Portworx
PORTWORX.COM

Google Cloud KMS

NOTE: Supported from Portworx Enterprise 2.0.2 onwards

Portworx integrates with Google Cloud KMS to store your Portworx secrets for Volume Encryption and Cloud Credentials. This guide will help configure Portworx with Google Cloud KMS.

Portworx requires the following Google Cloud credentials to use its APIs

  • Google Application Credentials [GOOGLE_APPLICATION_CREDENTIALS]

    Portworx requires permissions to use Google CloudKMS APIs. It requires the following two predefined roles

    • roles/cloudkms.cryptoKeyEncrypterDecrypter
    • roles/cloudkms.publicKeyViewer

    More info about these roles and the included permissions can be found here

  • Google KMS Public Key Resource ID [GOOGLE_KMS_RESOURCE_ID]

    Portworx uses Google’s asymmetric key pairs to encrypt and decrypt secrets. More information about asymmetric key pairs and how to create them can be found here

    Make sure that while creating the asymmetric key you specify the purpose of the key as Asymmetric decrypt

    Once the asymmetric key is created, provide its complete resourceID to Portworx. A typical asymmetric key pair’s resource ID looks like this

    projects/<Project ID>/locations/<Region>/keyRings/<Key Ring Name>/cryptoKeys/<Asymmetric Key Name>/cryptoKeyVersions/1

    Portworx requires the above resource ID as an input argument.

For Kubernetes Users

Provide the Google credentials to Portworx by using any one of these methods

Provide the instances running Portworx privileges to access the GCP API server. This is the preferred method since it requires the least amount of setup on each instance.

  • Owner and Compute Admin Roles

    These Roles provides Portworx access to the Google Cloud Storage APIs to provision persistent disks. Make sure the service account for the instances has these roles.

  • Cloud KMS predefined roles

    Following predefined roles provide Portworx access to the Google Cloud KMS APIs to manage secrets.

    roles/cloudkms.cryptoKeyEncrypterDecrypter
roles/cloudkms.publicKeyViewer

Google Service Accounts

Step 1: Create a service account

Alternatively, you can give Portworx access to the GCP API server via an account file and environment variables. First, you will need to create a service account in GCP and download the account file.

To access the GCP API server, Portworx needs a service account with the following roles

  • Owner and Compute Admin Roles

    These Roles provides Portworx access to the Google Cloud Storage APIs to provision persistent disks. Make sure the service account created below has these roles.

  • Cloud KMS predefined roles

    Following predefined roles provide Portworx access to the Google Cloud KMS APIs to manage secrets.

    roles/cloudkms.cryptoKeyEncrypterDecrypter
roles/cloudkms.publicKeyViewer

Follow these steps to create a service account and download its corresponding account file.

  1. Create a service account in the “Service Account” section that has the above permissions.
  2. Go to IAM & admin -> Service Accounts -> (Instance Service Account) -> Select “Create Key” and download the .json file

Step 2: Create a Kubernetes secret for the Google credentials.

Copy the downloaded account file in a directory gcloud-secrets/ and rename it gcloud.json to create a Kubernetes secret from it.

ls -1 gcloud-secrets
gcloud.json

Create a kubernetes secret with the following command

 kubectl -n kube-system create secret generic px-gcloud --from-file=gcloud-secrets/ --from-literal=gcloud-kms-resource-id=projects/<Project ID>/locations/<Region>/keyRings/<Key Ring Name>/cryptoKeys/<Asymmetric Key Name>/cryptoKeyVersions/1

Make sure to replace the Project ID, Key Ring Name and Asymmetric Key Name in the above command.

Step 3: Update the Portworx DaemonSet

  • New installation

When generating the Portworx Kubernetes spec file on the Portworx spec generator page in PX-Central), select Google Cloud KMS from the “Secrets type” list.

  • Existing installation

For an existing Portworx cluster follow these steps:

Step 3a: Update the Portworx DaemonSet to use the Google KMS secret store

Edit the Portworx DaemonSet’s secret_type field to gcloud-kms, so that all the new Portworx nodes will also start using Google Cloud KMS.

kubectl edit daemonset portworx -n kube-system

Add the "-secret_type", "gcloud-kms" arguments to the portworx container in the daemonset. It should look something like this:

containers:
  - args:
    - -c
    - testclusterid
    - -s
    - /dev/sdb
    - -x
    - kubernetes
    - -secret_type
    - gcloud-kms
    name: portworx
Step 3b: Patch the Portworx DaemonSet

Use the following command to patch the daemon set, so that it has access to the secret created Step 2

Create a patch file

cat <<EOF> patch.yaml
spec:
  template:
    spec:
      containers:
      - name: portworx
        env:
          - name: GOOGLE_KMS_RESOURCE_ID
            valueFrom:
              secretKeyRef:
                name: px-gcloud
                key: gcloud-kms-resource-id
          - name: GOOGLE_APPLICATION_CREDENTIALS
            value: /etc/pwx/gce/gcloud.json
        volumeMounts:
          - mountPath: /etc/pwx/gce
            name: gcloud-certs
      volumes:
        - name: gcloud-certs
          secret:
            secretName: px-gcloud
            items:
              - key: gcloud.json
                path: gcloud.json
EOF

Apply the patch

kubectl -n kube-system patch ds portworx --patch "$(cat patch.yaml)" --type=strategic

Known Issues

Fixed in Portworx Enterprise version 2.10.1
  • When creating Google Cloud credentials using Google KMS as the secret provider, users might encounter the error: crypto/rsa: message too long for RSA public key size

Other users

Step 1: Provide Google Cloud credentials to Portworx

Provide the following Google Cloud credentials (key value pairs) as environment variables to Portworx

  • [Required] GOOGLE_APPLICATION_CREDENTIALS=[/path/to/service/account file]
  • [Required] GOOGLE_KMS_RESOURCE_ID=[asymmetric_resource_id]
Important: The service account file needs to be present on all the nodes where Portworx is running.

Step 2: Set up Google Cloud KMS as the secrets provider for Portworx.

New installation

While installing Portworx set the input argument -secret_type to gcloud-kms.

Existing installation

Based on your installation method provide the -secret_type gcloud-kms input argument and restart Portworx on all the nodes.

Using Google Cloud KMS with Portworx

Last edited: Tuesday, May 9, 2023
Questions? Visit the Portworx forum.