KMS controller - can't create an alias
Describe the bug
I want to create an alias for a key managed by ACK, but it is impossible.
Steps to reproduce
Create a KMS key with a manifest like:

```yaml
apiVersion: kms.services.k8s.aws/v1alpha1
kind: Key
metadata:
  name: rds-dbserver-8
  namespace: infra-production
spec:
  description: "Key for rds-dbserver-8"
  enableKeyRotation: true
  tags:
    - tagKey: Name
      tagValue: rds-dbserver-8
    - tagKey: env
      tagValue: production
```
Then apply the manifest for the alias:

```yaml
apiVersion: kms.services.k8s.aws/v1alpha1
kind: Alias
metadata:
  name: alias-rds-dbserver-8
  namespace: infra-production
spec:
  name: alias-rds-dbserver-8
  targetKeyRef:
    from:
      name: rds-dbserver-8
```
The alias is not created:

```yaml
status:
  ackResourceMetadata:
    ownerAccountID: '966321756598'
    region: eu-west-2
  conditions:
    - lastTransitionTime: '2023-08-22T13:41:53Z'
      status: 'True'
      type: ACK.ReferencesResolved
    - message: "ValidationException: Alias must start with the prefix \"alias/\". Please see https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html\n\tstatus code: 400, request id: 87750736-3cec-4256-99c7-3c41d7140492"
      status: 'True'
      type: ACK.Terminal
    - lastTransitionTime: '2023-08-22T13:41:53Z'
      message: Resource not synced
      reason: resource is in terminal condition
      status: 'False'
      type: ACK.ResourceSynced
```
Expected outcome
The alias is created for the appropriate key.
Finally it worked with the following manifest:

```yaml
apiVersion: kms.services.k8s.aws/v1alpha1
kind: Alias
metadata:
  name: rds-dbserver-8
  namespace: infra-production
spec:
  name: alias/rds-dbserver-8
  targetKeyRef:
    from:
      name: rds-dbserver-8
```
But it was a little bit ambiguous, as in the AWS web console there is no need to add the alias/ prefix... Probably the "alias/" prefix could be added programmatically, or the Alias object could be protected by an admission controller that disallows creation of improper objects (just refuse to create an Alias without alias/ at the k8s level).
Issues go stale after 180d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 60d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Provide feedback via https://github.com/aws-controllers-k8s/community.
/lifecycle stale
/remove-lifecycle stale
Still relevant:
{"level":"error","ts":"2025-04-02T04:39:48.562Z","msg":"Reconciler error","controller":"alias","controllerGroup":"kms.services.k8s.aws","controllerKind":"Alias","Alias":{"name":"artemis","namespace":"infra-production"},"namespace":"infra-production","name":"artemis","reconcileID":"1af8fce5-b456-4de9-bf69-9b18a11eaaa6","error":"operation error KMS: CreateAlias, https response error StatusCode: 400, RequestID: 97363de1-9d6c-46b4-8180-dfa209b3fa2d, api error ValidationException: Alias must start with the prefix \"alias/\". Please see https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:347\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:294\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func2.2\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:255"}
{"level":"error","ts":"2025-04-02T04:39:48.640Z","msg":"Reconciler error","controller":"alias","controllerGroup":"kms.services.k8s.aws","controllerKind":"Alias","Alias":{"name":"artemis","namespace":"infra-uat"},"namespace":"infra-uat","name":"artemis","reconcileID":"e1c9ef3d-c3b7-43d7-8e4a-818d8ac971d1","error":"operation error KMS: CreateAlias, https response error StatusCode: 400, RequestID: 811197c0-27c6-456e-b678-3370532db942, api error ValidationException: Alias must start with the prefix \"alias/\". Please see https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:347\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:294\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func2.2\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:255"}
Another good option would be to disallow creating improper aliases in the k8s cluster with an admission controller.
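Both fixes proposed in this thread (adding the "alias/" prefix programmatically, and refusing malformed Alias objects at admission time before the controller ever calls CreateAlias) come down to two small functions. The example below is added here and is not ACK controller code; it assumes the alias rules from the KMS developer guide linked in the error message (the name must start with "alias/", must not start with the reserved "alias/aws/", is 1 to 256 characters, and contains only alphanumerics, "/", "_" and "-"). The function names `NormalizeAliasName` and `ValidateAliasName` are illustrative.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Added example, not code from the ACK KMS controller. It shows (1) normalising
// spec.name by prepending "alias/" when the manifest omitted it, and (2) the
// strict check an admission webhook or policy would run so that an Alias KMS
// is guaranteed to reject never reaches a terminal condition in the cluster.

const aliasPrefix = "alias/"

// reservedPrefix is reserved by KMS for AWS managed keys; customers cannot
// create aliases under it.
const reservedPrefix = "alias/aws/"

// aliasChars is the character set the KMS developer guide allows in an alias
// name: alphanumerics, forward slashes, underscores and dashes.
var aliasChars = regexp.MustCompile(`^[A-Za-z0-9/_-]+$`)

// NormalizeAliasName returns the name in the form KMS expects, adding the
// "alias/" prefix when it is missing. The console hides this prefix, which is
// why manifests written by hand tend to omit it.
func NormalizeAliasName(name string) string {
	if strings.HasPrefix(name, aliasPrefix) {
		return name
	}
	return aliasPrefix + name
}

// ValidateAliasName reports why KMS would reject the name, or nil if it is
// acceptable. It never rewrites the input, so it can be used as an
// admission-time guard that refuses to store an unreconcilable Alias.
func ValidateAliasName(name string) error {
	switch {
	case !strings.HasPrefix(name, aliasPrefix):
		return fmt.Errorf("alias %q must start with the prefix %q", name, aliasPrefix)
	case strings.HasPrefix(name, reservedPrefix):
		return fmt.Errorf("alias %q uses the reserved prefix %q", name, reservedPrefix)
	case len(name) <= len(aliasPrefix):
		return fmt.Errorf("alias %q has no name after the prefix", name)
	case len(name) > 256:
		return fmt.Errorf("alias %q is longer than 256 characters", name)
	case !aliasChars.MatchString(name):
		return fmt.Errorf("alias %q contains characters other than alphanumerics, '/', '_' and '-'", name)
	}
	return nil
}

func main() {
	// Constructed inputs mirroring the manifests posted in this issue, plus
	// two names KMS rejects for other reasons.
	inputs := []string{
		"alias-rds-dbserver-8", // first manifest: prefix missing
		"alias/rds-dbserver-8", // working manifest
		"alias/aws/rds",        // reserved prefix
		"alias/bad name",       // disallowed character
	}
	for _, n := range inputs {
		fmt.Printf("%-22s normalised=%-28q validate: %v\n", n, NormalizeAliasName(n), ValidateAliasName(n))
	}
}
```

Note the trap in the first manifest: silently normalising `alias-rds-dbserver-8` yields `alias/alias-rds-dbserver-8`, which is valid but almost certainly not what the author meant. That is an argument for the admission-time refusal over (or in addition to) automatic prefixing: a clear error at `kubectl apply` time is easier to act on than a surprising alias name in the account.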
Hi @gecube, this should be resolved now in v1.0.24...thank you for your patience
@michaelhtm Hi! Thanks for the information. How was it resolved? And what about backward compatibility if I already created them with the prefix?
The new release also maintains backward compatibility, and going forward you should still be able to create aliases with the prefix :)
Closing for now. Please feel free to reopen if issue is not yet resolved /close