Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: implement support for clusters with CMEK encryption #855

Merged
merged 2 commits into from May 5, 2021
Merged

feat: implement support for clusters with CMEK encryption #855

merged 2 commits into from May 5, 2021

Conversation

stephenplusplus
Copy link
Contributor

@stephenplusplus stephenplusplus commented Apr 6, 2021
edited by kolea2

edit (kolea2): removing doc

This adds support for CMEK configuration of a Cluster when it is created.

Creating an instance

await bigtable.createInstance('my-instance', {
  clusters: [
    {
      id: 'my-cluster',
      encryption: {
        kmsKeyName: 'kms-key-name',
      },
      // ... other options
    },
  ],
});

Creating a cluster

await instance.createCluster('my-cluster', {
  encryption: {
    kmsKeyName: 'kms-key-name',
  },
  // ... other options
});

The key alias

Instead of providing the encryption option, the user has a choice to use the alias key:

await bigtable.createInstance('my-instance', {
  clusters: [
    {
      id: 'my-cluster',
-     encryption: {
-       kmsKeyName: 'kms-key-name',
-     },
+     key: 'kms-key-name',
      // ... other options
    },
  ],
});

await instance.createCluster('my-cluster', {
- encryption: {
-   kmsKeyName: 'kms-key-name',
- },
+ key: 'kms-key-name',
  // ... other options
});

If both options are set, an error is thrown.

@product-auto-label product-auto-label bot added the api: bigtable Issues related to the googleapis/nodejs-bigtable API. label Apr 6, 2021
@google-cla google-cla bot added the cla: yes This human has signed the Contributor License Agreement. label Apr 6, 2021
@codecov
Copy link

codecov bot commented Apr 6, 2021
edited

Codecov Report

Merging #855 (6e0d033) into master (0ef8976) will increase coverage by 0.00%.
The diff coverage is 100.00%.

Impacted file tree graph

@@           Coverage Diff            @@
##           master     #855    +/-   ##
========================================
  Coverage   99.22%   99.23%            
========================================
  Files          18       18            
  Lines       17416    17539   +123     
  Branches     1025      977    -48     
========================================
+ Hits        17281    17404   +123     
  Misses        132      132            
  Partials        3        3
Impacted Files Coverage Δ
src/app-profile.ts 99.59% <100.00%> (ø)
src/backup.ts 100.00% <100.00%> (ø)
src/cluster.ts 99.72% <100.00%> (+<0.01%) ⬆️
src/family.ts 99.58% <100.00%> (ø)
src/index.ts 100.00% <100.00%> (ø)
src/instance.ts 100.00% <100.00%> (ø)
src/row.ts 100.00% <100.00%> (ø)
src/table.ts 99.89% <100.00%> (ø)
src/v2/bigtable_client.ts 96.55% <100.00%> (ø)
src/v2/bigtable_instance_admin_client.ts 98.79% <100.00%> (+<0.01%) ⬆️
... and 1 more

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update bac490d...6e0d033. Read the comment docs.

@stephenplusplus stephenplusplus marked this pull request as ready for review April 6, 2021 20:53
@stephenplusplus stephenplusplus requested review from a team as code owners April 6, 2021 20:53
kolea2
kolea2 requested changes Apr 13, 2021
View reviewed changes
Copy link
Contributor

@kolea2 kolea2 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for working on this! For this to be feature complete, I think we will need to add API to both backups and table as well, specifically to get encryption info on them - see the java impl for more details https://github.com/googleapis/java-bigtable/pull/656/files. Let me know if I'm missing anything :)

@stephenplusplus
Copy link
Contributor Author

Thanks for the review @kolea2! Generally for anything that is accessible through the response from "getMetadata()", we won't create an additional method. However, we can of course make an exception if that's a requirement.

How it works now:

const [metadata] = await backup.getMetadata();
console.log(metadata.encryptionInfo);

craiglabenz
craiglabenz approved these changes Apr 27, 2021
View reviewed changes
Copy link

@craiglabenz craiglabenz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good from a Node perspective.

@kolea2
Copy link
Contributor

kolea2 commented Apr 27, 2021

Thanks for the review @kolea2! Generally for anything that is accessible through the response from "getMetadata()", we won't create an additional method. However, we can of course make an exception if that's a requirement.

How it works now:

const [metadata] = await backup.getMetadata();
console.log(metadata.encryptionInfo);

Thank you! Makes sense to me, thanks for the explanation. Will take a look at the rest.

kolea2
kolea2 requested changes Apr 30, 2021
View reviewed changes
system-test/bigtable.ts
const keyRingsBaseUrl = `https://cloudkms.googleapis.com/v1/projects/${projectId}/locations/us-central1/keyRings`;
kmsKeyName = `projects/${projectId}/locations/us-central1/keyRings/${keyRingId}/cryptoKeys/${cryptoKeyId}`;

await bigtable.auth.request({
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is this creating a key per test run? If so, I think these will need to be cleaned up as well?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch, it was. I added a commit that uses the destroy method to schedule the destroy of the key. Please let me know if there's a better or more thorough way to remove these crypto key resources!

@kolea2 kolea2 merged commit 0d5d8e6 into googleapis:master May 5, 2021
gcf-merge-on-green bot pushed a commit that referenced this pull request May 5, 2021
@release-please
chore: release 3.5.0 (#872)
9777077 
🤖 I have created a release \*beep\* \*boop\*
---
## [3.5.0](https://www.github.com/googleapis/nodejs-bigtable/compare/v3.4.0...v3.5.0) (2021-05-05)


### Features

* implement support for clusters with CMEK encryption ([#855](https://www.github.com/googleapis/nodejs-bigtable/issues/855)) ([0d5d8e6](https://www.github.com/googleapis/nodejs-bigtable/commit/0d5d8e66bb3ce7947903795a5ea0c74362327ebf))
---


This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@craiglabenz craiglabenz craiglabenz approved these changes

@kolea2 kolea2 kolea2 approved these changes

Assignees
No one assigned
Labels
api: bigtable Issues related to the googleapis/nodejs-bigtable API. cla: yes This human has signed the Contributor License Agreement.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@stephenplusplus @kolea2 @craiglabenz