Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature/s3 bucket encryption - Implements PR #4235 #5194

Merged
merged 2 commits into from
Jun 10, 2018
Merged

Feature/s3 bucket encryption - Implements PR #4235 #5194

merged 2 commits into from
Jun 10, 2018

Conversation

chrisz100
Copy link
Contributor

As @gekart postponed working on the bucket encryption I took this forward and made his implementaion mergable again.

Original PR #4235

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels May 23, 2018
@chrisz100
Copy link
Contributor Author

/assign @justinsb

@mikesplain
Copy link
Contributor

I was actually thinking about this the other day, great job @chrisz100! This looks good to me!

/ok-to-test
/lgtm

@k8s-ci-robot k8s-ci-robot added lgtm "Looks good to me", indicates that a PR is ready to be merged. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels May 24, 2018
@chrisz100
Copy link
Contributor Author

@justinsb any idea when this is likely to get integrated or if at all? Our client is having this on the timeline and just moving the issue without a real idea when and if at all doesn't satisfy stakeholders I'm afraid.

@justinsb justinsb added this to the 1.10 milestone Jun 2, 2018
@mikesplain
Copy link
Contributor

@chrisz100 Looks like @justinsb has slatted this for the 1.10 milestone so we can hopefully get this in for you soon.

justinsb
justinsb reviewed Jun 10, 2018
View reviewed changes
util/pkg/vfs/s3context.go
@@ -134,7 +142,7 @@ func (s *S3Context) getRegionForBucket(bucket string) (string, error) {
}

if err := validateRegion(awsRegion); err != nil {
return "", err
return bucketDetails, err
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Usually better to return nil, err here

util/pkg/vfs/s3context.go
}
return region, nil
return bucketDetails, nil
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we set defaultEncryption if S3_REGION is set? Also we aren't caching it here...

util/pkg/vfs/s3context.go
// the following cases might lead to the operation failing:
// 1. A deny policy on s3:GetEncryptionConfiguration
// 2. No default encryption policy set
glog.Warningf("Unable to read bucket encryption policy: will encrypt using AES256")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As a style thing, IMO it's often clearer to have the function return the value & error, and then have the caller decide whether to ignore the error.

util/pkg/vfs/s3fs.go
if p.bucketDetails == nil || p.bucketDetails.region == "" {
bucketDetails, err := p.s3Context.getDetailsForBucket(p.bucket)

p.bucketDetails = bucketDetails
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah I see what you're doing now returning the bucketDetails always. It's a slightly hard pattern to reason about though - because a retry will succeed I think.

@justinsb
Copy link
Member

Some nits / style ideas for the next PR :-)

Thanks @gekart and @chrisz100

/approve
/lgtm

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: chrisz100, justinsb, mikesplain

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 10, 2018
@justinsb justinsb mentioned this pull request Jun 10, 2018
Closed
@k8s-ci-robot k8s-ci-robot merged commit dd3381d into kubernetes:master Jun 10, 2018
@chrisz100 chrisz100 deleted the feature/s3_bucket_encryption branch June 11, 2018 08:28
@xanonid xanonid mentioned this pull request Oct 29, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@justinsb justinsb justinsb left review comments

Assignees

@justinsb justinsb

@mikesplain mikesplain

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
1.10
Development

Successfully merging this pull request may close these issues.
5 participants
@chrisz100 @mikesplain @justinsb @k8s-ci-robot @gekart