Merge pull request #28818 from codyhoag/gcp-disk-encrypt-update

Update GCP disk encryption docs based on KMS SA support issues
2026-02-06 15:46:57 +01:00 · 2021-02-09 09:49:10 -05:00
parent 26e9c913ce df14e5ba65
commit bd97c1b6ae
6 changed files with 34 additions and 9 deletions
--- a/installing/installing_gcp/installing-gcp-customizations.adoc
+++ b/installing/installing_gcp/installing-gcp-customizations.adoc
@@ -37,6 +37,10 @@ include::modules/installation-configuration-parameters.adoc[leveloffset=+2]

 include::modules/installation-gcp-config-yaml.adoc[leveloffset=+2]

+== Additional resources
+
+* xref:../../machine_management/creating_machinesets/creating-machineset-gcp.adoc#machineset-enabling-customer-managed-encryption_creating-machineset-gcp[Enabling customer-managed encryption keys for a machine set]
+
 // Removing; Proxy not supported for GCP IPI for 4.2
 // include::modules/installation-configure-proxy.adoc[leveloffset=+2]

--- a/installing/installing_gcp/installing-gcp-network-customizations.adoc
+++ b/installing/installing_gcp/installing-gcp-network-customizations.adoc
@@ -46,6 +46,10 @@ include::modules/nw-install-config-parameters.adoc[leveloffset=+2]

 include::modules/installation-gcp-config-yaml.adoc[leveloffset=+2]

+== Additional resources
+
+* xref:../../machine_management/creating_machinesets/creating-machineset-gcp.adoc#machineset-enabling-customer-managed-encryption_creating-machineset-gcp[Enabling customer-managed encryption keys for a machine set]
+
 // Removing; Proxy not supported for GCP IPI for 4.2
 // include::modules/installation-configure-proxy.adoc[leveloffset=+2]

--- a/installing/installing_gcp/installing-gcp-private.adoc
+++ b/installing/installing_gcp/installing-gcp-private.adoc
@@ -41,6 +41,10 @@ include::modules/installation-configuration-parameters.adoc[leveloffset=+2]

 include::modules/installation-gcp-config-yaml.adoc[leveloffset=+2]

+== Additional resources
+
+* xref:../../machine_management/creating_machinesets/creating-machineset-gcp.adoc#machineset-enabling-customer-managed-encryption_creating-machineset-gcp[Enabling customer-managed encryption keys for a machine set]
+
 include::modules/installation-configure-proxy.adoc[leveloffset=+2]

 include::modules/installation-launching-installer.adoc[leveloffset=+1]
--- a/installing/installing_gcp/installing-gcp-vpc.adoc
+++ b/installing/installing_gcp/installing-gcp-vpc.adoc
@@ -35,6 +35,10 @@ include::modules/installation-configuration-parameters.adoc[leveloffset=+2]

 include::modules/installation-gcp-config-yaml.adoc[leveloffset=+2]

+== Additional resources
+
+* xref:../../machine_management/creating_machinesets/creating-machineset-gcp.adoc#machineset-enabling-customer-managed-encryption_creating-machineset-gcp[Enabling customer-managed encryption keys for a machine set]
+
 include::modules/installation-configure-proxy.adoc[leveloffset=+2]

 include::modules/installation-launching-installer.adoc[leveloffset=+1]
--- a/modules/installation-configuration-parameters.adoc
+++ b/modules/installation-configuration-parameters.adoc
@@ -627,9 +627,14 @@ link:https://yaml.org/spec/1.2/spec.html#sequence//[YAML sequence].
 |For control plane machines, the ID of the project in which the KMS key ring exists. This value defaults to the VM project ID if not set.
 |The GCP project ID.

-|`controlPlane.platform.gcp.osDisk.encryptionKey.kmsKeyServiceAccount`
-|The GCP Compute Engine System service account used for the encryption request for the given KMS key. The Compute Engine default service account is always used for control plane machines during installation, which follows this pattern: `service-<project_number>@compute-system.iam.gserviceaccount.com`. The default service account must have access to the KMS key specified for the control plane machines. The custom service account defined is available for use during post-installation operations. For more information on GCP service accounts, see Google's documentation on link:https://cloud.google.com/iam/docs/service-accounts#types[Types of service accounts].
-|The GCP Compute Engine System service account email, like `<service_account_name>@<project_id>.iam.gserviceaccount.com`.
+////
+`controlPlane.platform.gcp.osDisk.encryptionKey.kmsKeyServiceAccount`
+
+The GCP Compute Engine System service account used for the encryption request for the given KMS key. The Compute Engine default service account is always used for control plane machines during installation, which follows this pattern: `service-<project_number>@compute-system.iam.gserviceaccount.com`. The default service account must have access to the KMS key specified for the control plane machines. The custom service account defined is available for use during post-installation operations. For more information on GCP service accounts, see Google's documentation on link:https://cloud.google.com/iam/docs/service-accounts#types[Types of service accounts].
+
+The GCP Compute Engine System service account email, like `<service_account_name>@<project_id>.iam.gserviceaccount.com`.
+////
+// kmsKeyServiceAccount not yet fully supported in 4.7. Re-add when more stable.

 |`compute.platform.gcp.osDisk.encryptionKey.kmsKey.name`
 |The name of the customer managed encryption key to be used for compute machine disk encryption.
@@ -647,9 +652,14 @@ link:https://yaml.org/spec/1.2/spec.html#sequence//[YAML sequence].
 |For compute machines, the ID of the project in which the KMS key ring exists. This value defaults to the VM project ID if not set.
 |The GCP project ID.

-|`compute.platform.gcp.osDisk.encryptionKey.kmsKeyServiceAccount`
-|For compute machines, the GCP Compute Engine System service account used for the encryption request for the given KMS key. If left undefined, the Compute Engine default service account is used, which follows this pattern: `service-<project_number>@compute-system.iam.gserviceaccount.com`. For more information on GCP service accounts, see Google's documentation on link:https://cloud.google.com/iam/docs/service-accounts#types[Types of service accounts].
-|The GCP Compute Engine System service account email, like `<service_account_name>@<project_id>.iam.gserviceaccount.com`.
+////
+`compute.platform.gcp.osDisk.encryptionKey.kmsKeyServiceAccount`
+
+For compute machines, the GCP Compute Engine System service account used for the encryption request for the given KMS key. If left undefined, the Compute Engine default service account is used, which follows this pattern: `service-<project_number>@compute-system.iam.gserviceaccount.com`. For more information on GCP service accounts, see Google's documentation on link:https://cloud.google.com/iam/docs/service-accounts#types[Types of service accounts].
+
+The GCP Compute Engine System service account email, like `<service_account_name>@<project_id>.iam.gserviceaccount.com`.
+////
+// kmsKeyServiceAccount not yet fully supported in 4.7. Re-add when more stable.
 |====

 endif::gcp[]
--- a/modules/installation-gcp-config-yaml.adoc
+++ b/modules/installation-gcp-config-yaml.adoc
@@ -1,6 +1,7 @@
 // Module included in the following assemblies:
 //
 // * installing/installing_gcp/installing-gcp-customizations.adoc
+// * installing/installing_gcp/installing-gcp-network-customizations.adoc
 // * installing/installing_gcp/installing-gcp-vpc.adoc
 // * installing/installing_gcp/installing-gcp-private.adoc

@@ -50,7 +51,6 @@ controlPlane: <2>
            keyRing: test-machine-keys
            location: global
            projectID: project-id
-          kmsKeyServiceAccount: openshift-service-account@openshift-gcp-project.iam.gserviceaccount.com
  replicas: 3
 compute: <2>
 - hyperthreading: Enabled <3>
@@ -70,7 +70,6 @@ compute: <2>
            keyRing: test-machine-keys
            location: global
            projectID: project-id
-          kmsKeyServiceAccount: openshift-service-account@openshift-gcp-project.iam.gserviceaccount.com
  replicas: 3
 metadata:
  name: test-cluster <1>
@@ -124,7 +123,7 @@ endif::private[]
 ====
 If you disable simultaneous multithreading, ensure that your capacity planning accounts for the dramatically decreased machine performance. Use larger machine types, such as `n1-standard-8`, for your machines if you disable simultaneous multithreading.
 ====
-<5> Optional: The custom encryption key section to encrypt both virtual machines and persistent volumes.
+<5> Optional: The custom encryption key section to encrypt both virtual machines and persistent volumes. Your default compute service account must have the permissions granted to use your KMS key and have the correct IAM role assigned. The default service account name follows the `service-<project_number>@compute-system.iam.gserviceaccount.com` pattern. For more information on granting the correct permissions for your service account, see "Machine management" -> "Creating machine sets" -> "Creating a machine set on GCP".
 ifdef::vpc[]
 <6> If you use an existing VPC, specify its name.
 <7> If you use an existing VPC, specify the name of the existing subnet to deploy the control plane machines to. The subnet must belong to the VPC that you specified.