CNTRLPLANE-2993: Add KMS TPv2 foundations

[ardaguclu]

This PR adds KMS foundations in encryption controllers in library-go for Tech Preview v2 work.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci-robot]

@ardaguclu: This pull request references CNTRLPLANE-2993 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

This PR adds KMS foundations in encryption controllers in library-go for Tech Preview v2 work.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[ardaguclu]

/uncc @cybertron @jsafrane

[ardaguclu]

/cc @p0lyn0mial @bertinatto @benluddy @flavianmissi

[flavianmissi]

Looking great, left some minor comments.

[p0lyn0mial]

did a first quick pass, will revisit this pr.

[p0lyn0mial]

does it mean we will update this document in the future with details on plugin HC ?

[ardaguclu]

I think yes, it would be better to reflect the HC mechanism (including monitoring the key_id) here.

[p0lyn0mial]

ok, so this is our goal. Would it make sense to slightly restructure the docs and maybe introduce phases or different beta stages e.g. Beta1/Beta2) and then specify which work belongs to each stage?

That could help highlight our goals and non-goals in one section, while also making it easier to track progress across the beta stages.

[ardaguclu]

That would be better to track the progress and reflect our future plans. I've updated based on it. There is new TechPreview v3 section and some of the goals are defined in there.

I've added configuring timeout via unsupportedOverrides in TP v3 as well.

[p0lyn0mial]

last time we discussed this, we said we didn't want to support this recovery mode.

[ardaguclu]

Correct. Since this is already in non-goals section, I'll just remove the GA.

[p0lyn0mial]

I would just keep it in non-goals section. I think that we could justify the decision so that future reads know why we decided to not implement the support for it.

[p0lyn0mial]

This field will hold common configuration for all KMS providers. I’m wondering if we should expose it to admins in case the default values (e.g., timeout) are incorrect.

[bertinatto]

This field will hold common configuration for all KMS providers.

nit: might be worth mentioning that

[ardaguclu]

apiVersion is static v2. Name and endpoints are generated by us. Only remaining field is timeout which can be discussed #1954. If we decide to expose timeout, it will be a part of in-place fields.

[p0lyn0mial]

would it make sense to discuss during the standup meeting?

[p0lyn0mial]

I think that this field will hold structured versioned data, right ? if yes, would it make sense to emphasize that ?

[ardaguclu]

Yes, it will store https://github.com/kubernetes/kubernetes/blob/bc15d50fd246bef83aa9b00fcc475d1959296294/staging/src/k8s.io/apiserver/pkg/apis/apiserver/types_encryption.go#L134. I've updated to make it more clear.

[ardaguclu]

Also I've added configuring timeout via unsupportedOverrides as a goal for TP v3.

[p0lyn0mial]

do we need to support migration from v1 to v2? For example, what happens if a user enables TP v1 and then provides a Vault KMS configuration that indicates v2?

[ardaguclu]

According to my analysis, key controller can successfully decide to generate new key for the new configuration and every other controller will handle this correct. Of course, it would be desirable to test this.

[p0lyn0mial]

Should we describe and show how credentials for the KMS plugin will be stored?
Should we also explain how the public key used to verify the remote KMS instance will be stored?

[ardaguclu]

That is a good point. I've updated the EP by mentioning how we are planning to manage Secret and ConfigMap references and keep the our Secrets (i.e. key, encryption-config) up to date.

[p0lyn0mial]

Should we describe what happens if the previous key/plugin hasn’t finished (our invariants)?

Should we describe how we are going to recover from incorrect configuration in various fields? (the ones that lead to new key generation and the ones that just update existing cfg)

Should we describe how we are going to recover if an admin overwrites the current configuration?

[ardaguclu]

Good point. I've briefly mentioned about these points based on the design document.

[p0lyn0mial]

We also need a section that explains how we will report the current progress to platform users (e.g. which KMS plugins are in use)

[ardaguclu]

What about we handle this when we design the removal of the unused kms plugins #1960 (comment). So that it lists active kms plugins as well as the ones that can be decommisioned.

[p0lyn0mial]

sure, this could be Beta2/3/4. I would just mark this is TODO.

[ardaguclu]

Good idea. This is added a new goal under TP v3.

[p0lyn0mial]

we could explain why this (removing unused plugins from EC) is important.

[p0lyn0mial]

do we want to share details on how are we going to implement the removal ?

[ardaguclu]

we could explain why this (removing unused plugins from EC) is important.

Yes, we should. I've updated the EP.

do we want to share details on how are we going to implement the removal ?

I think we are not ready yet to design this flow, so maybe we should add it later?

[p0lyn0mial]

sure, this could be Beta2/3/4. I would just mark this is TODO.

[ardaguclu]

Good idea. This is added a new goal under TP v3.

[p0lyn0mial]

would it make sense to mark this as our goal and point to an external doc/EP?

[ardaguclu]

Yes it makes sense. I've moved API definition and plugin lifecycle under goals section. I've referenced API definition EP. Since plugin lifecycle does not have any doc or EP, I couldn't reference it.

[p0lyn0mial]

would it make sense to mark this as our goal and point to an external doc/EP, Beta2/BetaN seciton?

[ardaguclu]

I've moved this as a goal under TP v3. But there is no public doc or EP for it.

[p0lyn0mial]

I think that this could hold structured per provider data, maybe even versioned. Thoughts ?

[ardaguclu]

I was thinking that this will hold generic structured KMSConfig https://github.com/openshift/api/blob/master/config/v1/types_kmsencryption.go#L7. So everyone can access all the data after deserializing it.

[ardaguclu]

So that kms-sidecar-config will always be deserialized to same KMSConfig but the internal data may vary per provider.

[p0lyn0mial]

I think that this field will hold structured versioned data, right ? if yes, would it make sense to emphasize that ?

[p0lyn0mial]

would it make sense to rename this field to kms-encryption-configuration ?

[ardaguclu]

I've renamed all the fields;

• kms-encryption-config -- stores EncryptionConfiguration which will be stored as encryption-config Data in encryption-config Secret due to backwards compatilibity
• kms-provider-config -- stores KMSConfig https://github.com/openshift/api/blob/464776f9520793f0f20645fbcb82d945abb0a05b/config/v1/types_kmsencryption.go#L7 which is supposed to store provider specific data.
• kms-secret-data -- stores secret data
• kms-configmap-data -- stores configurational data

Please let me know your thoughts.

[p0lyn0mial]

just wondering if we could encode the type information and the resource name, so we could build a small utility function that automatically resolves the type, name, and content. wdyt ?

[ardaguclu]

I think, I don't understand the motivation and mechanism here. Would you mind elaborating?

[p0lyn0mial]

in case we would like to be more specific, we could say:

Storing all related data in a single secret avoids race conditions caused by reading live, independently changing configuration. 

In kas-o, the targetConfigController operates on live data and may generate a manifest based on the current sidecar configuration. However, this configuration can change before the RevisionController creates a revision. As a result, the generated manifest may no longer match the actual configuration state at the time the revision is created. 

Keeping all dependent configuration in a single secret ensures consistency and guarantees that both controllers operate on the same, atomic snapshot of data. 

Additionally, consolidating the data in a single secret leverages existing revisioning and cleanup mechanisms.

[ardaguclu]

This is better. Updated.

[p0lyn0mial]

I think that this paragraph is too detailed. Would it make sense to keep it high-level similar to the Tech Preview v1 paragraph?

[ardaguclu]

I've updated by removing redundant details. Please let me know your opinions.

[bertinatto]

This field will hold common configuration for all KMS providers.

nit: might be worth mentioning that

[bertinatto]

nit: not sure if kms-config and kms-sidecar-config express well the diff between these 2 configurations. Maybe something like kms-api-config and kms-provider-config would be better?

[ardaguclu]

What about these #1960 (comment)?

[bertinatto]

It actually splits the configuration into more fields (other than these 2), right?

[ardaguclu]

Yes, you are right. I've updated that section to reflect it better.

[bertinatto]

I'm confused: the state controller doesn't seem to create the secret with the key in the name, nor it creates the secret in this namespace. Or am I missing something here?

As far as I see, the state controller creates this secret instead:

name: encryption-config-openshift-kube-apiserver
namespace: openshift-config-managed

[ardaguclu]

That is correct. As far as I understand there is a copying mechanism (in operators) that automatically copies encryption-config-openshift-*-apiserver Secrets in openshift-config-managed (which are created by state_controller as you said) under dedicated operator namespaces in revisioned format.

So when state_controller updates encryption-config-openshift-kube-apiserver in openshift-config-managed, the mechanism will generated new encryption-config-kube-apiserver-10 under openshift-kube-apiserver ns.

[bertinatto]

Thanks. Just for completeness, the copying is done by the resourcesynccontroller: https://github.com/openshift/library-go/blob/HEAD/pkg/operator/resourcesynccontroller/resourcesync_controller.go#L31-L31

[ardaguclu]

It is good to know that. Thank you

[bertinatto]

For my knowledge, could you explain why this isn't kms-ec-config-1?

[ardaguclu]

This field encryption-config has existed for a long time and it is used by all encryption modes. Due to backwards compatibility reasons, we need to keep it. It is identical to kms-ec-config-1.

[bertinatto]

Oh, this is the synced secret, not the secret created by the state controller, right?

[ardaguclu]

yes, exactly. But content is identical of the Secret that is managed by state controller.

[bertinatto]

Technically the state controller just updates the secret (and the revision controller actually triggers the new revision), correct?

[ardaguclu]

yes, correct

[bertinatto]

Status conditions notify the admin that the KMS plugin can be safely decommissioned.

Is the admin responsible for decommissioning the KSM plugin? Shouldn't the lifecycle management take care of that?

[ardaguclu]

Lifecycle management will only run kms plugins listed in encryption-config Secret. So once encryption controllers do not populate the old kms plugin in the Secret, Lifecycle won't run old kms plugin anyway.

But decommisioning of the kms plugin requires some action on the respective kms provider. So we can only notify about the current state and it is up to cluster admin. I'd like to hear opinions from @p0lyn0mial

[bertinatto]

Lifecycle management will only run kms plugins listed in encryption-config Secret.

That's a good point, the plugin will simply not be started. Thanks

[p0lyn0mial]

did another pass this morning. ptal and let me know if my comments make sense. thanks!

[p0lyn0mial]

for each failure mode we would like to have detection and mitigation mechanism. maybe worth mentioning.

the failures modes we discussed were captured at https://docs.google.com/document/d/1htjUQmCk60AVkcOe1QzLSYNrBhO7T8hVsFDiTbR4AJM/edit?tab=t.0#heading=h.7q1jphnlk300

would it make sense to group supported failures (by type/category)and be more specific which modes exactly we would like to support ?

[ardaguclu]

Drilled down to subsections.

[p0lyn0mial]

should state why we don't want to support this mode (for future readers) ?

[ardaguclu]

Added a statement about how we exclude this.

[p0lyn0mial]

what does it mean ? how can we validate credentials ?

[ardaguclu]

By validation of Secret/ConfigMap, I meant this #1960 (comment). I will clarify this statement.

[ardaguclu]

We'll need another design session about this.

[p0lyn0mial]

won't migration progress be already reported ?

[ardaguclu]

I've removed migration progress to not confuse

[p0lyn0mial]

wdym by that ?
migration will be supported because we mentioned it in the prev section v2 goals.
key rotation is already mentioned in this section.
do we have special monitoring for encryption ?

[ardaguclu]

This became redundant. Removed.

[p0lyn0mial]

pasting my prev comment just in case we would like to add more context (justifies why):

Storing all related data in a single secret avoids race conditions caused by reading live, independently changing configuration. 

In kas-o, the targetConfigController operates on live data and may generate a manifest based on the current sidecar configuration. However, this configuration can change before the RevisionController creates a revision. As a result, the generated manifest may no longer match the actual configuration state at the time the revision is created. 

Keeping all dependent configuration in a single secret ensures consistency and guarantees that both controllers operate on the same, atomic snapshot of data. 

Additionally, consolidating the data in a single secret leverages existing revisioning and cleanup mechanisms.

[ardaguclu]

Updated.

[p0lyn0mial]

how can we validate credential/ConfigMap ?

[ardaguclu]

Validation of Secret/ConfigMap means that we'll check the existence of the Secret/ConfigMap and if it doesn't exist, we'll degrade until cluster admin recreates the same resource. I think, I should clarify this, since it is ambiguous.

[p0lyn0mial]

should we also mention that controller will propagate updates from the API configuration ?

[ardaguclu]

Good idea. Updated.

[p0lyn0mial]

We have the precondition of passing the preflight-checks before the configured KMS plugin can be enabled for the first time, no ?

[ardaguclu]

I've updated statement by mentioning about preflight checks.

As a side note: Maybe we should apply pre-flight checks not only key creation but all of them (including the updates). So that we can always verify that any update will work properly. WDYT?

[p0lyn0mial]

Would it make sens to link to the Preconditions for Configuration Changes (Tech Preview v2) section for more details on when a new key will be created ?

[ardaguclu]

Referenced.

[p0lyn0mial]

I think that we should provide more context.

[p0lyn0mial]

For example:

Recovery from this situation would require deleting all resources that we are unable to decode and then recreating them from scratch. This process is costly and complex to implement (for example, all certificates would need to be reissued, the etcd cluster rebuilt, etc.), and is comparable in effort to implementing a full re-bootstrap. Additionally, the recovery flow would need to be covered by CI tests to catch potential regressions.

Moreover, the platform itself would not be able to recreate resources required by user workloads, since only users have the necessary knowledge about them. In practice, this means users must have their own mechanisms for restoring these resources.

On the Vault side, the key (the KEK used to encrypt the cluster seed, which Kubernetes then uses to generate DEKs for encrypting cluster data) is stored in Vault’s Transit secrets engine. By default, keys in Transit have `deletion_allowed set` to `false`. A Vault administrator would need to explicitly change this setting to true in order to allow key deletion. In general standard best practices should be followed. This includes enforcing least-privilege access to sensitive API endpoints, such as those used for key deletion or key configuration updates. It is also recommended to periodically back up keys, so they can be restored if needed.

[ardaguclu]

I've created a dedicated section for this and referenced from the non-goal.

[p0lyn0mial]

I like this document. I’m convinced the mechanics described in it will work. There are still sections that require experimentation and design (e.g. key rotation), but those can be updated later. I’d like to focus on the internal v2 version for now. Thank you for putting this document together and thanks to everyone who reviewed it.

[openshift-ci]

@ardaguclu: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[benluddy]

/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: benluddy

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [benluddy]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[p0lyn0mial]

/lgtm