In this lab, you will learn how to deploy a Google Cloud resource, specifically a Cloud KMS key ring and encryption key, with Config Connector.
To begin, create a dedicated directory for this lab and switch into it:
cd ~
mkdir config-connector && cd config-connector
Creating an Identity for Config Connector
In order for Config Connector to create and manage Google Cloud resources, it needs to authenticate as a GCP IAM service account. The recommended approach is to create a dedicated IAM service account and use GKE Workload Identity to bind it to the Kubernetes service account that runs the Config Connector controller.
Run the following command to create a new service account:
gcloud iam service-accounts create config-connector-sa --project <YOUR_PROJECT_ID>
Since you will just be using Config Connector to create and manage Cloud KMS, assign the cloudkms.admin role to the GCP IAM service account:
gcloud projects add-iam-policy-binding <YOUR_PROJECT_ID> \
  --member="serviceAccount:config-connector-sa@<YOUR_PROJECT_ID>.iam.gserviceaccount.com" \
  --role="roles/cloudkms.admin"
As a last step, you need to connect the GCP IAM service account you created above to the Kubernetes service account that is running the Config Connector controller:
gcloud iam service-accounts add-iam-policy-binding \
  config-connector-sa@<YOUR_PROJECT_ID>.iam.gserviceaccount.com \
  --member="serviceAccount:<YOUR_PROJECT_ID>.svc.id.goog[cnrm-system/cnrm-controller-manager]" \
  --role="roles/iam.workloadIdentityUser"
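The two bindings above are the entire trust path from the Kubernetes controller to Cloud KMS, so they are worth auditing after the lab and whenever the project's IAM policy changes. The following Python script is an added example, not part of this lab or of Config Connector: it checks the project policy and the service-account policy (as printed by gcloud projects get-iam-policy and gcloud iam service-accounts get-iam-policy with --format=json) for roles beyond cloudkms.admin and for principals other than the cnrm-controller-manager Kubernetes service account that are allowed to impersonate the GSA. The project id and the embedded policies are constructed placeholders.

```python
import json

PROJECT = "example-project"  # placeholder for <YOUR_PROJECT_ID>
GSA = f"serviceAccount:config-connector-sa@{PROJECT}.iam.gserviceaccount.com"
KSA = f"serviceAccount:{PROJECT}.svc.id.goog[cnrm-system/cnrm-controller-manager]"
ALLOWED_PROJECT_ROLES = {"roles/cloudkms.admin"}  # the only project role the lab grants


def roles_of(policy: dict, member: str) -> set:
    """Every role `member` holds in an IAM policy document."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def members_with(policy: dict, role: str) -> set:
    """Every member that holds `role` in an IAM policy document."""
    return {m for b in policy.get("bindings", []) if b["role"] == role for m in b.get("members", [])}


def audit(project_policy: dict, sa_policy: dict) -> list:
    """Return findings as strings; an empty list means both bindings match the lab."""
    findings = []
    extra = roles_of(project_policy, GSA) - ALLOWED_PROJECT_ROLES
    if extra:
        findings.append(f"GSA holds roles beyond the lab's scope: {sorted(extra)}")
    impersonators = members_with(sa_policy, "roles/iam.workloadIdentityUser")
    if KSA not in impersonators:
        findings.append("cnrm-controller-manager KSA is not bound; Config Connector cannot authenticate")
    for member in sorted(impersonators - {KSA}):
        findings.append(f"unexpected principal may impersonate the GSA: {member}")
    return findings


# Constructed sample policies, shaped like `gcloud ... get-iam-policy --format=json` output.
PROJECT_POLICY = {"bindings": [
    {"role": "roles/cloudkms.admin", "members": [GSA]},
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
]}
SA_POLICY = {"bindings": [{"role": "roles/iam.workloadIdentityUser", "members": [KSA]}]}
# A drifted variant: the GSA gained roles/editor and a second KSA may impersonate it.
DRIFTED_PROJECT_POLICY = {"bindings": PROJECT_POLICY["bindings"]
                          + [{"role": "roles/editor", "members": [GSA]}]}
DRIFTED_SA_POLICY = {"bindings": [{"role": "roles/iam.workloadIdentityUser",
                                   "members": [KSA, f"serviceAccount:{PROJECT}.svc.id.goog[default/default]"]}]}

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # audit real policies saved to files: audit.py project.json sa.json
        with open(sys.argv[1]) as p, open(sys.argv[2]) as s:
            print(audit(json.load(p), json.load(s)))
    else:
        print("clean:", audit(PROJECT_POLICY, SA_POLICY))
        print("drifted:", audit(DRIFTED_PROJECT_POLICY, DRIFTED_SA_POLICY))
```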
Configuring Config Connector
To complete the configuration of Config Connector, update the manifest below and apply it to your cluster to link the GCP IAM service account to Config Connector:
apiVersion: core.cnrm.cloud.google.com/v1beta1
kind: ConfigConnector
metadata:
  name: configconnector.core.cnrm.cloud.google.com
spec:
  mode: cluster
  googleServiceAccount: "config-connector-sa@<YOUR_PROJECT_ID>.iam.gserviceaccount.com"
You can validate that your Config Connector instance is healthy with the following command:
kubectl get configconnector
You will see an output similar to the following:
NAME AGE HEALTHY
configconnector.core.cnrm.cloud.google.com 11m true
Deploy the Cloud KMS Key Ring and Encryption Key
With Config Connector set up, you can now deploy your Cloud KMS key ring and encryption key.
Use the following snippet as a starting point to create your key ring:
apiVersion: kms.cnrm.cloud.google.com/v1beta1
kind: KMSKeyRing
metadata:
  name: <YOUR_KMS_KEY_RING_NAME>
  annotations:
    cnrm.cloud.google.com/project-id: <YOUR_PROJECT_ID>
spec:
  location: us-central1
Once you apply the configuration, you can validate the key ring was successfully created:
kubectl get kmskeyring
You will see an output similar to the following:
NAME AGE READY STATUS STATUS AGE
<YOUR_KMS_KEY_RING_NAME> 10s True UpToDate 9s
Navigate to the KMS page in your Google Cloud console to also validate the key ring was successfully created. You can also use the following gcloud command:
gcloud kms keyrings list --project <YOUR_PROJECT_ID> --location <YOUR_KMS_KEY_RING_LOCATION>
The final step is to create the encryption key. Use the following snippet as a starting point to create your encryption key:
apiVersion: kms.cnrm.cloud.google.com/v1beta1
kind: KMSCryptoKey
metadata:
  name: <YOUR_ENCRYPTION_KEY_NAME>
spec:
  keyRingRef:
    name: <YOUR_KMS_KEY_RING_NAME>
  purpose: ENCRYPT_DECRYPT
  versionTemplate:
    algorithm: GOOGLE_SYMMETRIC_ENCRYPTION
  importOnly: false
Once you apply the configuration, you can validate the encryption key was successfully created:
kubectl get kmscryptokey
You will see an output similar to the following:
NAME AGE READY STATUS STATUS AGE
<YOUR_ENCRYPTION_KEY_NAME> 8s True UpToDate 8s
Navigate to the KMS page in your Google Cloud console to also validate the encryption key was successfully created. You can also use the following gcloud command:
gcloud kms keys list --keyring <YOUR_KMS_KEY_RING_NAME> --project <YOUR_PROJECT_ID> --location <YOUR_KMS_KEY_RING_LOCATION>
Once you have validated your KMS key ring and encryption key have been created, you can proceed to the next lab.