Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Obsolete/Closed: Add config option to enable the encryption of AWS EKS secrets #2723

Closed
wants to merge 17 commits into from

Conversation

joneszc
Copy link
Contributor

@joneszc joneszc commented Sep 17, 2024

Reference Issues or PRs

Fixes #2681

What does this implement/fix?

Put a x in the boxes that apply

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds a feature)
  • Breaking change (fix or feature that would cause existing features not to work as expected)
  • Documentation Update
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes, no API changes)
  • Build related changes
  • Other (please describe):

Testing

  • Did you test the pull request locally?
  • Did you add new tests?

How to test this PR?

Any other comments?

Allows user to set EKS encryption of secrets by specifying a KMS key ARN in nebari-config.yaml

amazon_web_services:
  eks_kms_arn: 'arn:aws:kms:us-east-1:010101010:key/3xxxxxxx-xxxxx-xxxxx-xxxxx'
image

The KMS key must meet the following conditions:

  • Symmetric
  • Can encrypt and decrypt data
  • Created in the same AWS Region as the cluster
  • If the KMS key was created in a different account, the IAM principal must have access to the KMS key.

@joneszc joneszc removed the request for review from dcmcand September 17, 2024 16:11
@kenafoster kenafoster self-requested a review September 19, 2024 21:39
Copy link
Contributor

@kenafoster kenafoster left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM but if this is merged we should open up a nebari-docs since it's a little tricky to implement and understand

I've confirmed that most of the mistakes you could make (wrong region, bad format, key doesn't exist or Nebari deploy user can't see it) will fail in the stage where it creates the IAM policy, so at least it won't get to modifying the EKS cluster before failing

@viniciusdc
Copy link
Contributor

I would say that we could have a validator in the AWS Pydantic provider (similar to how we already do for the instance types and region) so that the feedback loop in case of errors is quicker for the user doing the deployment (instead of relying on terraform only for the "check").

@joneszc
Copy link
Contributor Author

joneszc commented Sep 27, 2024

I would say that we could have a validator in the AWS Pydantic provider (similar to how we already do for the instance types and region) so that the feedback loop in case of errors is quicker for the user doing the deployment (instead of relying on terraform only for the "check").

@viniciusdc @tylergraff
As suggested, I have added initial kms-key arn validation steps here
I'm still testing these updates

@viniciusdc
Copy link
Contributor

viniciusdc commented Oct 3, 2024

I think the issues with the tests below are due to the recent move from develop to main. Can you update your fork repo and update this branch?

@joneszc joneszc closed this Oct 3, 2024
@joneszc joneszc deleted the eks-cluster-encryption branch October 3, 2024 16:55
@joneszc
Copy link
Contributor Author

joneszc commented Oct 3, 2024

I think the issues with the tests below are due to the recent move from develop to main. Can you update your fork repo and update this branch?

@viniciusdc,
This branch should now, at time of writing, be up to date with nebari-dev/nebari:main. Thanks!

@joneszc
Copy link
Contributor Author

joneszc commented Oct 3, 2024

@viniciusdc @tylergraff @kenafoster
Migrating this effort to new PR#2752

@joneszc joneszc changed the title Add config option to enable the encryption of AWS EKS secrets Obsolete/Closed: Add config option to enable the encryption of AWS EKS secrets Oct 24, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
Status: Done 💪🏾
Development

Successfully merging this pull request may close these issues.

Fix code scanning alert - EKS should have the encryption of secrets enabled
3 participants