  1. OpenShift Hosted Control Plane
  2. HOSTEDCP-700

AWSKMSAuthSpec API is suboptimal

    • Story
    • Resolution: Done
    • Hypershift Sprint 22, Hypershift Sprint 23

      Context:

      To enable AWS KMS encryption, we request a ref to a secret via the API at the moment. Then we generate the requirements via the CLI. E.g.

      The secret is just a role_arn ref [1] to a role with the ability to assume [2] the policy [3] for the key.

      [1] https://github.com/openshift/hypershift/blob/main/api/fixtures/example.go#L150-L157
      [2] https://github.com/openshift/hypershift/blob/a4fbc63f386561932e07253181d0fce788eb5ba4/cmd/infra/aws/iam.go#L677-L694
      [3] https://github.com/openshift/hypershift/blob/a4fbc63f386561932e07253181d0fce788eb5ba4/cmd/infra/aws/iam.go#L333

      https://coreos.slack.com/archives/C03TU14HLB0/p1672654814187489

       

      DoD:

      This is suboptimal API UX. We should only require the key ARN in the API as input and let the backend controllers generate the above, similar to what we did with AWSRolesRef.

       

       

              agarcial@redhat.com Alberto Garcia Lamela
              Jie Zhao Jie Zhao