From 2d397b59d9f020aaf4283c0bd119ada93f90ece9 Mon Sep 17 00:00:00 2001
From: Abhinav Dahiya
Date: Thu, 12 Mar 2020 16:52:18 -0700
Subject: [PATCH] support KMS key for EBS encryption

For encyrpted EBS volumes allow users to provide ARN to the KMS keys to use. It uses the ID > ARN preference order similar to other functions - Why only ID and ARN? the KMS keys don't really support filtering the KMS keys based on tags. [1] & [2]
[1]: https://docs.aws.amazon.com/cli/latest/reference/kms/index.html#cli-aws-kms
[2]: https://docs.aws.amazon.com/cli/latest/reference/kms/describe-key.html
---
 pkg/actuators/machine/instances.go | 7 +++++++
 .../v1beta1/awsmachineproviderconfig_types.go | 3 +++
 .../awsproviderconfig/v1beta1/zz_generated.deepcopy.go | 1 +
 3 files changed, 11 insertions(+)

diff --git a/pkg/actuators/machine/instances.go b/pkg/actuators/machine/instances.go
index ec6fb30c24..2d283b8948 100644
--- a/pkg/actuators/machine/instances.go
+++ b/pkg/actuators/machine/instances.go
@@ -212,6 +212,13 @@ func getBlockDeviceMappings(blockDeviceMappings []providerconfigv1.BlockDeviceMa
 Encrypted: blockDeviceMappings[0].EBS.Encrypted,
 },
 }
+
+ if aws.StringValue(blockDeviceMappings[0].EBS.KMSKey.ID) != "" {
+ blockDeviceMapping.Ebs.KmsKeyId = blockDeviceMappings[0].EBS.KMSKey.ID
+ } else if aws.StringValue(blockDeviceMappings[0].EBS.KMSKey.ARN) != "" {
+ blockDeviceMapping.Ebs.KmsKeyId = blockDeviceMappings[0].EBS.KMSKey.ARN
+ }
+
 if *volumeType == "io1" {
 blockDeviceMapping.Ebs.Iops = blockDeviceMappings[0].EBS.Iops
 }
diff --git a/pkg/apis/awsproviderconfig/v1beta1/awsmachineproviderconfig_types.go b/pkg/apis/awsproviderconfig/v1beta1/awsmachineproviderconfig_types.go
index ecdd389e5f..df9dd78e34 100644
--- a/pkg/apis/awsproviderconfig/v1beta1/awsmachineproviderconfig_types.go
+++ b/pkg/apis/awsproviderconfig/v1beta1/awsmachineproviderconfig_types.go
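Review bot: The new block sets `blockDeviceMapping.Ebs.KmsKeyId` without looking at `Encrypted`, so a spec that names a key but leaves `encrypted` unset or false is handed to EC2 as-is; to my recollection EC2 rejects a KmsKeyId on an unencrypted EBS block device, and either way the operator's intent to use a specific key is not honored. Consider failing early, along the lines of `if blockDeviceMapping.Ebs.KmsKeyId != nil && !aws.BoolValue(blockDeviceMapping.Ebs.Encrypted) { return nil, fmt.Errorf("kmsKey requires encrypted to be true") }`, adapted to the function's actual return signature. The ID-over-ARN preference is also silent: when both are set to different keys the ARN is dropped with no log line, so a comment such as `// ID takes precedence over ARN; filters are not supported for KMS keys` plus a warning when both are present would make the resolution visible to whoever later debugs a volume encrypted under an unexpected key. getBlockDeviceMappings begins and ends outside this hunk.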
@@ -180,6 +180,9 @@ type EBSBlockDeviceSpec struct { // may only be attached to machines that support Amazon EBS encryption. Encrypted *bool `json:"encrypted,omitempty"` + // Indicates the KMS key that should be used to encrypt the Amazon EBS volume. + KMSKey AWSResourceReference `json:"kmsKey,omitempty"` + // The number of I/O operations per second (IOPS) that the volume supports. // For io1, this represents the number of IOPS that are provisioned for the // volume. For gp2, this represents the baseline performance of the volume and diff --git a/pkg/apis/awsproviderconfig/v1beta1/zz_generated.deepcopy.go b/pkg/apis/awsproviderconfig/v1beta1/zz_generated.deepcopy.go index e5a6736aa3..2b5fce103b 100644 --- a/pkg/apis/awsproviderconfig/v1beta1/zz_generated.deepcopy.go +++ b/pkg/apis/awsproviderconfig/v1beta1/zz_generated.deepcopy.go @@ -272,6 +272,7 @@ func (in *EBSBlockDeviceSpec) DeepCopyInto(out *EBSBlockDeviceSpec) { *out = new(bool) **out = **in } + in.KMSKey.DeepCopyInto(&out.KMSKey) if in.Iops != nil { in, out := &in.Iops, &out.Iops *out = new(int64)
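Review bot: The doc comment on the new `KMSKey` field does not say which parts of an `AWSResourceReference` are honored: the actuator reads only `ID` and `ARN` (ID first) and, as the commit message implies, ignores any filter-based lookup, and the key is only meaningful when `Encrypted` is true, none of which a reader of the API type can see. Suggest expanding it to something like `// KMSKey identifies the KMS key used to encrypt the volume. Only ID and ARN are honored (ID takes precedence); filters are ignored because KMS keys cannot be looked up by tag. Requires Encrypted to be true.` Separately, `omitempty` has no effect on a struct-typed field in encoding/json, so `kmsKey` will always be serialized (as `{}` when unset); if that matters for round-tripping existing specs, a pointer type would allow it to be omitted, though that is a larger change than this commit. EBSBlockDeviceSpec's definition begins outside this hunk.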