
BUG 1900454: Add SecurityProfile.EncryptionAtHost parameter to enable host-based VM encryption #183

Merged


dkorzuno

What this PR does / why we need it:

The PR adds a parameter which enables encryption at host for virtual machines.

The corresponding upstream PR is kubernetes-sigs#1012

Special notes for your reviewer:

I am not sure how to go about unit testing the changes.

Release note:

1. Add SecurityProfile.EncryptionAtHost parameter to machine spec to enable host-based VM encryption.

@JoelSpeed

@dkorzuno This PR seems to implement a feature similar to #158 which merged earlier during this release cycle.

Disk encryption and this feature seem to be at odds with each other, ie, you can't use them at the same time. Are you aware of how the two features differ? It would be good to understand the motivation for supporting both

@jim-minter

@JoelSpeed yes, they're awfully similar, but not the same...

#158 is about device encryption of attached VM disks using user managed keys, which is largely an enterprise requirement.
This PR is about encryption of hypervisor-local resources including scratch volumes, which is largely a federal requirement.

The options are not mutually exclusive and I believe we have customer use cases for neither, either, and both. Aaaah!

Thanks,

Jim

@JoelSpeed

  • Cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/VM-Decrypt) is enabled on your VMs/virtual machine scale sets.
  • Azure Disk Encryption cannot be enabled on disks that have encryption at host enabled.

This is from the docs that are linked in the PR description, suggests to me that they are mutually exclusive and that you can't use both in tandem 🤔

Do we have an RFE for this feature? As far as I'm aware no one has brought this feature to the team's attention before raising this PR so we are a little unsure of what the drive is for adding this feature

@jim-minter

Azure Disk Encryption is yet another technology, it's different again to disk encryption sets (#158) and encryption at host (this PR). I understand that OpenShift doesn't and won't support ADE.

Sorry there's no RFE :-/ Let's catch up about that tomorrow.

@dkorzuno
Author

Created a Bugzilla entry https://bugzilla.redhat.com/show_bug.cgi?id=1900454

@JoelSpeed

/retitle BUG 1900454: Add SecurityProfile.EncryptionAtHost parameter to enable host-based VM encryption

@openshift-ci-robot openshift-ci-robot changed the title Add SecurityProfile.EncryptionAtHost parameter to enable host-based VM encryption BUG 1900454: Add SecurityProfile.EncryptionAtHost parameter to enable host-based VM encryption Nov 23, 2020
@openshift-ci-robot openshift-ci-robot added the bugzilla/severity-high Referenced Bugzilla bug's severity is high for the branch this PR is targeting. label Nov 23, 2020
@openshift-ci-robot

@dkorzuno: This pull request references Bugzilla bug 1900454, which is invalid:

  • expected the bug to target the "4.7.0" release, but it targets "---" instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

BUG 1900454: Add SecurityProfile.EncryptionAtHost parameter to enable host-based VM encryption

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot openshift-ci-robot added the bugzilla/invalid-bug Indicates that a referenced Bugzilla bug is invalid for the branch this PR is targeting. label Nov 23, 2020
@JoelSpeed

/bugzilla refresh

@openshift-ci-robot openshift-ci-robot added the bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. label Nov 23, 2020
@openshift-ci-robot

@JoelSpeed: This pull request references Bugzilla bug 1900454, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.7.0) matches configured target release for branch (4.7.0)
  • bug is in the state NEW, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

In response to this:

/bugzilla refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot openshift-ci-robot removed the bugzilla/invalid-bug Indicates that a referenced Bugzilla bug is invalid for the branch this PR is targeting. label Nov 23, 2020
@dkorzuno dkorzuno force-pushed the encryption-at-host branch 2 times, most recently from e6deb30 to 363b0d5 Compare November 26, 2020 05:35
@dkorzuno
Author

dkorzuno commented Nov 26, 2020

@JoelSpeed (or someone) could you help me identify what caused the e2e test fail? The build log says

stderr:
+ curl -q -s --connect-timeout 1 http://localhost:10249/proxyMode
command terminated with exit code 7
error:
exit status 7

but it's hard to trace it back to the change I made.

@JoelSpeed

could you help me identify what caused the e2e test fail?

I don't think this issue is related to your PR, let's give a retest and see if it fails in the same way again

/retest


@JoelSpeed JoelSpeed left a comment


The latest changes look good btw, I like the extraction of the virtualMachineParameter creation into its own function, very clean. Test cases looking good too

return osProfile, nil
}

func DeriveVirtualMachineParameters(vmSpec *Spec, location string, subscription string, nic network.Interface) (*compute.VirtualMachine, error) {


Would be good to have a comment on top of this, also, probably doesn't need to be an exported method, deriveVirtualMachineParameters should be sufficient

Author


Good point. Changes made.

Comment on lines 96 to 97
updateSpec := tc.updateSpec
validate := tc.validate


No need to declare these here is there? Can just use them inline?

@dkorzuno
Author

dkorzuno commented Dec 1, 2020

@JoelSpeed I made the changes you requested. The e2e test is still failing though :(
I'd appreciate any hints as to how we can move it further.

}

for _, tc := range testCases {
tc := tc


I don't think we have a loop capturing issue here, this isn't normally needed since the range variable is a reference not a pointer. You can test this by breaking one of the test cases and removing this line, only the one should fail, not all of them
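As an added illustration (not the PR's own code) of the two things this review discusses, the `deriveVirtualMachineParameters` helper and the table of test cases it is checked against, here is a self-contained Go sketch that maps a machine spec's `SecurityProfile.EncryptionAtHost` onto VM parameters. The `Spec`, `SecurityProfile` and `VirtualMachine` types are simplified stand-ins for the project's and the Azure SDK's types, and only the `location` parameter of the signature quoted above is kept.

```go
package main

import (
	"errors"
	"fmt"
)

// Simplified stand-ins (assumed, not the project's types) for the machine
// spec and for the Azure compute.VirtualMachine parameters.
type SecurityProfile struct {
	EncryptionAtHost *bool
}

type Spec struct {
	Name            string
	SecurityProfile *SecurityProfile
}

type VMSecurityProfile struct {
	EncryptionAtHost *bool
}

type VirtualMachine struct {
	Name            string
	Location        string
	SecurityProfile *VMSecurityProfile
}

// deriveVirtualMachineParameters builds the VM parameters from the machine
// spec. A SecurityProfile is only emitted when the spec sets one, so machines
// that never touch the field keep the platform default; the bool is copied so
// the VM parameters do not alias the spec's memory.
func deriveVirtualMachineParameters(spec *Spec, location string) (*VirtualMachine, error) {
	if spec == nil || spec.Name == "" {
		return nil, errors.New("machine spec must have a name")
	}
	vm := &VirtualMachine{Name: spec.Name, Location: location}
	if spec.SecurityProfile != nil && spec.SecurityProfile.EncryptionAtHost != nil {
		enabled := *spec.SecurityProfile.EncryptionAtHost
		vm.SecurityProfile = &VMSecurityProfile{EncryptionAtHost: &enabled}
	}
	return vm, nil
}

func main() {
	on := true // constructed sample spec
	spec := &Spec{Name: "worker-0", SecurityProfile: &SecurityProfile{EncryptionAtHost: &on}}
	vm, err := deriveVirtualMachineParameters(spec, "eastus")
	fmt.Println(vm.Name, *vm.SecurityProfile.EncryptionAtHost, err)
}
```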

@JoelSpeed

The E2E failures are unrelated, it is a known issue that the tests are rather flaky at the moment, don't worry about them.

FYI, I'm still waiting on PM direction as to whether we should be accepting this PR or not (CC @listey)

@JoelSpeed

/approve

/hold until I get a response from PM about what to do here

@openshift-ci-robot openshift-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Dec 2, 2020
@openshift-ci-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: JoelSpeed

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 2, 2020
@JoelSpeed

Having spoken with PM, we should be able to merge this as soon as master opens for 4.8. Probably some time in February based on current schedules.

Will try and get someone else from my team to give a review as well so it's ready to go when master opens

@Danil-Grigorev

This /lgtm Let's wait until the branch opens again.

@JoelSpeed

/hold cancel

4.8 master is now open so this can be merged

@Danil-Grigorev

/lgtm

@openshift-ci-robot openshift-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 9, 2021
@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Feb 9, 2021
@openshift-merge-robot openshift-merge-robot merged commit 3442c7a into openshift:master Feb 9, 2021
@openshift-ci-robot

@dkorzuno: All pull requests linked via external trackers have merged:

Bugzilla bug 1900454 has been moved to the MODIFIED state.

In response to this:

BUG 1900454: Add SecurityProfile.EncryptionAtHost parameter to enable host-based VM encryption

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@mjudeikis

/cherry-pick release-4.7

@openshift-cherrypick-robot

@mjudeikis: new pull request created: #201

In response to this:

/cherry-pick release-4.7

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@mjudeikis

/cherry-pick release-4.6

@openshift-cherrypick-robot

@mjudeikis: new pull request created: #202

In response to this:

/cherry-pick release-4.6

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
