ACK RDS: can't create encrypted db from snapshot.
Good day!
I have the ACK toolkit RDS controller v1.4.6.
I want to create a DB from a snapshot encrypted by KMS.
I prepared the following manifest for KMS:

```yaml
apiVersion: kms.services.k8s.aws/v1alpha1
kind: Key
metadata:
  name: dbserver5
spec:
  description: "Key for dbserver5"
  enableKeyRotation: true
  tags:
    - tagKey: Name
      tagValue: dbserver5
    - tagKey: env
      tagValue: uat
---
apiVersion: kms.services.k8s.aws/v1alpha1
kind: Alias
metadata:
  name: dbserver5
spec:
  name: alias/dbserver5
  targetKeyRef:
    from:
      name: dbserver5
```

These resources were applied properly.
Then I want to create the DB:

```yaml
apiVersion: rds.services.k8s.aws/v1alpha1
kind: DBInstance
metadata:
  name: dbserver-5
spec:
  dbSnapshotIdentifier: "arn:aws:rds:eu-west-2:******:snapshot:******"
  allocatedStorage: 20
  dbInstanceClass: db.r5.large
  dbInstanceIdentifier: dbserver-5
  engine: mysql
  engineVersion: "5.7"
  masterUsername: "root"
  masterUserPassword:
    namespace: infra-uat
    name: dbserver-5-db-password
    key: password
  dbSubnetGroupRef:
    from:
      name: rds-subnet
  publiclyAccessible: false
  availabilityZone: 'eu-west-2c'
  storageEncrypted: true
  kmsKeyRef:
    from:
      name: dbserver5
```
In fact, I am getting the following:

```yaml
apiVersion: rds.services.k8s.aws/v1alpha1
kind: DBInstance
metadata:
  annotations:
    rds.services.k8s.aws/last-applied-secret-reference: infra-uat/dbserver-5-db-password.password
  resourceVersion: '642548767'
  name: dbserver-5-uat
  namespace: infra-uat
  finalizers:
    - finalizers.rds.services.k8s.aws/DBInstance
  labels:
    kustomize.toolkit.fluxcd.io/name: infra-management
    kustomize.toolkit.fluxcd.io/namespace: flux-system
spec:
  engine: mysql
  preferredMaintenanceWindow: 'fri:23:40-sat:00:10'
  caCertificateIdentifier: rds-ca-rsa2048-g1
  kmsKeyRef:
    from:
      name: dbserver5
  dbInstanceClass: db.r5.large
  storageThroughput: 0
  deletionProtection: false
  availabilityZone: eu-west-2c
  masterUserPassword:
    key: password
    name: dbserver-5-db-password
    namespace: infra-uat
  licenseModel: general-public-license
  storageEncrypted: false
  autoMinorVersionUpgrade: true
  dbSnapshotIdentifier: 'arn:aws:rds:eu-west-2:*****:snapshot:*****'
  publiclyAccessible: false
  monitoringInterval: 0
  copyTagsToSnapshot: false
  dbSubnetGroupRef:
    from:
      name: rds-subnet
  multiAZ: false
  preferredBackupWindow: '05:01-05:31'
  allocatedStorage: 20
  storageType: gp2
  engineVersion: '5.7'
  performanceInsightsEnabled: false
  masterUsername: root
  dbInstanceIdentifier: dbserver-5
  backupRetentionPeriod: 1
status:
  pendingModifiedValues: {}
  dbSubnetGroup:
    dbSubnetGroupDescription: ololo
    dbSubnetGroupName: rds-subnet
    subnetGroupStatus: Complete
    subnets:
      - subnetAvailabilityZone:
          name: eu-west-2a
        subnetIdentifier: *****
        subnetOutpost: {}
        subnetStatus: Active
      - subnetAvailabilityZone:
          name: eu-west-2b
        subnetIdentifier: *****
        subnetOutpost: {}
        subnetStatus: Active
      - subnetAvailabilityZone:
          name: eu-west-2c
        subnetIdentifier: *****
        subnetOutpost: {}
        subnetStatus: Active
    vpcID: *****
  latestRestorableTime: '2024-10-19T09:25:00Z'
  dbInstanceStatus: available
  ackResourceMetadata:
    arn: 'arn:aws:rds:eu-west-2:*****:db:dbserver-5'
    ownerAccountID: '474417630776'
    region: eu-west-2
  certificateDetails:
    cAIdentifier: rds-ca-rsa2048-g1
    validTill: '2027-10-19T09:10:58Z'
  optionGroupMemberships:
    - optionGroupName: 'default:mysql-5-7'
      status: in-sync
  customerOwnedIPEnabled: false
  dbInstancePort: 0
  dbiResourceID: *****
  endpoint:
    address: *****
    hostedZoneID: *****
    port: 3306
  conditions:
    - lastTransitionTime: '2024-10-19T09:30:15Z'
      status: 'True'
      type: ACK.ReferencesResolved
    - lastTransitionTime: '2024-10-19T09:30:16Z'
      status: 'False'
      type: ACK.ResourceSynced
    - lastTransitionTime: '2024-10-19T09:30:16Z'
      message: Late initialization successful
      reason: Late initialization successful
      status: 'True'
      type: ACK.LateInitialized
  iamDatabaseAuthenticationEnabled: true
  vpcSecurityGroups:
    - status: active
      vpcSecurityGroupID: *****
  instanceCreateTime: '2024-10-19T09:11:46Z'
  dbParameterGroups:
    - dbParameterGroupName: default.mysql5.7
      parameterApplyStatus: in-sync
```
I want to point out that the kmsID is not put into the target object for some reason, and the flag storageEncrypted is false.
No meaningful errors were found in the RDS controller logs. Also, putting the `kustomize.toolkit.fluxcd.io/ssa: Merge` annotation on the RDS object does not help.
Hi @gecube - thank you for reporting this! I quickly checked the RestoreDBInstanceFromSnapshot API and it doesn't look like it provides a way to restore DBInstances with encrypted storage: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_RestoreDBInstanceFromDBSnapshot.html - it looks like this is only possible with DBClusters.
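A desired-versus-observed check for this failure mode, as an added example that is not from the issue or the ACK project. It assumes ACK exposes the resolved key as `spec.kmsKeyID`, and its sample inputs are constructed from the manifests above with identifiers redacted:

```python
# RestoreDBInstanceFromDBSnapshot takes no encryption parameters: the restored
# instance inherits the snapshot's encryption state, so these spec fields are
# silently ignored on that path. (`kmsKeyID` as the resolved field is assumed.)
RESTORE_IGNORED = ("storageEncrypted", "kmsKeyRef", "kmsKeyID")


def lint_restore_spec(spec):
    """Return a warning per encryption field set alongside dbSnapshotIdentifier."""
    if not spec.get("dbSnapshotIdentifier"):
        return []
    return [f"{f} is ignored when restoring from a snapshot"
            for f in RESTORE_IGNORED if spec.get(f) not in (None, False)]


def encryption_drift(desired_spec, observed):
    """Compare the applied spec with the object read back (spec + status)."""
    findings = {}
    ospec = observed.get("spec", {})
    if desired_spec.get("storageEncrypted") and not ospec.get("storageEncrypted"):
        findings["storageEncrypted"] = {"desired": True,
                                        "observed": ospec.get("storageEncrypted")}
    if desired_spec.get("kmsKeyRef") and not ospec.get("kmsKeyID"):
        findings["kmsKeyID"] = {"desired": desired_spec["kmsKeyRef"], "observed": None}
    conds = observed.get("status", {}).get("conditions", [])
    synced = [c for c in conds if c.get("type") == "ACK.ResourceSynced"]
    if synced and synced[0].get("status") != "True":
        findings["ACK.ResourceSynced"] = {"desired": "True",
                                          "observed": synced[0].get("status")}
    return findings


# Constructed sample inputs modelled on the manifests in this issue (redacted).
DESIRED_SPEC = {
    "dbInstanceIdentifier": "dbserver-5",
    "dbSnapshotIdentifier": "arn:aws:rds:eu-west-2:REDACTED:snapshot:REDACTED",
    "storageEncrypted": True,
    "kmsKeyRef": {"from": {"name": "dbserver5"}},
}
OBSERVED = {
    "spec": {"dbInstanceIdentifier": "dbserver-5", "storageEncrypted": False,
             "kmsKeyRef": {"from": {"name": "dbserver5"}}},
    "status": {"conditions": [{"type": "ACK.ReferencesResolved", "status": "True"},
                              {"type": "ACK.ResourceSynced", "status": "False"}]},
}

if __name__ == "__main__":
    for w in lint_restore_spec(DESIRED_SPEC):
        print("warning:", w)
    print("drift:", encryption_drift(DESIRED_SPEC, OBSERVED))
```

Running the lint before `kubectl apply` surfaces the dropped fields up front, and the drift check turns the silent `storageEncrypted: false` into a finding a pipeline can fail on.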
Issues go stale after 180d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 60d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Provide feedback via https://github.com/aws-controllers-k8s/community.
/lifecycle stale
/remove-lifecycle stale