cluster-api-provider-aws icon indicating copy to clipboard operation
cluster-api-provider-aws copied to clipboard

Published 20 hours ago verified publisher icon kubernetes-sigs

Refactor `EncryptionConfig` for AWSManagedControlPlane

Open richardcase opened this issue 4 years ago • 12 comments
trafficstars

/area provider/eks /kind api-change /kind refactor /milestone v0.7.0 /help /priority important-soon

Describe the solution you'd like You can optionally enable encryption for EKS by supplying details in AWSManagedControlPlane.Spec.EncryptionConfig. As its optional, it is a pointer and marked as optional and omitempty.

If you want to enable encryption, then you must supply the provider and resources. Currently, these are pointers and not marked as required. We should mark these as required using kubebuilder validation and remove the pointers/omitempty.

This was noticed whilst making a change for #2505

Anything else you would like to add: So perhaps something like this:

// EncryptionConfig specifies the encryption configuration for the EKS clsuter.
type EncryptionConfig struct {
	// Provider specifies the ARN or alias of the CMK (in AWS KMS)
	// +kubebuilder:validation:Required
	Provider string `json:"provider"`
	// Resources specifies the resources to be encrypted
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:MinItems=1
	Resources []string `json:"resources"`
}

This will cause problems with the generated deepcopy and conversion functions which will need to be fixed.

Environment:

  • Cluster-api-provider-aws version: 0.6.6

richardcase avatar Jun 24 '21 14:06 richardcase

@richardcase: This request has been marked as needing help from a contributor.

Please ensure the request meets the requirements listed here.

If this request no longer meets these requirements, the label can be removed by commenting with the /remove-help command.

In response to this:

/area provider/eks /kind api-change /kind refactor /milestone v0.7.0 /help /priority important-soon

Describe the solution you'd like You can optionally enable encryption for EKS by supplying details in AWSManagedControlPlane.Spec.EncryptionConfig. As its optional, it is a pointer and marked as optional and omitempty.

If you want to enable encryption, then you must supply the provider and resources. Currently, these are pointers and not marked as required. We should mark these as required using kubebuilder validation and remove the pointers/omitempty.

This was noticed whilst making a change for #2505

Anything else you would like to add: So perhaps something like this:

// EncryptionConfig specifies the encryption configuration for the EKS clsuter.
type EncryptionConfig struct {
  // Provider specifies the ARN or alias of the CMK (in AWS KMS)
  // +kubebuilder:validation:Required
  Provider string `json:"provider"`
  // Resources specifies the resources to be encrypted
  // +kubebuilder:validation:Required
  // +kubebuilder:validation:MinItems=1
  Resources []string `json:"resources"`
}

This will cause problems with the generated deepcopy and conversion functions which will need to be fixed.

Environment:

  • Cluster-api-provider-aws version: 0.6.6

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Jun 24 '21 14:06 k8s-ci-robot

Hii @richardcase, I am new to open source and will like to contribute to this project so can you assign it to me.

slayer321 avatar Jun 24 '21 18:06 slayer321

Welcome @slayer321, thanks for wanting to work on this issue. If you have any questions feel free to ask on here or in the slack channel.

/assign slayer321

richardcase avatar Jun 24 '21 19:06 richardcase

Hii @richardcase, I made changes in the EncryptionConfig struct as you have mentioned above but there are some errors that I am getting in generated deepcopy and conversion file and I am a bit confused about what exact changes need to be done in that file.

Ps: I am new to Golang so it is getting a bit difficult for me to understand the problem.

slayer321 avatar Jun 25 '21 13:06 slayer321

@slayer321 - feel free to ping me on slack and we can chat.

Sometimes with the auto generated code you need to make manual changes so that the code is regenerated properly.

richardcase avatar Jul 01 '21 14:07 richardcase

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Sep 29 '21 15:09 k8s-triage-robot

@slayer321 - how are you getting on with this?

richardcase avatar Sep 30 '21 10:09 richardcase

Hii @richardcase, Sorry due to some college work I was not able to work on this issue. But now I'm looking to work on this issue.

As you mention ..... when I change the pointers in this struct there are some change in deepcopy and conversion function which I'm not able to understand can you point me to some resources where I can learn about it.

slayer321 avatar Sep 30 '21 12:09 slayer321

@slayer321 - when there are changes to the API definitions (like this change) then you need to run make generate. This does many things, some steps run various code generation tools that handle creating deepcopy functions or API conversions. If you run this and then perhaps ping me on slack?

richardcase avatar Sep 30 '21 13:09 richardcase

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot avatar Oct 30 '21 14:10 k8s-triage-robot

/lifecycle frozen

richardcase avatar Oct 30 '21 16:10 richardcase

/remove-lifecycle frozen

richardcase avatar Jul 12 '22 16:07 richardcase

The Kubernetes project currently lacks enough contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

  • Mark this PR as fresh with /remove-lifecycle stale
  • Close this PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Feb 08 '23 05:02 k8s-triage-robot