Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: implements kms v2beta1 APIs #210

Merged
merged 1 commit into from
May 17, 2023
Merged

feat: implements kms v2beta1 APIs #210

merged 1 commit into from
May 17, 2023

Conversation

nilekhc
Copy link
Contributor

@nilekhc nilekhc commented Apr 11, 2023
edited by aramase
Loading

Reason for Change:

This PR adds KMS V2 Beta1 APIs to the plugin

Issue Fixed:

fixes #167

Notes for Reviewers:

nilekhc
nilekhc commented Apr 11, 2023
View reviewed changes
pkg/plugin/v2_server.go Outdated Show resolved Hide resolved
@nilekhc
Copy link
Contributor Author

nilekhc commented Apr 11, 2023

cc @enj

enj
enj requested changes Apr 11, 2023
View reviewed changes
cmd/server/main.go Outdated Show resolved Hide resolved
go.mod Outdated Show resolved Hide resolved
pkg/plugin/v2_server.go Outdated Show resolved Hide resolved
cmd/server/main.go Outdated Show resolved Hide resolved
pkg/plugin/v2_server.go Outdated Show resolved Hide resolved
pkg/plugin/v2_server.go Outdated Show resolved Hide resolved
pkg/plugin/v2_server.go Outdated Show resolved Hide resolved
pkg/plugin/v2_server.go Outdated Show resolved Hide resolved
@nilekhc nilekhc mentioned this pull request Apr 11, 2023
Merged
aramase
aramase requested changes Apr 11, 2023
View reviewed changes
cmd/server/main.go Outdated Show resolved Hide resolved
pkg/plugin/v2_server.go Outdated Show resolved Hide resolved
@enj
Copy link
Member

enj commented Apr 12, 2023

Thinking out loud: should we, at least for the time being, append the current UTC date to the KMS key ID? This would cause a daily DEK rotation on the API server (and thus limit how long a DEK is used for, which is one of the open concerns we have around this API).

enj
enj reviewed Apr 14, 2023
View reviewed changes
cmd/server/main.go Outdated Show resolved Hide resolved
@nilekhc nilekhc force-pushed the kms-v2beta1 branch 8 times, most recently from 590d38a to 733647c Compare April 18, 2023 00:32
@nilekhc nilekhc marked this pull request as ready for review April 18, 2023 00:38
@nilekhc
Copy link
Contributor Author

nilekhc commented Apr 18, 2023

@aramase @enj @ritazh This is ready for review. PTAL when you get a chance.

sozercan
sozercan reviewed Apr 18, 2023
View reviewed changes
Makefile Outdated Show resolved Hide resolved
sozercan
sozercan reviewed Apr 18, 2023
View reviewed changes
Makefile
e2e-kmsv2-setup-kind: setup-local-registry
./scripts/setup-kmsv2-kind-cluster.sh &
./scripts/connect-registry.sh &
sleep 90s
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is it possible to watch/poll something instead of hardcoded sleep?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tried with the wait but it didn't work. Though we do have a check in the CI for cluster health: https://github.com/Azure/kubernetes-kms/blob/master/.pipelines/templates/cluster-health-template.yml

Copy link
Member

@sozercan sozercan Apr 25, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we run both async and wait for pids to finish? similar to https://github.com/open-policy-agent/gatekeeper/blob/master/.github/workflows/release.yaml#L110-L120

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When we run the process in the background ADO marks the task as completed

The error is:

The STDIO streams did not close within 10 seconds of the exit event from process '/bin/bash'. This may indicate a child process inherited the STDIO streams and has not yet exited.

 
I think this is the reason we have sleep, to hold on to the task for enough time so that the registry can be connected to the Kind cluster and created successfully. 

@aramase to add any additional context.

@nilekhc nilekhc force-pushed the kms-v2beta1 branch 2 times, most recently from b319d0d to 42019af Compare April 18, 2023 20:51
@nilekhc
Copy link
Contributor Author

nilekhc commented Apr 18, 2023

Thanks for the review @sozercan. I have addressed your comments. PTAL when you get a chance.

aramase
aramase requested changes Apr 18, 2023
View reviewed changes
.pipelines/templates/e2e-kind-template.yml Outdated Show resolved Hide resolved
.pipelines/templates/e2e-kind-template.yml Outdated Show resolved Hide resolved
.pipelines/templates/e2e-kind-template.yml Outdated Show resolved Hide resolved
.pipelines/templates/e2e-kind-template.yml Outdated Show resolved Hide resolved
.pipelines/templates/e2e-kind-template.yml Outdated Show resolved Hide resolved
pkg/version/version.go Outdated Show resolved Hide resolved
pkg/version/version.go Outdated Show resolved Hide resolved
scripts/setup-kmsv2-kind-cluster.sh Show resolved Hide resolved
tests/e2e/kmsv2-encryption-config.yaml Outdated Show resolved Hide resolved
tests/e2e/testkmsv2.bats Outdated Show resolved Hide resolved
@nilekhc nilekhc force-pushed the kms-v2beta1 branch 3 times, most recently from 18453b6 to 52090e3 Compare April 20, 2023 00:12
@nilekhc nilekhc force-pushed the kms-v2beta1 branch 3 times, most recently from bdc25f7 to a209f44 Compare May 8, 2023 22:14
@nilekhc nilekhc requested review from enj and aramase May 8, 2023 22:19
enj
enj reviewed May 9, 2023
View reviewed changes
go.mod Outdated Show resolved Hide resolved
pkg/plugin/keyvault.go Outdated Show resolved Hide resolved
pkg/plugin/keyvault.go Outdated Show resolved Hide resolved
pkg/plugin/keyvault.go Outdated Show resolved Hide resolved
tests/e2e/testkmsv2.bats Outdated Show resolved Hide resolved
pkg/plugin/keyvault.go Outdated Show resolved Hide resolved
@nilekhc nilekhc mentioned this pull request May 11, 2023
Open
@nilekhc nilekhc requested a review from enj May 12, 2023 00:18
enj
enj previously approved these changes May 12, 2023
View reviewed changes
Copy link
Member

@enj enj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor stuff, this LGTM. @aramase PTAL at the metrics stuff.

docs/metrics.md Outdated Show resolved Hide resolved
cmd/server/main.go Show resolved Hide resolved
pkg/plugin/kms_v2_server_test.go Outdated Show resolved Hide resolved
pkg/plugin/kms_v2_server_test.go Outdated Show resolved Hide resolved
aramase
aramase requested changes May 12, 2023
View reviewed changes
docs/metrics.md Outdated Show resolved Hide resolved
pkg/metrics/stats_reporter.go Outdated Show resolved Hide resolved
pkg/plugin/healthz.go Outdated Show resolved Hide resolved
pkg/plugin/healthz_test.go Outdated Show resolved Hide resolved
pkg/plugin/keyvault.go Outdated Show resolved Hide resolved
pkg/plugin/keyvault.go Outdated Show resolved Hide resolved
pkg/plugin/keyvault.go Outdated Show resolved Hide resolved
pkg/plugin/kms_v2_server.go Outdated Show resolved Hide resolved
tests/client/client_test.go Show resolved Hide resolved
@enj
Copy link
Member

enj commented May 15, 2023

btw this line in the README will not be correct once this PR merges:

Check that the stored secret is prefixed with k8s:enc:kms:v1:azurekmsprovider. This indicates the Azure KMS provider has encrypted the data.

@nilekhc nilekhc mentioned this pull request May 15, 2023
Closed
@nilekhc nilekhc force-pushed the kms-v2beta1 branch 2 times, most recently from 64dc67b to 247278e Compare May 15, 2023 21:22
@nilekhc
Copy link
Contributor Author

nilekhc commented May 15, 2023

btw this line in the README will not be correct once this PR merges:

Check that the stored secret is prefixed with k8s:enc:kms:v1:azurekmsprovider. This indicates the Azure KMS provider has encrypted the data.

@enj, I have made an update to this.

@nilekhc nilekhc requested review from aramase and enj May 15, 2023 21:24
@nilekhc nilekhc force-pushed the kms-v2beta1 branch 2 times, most recently from 8ed0346 to f6a087f Compare May 15, 2023 21:38
@nilekhc nilekhc mentioned this pull request May 15, 2023
Merged
aramase
aramase reviewed May 17, 2023
View reviewed changes
Copy link
Member

@aramase aramase left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just few small nits, but overall lgtm!

README.md Outdated Show resolved Hide resolved
pkg/metrics/stats_reporter.go Outdated Show resolved Hide resolved
pkg/plugin/keyvault.go Outdated Show resolved Hide resolved
pkg/plugin/keyvault.go Outdated Show resolved Hide resolved
pkg/plugin/keyvault.go Outdated Show resolved Hide resolved
@nilekhc
feat: implements kms v2beta1 APIs
955274e 
Signed-off-by: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com>
aramase
aramase approved these changes May 17, 2023
View reviewed changes
Copy link
Member

@aramase aramase left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@nilekhc nilekhc merged commit 71ea631 into Azure:master May 17, 2023
@nilekhc nilekhc deleted the kms-v2beta1 branch May 17, 2023 18:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sozercan sozercan sozercan left review comments

@enj enj enj approved these changes

@aramase aramase aramase approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add support for KMS v2
4 participants
@nilekhc @enj @sozercan @aramase