CNTRLPLANE-2241: Add KMS encryption mode into library-go encryption controllers

[ardaguclu]

This PR adds the implementation proposed in openshift/enhancements#1900.

This PR introduces KMS as a new mode in encryption controllers to be functioning along side with the other modes. Basically, the idea is to track the KMS configuration to detect any configuration changes. So that key_controller can create new Secret to initiate migration. KMS Secret will not contain any confidential data. It will simply store the KMS configuration.

For Tech Preview v1, we will only support static unix domain socket (i.e. unix:///var/run/kmsplugin/kms.sock). Consequently, in this version, we don't support KMS -> KMS migrations.

Ref: Previous attemps:

• NO-JIRA: Introduce KMS encryption mode into encryption controllers #2045
• API-1844: KMS Encryption Provider #1876

Notes:

• The changes here will be backported to 4.21
• Substantial portion of the changed lines are unit and integration tests.

[openshift-ci-robot]

@ardaguclu: This pull request references CNTRLPLANE-2241 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

This PR adds the implementation proposed in openshift/enhancements#1900.

This PR introduces KMS as a new mode in encryption controllers to be functioning along side with the other modes. Basically, the idea is to track the KMS configuration to detect any configuration changes. So that key_controller can create new Secret to initiate migration. KMS Secret will not contain any confidential data. It will simply store the KMS configuration.

For Tech Preview v1, we will only support static unix domain socket (i.e. unix:///var/run/kmsplugin/kms.sock). Consequently, in this version, we don't support KMS -> KMS migrations.

Ref: Previous attemps:

• NO-JIRA: Introduce KMS encryption mode into encryption controllers #2045
• API-1844: KMS Encryption Provider #1876

Notes:

• The changes here will be backported to 4.21
• Most of the changes are obsessively added unit tests

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@ardaguclu: This pull request references CNTRLPLANE-2241 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

This PR adds the implementation proposed in openshift/enhancements#1900.

This PR introduces KMS as a new mode in encryption controllers to be functioning along side with the other modes. Basically, the idea is to track the KMS configuration to detect any configuration changes. So that key_controller can create new Secret to initiate migration. KMS Secret will not contain any confidential data. It will simply store the KMS configuration.

For Tech Preview v1, we will only support static unix domain socket (i.e. unix:///var/run/kmsplugin/kms.sock). Consequently, in this version, we don't support KMS -> KMS migrations.

Ref: Previous attemps:

• NO-JIRA: Introduce KMS encryption mode into encryption controllers #2045
• API-1844: KMS Encryption Provider #1876

Notes:

• The changes here will be backported to 4.21
• Substantial portion of the changed lines are unit tests.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@ardaguclu: This pull request references CNTRLPLANE-2241 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

This PR adds the implementation proposed in openshift/enhancements#1900.

This PR introduces KMS as a new mode in encryption controllers to be functioning along side with the other modes. Basically, the idea is to track the KMS configuration to detect any configuration changes. So that key_controller can create new Secret to initiate migration. KMS Secret will not contain any confidential data. It will simply store the KMS configuration.

For Tech Preview v1, we will only support static unix domain socket (i.e. unix:///var/run/kmsplugin/kms.sock). Consequently, in this version, we don't support KMS -> KMS migrations.

Ref: Previous attemps:

• NO-JIRA: Introduce KMS encryption mode into encryption controllers #2045
• API-1844: KMS Encryption Provider #1876

Notes:

• The changes here will be backported to 4.21
• Substantial portion of the changed lines are unit and integration tests.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[ardaguclu]

Fake imports;

• WIP: Fake vendor library-go cluster-kube-apiserver-operator#2013
• WIP: Fake vendor library-go cluster-openshift-apiserver-operator#639
• WIP: Fake vendor library-go cluster-authentication-operator#824

[ardaguclu]

/hold
These PRs are prerequisite of this;

• OCPBUGS-68343: Bump openshift/api to get new KMS FG #2091 -- conceptually be based on the new feature gate (Rebased)
• NO-JIRA: Enable test-e2e-encryption #2087 -- to be able to run integration tests (Rebased)

[ardaguclu]

/uncc @dgrisonnet
/cc @benluddy @bertinatto @p0lyn0mial

[p0lyn0mial]

I’m still wondering about encapsulation here.
I think other parts of the code won’t even be aware that the name has changed.

Only the code in encryptionconfig/config.go will encode and decode the new name, right?

Do we need to ensure that the name doesn’t already contain "-"?
For simplicity, we could add a comment in the key generation function describing this requirement.

[ardaguclu]

Only the code in encryptionconfig/config.go will encode and decode the new name, right?

That is correct. Rest of the code only deals with KeyState. They do not even know about the details of EncryptionConfiguration.

Do we need to ensure that the name doesn’t already contain "-"?

Kube-apiserver already fails, if it encounters a provider name without -. Because uniqueness has broken.

For simplicity, we could add a comment in the key generation function describing this requirement.

I've added a comment about the reasons behind this provider name generation mechanism. Please let me know your thoughts. Thanks.

[benluddy]

How should this handle an unexpected provider name?

[ardaguclu]

Although it may not be possible, it is better to handle the invalid provider name gracefully. I've updated the code. Please let me know your thoughts.

[benluddy]

OK, "kms v2 providers name must always be unique across all kms providers (v1 and v2)":

https://github.com/kubernetes/kubernetes/blob/870e2928bc1d9a48a8ef75289ea57ec6cdeb5cb3/staging/src/k8s.io/apiserver/pkg/apis/apiserver/validation/validation_encryption.go#L438-L444

[benluddy]

Are there going to be side effects from this naming scheme visible in things like metric labels?

[ardaguclu]

All the metrics that is about provider_name will be affected https://github.com/kubernetes/kubernetes/blob/90a76aaa9afbe9cdb3df5f0a4356018b6637648b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/metrics/metrics.go#L169.

[benluddy]

OK, this is at least less strange than smuggling identity names in phony AES-GCM provider configs. Later, I would be interested in coming up with alternatives that let the controllers correlate provider configs to their source secret without smuggling.

[ardaguclu]

I agree with you. It was error-prone and not nice. Since now we carry KMSConfigurations in backed Secrets, I think we won't need to carry anything in provider_names.

[benluddy]

IIUC, even if we did roll out a new encryption config in response to the "reason" update, we're not even capable of triggering a KEK rotation unless a specific provider happened to expose that capability independently.

[ardaguclu]

Good point. That is correct.

[benluddy]

Is there a real need to export these constants? IMO, duplicating the values in tests is good because it requires that changes in observable behavior are accompanied by changes to test expectations. And other code (doing related things like setting up volume mounts) should be observing effective values rather than using hardcoded defaults.

[ardaguclu]

The only reason is to be accessed by key_controller. If we move these constants in there, we don't need to export them.

[p0lyn0mial]

could we just inline these in key_controller?

[ardaguclu]

cluster-authentication-operator e2e tests passed: https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_cluster-authentication-operator/837/pull-ci-openshift-cluster-authentication-operator-master-e2e-gcp-operator-encryption-kms/2023275986719608832
cluster-kube-apiserver-operator e2e tests passed: https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_cluster-kube-apiserver-operator/2033/pull-ci-openshift-cluster-kube-apiserver-operator-main-e2e-gcp-operator-encryption-kms/2021125688223862784
cluster-openshift-apiserver-operator e2e tests passed: https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_cluster-openshift-apiserver-operator/647/pull-ci-openshift-cluster-openshift-apiserver-operator-main-e2e-gcp-operator-encryption-kms/2023391453706719232

[p0lyn0mial]

given that the name will be changed only in the EncryptionConfiguration and will not be visible to the KeyState, is this comment still relevant?

maybe we should add a comment about the expected key format, which must include the keyID (at least for now)?

[ardaguclu]

Comment is not relevant anymore. I've removed it.

[p0lyn0mial]

Not sure if I understand this comment.

For KMS the Secret doesn't matter and can/will always be empty - because the actual encryption key material is in the external KMS instance.

[ardaguclu]

In v2, we'll have to compare this field (or KMSConfiguration annotation) to detect configurational changes. But it sounds like this comment creates confusions. So I've removed it.

[ardaguclu]

Unrelated?
/test unit

[p0lyn0mial]

should we use strings.SplitN ?

[p0lyn0mial]

shouldn't this be fmt.Sprintf("%d", keyID) ?
the resource suffix is added later.

[p0lyn0mial]

should we check key.KMSConfiguration for nil ?

[ardaguclu]

Although this is not possible, it makes sense gracefully handling the empty KMSConfiguration by skipping it with a message. Please let me know your thoughts.

[p0lyn0mial]

yes, that would match the existing pattern. good idea.

[p0lyn0mial]

nit: ks shadows the outer ks, we could rename to ksJSON

[p0lyn0mial]

should we add resource and index too?

[ardaguclu]

I've added resource name in the log.

Index is not the index in EncryptionConfiguration providers. It is an index in the Backed Secrets. We have keyID already as discriminator. Would you still want me to insert index name?

[p0lyn0mial]

trying to find the test test failed:

https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_library-go/2086/pull-ci-openshift-library-go-master-unit/2023733071903199232

vs

https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_library-go/2086/pull-ci-openshift-library-go-master-unit/2023671487558324224

[ardaguclu]

All tests pass on my local. According to the junit results, all the tests passed in the CI jobs too https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/pr-logs/pull/openshift_library-go/2086/pull-ci-openshift-library-go-master-unit/2023755244520869888/artifacts/test/artifacts/junit_report.xml. It looks like a transient failure;
/test unit

[p0lyn0mial]

just a comment: as of today there a no restrictions on length for the provider name. the only restriction i found is that we are not allowed to use :

[bertinatto]

nit: all the others are lowercase ("KMS")

[ardaguclu]

Unfortunately this definition comes from https://github.com/openshift/api/blob/43090db3afe48e7dff0f6e39a866474d15cd0db5/config/v1/types_apiserver.go#L234 API. I agree that it should be lowercase, but we can't change it without API changes.

[bertinatto]

Do you also need to add a check to test if keyMode is KMS and key.KMSConfiguration is nil?

[ardaguclu]

This function (i.e. ToKeyState) is pure conversion from Secret to KeyState without any logic. The caller checks the emptiness of KMSConfiguration in https://github.com/openshift/library-go/pull/2086/changes#diff-9aecf0d61d4bb32f2825a75a37e02e2c1b612c000427f3f576d42853ac8d23aeR212-R215 (and silently ignores it). In my opinion, it would be better to leave the decision to user of KMSConfiguration (i.e. stateToProviders).

[ardaguclu]

We can add a check in here though. Once we add it, since ToKeyState is used by all controllers, any misconfiguration (KMS mode is enabled, but somehow KMSConfiguration is nil) will cause the failure of the controllers. On the other hand, this condition must not happen anyway. I'd like to hear opinions from @p0lyn0mial

[p0lyn0mial]

We can be defensive and add additional checks. What kind of checks would we like to add ?

[ardaguclu]

Perhaps something like this;

	case state.KMS:
		if key.KMSConfiguration == nil {
			return state.KeyState{}, fmt.Errorf("KMSConfiguration can not be nil, when mode is KMS")
		}
		key.Mode = keyMode

[ardaguclu]

Updated. Please let me know your opinions.

[bertinatto]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ardaguclu, bertinatto

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• pkg/operator/encryption/OWNERS [bertinatto]
• test/e2e-encryption/OWNERS [bertinatto]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@ardaguclu: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.