Merge pull request #1450 from akesser/feature/secrets-encryption

Feature/secrets encryption
crossplane-contrib · Aug 25, 2022 · 70879e6 · 70879e6
2 parents 4040d5c + 2f31add
commit 70879e6
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 16 deletions.
diff --git a/pkg/clients/eks/eks.go b/pkg/clients/eks/eks.go
@@ -60,6 +60,7 @@ type Client interface {
 	TagResource(ctx context.Context, input *eks.TagResourceInput, opts ...func(*eks.Options)) (*eks.TagResourceOutput, error)
 	UntagResource(ctx context.Context, input *eks.UntagResourceInput, opts ...func(*eks.Options)) (*eks.UntagResourceOutput, error)
 	UpdateClusterVersion(ctx context.Context, input *eks.UpdateClusterVersionInput, opts ...func(*eks.Options)) (*eks.UpdateClusterVersionOutput, error)
+	AssociateEncryptionConfig(ctx context.Context, params *eks.AssociateEncryptionConfigInput, optFns ...func(*eks.Options)) (*eks.AssociateEncryptionConfigOutput, error)
 
 	DescribeNodegroup(ctx context.Context, input *eks.DescribeNodegroupInput, opts ...func(*eks.Options)) (*eks.DescribeNodegroupOutput, error)
 	CreateNodegroup(ctx context.Context, input *eks.CreateNodegroupInput, opts ...func(*eks.Options)) (*eks.CreateNodegroupOutput, error)
@@ -118,15 +119,7 @@ func GenerateCreateClusterInput(name string, p *v1beta1.ClusterParameters) *eks.
 	}
 
 	if len(p.EncryptionConfig) > 0 {
-		c.EncryptionConfig = make([]ekstypes.EncryptionConfig, len(p.EncryptionConfig))
-		for i, conf := range p.EncryptionConfig {
-			c.EncryptionConfig[i] = ekstypes.EncryptionConfig{
-				Provider: &ekstypes.Provider{
-					KeyArn: awsclients.String(conf.Provider.KeyArn),
-				},
-				Resources: conf.Resources,
-			}
-		}
+		c.EncryptionConfig = GenerateEncryptionConfig(p)
 	}
 
 	c.ResourcesVpcConfig = &ekstypes.VpcConfigRequest{
@@ -158,6 +151,22 @@ func GenerateCreateClusterInput(name string, p *v1beta1.ClusterParameters) *eks.
 	return c
 }
 
+// GenerateEncryptionConfig creates the config needed to enable encryption
+func GenerateEncryptionConfig(parameters *v1beta1.ClusterParameters) []ekstypes.EncryptionConfig {
+	encryptionConfig := make([]ekstypes.EncryptionConfig, len(parameters.EncryptionConfig))
+	if len(parameters.EncryptionConfig) > 0 {
+		for i, conf := range parameters.EncryptionConfig {
+			encryptionConfig[i] = ekstypes.EncryptionConfig{
+				Provider: &ekstypes.Provider{
+					KeyArn: awsclients.String(conf.Provider.KeyArn),
+				},
+				Resources: conf.Resources,
+			}
+		}
+	}
+	return encryptionConfig
+}
+
 // CreatePatch creates a *v1beta1.ClusterParameters that has only the changed
 // values between the target *v1beta1.ClusterParameters and the current
 // *ekstypes.Cluster.

diff --git a/pkg/clients/eks/fake/fake.go b/pkg/clients/eks/fake/fake.go
@@ -26,13 +26,14 @@ import (
 
 // MockClient is a fake implementation of eks.Client.
 type MockClient struct {
-	MockCreateCluster        func(ctx context.Context, input *eks.CreateClusterInput, opts []func(*eks.Options)) (*eks.CreateClusterOutput, error)
-	MockDescribeCluster      func(ctx context.Context, input *eks.DescribeClusterInput, opts []func(*eks.Options)) (*eks.DescribeClusterOutput, error)
-	MockUpdateClusterConfig  func(ctx context.Context, input *eks.UpdateClusterConfigInput, opts []func(*eks.Options)) (*eks.UpdateClusterConfigOutput, error)
-	MockDeleteCluster        func(ctx context.Context, input *eks.DeleteClusterInput, opts []func(*eks.Options)) (*eks.DeleteClusterOutput, error)
-	MockTagResource          func(ctx context.Context, input *eks.TagResourceInput, opts []func(*eks.Options)) (*eks.TagResourceOutput, error)
-	MockUntagResource        func(ctx context.Context, input *eks.UntagResourceInput, opts []func(*eks.Options)) (*eks.UntagResourceOutput, error)
-	MockUpdateClusterVersion func(ctx context.Context, input *eks.UpdateClusterVersionInput, opts []func(*eks.Options)) (*eks.UpdateClusterVersionOutput, error)
+	MockCreateCluster             func(ctx context.Context, input *eks.CreateClusterInput, opts []func(*eks.Options)) (*eks.CreateClusterOutput, error)
+	MockDescribeCluster           func(ctx context.Context, input *eks.DescribeClusterInput, opts []func(*eks.Options)) (*eks.DescribeClusterOutput, error)
+	MockUpdateClusterConfig       func(ctx context.Context, input *eks.UpdateClusterConfigInput, opts []func(*eks.Options)) (*eks.UpdateClusterConfigOutput, error)
+	MockDeleteCluster             func(ctx context.Context, input *eks.DeleteClusterInput, opts []func(*eks.Options)) (*eks.DeleteClusterOutput, error)
+	MockTagResource               func(ctx context.Context, input *eks.TagResourceInput, opts []func(*eks.Options)) (*eks.TagResourceOutput, error)
+	MockUntagResource             func(ctx context.Context, input *eks.UntagResourceInput, opts []func(*eks.Options)) (*eks.UntagResourceOutput, error)
+	MockUpdateClusterVersion      func(ctx context.Context, input *eks.UpdateClusterVersionInput, opts []func(*eks.Options)) (*eks.UpdateClusterVersionOutput, error)
+	MockAssociateEncryptionConfig func(ctx context.Context, input *eks.AssociateEncryptionConfigInput, opts []func(*eks.Options)) (*eks.AssociateEncryptionConfigOutput, error)
 
 	MockDescribeNodegroup      func(ctx context.Context, input *eks.DescribeNodegroupInput, opts []func(*eks.Options)) (*eks.DescribeNodegroupOutput, error)
 	MockCreateNodegroup        func(ctx context.Context, input *eks.CreateNodegroupInput, opts []func(*eks.Options)) (*eks.CreateNodegroupOutput, error)
@@ -97,6 +98,12 @@ func (c *MockClient) UpdateClusterVersion(ctx context.Context, input *eks.Update
 	return c.MockUpdateClusterVersion(ctx, input, opts)
 }
 
+// AssociateEncryptionConfig calls the underlying
+// MockAssociateEncryptionConfig method.
+func (c *MockClient) AssociateEncryptionConfig(ctx context.Context, input *eks.AssociateEncryptionConfigInput, opts ...func(*eks.Options)) (*eks.AssociateEncryptionConfigOutput, error) {
+	return c.MockAssociateEncryptionConfig(ctx, input, opts)
+}
+
 // DescribeNodegroup calls the underlying MockDescribeNodegroup
 // method.
 func (c *MockClient) DescribeNodegroup(ctx context.Context, input *eks.DescribeNodegroupInput, opts ...func(*eks.Options)) (*eks.DescribeNodegroupOutput, error) {

diff --git a/pkg/controller/eks/cluster.go b/pkg/controller/eks/cluster.go
@@ -189,6 +189,13 @@ func (e *external) Update(ctx context.Context, mg resource.Managed) (managed.Ext
 	if err != nil {
 		return managed.ExternalUpdate{}, awsclient.Wrap(err, errPatchCreationFailed)
 	}
+	if patch.EncryptionConfig != nil {
+		_, err := e.client.AssociateEncryptionConfig(ctx, &awseks.AssociateEncryptionConfigInput{
+			ClusterName:      awsclient.String(meta.GetExternalName(cr)),
+			EncryptionConfig: eks.GenerateEncryptionConfig(&cr.Spec.ForProvider),
+		})
+		return managed.ExternalUpdate{}, awsclient.Wrap(resource.Ignore(eks.IsErrorInUse, err), errUpdateVersionFailed)
+	}
 	if patch.Version != nil {
 		_, err := e.client.UpdateClusterVersion(ctx, &awseks.UpdateClusterVersionInput{Name: awsclient.String(meta.GetExternalName(cr)), Version: patch.Version})
 		return managed.ExternalUpdate{}, awsclient.Wrap(resource.Ignore(eks.IsErrorInUse, err), errUpdateVersionFailed)