-
Notifications
You must be signed in to change notification settings - Fork 560
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: eks encryption logic fix #3095
fix: eks encryption logic fix #3095
Conversation
The logic for when to update the EKS encryption had issues. This refactors the logic to be more explicit. Also updated the docs to say that the KMS key ARN needs to be used and not the alias ARN. Signed-off-by: Richard Case <richard@weave.works>
@richardcase: This issue is currently awaiting triage. If CAPA/CAPI contributors determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
record.Warnf(s.scope.ControlPlane, "FailedUpdateEKSControlPlane", "failed to update the EKS control plane: disabling EKS encryption is not allowed after it has been enabled") | ||
return errors.Errorf("failed to update the EKS control plane: disabling EKS encryption is not allowed after it has been enabled") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Once set, modifying or deleting the config is not allowed in the webhook, so not really needed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@richardcase What was the fix here? I could not see.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agreed it should never get here....although it was with the issue that this PR relates to. I'd be tempted to keep it as it would be good to get an error .
Changing to WIP as i will fix #3096 as part of this. |
More comments in Slack, but I built this and deployed it to my cluster - so far I'm able to build a cluster with no KMS error messages relating to trying to pull the encryption back off. Looking good @richardcase! Thank you! |
@rayterrill - thanks for confirming this fixes your issue. I'll do #3096 as a seperate PR after some thought so that we get this in. |
/test ? |
@richardcase: The following commands are available to trigger required jobs:
The following commands are available to trigger optional jobs:
Use
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/test pull-cluster-api-provider-aws-e2e-eks |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: sedefsavas The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
What type of PR is this?
/kind bug
What this PR does / why we need it:
The logic for when to update the EKS encryption had issues. This
refactors the logic to be more explicit.
Also updated the docs to say that the KMS key ARN needs to be used and
not the alias ARN.
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)
format, will close the issue(s) when PR gets merged):Fixes #3092
Special notes for your reviewer:
Checklist:
Release note: