Adds per volume encryption with Vault integration

- adds proposal document for PVC encryption from PR448 - adds per-volume encription by generating encryption passphrase for each volume and storing it in a KMS - adds HashiCorp Vault integration as a KMS for encryption passphrases - avoids encrypting volume second time if it was already encrypted but no file system created - avoids unnecessary checks if volume is a mapped device when encryption was not requested - prevents resizing encrypted volumes (it is not currently supported) - prevents creating snapshots from encrypted volumes to prevent attack on encryption key (security guard until re-encryption of volumes implemented) Signed-off-by: Vasyl Purchel vasyl.purchel@workday.com Signed-off-by: Andrea Baglioni andrea.baglioni@workday.com Fixes #420 Fixes #744
2025-06-13 10:33:35 +00:00 · 2020-01-29 11:44:45 +00:00
parent 1adef00c86
commit 419ad0dd8e
26 changed files with 1210 additions and 102 deletions
--- a/e2e/deploy-vault.go
+++ b/e2e/deploy-vault.go
@ -0,0 +1,54 @@
+package e2e
+
+import (
+	. "github.com/onsi/gomega" // nolint
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/kubernetes/test/e2e/framework"
+	e2elog "k8s.io/kubernetes/test/e2e/framework/log"
+)
+
+var (
+	vaultExamplePath = "../examples/kms/vault/"
+	vaultServicePath = "vault.yaml"
+	vaultPSPPath     = "vault-psp.yaml"
+	vaultRBACPath    = "csi-vaulttokenreview-rbac.yaml"
+	vaultConfigPath  = "kms-config.yaml"
+)
+
+func deployVault(c kubernetes.Interface, deployTimeout int) {
+	framework.RunKubectlOrDie("create", "-f", vaultExamplePath+vaultServicePath)
+	framework.RunKubectlOrDie("create", "-f", vaultExamplePath+vaultPSPPath)
+	framework.RunKubectlOrDie("create", "-f", vaultExamplePath+vaultRBACPath)
+	framework.RunKubectlOrDie("create", "-f", vaultExamplePath+vaultConfigPath)
+
+	opt := metav1.ListOptions{
+		LabelSelector: "app=vault",
+	}
+
+	pods, err := c.CoreV1().Pods("default").List(opt)
+	Expect(err).Should(BeNil())
+	Expect(len(pods.Items)).Should(Equal(1))
+	name := pods.Items[0].Name
+	err = waitForPodInRunningState(name, "default", c, deployTimeout)
+	Expect(err).Should(BeNil())
+}
+
+func deleteVault() {
+	_, err := framework.RunKubectl("delete", "-f", vaultExamplePath+vaultServicePath)
+	if err != nil {
+		e2elog.Logf("failed to delete vault statefull set %v", err)
+	}
+	_, err = framework.RunKubectl("delete", "-f", vaultExamplePath+vaultRBACPath)
+	if err != nil {
+		e2elog.Logf("failed to delete vault statefull set %v", err)
+	}
+	_, err = framework.RunKubectl("delete", "-f", vaultExamplePath+vaultConfigPath)
+	if err != nil {
+		e2elog.Logf("failed to delete vault config map %v", err)
+	}
+	_, err = framework.RunKubectl("delete", "-f", vaultExamplePath+vaultPSPPath)
+	if err != nil {
+		e2elog.Logf("failed to delete vault psp %v", err)
+	}
+}