@@ -54,6 +54,9 @@ type AttachedDiskSpec struct {
5454 // Defaults to 30GB. For "local-ssd" size is always 375GB.
5555 // +optional
5656 Size * int64 `json:"size,omitempty"`
57+ // EncryptionKey defines the KMS key to be used to encrypt the disk.
58+ // +optional
59+ EncryptionKey * CustomerEncryptionKey `json:"encryptionKey,omitempty"`
5760}
5861
5962// IPForwarding represents the IP forwarding configuration for the GCP machine.
@@ -146,6 +149,65 @@ const (
146149 HostMaintenancePolicyTerminate HostMaintenancePolicy = "Terminate"
147150)
148151
152+ // KeyType is a type for disk encryption.
153+ type KeyType string
154+
155+ const (
156+ // CustomerManagedKey (CMEK) references an encryption key stored in Google Cloud KMS.
157+ CustomerManagedKey KeyType = "Managed"
158+ // CustomerSuppliedKey (CSEK) specifies an encryption key to use.
159+ CustomerSuppliedKey KeyType = "Supplied"
160+ )
161+
162+ // ManagedKey is a reference to a key managed by the Cloud Key Management Service.
163+ type ManagedKey struct {
164+ // KMSKeyName is the name of the encryption key that is stored in Google Cloud KMS. For example:
165+ // "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/key_region/cryptoKeys/key
166+ // +kubebuilder:validation:Required
167+ KMSKeyName string `json:"kmsKeyName,omitempty"`
168+ }
169+
170+ // SuppliedKey contains a key for disk encryption.
171+ // +kubebuilder:validation:MinProperties=1
172+ type SuppliedKey struct {
173+ // RawKey specifies a 256-bit customer-supplied encryption key, encoded in RFC 4648
174+ // base64 to either encrypt or decrypt this resource. You can provide either the rawKey or the rsaEncryptedKey.
175+ // For example: "rawKey": "SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0="
176+ // +optional
177+ RawKey []byte `json:"rawKey,omitempty"`
178+ // RSAEncryptedKey specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit customer-supplied encryption
179+ // key to either encrypt or decrypt this resource. You can provide either the rawKey or the
180+ // rsaEncryptedKey.
181+ // For example: "rsaEncryptedKey": "ieCx/NcW06PcT7Ep1X6LUTc/hLvUDYyzSZPPVCVPTVEohpeHASqC8uw5TzyO9U+Fka9JFHi
182+ // z0mBibXUInrC/jEk014kCK/NPjYgEMOyssZ4ZINPKxlUh2zn1bV+MCaTICrdmuSBTWlUUiFoDi
183+ // D6PYznLwh8ZNdaheCeZ8ewEXgFQ8V+sDroLaN3Xs3MDTXQEMMoNUXMCZEIpg9Vtp9x2oe=="
184+ // The key must meet the following requirements before you can provide it to Compute Engine:
185+ // 1. The key is wrapped using a RSA public key certificate provided by Google.
186+ // 2. After being wrapped, the key must be encoded in RFC 4648 base64 encoding.
187+ // Gets the RSA public key certificate provided by Google at: https://cloud-certs.storage.googleapis.com/google-cloud-csek-ingress.pem
188+ // +optional
189+ RSAEncryptedKey []byte `json:"rsaEncryptedKey,omitempty"`
190+ }
191+
192+ // CustomerEncryptionKey supports both Customer-Managed or Customer-Supplied encryption keys .
193+ type CustomerEncryptionKey struct {
194+ // KeyType is the type of encryption key. Must be either Managed, aka Customer-Managed Encryption Key (CMEK) or
195+ // Supplied, aka Customer-Supplied EncryptionKey (CSEK).
196+ // +kubebuilder:validation:Enum=Managed;Supplied
197+ KeyType KeyType `json:"keyType"`
198+ // KMSKeyServiceAccount is the service account being used for the encryption request for the given KMS key.
199+ // If absent, the Compute Engine default service account is used. For example:
200+ // "kmsKeyServiceAccount": "name@project_id.iam.gserviceaccount.com/
201+ // +optional
202+ KMSKeyServiceAccount * string `json:"kmsKeyServiceAccount,omitempty"`
203+ // ManagedKey references keys managed by the Cloud Key Management Service. This should be set when KeyType is Managed.
204+ // +optional
205+ ManagedKey * ManagedKey `json:"managedKey,omitempty"`
206+ // SuppliedKey provides the key used to create or manage a disk. This should be set when KeyType is Managed.
207+ // +optional
208+ SuppliedKey * SuppliedKey `json:"suppliedKey,omitempty"`
209+ }
210+
149211// GCPMachineSpec defines the desired state of GCPMachine.
150212type GCPMachineSpec struct {
151213 // InstanceType is the type of instance to create. Example: n1.standard-2
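Review bot: The doc comment on `SuppliedKey` (new line 206) says it should be set when KeyType is Managed, which duplicates the `ManagedKey` comment; it should read `// SuppliedKey provides the key used to create or manage a disk. This should be set when KeyType is Supplied.` Nothing in the new types enforces that `ManagedKey` is set exactly when `KeyType` is Managed and `SuppliedKey` when it is Supplied, so a CEL marker on `CustomerEncryptionKey` along the lines of `+kubebuilder:validation:XValidation:rule="self.keyType == 'Managed' ? has(self.managedKey) : has(self.suppliedKey)"` would reject inconsistent objects at admission rather than leaving it to the controller. `RawKey` and `RSAEncryptedKey` embed customer-supplied key material directly in the GCPMachine object, so it is persisted in etcd and readable by anyone with get/list on the resource; the field docs should state that, and a reference to a Secret is the usual pattern for this kind of value. The `EncryptionKey` and `RootDiskEncryptionKey` comments in the first and third hunks describe "the KMS key", although the type also carries customer-supplied keys that never touch KMS.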
@@ -252,6 +314,10 @@ type GCPMachineSpec struct {
252314 // +kubebuilder:validation:Enum=Enabled;Disabled
253315 // +optional
254316 ConfidentialCompute * ConfidentialComputePolicy `json:"confidentialCompute,omitempty"`
317+
318+ // RootDiskEncryptionKey defines the KMS key to be used to encrypt the root disk.
319+ // +optional
320+ RootDiskEncryptionKey * CustomerEncryptionKey `json:"rootDiskEncryptionKey,omitempty"`
255321}
256322
257323// MetadataItem defines a single piece of metadata associated with an instance.