Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Implement support for KMS arguments #288

Merged
merged 10 commits into from
Jan 29, 2023
Merged

feat: Implement support for KMS arguments #288

merged 10 commits into from
Jan 29, 2023

Conversation

mkilchhofer
Copy link
Contributor

@mkilchhofer mkilchhofer commented Jan 6, 2023
edited
Loading

Describe your changes

This implements Add Key Management Service (KMS) etcd encryption to an Azure Kubernetes Service (AKS) cluster.

Feature is not yet available in azurerm provider, but also opened a PR over there:

Issue number

-

Checklist before requesting a review

  • The pr title can be used to describe what this pr did in CHANGELOG.md file
  • I have executed pre-commit on my machine
  • I have passed pr-check on my machine

Thanks for your cooperation!

@mkilchhofer mkilchhofer force-pushed the feature/secrets_kms_encryption branch 2 times, most recently from 06b70fa to fc2b23f Compare January 8, 2023 12:10
lonegunmanb
lonegunmanb requested changes Jan 8, 2023
View reviewed changes
Copy link
Member

@lonegunmanb lonegunmanb left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @mkilchhofer for opening this pr and submitting a new resource pr to terraform-azurerm-provider's repo, I've left some comments on provider's pr, once the pr has been merged into the provider, we can continue the code review for this pr.

Btw the review comments for your provider's pr are my personal suggestions, there's no guarantee that your pr would be accepted by HashiCorp if you accepted my suggestion.

main.tf Outdated
@@ -136,6 +136,16 @@ resource "azurerm_kubernetes_cluster" "main" {
subnet_id = var.ingress_application_gateway_subnet_id
}
}
dynamic "key_vault_kms" {
for_each = var.key_vault_kms_enabled ? ["key_vault_kms"] : []
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since we could turn enabled to false meanwhile keeping this key_vault_kms, I would recommend the following toggle expression:

for_each = var.key_vault_kms_enabled != null ? ["key_vault_kms"] : []

Copy link
Contributor Author

@mkilchhofer mkilchhofer Jan 20, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

refactored this anyways (source was the upstream implementation)

@mkilchhofer mkilchhofer force-pushed the feature/secrets_kms_encryption branch 2 times, most recently from a8c2e97 to 1eef1ef Compare January 20, 2023 09:52
@mkilchhofer mkilchhofer marked this pull request as ready for review January 20, 2023 09:53
@mkilchhofer
Copy link
Contributor Author

PR is now updated after the upstream provider PR got merged AND released ;-)

@lonegunmanb can you please review again?

@mkilchhofer mkilchhofer force-pushed the feature/secrets_kms_encryption branch from 1eef1ef to 25c45a7 Compare January 20, 2023 09:59
lonegunmanb
lonegunmanb requested changes Jan 21, 2023
View reviewed changes
Copy link
Member

@lonegunmanb lonegunmanb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @mkilchhofer for updating this pr, some issues need to be solved.

It would be nice if we could have an new example to demonstrate this new feature. We have already created a KeyValut in startup example, but for disk encryption key management for now, would you please estimate whether if we can make that KeyVault work for this new feature? We might need to update azurerm provider's restriction in providers.tf file in startup folder. Or we can just crate a new example folder to do so, your call.

Again, thanks for your contribution!

variables.tf Show resolved Hide resolved
variables.tf Outdated Show resolved Hide resolved
zioproto
zioproto requested changes Jan 23, 2023
View reviewed changes
main.tf Show resolved Hide resolved
@mkilchhofer mkilchhofer force-pushed the feature/secrets_kms_encryption branch from 56eb644 to 2058adc Compare January 23, 2023 12:50
@mkilchhofer
Copy link
Contributor Author

I cannot test the examples as we @swisspost have no subscriptions which allows usage of public IPs.
Can someone test that for us?

@zioproto
Copy link
Collaborator

@mkilchhofer I can do that ! thanks

@zioproto
Copy link
Collaborator

@mkilchhofer could you please run the pre-commit step on your local machine ?:

docker run --rm -v $(pwd):/src -w /src mcr.microsoft.com/azterraform:latest make pre-commit

You patched the example and you have duplicated definitions for identity_type and identity_ids. See the error:

Error: Attribute redefined
│
│   on examples/named_cluster/main.tf line 88, in module "aks_cluster_name":
│   88:   identity_type         = "UserAssigned"
│
│ The argument "identity_type" was already set at
│ examples/named_cluster/main.tf:66,3-16. Each argument may be set only once.
╵

╷
│ Error: Attribute redefined
│
│   on examples/named_cluster/main.tf line 89, in module "aks_cluster_name":
│   89:   identity_ids          = [azurerm_user_assigned_identity.test.id]
│
│ The argument "identity_ids" was already set at
│ examples/named_cluster/main.tf:65,3-15. Each argument may be set only once.

@mkilchhofer
chore: Apply changes from code review
0d2123c 
- nullable=false on `kms_enabled`
- Validate kms_enabled and UserAssigned identity
@mkilchhofer mkilchhofer force-pushed the feature/secrets_kms_encryption branch from 54029b0 to c0cde66 Compare January 23, 2023 14:56
zioproto
zioproto requested changes Jan 23, 2023
View reviewed changes
Copy link
Collaborator

@zioproto zioproto left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you patch only the named_cluster example ?

We dont need to the KMS in the others, it would also require more work because the needed UserAssigned identity_type is not set in the others. Thanks

examples/named_cluster/main.tf Outdated Show resolved Hide resolved
examples/named_cluster/main.tf Outdated Show resolved Hide resolved
@mkilchhofer mkilchhofer force-pushed the feature/secrets_kms_encryption branch from c0cde66 to eda1086 Compare January 23, 2023 19:02
@mkilchhofer mkilchhofer requested review from zioproto and lonegunmanb and removed request for zioproto January 24, 2023 08:08
@mkilchhofer mkilchhofer force-pushed the feature/secrets_kms_encryption branch from 56d79c3 to f61f35c Compare January 24, 2023 09:13
@zioproto
Copy link
Collaborator

commit 7012178 is now passing both pre-commit and pr-check steps.

@lonegunmanb could you please review and run the e2e tests ? thanks

lonegunmanb
lonegunmanb requested changes Jan 27, 2023
View reviewed changes
variables.tf Outdated Show resolved Hide resolved
examples/named_cluster/kms.tf Outdated Show resolved Hide resolved
@mkilchhofer
Copy link
Contributor Author

@lonegunmanb can you trigger E2E again? 😇

lonegunmanb
lonegunmanb requested changes Jan 28, 2023
View reviewed changes
Copy link
Member

@lonegunmanb lonegunmanb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @mkilchhofer for this update, we've met some issues when we ran the test.

We've added network_acl on the KeyVault to restrict the source IP which can access this Key Vault, but the Aks's public IP is unpredictable so the original code would meet a 403 error.

We need config the aks to access the KeyVault via private network as this document described.

examples/named_cluster/kms.tf Show resolved Hide resolved
examples/named_cluster/main.tf
@@ -77,4 +77,12 @@ module "aks_cluster_name" {
rbac_aad = true
rbac_aad_managed = true
role_based_access_control_enabled = true

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need the following line below line 31:

service_endpoints                              = ["Microsoft.KeyVault"]

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Service endpoint is not needed (at least in our scenario). I think its only needed if some part inside the VNET wants to access the keyvault.

examples/named_cluster/main.tf Show resolved Hide resolved
examples/named_cluster/main.tf Outdated Show resolved Hide resolved
examples/named_cluster/kms.tf Show resolved Hide resolved
@mkilchhofer mkilchhofer temporarily deployed to acctests January 28, 2023 14:36 — with GitHub Actions Inactive
lonegunmanb
lonegunmanb approved these changes Jan 29, 2023
View reviewed changes
Copy link
Member

@lonegunmanb lonegunmanb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @mkilchhofer, LGTM! 🚀

@lonegunmanb lonegunmanb merged commit 5443398 into Azure:master Jan 29, 2023
@mkilchhofer
Copy link
Contributor Author

Thanks alot for your patience with me 👍

@mkilchhofer mkilchhofer deleted the feature/secrets_kms_encryption branch January 30, 2023 10:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zioproto zioproto zioproto requested changes

@lonegunmanb lonegunmanb lonegunmanb approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@mkilchhofer @zioproto @lonegunmanb