fix: eks encryption logic fix #3095
Conversation
The logic for when to update the EKS encryption had issues. This refactors the logic to be more explicit. Also updated the docs to say that the KMS key ARN needs to be used and not the alias ARN. Signed-off-by: Richard Case <richard@weave.works>
k8s-ci-robot
added
release-note
|
@richardcase: This issue is currently awaiting triage. If CAPA/CAPI contributors determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
needs-triage
k8s-ci-robot
added
the
size/S
richardcase
changed the title
| record.Warnf(s.scope.ControlPlane, "FailedUpdateEKSControlPlane", "failed to update the EKS control plane: disabling EKS encryption is not allowed after it has been enabled") | ||
| return errors.Errorf("failed to update the EKS control plane: disabling EKS encryption is not allowed after it has been enabled") |
There was a problem hiding this comment.
Once set, modifying or deleting the config is not allowed in the webhook, so not really needed.
There was a problem hiding this comment.
@richardcase What was the fix here? I could not see.
There was a problem hiding this comment.
Agreed it should never get here....although it was with the issue that this PR relates to. I'd be tempted to keep it as it would be good to get an error .
|
Changing to WIP as i will fix #3096 as part of this. |
richardcase
changed the title
k8s-ci-robot
added
the
do-not-merge/work-in-progress
|
More comments in Slack, but I built this and deployed it to my cluster - so far I'm able to build a cluster with no KMS error messages relating to trying to pull the encryption back off. Looking good @richardcase! Thank you! |
richardcase
changed the title
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
|
@rayterrill - thanks for confirming this fixes your issue. I'll do #3096 as a seperate PR after some thought so that we get this in. |
|
/test ? |
|
@richardcase: The following commands are available to trigger required jobs:
The following commands are available to trigger optional jobs:
Use
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/test pull-cluster-api-provider-aws-e2e-eks |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: sedefsavas The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
What type of PR is this?
/kind bug
What this PR does / why we need it:
The logic for when to update the EKS encryption had issues. This
refactors the logic to be more explicit.
Also updated the docs to say that the KMS key ARN needs to be used and
not the alias ARN.
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #3092
Special notes for your reviewer:
Checklist:
Release note: