Bug 1884632: Adding BYOK disk encryption through DES

[kwoodson]

This pull requests adds fields to the v1beta1 types to suppert disk encryption sets.

We have customers requesting that we provide OS disk encryption. AKS is using DES for OS level as well as PVC support. The following PR was an attempt to add the necessary fields for bring-your-own-key encryption using DiskEncryptionSets.

This is high priority for the ARO team and we would like to get the work going.

[kwoodson]

@enxebre @ingvagabund PTAL

[kwoodson]

@ingvagabund When running make generate the zz_generated.deepcopy.go was not generated. This might be due to my local setup. I hand patched it for the time being but it should be generated.

[kwoodson]

I had to grant Reader role on the DES for the service principal and then with this latest update I was able to get this to work:

oc get machines
...
kwtest-w6n4r-worker-eastus1-des-9xqdr   Running   Standard_D2s_v3   eastus   1      6m4s

Command line:

az vm show -n kwtest-w6n4r-worker-eastus1-des-9xqdr -g aro-w5o8qzfu
...
    "osDisk": {
      "caching": "ReadWrite",
      "createOption": "FromImage",
      "diffDiskSettings": null,
      "diskSizeGb": 128,
      "encryptionSettings": null,
      "image": null,
      "managedDisk": {
        "diskEncryptionSet": {
          "id": "/subscriptions/225e02bc-43d0-43d1-a01a-17e584a4ef69/resourceGroups/disk-encryption/providers/Microsoft.Compute/diskEncryptionSets/aro-de",
          "resourceGroup": "disk-encryption"
        },
        "id": "/subscriptions/225e02bc-43d0-43d1-a01a-17e584a4ef69/resourceGroups/ARO-W5O8QZFU/providers/Microsoft.Compute/disks/kwtest-w6n4r-worker-eastus1-des-9xqdr_OSDisk",

From the portal I was able to confirm the encryption:

kwtest-w6n4r-worker-eastus1-des-9xqdr_OSDisk
128 GiB
Premium SSD
SSE with CMK               <----- SSE (storage service encryption) with CMK (customer managed key)
Read/write

[michaelgugino]

Make generate scripts were broken. We'll need to re-run the make generate on this patch set after this merges: #159

Otherwise, this change LGTM

[elmiko]

this looks reasonable to me
/lgtm

[ingvagabund]

I had to grant Reader role on the DES for the service principal

Worth documenting the additional role

[abhinavdahiya]

it would be nice if we can provide details on what kind of permissions are required to use this disk encryption set for this machine.

[kwoodson]

The service principal that is used with the cluster will require the reader role on the disk encryption set.
https://docs.microsoft.com/en-us/azure/aks/azure-disk-customer-managed-keys#grant-the-diskencryptionset-access-to-key-vault

[abhinavdahiya]

Would be nice to include some documentation on the the expected form of the ID, Using Azure resource IDs implies that this resource can be from any subscription, any resource group.

Since this is for supporting customer managed encryption, it is fair to say we need to support this resource from resource group other than the cluster's but what about the subscription.

[kwoodson]

Here is an example of an a disk encryption set ID. Azure resource IDs include a path-like system so that it is clear where the object is located, what the object is, and its name.

/subscriptions/<subscriptionid>/resourceGroups/disk-encryption/providers/Microsoft.Compute/diskEncryptionSets/aro-de

According to the documentation here https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption-key-vault#create-a-key-vault it states:

Your key vault and VMs must be in the same subscription. Also, to ensure that encryption secrets don't cross regional boundaries, Azure Disk Encryption requires the Key Vault and the VMs to be co-located in the same region. Create and use a Key Vault that is in the same subscription and region as the VMs to be encrypted.

[kwoodson]

Rebased with #158, make generate, and pushed. Let's go CI bot!

[kwoodson]

I guess I need to add the UPSTREAM: <carry>: git commit message.

[kwoodson]

Looks like flakes under both e2e-azure and the operator:

11/42
- ingress
- dns
- image-registry
- monitoring
etc

3/2465
Failing tests:

[sig-cli] oc adm must-gather runs successfully [Suite:openshift/conformance/parallel]
[sig-cli] oc adm must-gather runs successfully with options [Suite:openshift/conformance/parallel]

[kwoodson]

/test e2e-azure-operator

[kwoodson]

/test e2e-azure-operator

[kwoodson]

/test e2e-azure

[kwoodson]

/test e2e-azure

[kwoodson]

@elmiko @michaelgugino Any ideas why this continues to fail? It looks like must-gather is failing. This PR only adds fields but isn't actually exercised. Is this inherently flaky?

What do we do to get this to pass?

If there is something wrong with the PR I'm happy to fix it. Can these tests be run locally? Just looking for some help.

[michaelgugino]

/test govet

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-ci-robot]

@kwoodson: The following test failed, say /retest to rerun all failed tests:

Test name	Commit	Details	Rerun command
ci/prow/e2e-azure-operator	1b3c02b	link	/test e2e-azure-operator

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-ci-robot]

@kwoodson: All pull requests linked via external trackers have merged:

• openshift/cluster-api-provider-azure#158

Bugzilla bug 1884632 has been moved to the MODIFIED state.

In response to this:

Bug 1884632: Adding BYOK disk encryption through DES

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.