
Merge pull request #30880 from markturansky/add_encryption
Automatic merge from submit-queue

Add encryption to EBS dynamic provisioner

Resolves #30792

Adds encryption to the EBS cloud provider and provisioner.

Follow up to #29006 (all commits but the one in this PR will drop out).

@kubernetes/sig-storage 


```release-note
```
Kubernetes Submit Queue authored Aug 22, 2016
2 parents 4136771 + 9a2645a commit a316e6d
Showing 3 changed files with 19 additions and 0 deletions.
Expand Up @@ -64,6 +64,8 @@ parameters:
* `type`: `io1`, `gp2`, `sc1`, `st1`. See AWS docs for details. Default: `gp2`.
* `zone`: AWS zone. If not specified, a random zone in the same region as controller-manager will be chosen.
* `iopsPerGB`: only for `io1` volumes. I/O operations per second per GiB. AWS volume plugin multiplies this with size of requested volume to compute IOPS of the volume and caps it at 20 000 IOPS (maximum supported by AWS, see AWS docs).
* `encrypted`: denotes whether the EBS volume should be encrypted or not. Valid values are `true` or `false`.
* `kmsKeyId`: optional. The full Amazon Resource Name of the key to use when encrypting the volume. If none is supplied but `encrypted` is true, a key is generated by AWS. See AWS docs for valid ARN value.

#### GCE

10 changes: 10 additions & 0 deletions pkg/cloudprovider/providers/aws/aws.go
Expand Up @@ -232,6 +232,10 @@ type VolumeOptions struct {
// IOPSPerGB must be bigger than zero and smaller or equal to 30.
// Calculated total IOPS will be capped at 20000 IOPS.
IOPSPerGB int
Encrypted bool
// fully qualified resource name to the key to use for encryption.
// example: arn:aws:kms:us-east-1:012345678910:key/abcd1234-a123-456a-a12b-a123b4cd56ef
KmsKeyId string
}

// Volumes is an interface for managing cloud-provisioned volumes
Expand Down Expand Up @@ -1531,6 +1535,12 @@ func (c *Cloud) CreateDisk(volumeOptions *VolumeOptions) (string, error) {
volSize := int64(volumeOptions.CapacityGB)
request.Size = &volSize
request.VolumeType = &createType
request.Encrypted = &volumeOptions.Encrypted
request.KmsKeyId = &volumeOptions.KmsKeyId
if len(*request.KmsKeyId) > 0 {
b := true
request.Encrypted = &b
}
if iops > 0 {
request.Iops = &iops
}
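Review bot: `request.KmsKeyId = &volumeOptions.KmsKeyId` hands the SDK a pointer to an empty string whenever no key was configured, so every request without a kmsKeyId carries an explicit empty KmsKeyId parameter instead of the nil the SDK treats as "not set"; whether EC2 tolerates that is not visible here, but it is fragile and should be avoided. The override two lines later that forces Encrypted on when a key is present is the safe direction (a customer key is never sent with encryption off), yet it is silent: neither the VolumeOptions hunk above, where `Encrypted` has no comment at all, nor the README hunk in this commit mentions that a kmsKeyId implies encryption. Suggest deriving one flag from both inputs, setting KmsKeyId only when non-empty, and adding on the `KmsKeyId` field `// A non-empty KmsKeyId implies Encrypted; CreateDisk turns encryption on for it.` CreateDisk starts and ends outside this hunk.
```go
	// … unchanged: Size and VolumeType …
	// A customer-managed key only makes sense on an encrypted volume, so a
	// non-empty KmsKeyId turns encryption on even if Encrypted was left false.
	encrypted := volumeOptions.Encrypted || len(volumeOptions.KmsKeyId) > 0
	request.Encrypted = &encrypted
	if len(volumeOptions.KmsKeyId) > 0 {
		// Leave the field nil rather than pointing at "" when no key was given.
		request.KmsKeyId = &volumeOptions.KmsKeyId
	}
	// … unchanged: Iops …
```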
7 changes: 7 additions & 0 deletions pkg/volume/aws_ebs/aws_util.go
Expand Up @@ -98,6 +98,13 @@ func (util *AWSDiskUtil) CreateVolume(c *awsElasticBlockStoreProvisioner) (strin
if err != nil {
return "", 0, nil, fmt.Errorf("invalid iopsPerGB value %q, must be integer between 1 and 30: %v", v, err)
}
case "encrypted":
volumeOptions.Encrypted, err = strconv.ParseBool(v)
if err != nil {
return "", 0, nil, fmt.Errorf("invalid encrypted boolean value %q, must be true or false: %v", v, err)
}
case "kmskeyid":
volumeOptions.KmsKeyId = v
default:
return "", 0, nil, fmt.Errorf("invalid option %q for volume plugin %s", k, c.plugin.GetPluginName())
}
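Review bot: The `case "kmskeyid":` branch stores the parameter without any check, so a StorageClass that sets `kmsKeyId` to an empty string passes validation here and downstream is indistinguishable from the parameter being absent, which is not what an admin who wrote it intended; the sibling cases in this switch reject malformed values up front, so this one should too, e.g. `if len(v) == 0 { return "", 0, nil, fmt.Errorf("invalid kmsKeyId value %q, must be a KMS key ARN", v) }`. Full ARN parsing is not needed, AWS validates the key itself, but rejecting the empty value keeps the failure at the StorageClass where it is visible rather than in a later API call. The `encrypted` error text promises "must be true or false" while strconv.ParseBool also accepts 1/0/t/f/T/F/TRUE/FALSE/True/False, so either restrict to the two spellings the README documents or soften the message. The lowercase `"kmskeyid"` case suggests keys are lowercased before the switch, which happens outside this hunk; CreateVolume starts and ends outside it as well.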
