Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

🌱 Add encrypted AMI copy #2203

Merged
merged 3 commits into from
Jan 14, 2021

Conversation

sedefsavas
Copy link
Contributor

What this PR does / why we need it:
This PR is a follow up to clusterawsadm ami copy PR: #2112

clusterawsadm ami encrypted-copy, by taking K8s version, OS, region as parameters:
1- Copy and encrypt the requested AMIs snapshot to the user AWS account
2- Create and encrypt AMI using the copied snapshot

Encrypt using a non-default KmsKeyId specified using Key alias:
clusterawsadm ami encrypted-copy --os centos-7 --kubernetes-version=v1.19.4 --kms-key-id=alias/ExampleAlias

Fixes ##2041

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jan 14, 2021
@sedefsavas
Copy link
Contributor Author

There is an issue with using the provided kms key. Even Though passing the key id it still defaults to another KMS key.
Might be an SDK issue.

Comment on lines +98 to +100
if kmsKeyID == "" {
kmsKeyIDPtr = nil
}
kmsKeyIDPtr = &kmsKeyID
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
if kmsKeyID == "" {
kmsKeyIDPtr = nil
}
kmsKeyIDPtr = &kmsKeyID

@sedefsavas
Copy link
Contributor Author

sedefsavas commented Jan 14, 2021

Passing KMS key id via aws cli works, I am fairly sure there is an SDK issue. Tried updating SDK, did not help.

@sedefsavas
Copy link
Contributor Author

After adding a pre-signed url to the copy snapshot request, it started using the provided kms key id correctly.
This PR is ready.

@randomvariable
Copy link
Member

/lgtm
/approve

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: randomvariable

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added lgtm "Looks good to me", indicates that a PR is ready to be merged. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Jan 14, 2021
@k8s-ci-robot k8s-ci-robot merged commit 91a7dcb into kubernetes-sigs:master Jan 14, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants