feat: Added support for adding boot/block volume and in-transit encryption for Operator (#472)

* feat: updated the operator version and added support for adding boot/block volume encryption and in-transit encryption in operator

Signed-off-by: Nikhil Kota <srinivasa.nikhil.kota@oracle.com>

Author: KSN2510

docs/configuration.adoc

@@ -250,16 +250,30 @@ The Kubernetes Metrics Server parameter controls the installation of {uri-metric
 
 The KMS integration parameters control whether {uri-oci-kms}[OCI Key Management Service] will be used for encrypting Kubernetes secrets and boot volumes/block volumes. Additionally, the bastion and operator hosts must be enabled as well as instance_principal on the operator.
 
+Bastion Variables
+
 ----
 create_bastion_host = true
-create_operator = true
-enable_operator_instance_principal = true
+----
+
+OKE Variables:-
+
+----
 use_encryption = true
 kms_key_id = <kms_key_id>
 enable_pv_encryption_in_transit = false
 node_pool_volume_kms_key_id = <node_pool_volume_kms_key_id>
 ----
 
+Operator Variables
+
+----
+create_operator = true
+enable_operator_instance_principal = true
+enable_operator_pv_encryption_in_transit = false
+operator_volume_kms_id = <operator_volume_kms_id>
+----
+
 OKE also supports enforcing the use of signed images. You can enforce the use of signed image using the following parameters:
 
 ----

docs/instructions.adoc

@@ -64,24 +64,37 @@ This section assumes you have completed the following:
 
 === KMS Integration
 
+==== OKE Variables
+
 If you wish to use {uri-oci-kms}[OCI KMS] to encrypt Kubernetes secrets, the following is required:
 
 * the Terraform user must have the following rights
 ** {uri-oci-manage-dynamic-groups}[manage dynamic groups]
 ** {uri-oci-manage-policies}[manage policies in root tenancy]
 * link:#adding-the-bastion-host[bastion must be enabled]
 * link:#enabling-instance_principal-on-the-operator-host[operator instance_principal must be enabled]
-* use_encryption must be set to _true_
-* kms_key_id must be provided
+
+use_encryption must be set to _true_
+kms_key_id must be provided
 
 If you wish to use {uri-oci-kms}[OCI KMS] to encrypt OKE nodepool boot/block volume, the following is required:
 
 * node_pool_volume_kms_key_id must be provided
 
-If you wish to encrypt data in transit between the instance, the boot volume, and the block volumes.
+If you wish to encrypt data in transit between the instance, the boot volume, and the block volumes in OKE node pool.
 
 * enable_pv_encryption_in_transit must be _true_
 
+==== Operator Variables
+
+If you wish to use {uri-oci-kms}[OCI KMS] to encrypt operator boot/block volume, the following is required:
+
+* operator_volume_kms_id must be provided
+
+If you wish to encrypt data in transit between the instance, the boot volume, and the block volumes in operator.
+
+* enable_operator_pv_encryption_in_transit must be _true_
+
 === Creating the OKE Cluster
 
 Initialize a working directory containing Terraform configuration files:

docs/terraformoptions.adoc

@@ -376,6 +376,11 @@ EOT
 |true/false
 |true
 
+|`enable_operator_pv_encryption_in_transit`
+|Whether to encrypt data in transit between the instance, the boot volume, and the block volumes in Operator.
+|true/false
+|false
+
 |operator_image_id
 |Custom image id for the operator host
 |image_id or Oracle. If the value is set to Oracle, an Oracle Platform image will be used instead.
@@ -407,6 +412,11 @@ EOT
 | RUNNING/STOPPED
 | RUNNING
 
+|`operator_volume_kms_id`
+|The id of the OCI KMS key to be used as the master encryption key for Operator's boot volume/block volume encryption..
+|`ocid1.key.oc1....`
+|
+
 |`operator_timezone`
 |The preferred timezone for the operator host. {uri-timezones}[List of timezones]. *Required*
 |e.g. Australia/Sydney

main.tf

@@ -85,7 +85,7 @@ module "bastion" {
 
 module "operator" {
   source  = "oracle-terraform-modules/operator/oci"
-  version = "3.0.2"
+  version = "3.0.3"
 
   tenancy_id = var.tenancy_id
 
@@ -104,13 +104,15 @@ module "operator" {
   # operator host parameters
   operator_image_id                  = var.operator_image_id
   enable_operator_instance_principal = var.enable_operator_instance_principal
+  enable_pv_encryption_in_transit    = var.enable_operator_pv_encryption_in_transit
   operator_os_version                = var.operator_os_version
   operator_shape                     = var.operator_shape
   operator_state                     = var.operator_state
   operator_timezone                  = var.operator_timezone
   ssh_public_key                     = var.ssh_public_key
   ssh_public_key_path                = var.ssh_public_key_path
   upgrade_operator                   = var.upgrade_operator
+  boot_volume_encryption_key         = var.operator_volume_kms_id
 
   # operator notification
   enable_operator_notification   = var.enable_operator_notification

modules/oke/iam.tf

@@ -41,5 +41,4 @@ resource "oci_identity_policy" "oke_volume_kms" {
   description    = "Policies for block volumes to access kms key"
   name           = var.label_prefix == "none" ? "oke-volume-kms" : "${var.label_prefix}-oke-volume-kms"
   statements     = local.oke_volume_kms_policy_statements
-  count          = var.node_pool_volume_kms_key_id == "" ? 0 : 1
 }

modules/oke/locals.tf

@@ -18,7 +18,7 @@ locals {
   policy_statement = (var.use_encryption == true) ? "Allow dynamic-group ${oci_identity_dynamic_group.oke_kms_cluster[0].name} to use keys in compartment id ${var.compartment_id} where target.key.id = '${var.kms_key_id}'" : ""
 
   # policy to allow block volumes inside oke to use kms
-  oke_volume_kms_policy_statements = [
+  oke_volume_kms_policy_statements = (var.node_pool_volume_kms_key_id == "") ? []: [
     "Allow service oke to use key-delegates in compartment id ${var.compartment_id} where target.key.id = '${var.node_pool_volume_kms_key_id}'",
     "Allow service blockstorage to use keys in compartment id ${var.compartment_id} where target.key.id = '${var.node_pool_volume_kms_key_id}'"
   ]

terraform.tfvars.example

@@ -104,6 +104,12 @@ operator_state    = "RUNNING"
 operator_timezone = "Australia/Sydney"
 upgrade_operator  = false
 
+# Operator in-transit encryption for the data volume's paravirtualized attachment.
+enable_operator_pv_encryption_in_transit = false
+
+# operator volume kms integration
+operator_volume_kms_id = ""
+
 ## operator notification
 enable_operator_notification   = false
 operator_notification_endpoint = ""

variables.tf

@@ -296,6 +296,18 @@ variable "operator_image_id" {
   type        = string
 }
 
+variable "operator_volume_kms_id" {
+  default     = ""
+  description = "The OCID of the OCI KMS key to assign as the master encryption key for the boot volume."
+  type        = string
+}
+
+variable "enable_operator_pv_encryption_in_transit" {
+  default     = false
+  description = "Whether to enable in-transit encryption for the data volume's paravirtualized attachment."
+  type        = bool
+}
+
 variable "enable_operator_instance_principal" {
   default     = true
   description = "Whether to enable the operator to call OCI API services without requiring api key."