Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Obsolete/Closed: Add config option to enable the encryption of AWS EKS secrets #2723

Closed
wants to merge 17 commits into from
Closed

Obsolete/Closed: Add config option to enable the encryption of AWS EKS secrets #2723

wants to merge 17 commits into from

Conversation

joneszc
Copy link
Contributor

@joneszc joneszc commented Sep 17, 2024
edited
Loading

Reference Issues or PRs

Fixes #2681

What does this implement/fix?

Put a x in the boxes that apply

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds a feature)
  • Breaking change (fix or feature that would cause existing features not to work as expected)
  • Documentation Update
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes, no API changes)
  • Build related changes
  • Other (please describe):

Testing

  • Did you test the pull request locally?
  • Did you add new tests?

How to test this PR?

Any other comments?

Allows user to set EKS encryption of secrets by specifying a KMS key ARN in nebari-config.yaml

amazon_web_services:
  eks_kms_arn: 'arn:aws:kms:us-east-1:010101010:key/3xxxxxxx-xxxxx-xxxxx-xxxxx'
image

The KMS key must meet the following conditions:

  • Symmetric
  • Can encrypt and decrypt data
  • Created in the same AWS Region as the cluster
  • If the KMS key was created in a different account, the IAM principal must have access to the KMS key.

@joneszc joneszc mentioned this pull request Sep 17, 2024
Closed
1 task
@joneszc joneszc self-assigned this Sep 17, 2024
@joneszc joneszc removed the request for review from dcmcand September 17, 2024 16:11
@kenafoster kenafoster self-requested a review September 19, 2024 21:39
kenafoster
kenafoster approved these changes Sep 19, 2024
View reviewed changes
Copy link
Contributor

@kenafoster kenafoster left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM but if this is merged we should open up a nebari-docs since it's a little tricky to implement and understand

I've confirmed that most of the mistakes you could make (wrong region, bad format, key doesn't exist or Nebari deploy user can't see it) will fail in the stage where it creates the IAM policy, so at least it won't get to modifying the EKS cluster before failing

@joneszc joneszc mentioned this pull request Sep 24, 2024
Open
@viniciusdc
Copy link
Contributor

I would say that we could have a validator in the AWS Pydantic provider (similar to how we already do for the instance types and region) so that the feedback loop in case of errors is quicker for the user doing the deployment (instead of relying on terraform only for the "check").

@tylergraff tylergraff mentioned this pull request Sep 26, 2024
Closed
@joneszc
Copy link
Contributor Author

joneszc commented Sep 27, 2024

I would say that we could have a validator in the AWS Pydantic provider (similar to how we already do for the instance types and region) so that the feedback loop in case of errors is quicker for the user doing the deployment (instead of relying on terraform only for the "check").

@viniciusdc @tylergraff
As suggested, I have added initial kms-key arn validation steps here
I'm still testing these updates

@viniciusdc
Copy link
Contributor

viniciusdc commented Oct 3, 2024
edited
Loading

I think the issues with the tests below are due to the recent move from develop to main. Can you update your fork repo and update this branch?

@joneszc joneszc closed this Oct 3, 2024
@joneszc joneszc deleted the eks-cluster-encryption branch October 3, 2024 16:55
@joneszc
Copy link
Contributor Author

joneszc commented Oct 3, 2024

I think the issues with the tests below are due to the recent move from develop to main. Can you update your fork repo and update this branch?

@viniciusdc,
This branch should now, at time of writing, be up to date with nebari-dev/nebari:main. Thanks!

@joneszc
Copy link
Contributor Author

joneszc commented Oct 3, 2024
edited
Loading

@viniciusdc @tylergraff @kenafoster
Migrating this effort to new PR#2752

@joneszc joneszc mentioned this pull request Oct 3, 2024
Closed
10 tasks
@joneszc joneszc mentioned this pull request Oct 22, 2024
Merged
10 tasks
@joneszc joneszc changed the title Add config option to enable the encryption of AWS EKS secrets Obsolete/Closed: Add config option to enable the encryption of AWS EKS secrets Oct 24, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kenafoster kenafoster kenafoster approved these changes

Assignees

@joneszc joneszc

Labels
area: security 🔐
Projects
🪴 Nebari Project Management
Status: Done 💪🏾
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Fix code scanning alert - EKS should have the encryption of secrets enabled
3 participants
@joneszc @viniciusdc @kenafoster