption keys,
when KMS encryption is enabled sensitive resources will be encrypted using keys managed by an
externally configured KMS instance.

The Key Management Service (KMS) instance provides symmetric encryption and is responsible for
managing the lifecyle of the encryption keys outside of the control plane.
This allows integration with an external provider to manage the data encryption keys securely.
properties:
aws:
description: |-
aws defines the key config for using an AWS KMS instance
for the encryption. The AWS KMS instance is managed
by the user outside the purview of the control plane.
properties:
keyARN:
description: |-
keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption.
The value must adhere to the format `arn:aws:kms:<region>:<account_id>:key/<key_id>`, where:
- `<region>` is the AWS region consisting of lowercase letters and hyphens followed by a number.
- `<account_id>` is a 12-digit numeric identifier for the AWS account.
- `<key_id>` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens.
maxLength: 128
minLength: 1
type: string
x-kubernetes-validations:
- message: keyARN must follow the format `arn:aws:kms:<region>:<account_id>:key/<key_id>`.
The account ID must be a 12 digit number and the region
and key ID should consist only of lowercase hexadecimal
characters and hyphens (-).
rule: self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$')
region:
description: |-
region specifies the AWS region where the KMS instance exists, and follows the format
`<region-prefix>-<region-name>-<number>`, e.g.: `us-east-1`.
Only lowercase letters and hyphens followed by numbers are allowed.
maxLength: 64
minLength: 1
type: string
x-kubernetes-validations:
- message: region must be a valid AWS region, consisting
of lowercase characters, digits and hyphens (-) only.
rule: self.matches('^[a-z0-9]+(-[a-z0-9]+)*$')
required:
- keyARN
- region
type: object
type:
description: |-
type defines the kind of platform for the KMS provider.
Available provider types are AWS only.
enum:
- AWS
type: string
required:
- type
type: object
x-kubernetes-validations:
- message: aws config is required when kms provider type is AWS,
and forbidden otherwise
rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws)
: !has(self.aws)'
type:
description: |-
type defines what encryption type should be used to encrypt resources at the datastore layer.
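Review bot: this hunk drops the entire `kms` object from the generated manifest, including the `keyARN` rule `^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$`, the `region` rule, and the "aws config is required when kms provider type is AWS, and forbidden otherwise" rule. The file header for this manifest is not shown, so confirm that it is the manifest generated for the KMSEncryption gate alone (where losing the field is the intended consequence of the gate not carrying the provider marker) and not the manifest that ships when KMSEncryptionProvider is enabled; in the latter case every structural check on the key ARN and region at admission time would be gone. One fix to carry into the Go source regardless: the deleted `keyARN` message says the region "should consist only of lowercase hexadecimal characters and hyphens", but the regex allows `[a-z0-9-]+` for the region and `[a-f0-9-]+` only for the key ID, so the message users see on rejection does not match the rule.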
Expand All @@ -244,11 +181,6 @@ spec:
- KMS
type: string
type: object
x-kubernetes-validations:
- message: kms config is required when encryption type is KMS, and
forbidden otherwise
rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) :
!has(self.kms)'
servingCerts:
description: |-
servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates
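Review bot: with the rule `has(self.type) && self.type == 'KMS' ? has(self.kms) : !has(self.kms)` removed from this manifest, an APIServer with `spec.encryption.type: KMS` and no key configuration is a valid object (the new KMSEncryption.yaml test asserts exactly that). Document, here or on the Go type, which component is responsible for refusing to enable encryption in that state; a controller that treats a missing `kms` block as "not configured" and falls through to another provider would leave the API reporting KMS while the datastore is encrypted with something else. Also check that the `!has(self.kms)` half of the rule is not lost from the provider-enabled manifest, otherwise a `kms` block could be set alongside `type: aescbc` and be silently ignored.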
1 change: 1 addition & 0 deletions config/v1/zz_generated.featuregated-crd-manifests.yaml
Expand Up @@ -6,6 +6,7 @@ apiservers.config.openshift.io:
Capability: ""
Category: ""
FeatureGates:
- KMSEncryption
- KMSEncryptionProvider
FilenameOperatorName: config-operator
FilenameOperatorOrdering: "01"
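Review bot: the generated gate list now carries both `KMSEncryption` and `KMSEncryptionProvider` for `apiservers.config.openshift.io`, matching the two `FeatureGateAwareEnum` markers on `EncryptionType`, so nothing to change in this file itself. Because the two gates are listed independently, every per-gate manifest for this CRD must be regenerated together with this file rather than edited by hand, and each should be reviewed on its own: the manifest hunk above shows that at least one regenerated output now has no `kms` schema at all.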