From 9a2645aa5e206b9ba9afc8118811ea7ac4b23cc2 Mon Sep 17 00:00:00 2001
From: markturansky
Date: Thu, 18 Aug 2016 14:58:39 -0400
Subject: [PATCH] add encryption to aws provisioner and cloud provider

---
 .../persistent-volume-provisioning/README.md | 2 ++
 pkg/cloudprovider/providers/aws/aws.go | 10 ++++++++++
 pkg/volume/aws_ebs/aws_util.go | 7 +++++++
 3 files changed, 19 insertions(+)

diff --git a/examples/experimental/persistent-volume-provisioning/README.md b/examples/experimental/persistent-volume-provisioning/README.md
index 0246498897a..ea3c2f91ed7 100644
--- a/examples/experimental/persistent-volume-provisioning/README.md
+++ b/examples/experimental/persistent-volume-provisioning/README.md
@@ -64,6 +64,8 @@ parameters:
 * `type`: `io1`, `gp2`, `sc1`, `st1`. See AWS docs for details. Default: `gp2`.
 * `zone`: AWS zone. If not specified, a random zone in the same region as controller-manager will be chosen.
 * `iopsPerGB`: only for `io1` volumes. I/O operations per second per GiB. AWS volume plugin multiplies this with size of requested volume to compute IOPS of the volume and caps it at 20 000 IOPS (maximum supported by AWS, see AWS docs).
+* `encrypted`: denotes whether the EBS volume should be encrypted or not. Valid values are `true` or `false`.
+* `kmsKeyId`: optional. The full Amazon Resource Name of the key to use when encrypting the volume. If none is supplied but `encrypted` is true, a key is generated by AWS. See AWS docs for valid ARN value.
 #### GCE
diff --git a/pkg/cloudprovider/providers/aws/aws.go b/pkg/cloudprovider/providers/aws/aws.go
index b736f52c225..e1d54fa1efb 100644
--- a/pkg/cloudprovider/providers/aws/aws.go
+++ b/pkg/cloudprovider/providers/aws/aws.go
@@ -232,6 +232,10 @@ type VolumeOptions struct {
 // IOPSPerGB must be bigger than zero and smaller or equal to 30.
 // Calculated total IOPS will be capped at 20000 IOPS.
 IOPSPerGB int
+Encrypted bool
+// fully qualified resource name to the key to use for encryption.
+// example: arn:aws:kms:us-east-1:012345678910:key/abcd1234-a123-456a-a12b-a123b4cd56ef
+KmsKeyId string
 }
 // Volumes is an interface for managing cloud-provisioned volumes
@@ -1531,6 +1535,12 @@ func (c *Cloud) CreateDisk(volumeOptions *VolumeOptions) (string, error) {
 volSize := int64(volumeOptions.CapacityGB)
 request.Size = &volSize
 request.VolumeType = &createType
+request.Encrypted = &volumeOptions.Encrypted
+request.KmsKeyId = &volumeOptions.KmsKeyId
+if len(*request.KmsKeyId) > 0 {
+b := true
+request.Encrypted = &b
+}
 if iops > 0 {
 request.Iops = &iops
 }
diff --git a/pkg/volume/aws_ebs/aws_util.go b/pkg/volume/aws_ebs/aws_util.go
index 9fc7d1d3696..4b19ece4102 100644
--- a/pkg/volume/aws_ebs/aws_util.go
+++ b/pkg/volume/aws_ebs/aws_util.go
@@ -98,6 +98,13 @@ func (util *AWSDiskUtil) CreateVolume(c *awsElasticBlockStoreProvisioner) (strin
 if err != nil {
 return "", 0, nil, fmt.Errorf("invalid iopsPerGB value %q, must be integer between 1 and 30: %v", v, err)
 }
+case "encrypted":
+volumeOptions.Encrypted, err = strconv.ParseBool(v)
+if err != nil {
+return "", 0, nil, fmt.Errorf("invalid encrypted boolean value %q, must be true or false: %v", v, err)
+}
+case "kmskeyid":
+volumeOptions.KmsKeyId = v
 default:
 return "", 0, nil, fmt.Errorf("invalid option %q for volume plugin %s", k, c.plugin.GetPluginName())
 }
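Review bot: The comment on the new `KmsKeyId` field describes the value's format but not its effect on `Encrypted`, which the CreateDisk hunk below forces to true whenever the key is non-empty; a caller building a VolumeOptions cannot see that coupling from the struct. Suggested field doc: `// KmsKeyId is the full ARN of the KMS key used to encrypt the volume. A non-empty value implies Encrypted.` The `Encrypted bool` field has no comment at all and should state that it requests an encrypted EBS volume. As a style point, Go's initialism convention would spell these `KMSKeyID`, and since the field is new in this commit the rename is still cheap.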
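Review bot: `request.KmsKeyId = &volumeOptions.KmsKeyId` is set unconditionally, so every CreateVolume request now carries a KmsKeyId parameter, pointing at an empty string when the user supplied no key; the SDK will serialize that empty parameter, and whether AWS accepts it is not something this code controls. The non-empty check that already follows should also gate the assignment, so the parameter is only sent when a key was actually given. Forcing `Encrypted` to true when a key is present is the right default from a security standpoint, but it silently overrides an explicit `Encrypted: false` from the caller; the override deserves a comment here and ideally a rejection at the parameter-parsing layer in aws_util.go. If the file already imports the SDK's `aws` helper package, `aws.Bool(true)` replaces the `b := true` temporary. CreateDisk's body continues outside the hunk.
```go
	request.VolumeType = &createType
	request.Encrypted = &volumeOptions.Encrypted
	if volumeOptions.KmsKeyId != "" {
		// A KMS key only applies to an encrypted volume, so a key implies
		// encryption regardless of what the caller set in Encrypted.
		request.KmsKeyId = &volumeOptions.KmsKeyId
		encrypted := true
		request.Encrypted = &encrypted
	}
	// … unchanged: iops handling and the CreateVolume call …
```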
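Review bot: The new `encrypted` and `kmskeyid` cases accept the combination `encrypted: false` with a `kmsKeyId` set, and CreateDisk in aws.go then silently turns that into an encrypted volume, so a user's explicit setting is overridden with no feedback in the provisioning error. Consider rejecting the conflict at parse time: record when `encrypted` was explicitly given as `false` and, after the parameter loop (which ends outside the hunk), return `fmt.Errorf("kmsKeyId cannot be combined with encrypted=false")`. The case label is lowercase `kmskeyid` while the README documents `kmsKeyId`; this only matches if the switch lowercases the key as the existing cases presumably do, since the switch header is outside the hunk. The key value is passed through to the cloud provider unvalidated, which is acceptable because AWS validates the ARN, but the error a user sees for a malformed key will then come from the API call rather than from this function.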