CORS-3261: GCP cluster api add disk encryption

** Add the disk encryption key information for the CAPG machines. The new feature
includes the encryption for bootstrap as well as control plane machines created by the
gcp cluster api provider.

** Note: CAPG supports Customer Managed (CMEK) and Customer Supplied (CSEK) Keys. The installer only
supports Customer Supplied Keys.
** Note: CAPG supports multiple disks through the GCPMachine.Spec.AdditionDisks, but the installer
only uses a single disk, so this PR will not fill out the disk encryption data for multiple disks.

Author: barbacbd

pkg/asset/machines/gcp/gcpmachines.go

@@ -17,7 +17,19 @@ import (
 	gcptypes "github.com/openshift/installer/pkg/types/gcp"
 )
 
-const masterRole = "master"
+const (
+	masterRole = "master"
+
+	kmsKeyNameFmt = "projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s"
+)
+
+func generateDiskEncryptionKeyLink(kmsKey *gcptypes.KMSKeyReference, projectID string) string {
+	if kmsKey.ProjectID != "" {
+		projectID = kmsKey.ProjectID
+	}
+
+	return fmt.Sprintf(kmsKeyNameFmt, projectID, kmsKey.Location, kmsKey.KeyRing, kmsKey.Name)
+}
 
 // GenerateMachines returns manifests and runtime objects to provision control plane nodes using CAPI.
 func GenerateMachines(installConfig *installconfig.InstallConfig, infraID string, pool *types.MachinePool, imageName string) ([]*asset.RuntimeFile, error) {
@@ -160,6 +172,17 @@ func createGCPMachine(name string, installConfig *installconfig.InstallConfig, i
 	}
 	gcpMachine.Spec.ServiceAccount = serviceAccount
 
+	if mpool.OSDisk.EncryptionKey != nil {
+		encryptionKey := &capg.CustomerEncryptionKey{
+			KeyType:              capg.CustomerManagedKey,
+			KMSKeyServiceAccount: ptr.To(mpool.OSDisk.EncryptionKey.KMSKeyServiceAccount),
+			ManagedKey: &capg.ManagedKey{
+				KMSKeyName: generateDiskEncryptionKeyLink(mpool.OSDisk.EncryptionKey.KMSKey, installConfig.Config.GCP.ProjectID),
+			},
+		}
+		gcpMachine.Spec.RootDiskEncryptionKey = encryptionKey
+	}
+
 	return gcpMachine
 }