CNTRLPLANE-2120: Add KMS foundations in encryption controllers in library-go

[ardaguclu]

This PR is based on #1872 (changes in enhancements/kube-apiserver/kms-encryption-foundations.md).

There are many aspects that need to be implemented to support KMS in OpenShift. We have decided to open more granular EPs to better track the work.

This EPs main aim is to focus on the encryption controller changes in library-go. This EP defers some concepts to future in order to start with simpler, manageable iterations.

[openshift-ci-robot]

@ardaguclu: This pull request references CNTRLPLANE-2120 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.21.0" version, but no target version was set.

Details

In response to this:

This PR is based on #1872 (changes in enhancements/kube-apiserver/kms-encryption-foundations.md).

There are many aspects that need to be implemented to support KMS in OpenShift. We have decided to open more granular EPs to better track the work.

This EPs main aim is to focus on the encryption controller changes in library-go. This EP defers some concepts to future in order to start with simpler, manageable iterations.

PoC PR openshift/library-go#2045 (this is just a PoC, original PR will be opened when this EP merges).

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[flavianmissi]

Have to take a short break from reviewing, but leaving the comments I got so far.

[ardaguclu]

/cc @ibihim @flavianmissi

[ardaguclu]

@flavianmissi I was uncomfortable about the disconnects between the sections and the verbosity. So I overhauled the EP to have better clarity. Please let me know your thoughts.

[flavianmissi]

/lgtm

[ardaguclu]

/cc @benluddy

[ardaguclu]

As we agreed with @flavianmissi, in next iterations there will be another condition to notify users to delete unused kms plugins from cluster, when prune_controller prunes them.

[ibihim]

Great work. I have some questions though as a beginner to downstream e2ee with kms

[ibihim]

What is a deterministic Unix Socket path? Are there probabilistic paths?

Why do we want this? To identify if the KMS is out of date and the address changed? To run several KMS plugins somehow in parallel?

[ardaguclu]

To run several KMS plugins somehow in parallel?

This is one of the reasons. Deterministic implies that plugin lifecycle runs kms plugin with a unix socket that can be generated by the encryption controllers to communicate with (plugin lifecycle and encryption controllers are not organically related). So that this works as a contract that provides a deterministic communication.

However, since we likely decide to only support external kms plugins. We won't need this functionality. I proposed this openshift/api#2622 API definition to directly use whatever user sets. Thus, this unix socket generation logic will be removed from the EP.

[benluddy]

Won't the socket path observed by an apiserver be chosen by the operator that mounts it as a host volume? In that case, the endpoints in the apiserver-facing config file wouldn't be 1:1 with user-provided absolute paths.

[ardaguclu]

I've updated the EP to directly use unix domain socket path from apiserver.config.openshift.io. This field will be set by cluster admin and we'll directly use it. There isn't any unix domain socket generation mechanism any more.

[ardaguclu]

I'll update this EP base on the changes in openshift/api#2622
/hold

[benluddy]

Won't the socket path observed by an apiserver be chosen by the operator that mounts it as a host volume? In that case, the endpoints in the apiserver-facing config file wouldn't be 1:1 with user-provided absolute paths.

[benluddy]

We don't imagine plugins will run as true sidecar containers anymore, correct?

[ardaguclu]

That is correct. I've updated the EP based on the last discussions. Please let me know your thoughts about this.

[benluddy]

Isn't key_id -- or a hash of key_id -- sufficient by itself to consider previously-encrypted resources "stale"? I would have expected any significant change to a KMS provider config to result in a new key_id (and insignificant changes would not).

[ardaguclu]

Isn't key_id -- or a hash of key_id -- sufficient by itself to consider previously-encrypted resources "stale"?

There are 2 dimensions. First one is to detect key rotation in the same KMS Plugin (we'll track key_id to detect this). Another one is to migrate to new KMS Plugin from old one (we track unix domain socket path to detect this).

[benluddy]

Do we have any mechanism to provide backpressure in a situation where a KMS provider is rotating key_id very quickly?

[ardaguclu]

That is a good point. I don't think we have any, since this is entirely managed externally. But in the future maybe we can provide a new degraded condition by detecting the frequency (I'm not sure how). cc: @flavianmissi

[openshift-ci]

New changes are detected. LGTM label has been removed.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from flavianmissi. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@ardaguclu: This pull request references CNTRLPLANE-2120 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

This PR is based on #1872 (changes in enhancements/kube-apiserver/kms-encryption-foundations.md).

There are many aspects that need to be implemented to support KMS in OpenShift. We have decided to open more granular EPs to better track the work.

This EPs main aim is to focus on the encryption controller changes in library-go. This EP defers some concepts to future in order to start with simpler, manageable iterations.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[ardaguclu]

/hold cancel
This PR is ready for another round of review.

/cc @flavianmissi @ibihim @benluddy

could you PTAL?. Thank you

[openshift-ci]

@ardaguclu: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[ardaguclu]

Plugin lifecycle management decision may have an impact on this EP. So I'm adding hold until the decision is made
/hold