  1. OpenShift Hosted Control Plane
  2. HOSTEDCP-700

AWSKMSAuthSpec API is suboptimal


Details

    • Story
    • Resolution: Done
    • Hypershift Sprint 22, Hypershift Sprint 23

    Description

      Context:

      To enable AWS KMS encryption, we request a ref to a secret via the API at the moment. Then we generate the requirements via the CLI. E.g.

      The secret is just a role_arn ref [1] to a role with the ability to assume [2] the policy [3] for the key.

      [1] https://github.com/openshift/hypershift/blob/main/api/fixtures/example.go#L150-L157
      [2] https://github.com/openshift/hypershift/blob/a4fbc63f386561932e07253181d0fce788eb5ba4/cmd/infra/aws/iam.go#L677-L694
      [3] https://github.com/openshift/hypershift/blob/a4fbc63f386561932e07253181d0fce788eb5ba4/cmd/infra/aws/iam.go#L333

      https://coreos.slack.com/archives/C03TU14HLB0/p1672654814187489

       

      DoD:

      This is suboptimal API UX; we should only require the key ARN in the API as input and let the backend controllers generate the above, similar to what we did with AWSRolesRef.
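
A sketch of what "only the key ARN as input" could look like on the controller side, added here as an example and not taken from the HyperShift code base: the ARN is validated as a single concrete KMS key and a policy scoped to that one key is derived from it. The function names, the action list and the sample ARN are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Statement and PolicyDocument model the subset of an IAM policy document used here.
type Statement struct {
	Effect   string   `json:"Effect"`
	Action   []string `json:"Action"`
	Resource string   `json:"Resource"`
}
type PolicyDocument struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// kmsActions is an assumed action set for envelope encryption, not copied from HyperShift.
var kmsActions = []string{"kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"}

// ParseKMSKeyARN accepts only arn:<partition>:kms:<region>:<account>:key/<id> and returns
// the region. Aliases and wildcards are rejected so the derived policy names exactly one key.
func ParseKMSKeyARN(arn string) (region string, err error) {
	parts := strings.SplitN(arn, ":", 6)
	if len(parts) != 6 || parts[0] != "arn" || parts[2] != "kms" || parts[3] == "" || len(parts[4]) != 12 {
		return "", fmt.Errorf("not a regional KMS ARN: %q", arn)
	}
	id := strings.TrimPrefix(parts[5], "key/")
	if id == parts[5] || id == "" || strings.ContainsAny(arn, "*?") || strings.Contains(id, "/") {
		return "", fmt.Errorf("resource must be a single key/<id>: %q", arn)
	}
	return parts[3], nil
}

// KeyPolicy returns the JSON policy document whose only resource is the given key.
func KeyPolicy(keyARN string) (string, error) {
	if _, err := ParseKMSKeyARN(keyARN); err != nil {
		return "", err
	}
	doc := PolicyDocument{Version: "2012-10-17", Statement: []Statement{{Effect: "Allow", Action: kmsActions, Resource: keyARN}}}
	out, err := json.MarshalIndent(doc, "", "  ")
	return string(out), err
}

func main() {
	// Constructed sample key ARN, not taken from the issue.
	policy, err := KeyPolicy("arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab")
	fmt.Println(policy, err)
}
```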

       

       


          People

            agarcial@redhat.com Alberto Garcia Lamela
            Jie Zhao