Skip to content

API-1844: KMS Encryption Provider #1876

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

API-1844: KMS Encryption Provider #1876

wants to merge 2 commits into from

Conversation

swghosh
Copy link
Member

@swghosh swghosh commented Nov 13, 2024

Add support for KMS to existing encryption controller(s)

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 13, 2024
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Nov 13, 2024

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@swghosh swghosh changed the title [WIP] KMS Encryption Provider API-1844: [WIP] KMS Encryption Provider Nov 15, 2024
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Nov 15, 2024
@openshift-ci-robot
Copy link

openshift-ci-robot commented Nov 15, 2024
edited by openshift-ci bot
Loading

@swghosh: This pull request references API-1844 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.18.0" version, but no target version was set.

In response to this:

Add support for KMS to existing encryption controller(s)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

dgrisonnet
dgrisonnet reviewed Nov 19, 2024
View reviewed changes
@swghosh swghosh changed the title API-1844: [WIP] KMS Encryption Provider API-1844: KMS Encryption Provider Nov 19, 2024
@swghosh swghosh marked this pull request as ready for review November 19, 2024 15:42
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 19, 2024
@openshift-merge-robot openshift-merge-robot added needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Nov 19, 2024
@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Nov 27, 2024
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Nov 27, 2024
@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 19, 2024
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Dec 19, 2024

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: swghosh
Once this PR has been reviewed and has the lgtm label, please assign deads2k for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 19, 2024
@swghosh
Copy link
Member Author

swghosh commented Dec 20, 2024

/cc @dgrisonnet @tkashem

@openshift-ci openshift-ci bot requested a review from tkashem December 20, 2024 09:20
@swghosh swghosh force-pushed the kms-enc-provider branch 8 times, most recently from d14c5f3 to 6a60a7d Compare December 24, 2024 14:18
dgrisonnet
dgrisonnet reviewed Feb 28, 2025
View reviewed changes
Copy link
Member

@dgrisonnet dgrisonnet left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some high level design comments.

I am mostly wandering if instead of continuing in the route of generate key secret like we do for the other encryption providers, we could instead rely on a KMS config secret/CM that the existing state machines would look for similarly to what they are already doing with key secrets

pkg/operator/encryption/controllers/key_controller.go
@@ -159,7 +161,7 @@ func (c *keyController) sync(ctx context.Context, syncCtx factory.SyncContext) (
}

func (c *keyController) checkAndCreateKeys(ctx context.Context, syncContext factory.SyncContext, encryptedGRs []schema.GroupResource) error {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was looking at your change to the key controller and the more I am thinking about it the more I think we should handle local keys and kms keys differently. A lot of the existing key controller logic is about generating the key and backing it. Whereas for KMS we want to generating a plugin config and backing it up.

Because of that, I think it would be more appropriate to create a new controller for KMS. wdyt?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually, there is one particular logic for which we will need the keyController and a new key state which is when the key is rotated on the external KMS.

When that happens we the KMS plugin will returned a new key_id in the responses: https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/3299-kms-v2-improvements#key_id-and-rotation.
In our case to handle that scenario we want the keyController to probe the Status procedure call and create a new key secret when the key_id changes to trigger a storage migration.

I recall discussing that with you in the past and we agreed that this could be done at a later point, but looking at your PR, was the intent behind your key controller changes to act as a placeholder to include that logic later?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was looking at your change to the key controller and the more I am thinking about it the more I think we should handle local keys and kms keys differently. A lot of the existing key controller logic is about generating the key and backing it. Whereas for KMS we want to generating a plugin config and backing it up.

Reasonably, we can follow-up with this when we add a new controller to manage the lifecycle of kms-plugin itself. Because then we'd need to update the status somewhere to list active KMS config hashes for the plugin controller to spin up unix sockets.

@swghosh
Bump openshift/api to include KMS encryption type(s)
efcb154 
Signed-off-by: Swarup Ghosh <swghosh@redhat.com>
@swghosh swghosh force-pushed the kms-enc-provider branch from be708f1 to dfe4f7c Compare April 7, 2025 07:48
@swghosh
Copy link
Member Author

swghosh commented Apr 15, 2025
edited
Loading

we could instead rely on a KMS config secret/CM that the existing state machines would look for similarly to what they are already doing with key secrets

we're already doing that: we keep track of the KMSConfig set in the apiserver.config.openshift.io/cluster resource and persist the configs in a backed secret, which the state machine uses to read info from.

The related details/implementation would be in pkg/operator/encryption/secrets/secrets.go where the kmsConfig is being marshalled/unmarshalled from the secret before being read by the state machine in pkg/operator/encryption/controllers/{key_controller.go,state_controller.go}.

@swghosh swghosh force-pushed the kms-enc-provider branch 2 times, most recently from 86fdb3a to 394ad47 Compare April 18, 2025 12:13
@swghosh
Copy link
Member Author

swghosh commented Apr 22, 2025
edited
Loading

Previous failure was CI infra related, when cluster failed to come up.

/retest

@swghosh
feat: Apply external KMS configs with encryption controllers
be61b4a 
Signed-off-by: Swarup Ghosh <swghosh@redhat.com>
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Apr 24, 2025

@swghosh: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dgrisonnet dgrisonnet dgrisonnet left review comments

@p0lyn0mial p0lyn0mial Awaiting requested review from p0lyn0mial

@tkashem tkashem Awaiting requested review from tkashem

Assignees
No one assigned
Labels
jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@swghosh @openshift-ci-robot @dgrisonnet @openshift-merge-robot