From df14e5ba65a741247b2e8c2359f2dddd378f9051 Mon Sep 17 00:00:00 2001 From: Cody Hoag Date: Mon, 25 Jan 2021 13:29:16 -0500 Subject: [PATCH] Update GCP disk encryption docs based on KMS SA support issues --- .../installing-gcp-customizations.adoc | 4 ++++ ...installing-gcp-network-customizations.adoc | 4 ++++ .../installing-gcp-private.adoc | 4 ++++ .../installing_gcp/installing-gcp-vpc.adoc | 4 ++++ ...installation-configuration-parameters.adoc | 22 ++++++++++++++----- modules/installation-gcp-config-yaml.adoc | 5 ++--- 6 files changed, 34 insertions(+), 9 deletions(-) diff --git a/installing/installing_gcp/installing-gcp-customizations.adoc b/installing/installing_gcp/installing-gcp-customizations.adoc index 97a739260c..0f9d152fe2 100644 --- a/installing/installing_gcp/installing-gcp-customizations.adoc +++ b/installing/installing_gcp/installing-gcp-customizations.adoc @@ -37,6 +37,10 @@ include::modules/installation-configuration-parameters.adoc[leveloffset=+2] include::modules/installation-gcp-config-yaml.adoc[leveloffset=+2] +== Additional resources + +* xref:../../machine_management/creating_machinesets/creating-machineset-gcp.adoc#machineset-enabling-customer-managed-encryption_creating-machineset-gcp[Enabling customer-managed encryption keys for a machine set] + // Removing; Proxy not supported for GCP IPI for 4.2 // include::modules/installation-configure-proxy.adoc[leveloffset=+2] diff --git a/installing/installing_gcp/installing-gcp-network-customizations.adoc b/installing/installing_gcp/installing-gcp-network-customizations.adoc index e51799197f..bd05adcb6c 100644 --- a/installing/installing_gcp/installing-gcp-network-customizations.adoc +++ b/installing/installing_gcp/installing-gcp-network-customizations.adoc 
@@ -46,6 +46,10 @@ include::modules/nw-install-config-parameters.adoc[leveloffset=+2] include::modules/installation-gcp-config-yaml.adoc[leveloffset=+2] +== Additional resources + +* xref:../../machine_management/creating_machinesets/creating-machineset-gcp.adoc#machineset-enabling-customer-managed-encryption_creating-machineset-gcp[Enabling customer-managed encryption keys for a machine set] + // Removing; Proxy not supported for GCP IPI for 4.2 // include::modules/installation-configure-proxy.adoc[leveloffset=+2] diff --git a/installing/installing_gcp/installing-gcp-private.adoc b/installing/installing_gcp/installing-gcp-private.adoc index 6f607ad63d..5d2936b794 100644 --- a/installing/installing_gcp/installing-gcp-private.adoc +++ b/installing/installing_gcp/installing-gcp-private.adoc @@ -41,6 +41,10 @@ include::modules/installation-configuration-parameters.adoc[leveloffset=+2] include::modules/installation-gcp-config-yaml.adoc[leveloffset=+2] +== Additional resources + +* xref:../../machine_management/creating_machinesets/creating-machineset-gcp.adoc#machineset-enabling-customer-managed-encryption_creating-machineset-gcp[Enabling customer-managed encryption keys for a machine set] + include::modules/installation-configure-proxy.adoc[leveloffset=+2] include::modules/installation-launching-installer.adoc[leveloffset=+1] diff --git a/installing/installing_gcp/installing-gcp-vpc.adoc b/installing/installing_gcp/installing-gcp-vpc.adoc index d9e59c75d1..c753484fd2 100644 --- a/installing/installing_gcp/installing-gcp-vpc.adoc +++ b/installing/installing_gcp/installing-gcp-vpc.adoc 
@@ -35,6 +35,10 @@ include::modules/installation-configuration-parameters.adoc[leveloffset=+2] include::modules/installation-gcp-config-yaml.adoc[leveloffset=+2] +== Additional resources + +* xref:../../machine_management/creating_machinesets/creating-machineset-gcp.adoc#machineset-enabling-customer-managed-encryption_creating-machineset-gcp[Enabling customer-managed encryption keys for a machine set] + include::modules/installation-configure-proxy.adoc[leveloffset=+2] include::modules/installation-launching-installer.adoc[leveloffset=+1] diff --git a/modules/installation-configuration-parameters.adoc b/modules/installation-configuration-parameters.adoc index 9966d3199f..f4b96f9311 100644 --- a/modules/installation-configuration-parameters.adoc +++ b/modules/installation-configuration-parameters.adoc 
@@ -607,9 +607,14 @@ link:https://yaml.org/spec/1.2/spec.html#sequence//[YAML sequence]. |For control plane machines, the ID of the project in which the KMS key ring exists. This value defaults to the VM project ID if not set. |The GCP project ID. -|`controlPlane.platform.gcp.osDisk.encryptionKey.kmsKeyServiceAccount` -|The GCP Compute Engine System service account used for the encryption request for the given KMS key. The Compute Engine default service account is always used for control plane machines during installation, which follows this pattern: `service-@compute-system.iam.gserviceaccount.com`. The default service account must have access to the KMS key specified for the control plane machines. The custom service account defined is available for use during post-installation operations. For more information on GCP service accounts, see Google's documentation on link:https://cloud.google.com/iam/docs/service-accounts#types[Types of service accounts]. -|The GCP Compute Engine System service account email, like `@.iam.gserviceaccount.com`. +//// +`controlPlane.platform.gcp.osDisk.encryptionKey.kmsKeyServiceAccount` + +The GCP Compute Engine System service account used for the encryption request for the given KMS key. The Compute Engine default service account is always used for control plane machines during installation, which follows this pattern: `service-@compute-system.iam.gserviceaccount.com`. The default service account must have access to the KMS key specified for the control plane machines. The custom service account defined is available for use during post-installation operations. For more information on GCP service accounts, see Google's documentation on link:https://cloud.google.com/iam/docs/service-accounts#types[Types of service accounts]. + +The GCP Compute Engine System service account email, like `@.iam.gserviceaccount.com`. +//// +// kmsKeyServiceAccount not yet fully supported in 4.7. Re-add when more stable. 
|`compute.platform.gcp.osDisk.encryptionKey.kmsKey.name` |The name of the customer managed encryption key to be used for compute machine disk encryption. @@ -627,9 +632,14 @@ link:https://yaml.org/spec/1.2/spec.html#sequence//[YAML sequence]. |For compute machines, the ID of the project in which the KMS key ring exists. This value defaults to the VM project ID if not set. |The GCP project ID. -|`compute.platform.gcp.osDisk.encryptionKey.kmsKeyServiceAccount` -|For compute machines, the GCP Compute Engine System service account used for the encryption request for the given KMS key. If left undefined, the Compute Engine default service account is used, which follows this pattern: `service-@compute-system.iam.gserviceaccount.com`. For more information on GCP service accounts, see Google's documentation on link:https://cloud.google.com/iam/docs/service-accounts#types[Types of service accounts]. -|The GCP Compute Engine System service account email, like `@.iam.gserviceaccount.com`. +//// +`compute.platform.gcp.osDisk.encryptionKey.kmsKeyServiceAccount` + +For compute machines, the GCP Compute Engine System service account used for the encryption request for the given KMS key. If left undefined, the Compute Engine default service account is used, which follows this pattern: `service-@compute-system.iam.gserviceaccount.com`. For more information on GCP service accounts, see Google's documentation on link:https://cloud.google.com/iam/docs/service-accounts#types[Types of service accounts]. + +The GCP Compute Engine System service account email, like `@.iam.gserviceaccount.com`. +//// +// kmsKeyServiceAccount not yet fully supported in 4.7. Re-add when more stable. |==== endif::gcp[] diff --git a/modules/installation-gcp-config-yaml.adoc b/modules/installation-gcp-config-yaml.adoc index acc79772e0..a45cbc1d7e 100644 --- a/modules/installation-gcp-config-yaml.adoc +++ b/modules/installation-gcp-config-yaml.adoc 
@@ -1,6 +1,7 @@ // Module included in the following assemblies: // // * installing/installing_gcp/installing-gcp-customizations.adoc +// * installing/installing_gcp/installing-gcp-network-customizations.adoc // * installing/installing_gcp/installing-gcp-vpc.adoc // * installing/installing_gcp/installing-gcp-private.adoc @@ -50,7 +51,6 @@ controlPlane: <2> keyRing: test-machine-keys location: global projectID: project-id - kmsKeyServiceAccount: openshift-service-account@openshift-gcp-project.iam.gserviceaccount.com replicas: 3 compute: <2> - hyperthreading: Enabled <3> @@ -70,7 +70,6 @@ compute: <2> keyRing: test-machine-keys location: global projectID: project-id - kmsKeyServiceAccount: openshift-service-account@openshift-gcp-project.iam.gserviceaccount.com replicas: 3 metadata: name: test-cluster <1> @@ -119,7 +118,7 @@ endif::private[] ==== If you disable simultaneous multithreading, ensure that your capacity planning accounts for the dramatically decreased machine performance. Use larger machine types, such as `n1-standard-8`, for your machines if you disable simultaneous multithreading. ==== -<5> Optional: The custom encryption key section to encrypt both virtual machines and persistent volumes. +<5> Optional: The custom encryption key section to encrypt both virtual machines and persistent volumes. Your default compute service account must have the permissions granted to use your KMS key and have the correct IAM role assigned. The default service account name follows the `service-@compute-system.iam.gserviceaccount.com` pattern. For more information on granting the correct permissions for your service account, see "Machine management" -> "Creating machine sets" -> "Creating a machine set on GCP". ifdef::vpc[] <6> If you use an existing VPC, specify its name. <7> If you use an existing VPC, specify the name of the existing subnet to deploy the control plane machines to. The subnet must belong to the VPC that you specified.
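Review bot: In the installing-gcp-customizations.adoc and installing-gcp-network-customizations.adoc hunks, the new `== Additional resources` section is inserted between the `installation-gcp-config-yaml.adoc` include and the commented-out proxy include, so it lands in the middle of the assembly rather than at its end, and every later `include::...[leveloffset=+1]` (starting with `installation-launching-installer.adoc`) now follows an "Additional resources" heading. Move the block to the end of each assembly. The same three lines are also pasted verbatim into four assemblies; a single shared snippet or attribute would keep the xref target `machineset-enabling-customer-managed-encryption_creating-machineset-gcp` in one place when it changes.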
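Review bot: In the installing-gcp-private.adoc and installing-gcp-vpc.adoc hunks the problem is worse than placement: the new `== Additional resources` heading is immediately followed by an active `include::modules/installation-configure-proxy.adoc[leveloffset=+2]`, so the proxy configuration module renders as a level-3 subsection of "Additional resources". Put the section after the proxy include (or at the end of the assembly) so the nesting stays correct.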
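Review bot: In both installation-configuration-parameters.adoc hunks, the removed rows are kept inside `////` comment blocks within the `|====` table together with a trailing `// kmsKeyServiceAccount not yet fully supported in 4.7. Re-add when more stable.` line, but nothing points at the tracking bug, so the next editor has no way to know when "more stable" has arrived; add a bug or issue reference (placeholder: BZ-XXXX) to the comment. The commented text also carries the broken placeholders `service-@compute-system.iam.gserviceaccount.com` and `@.iam.gserviceaccount.com`, which lack the project-number and account-name placeholders; if the rows are ever re-added they should be fixed at that point, and git history already preserves them, so deleting the rows outright would be cleaner than parking two near-identical commented blocks in the table.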
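Review bot: In the last installation-gcp-config-yaml.adoc hunk, callout `<5>` now says the default compute service account "must have the permissions granted to use your KMS key and have the correct IAM role assigned" without naming the role or the permission, which is exactly what a reader setting up customer-managed keys needs; state the required Cloud KMS role explicitly. The pattern `service-@compute-system.iam.gserviceaccount.com` is again missing the project-number placeholder. The pointer to "Machine management" -> "Creating machine sets" -> "Creating a machine set on GCP" is a prose breadcrumb, while the assembly hunks in this same patch use `xref:../../machine_management/creating_machinesets/creating-machineset-gcp.adoc#machineset-enabling-customer-managed-encryption_creating-machineset-gcp[...]`; use the xref here as well so the link is validated at build time (an xref in a module is acceptable as long as the path resolves from every assembly listed in the module's header comment).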