Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

✨ SSM (AWS Systems Manager Parameter Store) as a Secret Backend #1924

Merged
merged 1 commit into from
Oct 14, 2020
Merged

✨ SSM (AWS Systems Manager Parameter Store) as a Secret Backend #1924

merged 1 commit into from
Oct 14, 2020

Conversation

Promaethius
Copy link
Contributor

@Promaethius Promaethius commented Sep 4, 2020
edited
Loading

What this PR does / why we need it:
Adds an additional secret backend for environments which do not have access to AWS Secrets Manager. SSM is available as an EC2 feature in all possible scopes: https://aws.amazon.com/compliance/services-in-scope/

Additionally, the format of SSM API and CLI calls are similar to SecretsManager so this should be a relatively painless addition.

Which issue(s) this PR fixes:
Fixes #1900

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Sep 4, 2020
@k8s-ci-robot
Copy link
Contributor

Hi @Promaethius. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. label Sep 4, 2020
richardcase
richardcase reviewed Sep 7, 2020
View reviewed changes
api/v1alpha3/awscluster_types.go Outdated Show resolved Hide resolved
api/v1alpha3/awscluster_types.go Outdated Show resolved Hide resolved
controllers/awsmachine_controller.go Outdated Show resolved Hide resolved
randomvariable
randomvariable suggested changes Sep 8, 2020
View reviewed changes
pkg/cloud/scope/managedcontrolplane.go Outdated Show resolved Hide resolved
controllers/awsmachine_controller.go Outdated Show resolved Hide resolved
api/v1alpha3/awscluster_types.go Outdated Show resolved Hide resolved
pkg/cloud/services/ssm/helpers.go Outdated Show resolved Hide resolved
api/v1alpha3/awscluster_types.go Outdated Show resolved Hide resolved
@Promaethius
Copy link
Contributor Author

Promaethius commented Sep 8, 2020
edited
Loading

@randomvariable struggling with the GenerateCloudInitMIMEDocument functionality since I moved it from being a generic function to a service specific function. Not enough experience with go/mock:

Unexpected call to *mock_services.MockSecretInterface.GenerateCloudInitMIMEDocument([test 1 ]) at /root/go/src/sigs.k8s.io/cluster-api-provider-aws/pkg/cloud/services/mock_services/secretsmanager_machine_interface_mock.go:85 because: there are no expected calls of the method "GenerateCloudInitMIMEDocument" for that receiver

Had to generalize the SecretsManagerInterface and the SSMInterface into SecretInterface to allow either backend in function arguments or return values. With the possibility of S3 for Ignition in the back of my skull, I'm trying to make it easier for the next secret backend integrator.

@randomvariable
Copy link
Member

@randomvariable struggling with the GenerateCloudInitMIMEDocument functionality since I moved it from being a generic function to a service specific function. Not enough experience with go/mock:

I'll take a look as to how best to unblock you after doing the v0.6.0 release. Also, apologies if I don't recognise you in Slack, but worth joining the channel in https://kubernetes.slack.com/archives/CD6U2V71N and we can pair, zoom etc...

@randomvariable
Copy link
Member

/milestone v0.6.1

@k8s-ci-robot k8s-ci-robot added this to the v0.6.1 milestone Sep 9, 2020
@Promaethius Promaethius force-pushed the ssm branch 2 times, most recently from e1458e0 to 94189f8 Compare September 10, 2020 23:11
@Promaethius
Copy link
Contributor Author

@randomvariable took some of your advice in half and broke the MIME generation out into an external package and unit test while leaving UserData generation Service specific.

@randomvariable
Copy link
Member

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Sep 11, 2020
randomvariable
randomvariable suggested changes Sep 11, 2020
View reviewed changes
Copy link
Member

@randomvariable randomvariable left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

some changes, but otherwise looking good I think

api/v1alpha3/awsmachine_types.go Outdated Show resolved Hide resolved
api/v1alpha2/awsmachine_types.go Outdated Show resolved Hide resolved
api/v1alpha2/awsmachine_types.go Outdated Show resolved Hide resolved
api/v1alpha3/awsmachine_types.go Outdated Show resolved Hide resolved
api/v1alpha3/awsmachine_types.go Outdated Show resolved Hide resolved
@Promaethius
Copy link
Contributor Author

with #1858 in the same release, it's important to note that this PR would require it

@Promaethius
Copy link
Contributor Author

/hold

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Sep 22, 2020
@Promaethius Promaethius force-pushed the ssm branch 2 times, most recently from 206e747 to e346938 Compare September 24, 2020 03:48
@k8s-ci-robot k8s-ci-robot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Oct 3, 2020
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 3, 2020
@Promaethius
Copy link
Contributor Author

/test pull-cluster-api-provider-aws-e2e

@Promaethius
Copy link
Contributor Author

/test pull-cluster-api-provider-aws-e2e

@Promaethius
Copy link
Contributor Author

@randomvariable changes made, tests passing. Am I missing anything?

richardcase
richardcase reviewed Oct 13, 2020
View reviewed changes
cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_node.go
"secretsmanager:GetSecretValue",
},
func (t Template) secretPolicy(secureSecretsBackend infrav1.SecretBackend) iamv1.StatementEntry {
switch secureSecretsBackend {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is very similar to cluster_api_controller.go above. Do you think it would be possible to consolidate into 1 place and add the additional actions for the controller policy?

Not essential though.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This kinda thing pops up a lot in the clusterctl code, I think it can be handled in a separate PR as a mini refactor?

@richardcase
Copy link
Member

This seems ok to me, small comment about the policies but generally

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 13, 2020
@randomvariable
Copy link
Member

One last git pull upstream --rebase to account for the addition of the machinepool webhook

This should do it.

---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  creationTimestamp: null
  name: mutating-webhook-configuration
webhooks:
- clientConfig:
    caBundle: Cg==
    service:
      name: webhook-service
      namespace: system
      path: /mutate-infrastructure-cluster-x-k8s-io-v1alpha3-awscluster
  failurePolicy: Fail
  matchPolicy: Equivalent
  name: default.awscluster.infrastructure.cluster.x-k8s.io
  rules:
  - apiGroups:
    - infrastructure.cluster.x-k8s.io
    apiVersions:
    - v1alpha3
    operations:
    - CREATE
    - UPDATE
    resources:
    - awsclusters
  sideEffects: None
- clientConfig:
    caBundle: Cg==
    service:
      name: webhook-service
      namespace: system
      path: /mutate-infrastructure-cluster-x-k8s-io-v1alpha3-awsmachine
  failurePolicy: Fail
  name: mutation.awsmachine.infrastructure.cluster.x-k8s.io
  rules:
  - apiGroups:
    - infrastructure.cluster.x-k8s.io
    apiVersions:
    - v1alpha3
    operations:
    - CREATE
    - UPDATE
    resources:
    - awsmachines
  sideEffects: None
- clientConfig:
    caBundle: Cg==
    service:
      name: webhook-service
      namespace: system
      path: /mutate-infrastructure-cluster-x-k8s-io-v1alpha3-awsmachinepool
  failurePolicy: Fail
  matchPolicy: Equivalent
  name: default.awsmachinepool.infrastructure.cluster.x-k8s.io
  rules:
  - apiGroups:
    - infrastructure.cluster.x-k8s.io
    apiVersions:
    - v1alpha3
    operations:
    - CREATE
    - UPDATE
    resources:
    - awsmachinepools
  sideEffects: None
- clientConfig:
    caBundle: Cg==
    service:
      name: webhook-service
      namespace: system
      path: /mutate-infrastructure-cluster-x-k8s-io-v1alpha3-awsmanagedmachinepool
  failurePolicy: Fail
  matchPolicy: Equivalent
  name: default.awsmanagedmachinepool.infrastructure.cluster.x-k8s.io
  rules:
  - apiGroups:
    - infrastructure.cluster.x-k8s.io
    apiVersions:
    - v1alpha3
    operations:
    - CREATE
    - UPDATE
    resources:
    - awsmanagedmachinepools
  sideEffects: None

---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  creationTimestamp: null
  name: validating-webhook-configuration
webhooks:
- clientConfig:
    caBundle: Cg==
    service:
      name: webhook-service
      namespace: system
      path: /validate-infrastructure-cluster-x-k8s-io-v1alpha3-awscluster
  failurePolicy: Fail
  matchPolicy: Equivalent
  name: validation.awscluster.infrastructure.cluster.x-k8s.io
  rules:
  - apiGroups:
    - infrastructure.cluster.x-k8s.io
    apiVersions:
    - v1alpha3
    operations:
    - CREATE
    - UPDATE
    resources:
    - awsclusters
  sideEffects: None
- clientConfig:
    caBundle: Cg==
    service:
      name: webhook-service
      namespace: system
      path: /validate-infrastructure-cluster-x-k8s-io-v1alpha3-awsmachine
  failurePolicy: Fail
  matchPolicy: Equivalent
  name: validation.awsmachine.infrastructure.cluster.x-k8s.io
  rules:
  - apiGroups:
    - infrastructure.cluster.x-k8s.io
    apiVersions:
    - v1alpha3
    operations:
    - CREATE
    - UPDATE
    resources:
    - awsmachines
  sideEffects: None
- clientConfig:
    caBundle: Cg==
    service:
      name: webhook-service
      namespace: system
      path: /validate-infrastructure-cluster-x-k8s-io-v1alpha3-awsmachinetemplate
  failurePolicy: Fail
  matchPolicy: Equivalent
  name: validation.awsmachinetemplate.infrastructure.x-k8s.io
  rules:
  - apiGroups:
    - infrastructure.cluster.x-k8s.io
    apiVersions:
    - v1alpha3
    operations:
    - CREATE
    - UPDATE
    resources:
    - awsmachinetemplates
  sideEffects: None
- clientConfig:
    caBundle: Cg==
    service:
      name: webhook-service
      namespace: system
      path: /validate-infrastructure-cluster-x-k8s-io-v1alpha3-awsmachinepool
  failurePolicy: Fail
  matchPolicy: Equivalent
  name: validation.awsmachinepool.infrastructure.cluster.x-k8s.io
  rules:
  - apiGroups:
    - infrastructure.cluster.x-k8s.io
    apiVersions:
    - v1alpha3
    operations:
    - CREATE
    - UPDATE
    resources:
    - awsmachinepools
  sideEffects: None
- clientConfig:
    caBundle: Cg==
    service:
      name: webhook-service
      namespace: system
      path: /validate-infrastructure-cluster-x-k8s-io-v1alpha3-awsmanagedmachinepool
  failurePolicy: Fail
  matchPolicy: Equivalent
  name: validation.awsmanagedmachinepool.infrastructure.cluster.x-k8s.io
  rules:
  - apiGroups:
    - infrastructure.cluster.x-k8s.io
    apiVersions:
    - v1alpha3
    operations:
    - CREATE
    - UPDATE
    resources:
    - awsmanagedmachinepools
  sideEffects: None

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 14, 2020
@randomvariable randomvariable mentioned this pull request Oct 14, 2020
Closed
@k8s-ci-robot k8s-ci-robot removed lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Oct 14, 2020
@randomvariable
Copy link
Member

@detiber asks:

Not sure if this was discussed previously, but is there a specific use case in mind for having this as an API field rather than a configuration option on the controller manager?
Is there a specific use case in mind where one would want to choose different backends for individual Clusters/Machines vs having it a global configuration for an instance of the infrastructure provider?

In retrospect, yes, maybe we could have done at the controller flag level. I think we should be working towards finding a better solution overall for v1alpha4, given the issues we've run into with cloud-init.

The one use case I did however have in mind for having it on the AWSMachineTemplate is for FlatCar Linux which doesn't support multi-part MIME docs, but where Ignition does natively support S3.

@randomvariable
Copy link
Member

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 14, 2020
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: randomvariable

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 14, 2020
@k8s-ci-robot k8s-ci-robot merged commit a229052 into kubernetes-sigs:master Oct 14, 2020
@Promaethius Promaethius mentioned this pull request Oct 16, 2020
Closed
6 tasks
This was referenced Jan 18, 2024
Closed
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@richardcase richardcase richardcase left review comments

@randomvariable randomvariable randomvariable approved these changes

@chuckha chuckha Awaiting requested review from chuckha

@rudoi rudoi Awaiting requested review from rudoi

Assignees

@richardcase richardcase

@randomvariable randomvariable

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
Projects
None yet
Milestone
v0.6.1
Development

Successfully merging this pull request may close these issues.

Secret Backend Support
4 participants
@Promaethius @k8s-ci-robot @randomvariable @richardcase