CNTRLPLANE-2241: Add KMS encryption mode into library-go encryption controllers

[ardaguclu]

This PR adds the implementation proposed in openshift/enhancements#1900.

This PR introduces KMS as a new mode in encryption controllers to be functioning along side with the other modes. Basically, the idea is to track the KMS configuration to detect any configuration changes. So that key_controller can create new Secret to initiate migration. KMS Secret will not contain any confidential data. It will simply store the KMS configuration.

For Tech Preview v1, we will only support static unix domain socket (i.e. unix:///var/run/kmsplugin/kms.sock). Consequently, in this version, we don't support KMS -> KMS migrations.

Ref: Previous attemps:

• NO-JIRA: Introduce KMS encryption mode into encryption controllers #2045
• API-1844: KMS Encryption Provider #1876

Notes:

• The changes here will be backported to 4.21
• Substantial portion of the changed lines are unit and integration tests.

[openshift-ci-robot]

@ardaguclu: This pull request references CNTRLPLANE-2241 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

This PR adds the implementation proposed in openshift/enhancements#1900.

This PR introduces KMS as a new mode in encryption controllers to be functioning along side with the other modes. Basically, the idea is to track the KMS configuration to detect any configuration changes. So that key_controller can create new Secret to initiate migration. KMS Secret will not contain any confidential data. It will simply store the KMS configuration.

For Tech Preview v1, we will only support static unix domain socket (i.e. unix:///var/run/kmsplugin/kms.sock). Consequently, in this version, we don't support KMS -> KMS migrations.

Ref: Previous attemps:

• NO-JIRA: Introduce KMS encryption mode into encryption controllers #2045
• API-1844: KMS Encryption Provider #1876

Notes:

• The changes here will be backported to 4.21
• Most of the changes are obsessively added unit tests

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@ardaguclu: This pull request references CNTRLPLANE-2241 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

This PR adds the implementation proposed in openshift/enhancements#1900.

This PR introduces KMS as a new mode in encryption controllers to be functioning along side with the other modes. Basically, the idea is to track the KMS configuration to detect any configuration changes. So that key_controller can create new Secret to initiate migration. KMS Secret will not contain any confidential data. It will simply store the KMS configuration.

For Tech Preview v1, we will only support static unix domain socket (i.e. unix:///var/run/kmsplugin/kms.sock). Consequently, in this version, we don't support KMS -> KMS migrations.

Ref: Previous attemps:

• NO-JIRA: Introduce KMS encryption mode into encryption controllers #2045
• API-1844: KMS Encryption Provider #1876

Notes:

• The changes here will be backported to 4.21
• Substantial portion of the changed lines are unit tests.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ardaguclu
Once this PR has been reviewed and has the lgtm label, please assign dgrisonnet for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• pkg/operator/encryption/OWNERS
• test/e2e-encryption/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@ardaguclu: This pull request references CNTRLPLANE-2241 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

This PR adds the implementation proposed in openshift/enhancements#1900.

This PR introduces KMS as a new mode in encryption controllers to be functioning along side with the other modes. Basically, the idea is to track the KMS configuration to detect any configuration changes. So that key_controller can create new Secret to initiate migration. KMS Secret will not contain any confidential data. It will simply store the KMS configuration.

For Tech Preview v1, we will only support static unix domain socket (i.e. unix:///var/run/kmsplugin/kms.sock). Consequently, in this version, we don't support KMS -> KMS migrations.

Ref: Previous attemps:

• NO-JIRA: Introduce KMS encryption mode into encryption controllers #2045
• API-1844: KMS Encryption Provider #1876

Notes:

• The changes here will be backported to 4.21
• Substantial portion of the changed lines are unit and integration tests.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[ardaguclu]

Fake imports;

• WIP: Fake vendor library-go cluster-kube-apiserver-operator#2013
• WIP: Fake vendor library-go cluster-openshift-apiserver-operator#639
• WIP: Fake vendor library-go cluster-authentication-operator#824

[ardaguclu]

/hold
These PRs are prerequisite of this;

• OCPBUGS-68343: Bump openshift/api to get new KMS FG #2091 -- conceptually be based on the new feature gate (Rebased)
• NO-JIRA: Enable test-e2e-encryption #2087 -- to be able to run integration tests (Rebased)

[ardaguclu]

/uncc @dgrisonnet
/cc @benluddy @bertinatto @p0lyn0mial

[p0lyn0mial]

I believe that finally this is ready for review

ok, thanks, i will start reviewing soon.

[p0lyn0mial]

I did a quick first pass.
Looked mostly at key_controller.go.

I posted my question / observation below. Let me know what you think.

[p0lyn0mial]

Since v1 assumes the KMS configuration is always the same and static, and we don’t know what future v2 will look like.

I’m wondering if we could slightly simplify the code by always putting the well-known configuration in the annotation when the current mode is KMS. This could simplify the code and potential places we would have to change.

[ardaguclu]

I'll investigate the possible implications tomorrow and get back to you. I think it would be simpler as you said.

[ardaguclu]

Initially I tried to adopt generic approach that would work also for v2 (except the API changes). But I think starting simple by dropping the unsupported parts in v1 alleviates both of us cognitive load.

Thus, generic KMSConfig is dropped, instead default endpoint is embedded. There isn't KMSConfig comparison anymore, because we don't support this already.

[p0lyn0mial]

i'm not sure that all changes/updates to a kms config should trigger a new key generation. rolling out a new key is expensive in terms of required shutdowns. also changing a timeout seems like an update that should not require a new key. something we need to figure out for v2.

[ardaguclu]

I completely agree with you. From the perspective of this line, it doesn't matter what secret includes. This line in any case need to compare the secret to detect new key or not.

https://github.com/openshift/library-go/pull/2086/changes#diff-de68f84fb611b486200c440adbdd1997edb7ab5ffbc520e485b39f73b18d339eR296-R304 this is where we decide which data should trigger new key or not (by forming the source of the secret)

[ardaguclu]

However, in v1, we don't support kms configurational changes. We always embed the same well-known endpoint. In order to keep the simplicity, I've removed secret comparison for KMS. Latest version of this PR embeds well known endpoint and keeps tracks of it.

[ardaguclu]

This should include the selective set of kms fields from APIServer config that will trigger new key. For now it is statically set.

[ardaguclu]

We can use hexadecimal instead base64

[ardaguclu]

In v1, key.KMSConfig equals to well known endpoint.

[p0lyn0mial]

thanks, left a few additional comments. ptal when you have time.

[p0lyn0mial]

nit could this be renamed to KMSConfiguration ?

[p0lyn0mial]

could KMSConfiguration be a struct ? why []bytes ?

could KMSConfiguration be:

KMSConfiguration *apiserverconfigv1.KMSConfiguration

?

[ardaguclu]

I tried to answer in #2086 (comment). KMSConfiguration refers to plugin specific configuration rather than apiserverconfigv1.KMSConfiguration

[ardaguclu]

I store as bytes array to keep the generality. Because each plugin type will have their own specific fields.

[p0lyn0mial]

could this be:

ks.KMSConfiguration = &apiserverv1.KMSConfiguration{
			APIVersion: "v2",
			Name:        fmt.Sprintf("%d", keyID),
			Endpoint:   kms.DefaultEndpoint,
			Timeout:    &metav1.Duration{Duration: kms.DefaultTimeout},
		}

?

[ardaguclu]

KMSConfig stores Plugin specific configurations (although this is obsolete, I just reference https://github.com/openshift/api/blob/81371d13d1fcad175a48627cf11524a94a80c377/config/v1/types_kmsencryption.go#L36 to show an example of a configuration). So it is bound to APIServer config rather than apiserverv1.KMSConfiguration.

For instance KMS config will likely store AppRole, etc. for Vault in v2.

[ardaguclu]

We need to trigger a new migration, if keyArn (or appRole, etc.) is changed, even though these are not represented in apiserverv1.KMSConfiguration.

[p0lyn0mial]

would it make sense to focus on v1 in this PR ?
we might change the approach for v2 once we start prototyping.

as far as i can tell a KMSConfig is actually apiserverconfigv1.KMSConfiguration
xref: https://github.com/openshift/library-go/pull/2086/changes#r2773184416

[p0lyn0mial]

keyArn (or appRole, etc.) is changed, even though these are not represented in apiserverv1.KMSConfiguration.

aren't these changes for a kms plugin ?

i think we need to distinguish two configs: one for a kms plugin and the other one for kms configuration (encryption-cfg)

[ardaguclu]

You are right actually. We may even need a third one to track key_id from Status endpoint. But for v1, I think we can have one.

[p0lyn0mial]

since the key is not used why it can't be 0 as for the identity ?

[ardaguclu]

It will definitely be used in v2. You mean we can remove it for v1, right?

[ardaguclu]

since the key is not used why it can't be 0 as for the identity ?

I think, for v1, we can remove indeed.

[p0lyn0mial]

I would like to keep this pr simple for v1.
Once we start developing v2 we might change the approach.

[ardaguclu]

yeah, agree. It makes sense. I'm updating.

[p0lyn0mial]

here, as far as i can tell a KMSConfig is actually apiserverconfigv1.KMSConfiguration.

as far as i can tell we will never store any additional data beyond apiserverconfigv1.KMSConfiguration .

[ardaguclu]

I'm marking this PR as WIP to make necessary changes based on this ^^.

[ardaguclu]

PR has been updated to store apiserverconfigv1.KMSConfiguration.

[ardaguclu]

/retitle WIP: CNTRLPLANE-2241: Add KMS encryption mode into library-go encryption controllers

[ardaguclu]

/retest

[ardaguclu]

/retitle CNTRLPLANE-2241: Add KMS encryption mode into library-go encryption controllers

[p0lyn0mial]

left a few more questions.
overall it lgtm

[p0lyn0mial]

would it make sense to define a var for it similar to emptyStaticIdentityKey ?(defined at the top of this file)

[ardaguclu]

yes, it would be nicer. Updated.

[p0lyn0mial]

shouldn't we also populate ks.KMSConfiguration ?

[ardaguclu]

Once we set correct keyId and secret to KeyState, backed secret will be found which includes any other field we need (including the KMSConfiguration). KeyState is enriched in here

library-go/pkg/operator/encryption/encryptionconfig/config.go

Lines 115 to 120 in b6adacb

	for _, k := range backedKeys {
	if state.EqualKeyAndEqualID(&ks, &k) {
	ks = k
	break
	}
	}

.

[p0lyn0mial]

could we create a private function for adding/removing the suffix ?

[ardaguclu]

That would be better. Updated.

[p0lyn0mial]

would it make sense to rename NewIdentityKey to something more generic ?(now used by state.Identity and state.KSM)

[ardaguclu]

Good point. Updated.

[p0lyn0mial]

I’m still wondering about encapsulation here.
I think other parts of the code won’t even be aware that the name has changed.

Only the code in encryptionconfig/config.go will encode and decode the new name, right?

Do we need to ensure that the name doesn’t already contain "-"?
For simplicity, we could add a comment in the key generation function describing this requirement.

[ardaguclu]

Only the code in encryptionconfig/config.go will encode and decode the new name, right?

That is correct. Rest of the code only deals with KeyState. They do not even know about the details of EncryptionConfiguration.

Do we need to ensure that the name doesn’t already contain "-"?

Kube-apiserver already fails, if it encounters a provider name without -. Because uniqueness has broken.

For simplicity, we could add a comment in the key generation function describing this requirement.

I've added a comment about the reasons behind this provider name generation mechanism. Please let me know your thoughts. Thanks.

[benluddy]

How should this handle an unexpected provider name?

[ardaguclu]

Although it may not be possible, it is better to handle the invalid provider name gracefully. I've updated the code. Please let me know your thoughts.

[benluddy]

OK, "kms v2 providers name must always be unique across all kms providers (v1 and v2)":

https://github.com/kubernetes/kubernetes/blob/870e2928bc1d9a48a8ef75289ea57ec6cdeb5cb3/staging/src/k8s.io/apiserver/pkg/apis/apiserver/validation/validation_encryption.go#L438-L444

[benluddy]

Are there going to be side effects from this naming scheme visible in things like metric labels?

[ardaguclu]

All the metrics that is about provider_name will be affected https://github.com/kubernetes/kubernetes/blob/90a76aaa9afbe9cdb3df5f0a4356018b6637648b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/metrics/metrics.go#L169.

[benluddy]

OK, this is at least less strange than smuggling identity names in phony AES-GCM provider configs. Later, I would be interested in coming up with alternatives that let the controllers correlate provider configs to their source secret without smuggling.

[ardaguclu]

I agree with you. It was error-prone and not nice. Since now we carry KMSConfigurations in backed Secrets, I think we won't need to carry anything in provider_names.

[benluddy]

IIUC, even if we did roll out a new encryption config in response to the "reason" update, we're not even capable of triggering a KEK rotation unless a specific provider happened to expose that capability independently.

[ardaguclu]

Good point. That is correct.

[benluddy]

Is there a real need to export these constants? IMO, duplicating the values in tests is good because it requires that changes in observable behavior are accompanied by changes to test expectations. And other code (doing related things like setting up volume mounts) should be observing effective values rather than using hardcoded defaults.

[ardaguclu]

The only reason is to be accessed by key_controller. If we move these constants in there, we don't need to export them.

[openshift-ci]

@ardaguclu: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.