Extend Etcd Encryption API and add more validations and defaults (#6708)

aws · Sep 21, 2023 · d7f7813 · d7f7813
1 parent 7419a27
commit d7f7813
Show file tree

Hide file tree

Showing 13 changed files with 396 additions and 53 deletions.
diff --git a/cmd/eksctl-anywhere/cmd/createcluster.go b/cmd/eksctl-anywhere/cmd/createcluster.go
@@ -84,6 +84,10 @@ func (cc *createClusterOptions) createCluster(cmd *cobra.Command, _ []string) er
 		}
 	}
 
+	if clusterConfig.Spec.EtcdEncryption != nil {
+		return errors.New("etcdEncryption is not supported during cluster creation")
+	}
+
 	docker := executables.BuildDockerExecutable()
 
 	if err := validations.CheckMinimumDockerVersion(ctx, docker); err != nil {

diff --git a/cmd/eksctl-anywhere/cmd/upgradecluster.go b/cmd/eksctl-anywhere/cmd/upgradecluster.go
@@ -84,6 +84,10 @@ func (uc *upgradeClusterOptions) upgradeCluster(cmd *cobra.Command) error {
 		}
 	}
 
+	if err := v1alpha1.ValidateEtcdEncryptionConfig(clusterConfig.Spec.EtcdEncryption); err != nil {
+		return err
+	}
+
 	if _, err := uc.commonValidations(ctx); err != nil {
 		return fmt.Errorf("common validations failed due to: %v", err)
 	}

diff --git a/config/crd/bases/anywhere.eks.amazonaws.com_clusters.yaml b/config/crd/bases/anywhere.eks.amazonaws.com_clusters.yaml
@@ -230,11 +230,28 @@ spec:
                             description: KMS defines the configuration for KMS Encryption
                               provider.
                             properties:
+                              cachesize:
+                                description: CacheSize defines the maximum number
+                                  of encrypted objects to be cached in memory. The
+                                  default value is 1000. You can set this to a negative
+                                  value to disable caching.
+                                format: int32
+                                type: integer
+                              name:
+                                description: Name defines the name of KMS plugin to
+                                  be used.
+                                type: string
                               socketListenAddress:
                                 description: SocketListenAddress defines a UNIX socket
                                   address that the KMS provider listens on.
                                 type: string
+                              timeout:
+                                description: Timeout for kube-apiserver to wait for
+                                  KMS plugin. Default is 3s.
+                                format: int64
+                                type: integer
                             required:
+                            - name
                             - socketListenAddress
                             type: object
                         required:

diff --git a/config/manifest/eksa-components.yaml b/config/manifest/eksa-components.yaml
@@ -3866,11 +3866,28 @@ spec:
                             description: KMS defines the configuration for KMS Encryption
                               provider.
                             properties:
+                              cachesize:
+                                description: CacheSize defines the maximum number
+                                  of encrypted objects to be cached in memory. The
+                                  default value is 1000. You can set this to a negative
+                                  value to disable caching.
+                                format: int32
+                                type: integer
+                              name:
+                                description: Name defines the name of KMS plugin to
+                                  be used.
+                                type: string
                               socketListenAddress:
                                 description: SocketListenAddress defines a UNIX socket
                                   address that the KMS provider listens on.
                                 type: string
+                              timeout:
+                                description: Timeout for kube-apiserver to wait for
+                                  KMS plugin. Default is 3s.
+                                format: int64
+                                type: integer
                             required:
+                            - name
                             - socketListenAddress
                             type: object
                         required:

diff --git a/go.sum b/go.sum
@@ -522,8 +522,6 @@ github.com/aws/aws-sdk-go v1.38.40/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2z
 github.com/aws/aws-sdk-go v1.42.23 h1:V0V5hqMEyVelgpu1e4gMPVCJ+KhmscdNxP/NWP1iCOA=
 github.com/aws/aws-sdk-go v1.42.23/go.mod h1:gyRszuZ/icHmHAVE4gc/r+cfCmhA1AD+vqfWbgI+eHs=
 github.com/aws/aws-sdk-go-v2 v1.16.2/go.mod h1:ytwTPBG6fXTZLxxeeCCWj2/EMYp/xDUgX+OET6TLNNU=
-github.com/aws/aws-sdk-go-v2 v1.16.14 h1:db6GvO4Z2UqHt5gvT0lr6J5x5P+oQ7bdRzczVaRekMU=
-github.com/aws/aws-sdk-go-v2 v1.16.14/go.mod h1:s/G+UV29dECbF5rf+RNj1xhlmvoNurGSr+McVSRj59w=
 github.com/aws/aws-sdk-go-v2 v1.21.0 h1:gMT0IW+03wtYJhRqTVYn0wLzwdnK9sRMcxmtfGzRdJc=
 github.com/aws/aws-sdk-go-v2 v1.21.0/go.mod h1:/RfNgGmRxI+iFOB1OeJUyxiU+9s88k3pfHvDagGEp0M=
 github.com/aws/aws-sdk-go-v2/config v1.15.3 h1:5AlQD0jhVXlGzwo+VORKiUuogkG7pQcLJNzIzK7eodw=
@@ -532,11 +530,9 @@ github.com/aws/aws-sdk-go-v2/credentials v1.11.2 h1:RQQ5fzclAKJyY5TvF+fkjJEwzK4h
 github.com/aws/aws-sdk-go-v2/credentials v1.11.2/go.mod h1:j8YsY9TXTm31k4eFhspiQicfXPLZ0gYXA50i4gxPE8g=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.3 h1:LWPg5zjHV9oz/myQr4wMs0gi4CjnDN/ILmyZUFYXZsU=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.3/go.mod h1:uk1vhHHERfSVCUnqSqz8O48LBYDSC+k6brng09jcMOk=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.9 h1:onz/VaaxZ7Z4V+WIN9Txly9XLTmoOh1oJ8XcAC3pako=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.9/go.mod h1:AnVH5pvai0pAF4lXRq0bmhbes1u9R8wTE+g+183bZNM=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.41 h1:22dGT7PneFMx4+b3pz7lMTRyN8ZKH7M2cW4GP9yUS2g=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.41/go.mod h1:CrObHAuPneJBlfEJ5T3szXOUkLEThaGfvnhTf33buas=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.3 h1:9stUQR/u2KXU6HkFJYlqnZEjBnbgrVbG6I5HN09xZh0=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.3/go.mod h1:ssOhaLpRlh88H3UmEcsBoVKq309quMvm3Ds8e9d4eJM=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.35 h1:SijA0mgjV8E+8G45ltVHs0fvKpTj8xmZJ3VwhGKtUSI=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.35/go.mod h1:SJC1nEVVva1g3pHAIdCp7QsRIkMmLAgoDquQ9Rr8kYw=
@@ -561,8 +557,6 @@ github.com/aws/etcdadm-bootstrap-provider v1.0.7-rc3/go.mod h1:PN7CO02LPlWz02Bjs
 github.com/aws/etcdadm-controller v1.0.6-rc3 h1:hTu0pagWPU467scMtaR2rmaNIgMcFMNeGYZAJvFa8g0=
 github.com/aws/etcdadm-controller v1.0.6-rc3/go.mod h1:60QVQeYClyeV22MpI+SMBDx/dXVf/pZNdyiWDM2OBZc=
 github.com/aws/smithy-go v1.11.2/go.mod h1:3xHYmszWVx2c0kIwQeEVf9uSm4fYZt67FBJnwub1bgM=
-github.com/aws/smithy-go v1.13.2 h1:TBLKyeJfXTrTXRHmsv4qWt9IQGYyWThLYaJWSahTOGE=
-github.com/aws/smithy-go v1.13.2/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
 github.com/aws/smithy-go v1.14.2 h1:MJU9hqBGbvWZdApzpvoF2WAIJDbtjK2NDJSiJP7HblQ=
 github.com/aws/smithy-go v1.14.2/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
 github.com/benbjohnson/clock v1.0.3/go.mod h1:bGMdMPoPVvcYyt1gHDf4J2KE153Yf9BuiUKYMaxlTDM=

diff --git a/pkg/api/v1alpha1/cluster_defaults.go b/pkg/api/v1alpha1/cluster_defaults.go
@@ -13,6 +13,7 @@ var clusterDefaults = []func(*Cluster) error{
 	setRegistryMirrorConfigDefaults,
 	setWorkerNodeGroupDefaults,
 	setCNIConfigDefault,
+	setEtcdEncryptionConfigDefaults,
 }
 
 func setClusterDefaults(cluster *Cluster) error {

diff --git a/pkg/api/v1alpha1/cluster_defaults_test.go b/pkg/api/v1alpha1/cluster_defaults_test.go
@@ -244,6 +244,75 @@ func TestSetClusterDefaults(t *testing.T) {
 			},
 			wantErr: "",
 		},
+		{
+			name: "etcd encryption - no cachesize and timeout specified",
+			in: &Cluster{
+				TypeMeta: metav1.TypeMeta{
+					Kind:       ClusterKind,
+					APIVersion: SchemeBuilder.GroupVersion.String(),
+				},
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "eksa-unit-test",
+				},
+				Spec: ClusterSpec{
+					KubernetesVersion: Kube119,
+					WorkerNodeGroupConfigurations: []WorkerNodeGroupConfiguration{{
+						Name:  "worker-0",
+						Count: ptr.Int(1),
+					}},
+					EtcdEncryption: &[]EtcdEncryption{
+						{
+							Providers: []EtcdEncryptionProvider{
+								{
+									KMS: &KMS{
+										Name:                "test-config",
+										SocketListenAddress: "unix:///kms/socket/path",
+									},
+								},
+							},
+							Resources: []string{"secrets"},
+						},
+					},
+				},
+			},
+			wantCluster: &Cluster{
+				TypeMeta: metav1.TypeMeta{
+					Kind:       ClusterKind,
+					APIVersion: SchemeBuilder.GroupVersion.String(),
+				},
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "eksa-unit-test",
+				},
+				Spec: ClusterSpec{
+					KubernetesVersion: Kube119,
+					ClusterNetwork: ClusterNetwork{
+						CNIConfig: &CNIConfig{
+							Cilium: nil,
+						},
+					},
+					WorkerNodeGroupConfigurations: []WorkerNodeGroupConfiguration{{
+						Name:  "worker-0",
+						Count: ptr.Int(1),
+					}},
+					EtcdEncryption: &[]EtcdEncryption{
+						{
+							Providers: []EtcdEncryptionProvider{
+								{
+									KMS: &KMS{
+										Name:                "test-config",
+										SocketListenAddress: "unix:///kms/socket/path",
+										CacheSize:           defaultKMSCacheSize,
+										Timeout:             &defaultKMSTimeout,
+									},
+								},
+							},
+							Resources: []string{"secrets"},
+						},
+					},
+				},
+			},
+			wantErr: "",
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

diff --git a/pkg/api/v1alpha1/cluster_webhook.go b/pkg/api/v1alpha1/cluster_webhook.go
@@ -66,12 +66,12 @@ func (r *Cluster) ValidateCreate() error {
 		return apierrors.NewBadRequest("creating new cluster on existing cluster is not supported for self managed clusters")
 	}
 
-	if err := r.Validate(); err != nil {
-		allErrs = append(allErrs, field.Invalid(field.NewPath("spec"), r.Spec, err.Error()))
+	if r.Spec.EtcdEncryption != nil {
+		allErrs = append(allErrs, field.Invalid(field.NewPath("spec.etcdEncryption"), r.Spec.EtcdEncryption, "etcdEncryption is not supported during cluster creation"))
 	}
 
-	if r.Spec.EtcdEncryption != nil {
-		allErrs = append(allErrs, field.Invalid(field.NewPath("spec"), r.Spec, "etcdEncryption is not supported during cluster creation"))
+	if err := r.Validate(); err != nil {
+		allErrs = append(allErrs, field.Invalid(field.NewPath("spec"), r.Spec, err.Error()))
 	}
 
 	if len(allErrs) != 0 {
@@ -107,8 +107,8 @@ func (r *Cluster) ValidateUpdate(old runtime.Object) error {
 
 	allErrs = append(allErrs, ValidateWorkerKubernetesVersionSkew(r, oldCluster)...)
 
-	if err := validateEtcdEncryptionConfig(r.Spec.EtcdEncryption); err != nil {
-		allErrs = append(allErrs, field.Invalid(field.NewPath("spec"), r.Spec, err.Error()))
+	if err := ValidateEtcdEncryptionConfig(r.Spec.EtcdEncryption); err != nil {
+		allErrs = append(allErrs, field.Invalid(field.NewPath("spec.etcdEncryption"), r.Spec.EtcdEncryption, err.Error()))
 	}
 
 	if len(allErrs) != 0 {