Added support for in-transit encryption in OKE and custom kms_key for boot volume encryption support (#456)

KSN2510 · Srinivasa Nikhil Kota · web-flow · commit 0920a678935e · 2022-01-25T16:33:58.000+11:00
* operator version changed to 3.0.1 from 3.0.0

Signed-off-by: Srinivasa Nikhil Kota &lt;“srinivasa.nikhil.kota@oracle.com”&gt;

* Added support for in-transit encryption for the data volume's paravirtualized attachment and custom bootvolume kms_key in OKE

Signed-off-by: Srinivasa Nikhil Kota &lt;“srinivasa.nikhil.kota@oracle.com”&gt;

* Modified few variables name and updated instructions, configuration, terraformoptions docs and terraform.tfvars.example file

Signed-off-by: Srinivasa Nikhil Kota &lt;“srinivasa.nikhil.kota@oracle.com”&gt;

* changed variable naming convention to imperative style and added documentation for volume encryption support

Signed-off-by: Srinivasa Nikhil Kota &lt;“srinivasa.nikhil.kota@oracle.com”&gt;

Co-authored-by: Srinivasa Nikhil Kota &lt;“srinivasa.nikhil.kota@oracle.com”&gt;
diff --git a/docs/configuration.adoc b/docs/configuration.adoc
@@ -248,14 +248,16 @@ The Kubernetes Metrics Server parameter controls the installation of {uri-metric
 
 == Configure KMS Integration parameters
 
-The KMS integration parameters control whether {uri-oci-kms}[OCI Key Management Service] will be used for encrypting Kubernetes secrets. Additionally, the bastion and operator hosts must be enabled as well as instance_principal on the operator.
+The KMS integration parameters control whether {uri-oci-kms}[OCI Key Management Service] will be used for encrypting Kubernetes secrets and boot volumes/block volumes. Additionally, the bastion and operator hosts must be enabled as well as instance_principal on the operator.
 
 ----
 create_bastion_host = true
 create_operator = true
 enable_operator_instance_principal = true
 use_encryption = true
 kms_key_id = <kms_key_id>
+enable_pv_encryption_in_transit = false
+node_pool_volume_kms_key_id = <node_pool_volume_kms_key_id>
 ----
 
 OKE also supports enforcing the use of signed images. You can enforce the use of signed image using the following parameters:
diff --git a/docs/instructions.adoc b/docs/instructions.adoc
@@ -74,6 +74,14 @@ If you wish to use {uri-oci-kms}[OCI KMS] to encrypt Kubernetes secrets, the fol
 * use_encryption must be set to _true_
 * kms_key_id must be provided
 
+If you wish to use {uri-oci-kms}[OCI KMS] to encrypt OKE nodepool boot/block volume, the following is required:
+
+* node_pool_volume_kms_key_id must be provided
+
+If you wish to encrypt data in transit between the instance, the boot volume, and the block volumes.
+
+* enable_pv_encryption_in_transit must be _true_
+
 === Creating the OKE Cluster
 
 Initialize a working directory containing Terraform configuration files:
diff --git a/docs/terraformoptions.adoc b/docs/terraformoptions.adoc
@@ -599,6 +599,16 @@ EOT
 |`ocid1.key.oc1....`
 |
 
+|enable_pv_encryption_in_transit
+|Whether to encrypt data in transit between the instance, the boot volume, and the block volumes.
+|true/false
+|false
+
+|node_pool_volume_kms_key_id
+|The id of the OCI KMS key to be used as the master encryption key for nodepools boot volume/block volume encryption..
+|`ocid1.key.oc1....`
+|
+
 |`use_signed_images`
 |Whether to enforce the use of signed images. If set to true, at least 1 RSA key must be provided through image_signing_keys.
 |true/false
diff --git a/main.tf b/main.tf
@@ -226,11 +226,13 @@ module "oke" {
   admission_controller_options                            = var.admission_controller_options
 
   # oke node pool parameters
-  node_pools            = var.node_pools
-  node_pool_name_prefix = var.node_pool_name_prefix
-  node_pool_image_id    = var.node_pool_image_id
-  node_pool_os          = var.node_pool_os
-  node_pool_os_version  = var.node_pool_os_version
+  node_pools                          = var.node_pools
+  node_pool_name_prefix               = var.node_pool_name_prefix
+  node_pool_image_id                  = var.node_pool_image_id
+  node_pool_os                        = var.node_pool_os
+  node_pool_os_version                = var.node_pool_os_version
+  enable_pv_encryption_in_transit     = var.enable_pv_encryption_in_transit
+  node_pool_volume_kms_key_id         = var.node_pool_volume_kms_key_id
 
   # oke load balancer parameters
   preferred_load_balancer = var.preferred_load_balancer
diff --git a/modules/oke/nodepools.tf b/modules/oke/nodepools.tf
@@ -21,9 +21,10 @@ resource "oci_containerengine_node_pool" "nodepools" {
       }
     }
     nsg_ids = var.worker_nsgs
-    
-    # allow zero-sized node pools 
-    size = max(0, lookup(each.value, "node_pool_size", 0))    
+    is_pv_encryption_in_transit_enabled = var.enable_pv_encryption_in_transit
+    kms_key_id                          = var.node_pool_volume_kms_key_id
+    # allow zero-sized node pools
+    size = max(0, lookup(each.value, "node_pool_size", 0))
   }
 
   dynamic "node_shape_config" {
diff --git a/modules/oke/variables.tf b/modules/oke/variables.tf
@@ -47,6 +47,12 @@ variable "use_encryption" {
 
 variable "kms_key_id" {}
 
+variable "enable_pv_encryption_in_transit" {
+  type = bool
+}
+
+variable "node_pool_volume_kms_key_id" {}
+
 # signed images
 variable "use_signed_images" {
   type = bool
@@ -77,4 +83,4 @@ variable "preferred_load_balancer" {}
 
 variable "worker_nsgs" {
   type = list(any)
-}
+}
diff --git a/terraform.tfvars.example b/terraform.tfvars.example
@@ -136,6 +136,10 @@ services_cidr                = "10.96.0.0/16"
 use_encryption = false
 kms_key_id     = ""
 
+### oke node pool volume kms integration
+enable_pv_encryption_in_transit = false
+node_pool_volume_kms_key_id = ""
+
 ## oke cluster container image policy and keys
 use_signed_images = false
 image_signing_keys = []
diff --git a/variables.tf b/variables.tf
@@ -477,6 +477,18 @@ variable "kms_key_id" {
   type        = string
 }
 
+variable "enable_pv_encryption_in_transit" {
+  description = "Whether to enable in-transit encryption for the data volume's paravirtualized attachment. This field applies to both block volumes and boot volumes. The default value is false"
+  type        = bool
+  default     = false
+}
+
+variable "node_pool_volume_kms_key_id" {
+  default     = ""
+  description = "The id of the OCI KMS key to be used as the master encryption key for Boot Volume and Block Volume encryption."
+  type        = string
+}
+
 ## oke cluster container image policy and keys
 variable "use_signed_images" {
   description = "Whether to enforce the use of signed images. If set to true, at least 1 RSA key must be provided through image_signing_keys."

Original file line number	Diff line number	Diff line change
`@@ -21,9 +21,10 @@ resource "oci_containerengine_node_pool" "nodepools" {`
`21`	`21`	`}`
`22`	`22`	`}`
`23`	`23`	`nsg_ids = var.worker_nsgs`
`24`		`-`
`25`		`- # allow zero-sized node pools`
`26`		`- size = max(0, lookup(each.value, "node_pool_size", 0))`
	`24`	`+ is_pv_encryption_in_transit_enabled = var.enable_pv_encryption_in_transit`
	`25`	`+ kms_key_id = var.node_pool_volume_kms_key_id`
	`26`	`+ # allow zero-sized node pools`
	`27`	`+ size = max(0, lookup(each.value, "node_pool_size", 0))`
`27`	`28`	`}`
`28`	`29`
`29`	`30`	`dynamic "node_shape_config" {`