feat: add ReplicaKey support for KMS key replication#112
feat: add ReplicaKey support for KMS key replication#112sandeepbathina wants to merge 13 commits intoaws-controllers-k8s:mainfrom
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: sandeepbathina The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
ack-prow
Bot
added
the
needs-ok-to-test
|
Hi @sandeepbathina. Thanks for your PR. I'm waiting for a aws-controllers-k8s member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/ok-to-test |
ack-prow
Bot
added
ok-to-test
|
/retest |
|
/retest |
4 similar comments
|
/retest |
|
/retest |
|
/retest |
|
/retest |
knottnt
left a comment
knottnt
left a comment
There was a problem hiding this comment.
Thanks for the contribution @sandeepbathina!
| find_operation: | ||
| custom_method_name: customFind | ||
| update_operation: | ||
| custom_method_name: updateNotSupported |
There was a problem hiding this comment.
Q: Do ReplicaKeys support updating tags?
There was a problem hiding this comment.
Similarly, from the ReplicateKey documentation it sounds like the Policy field is not replicated from the primary key. Does the PutKeyPolicy operation apply to replica keys as well?
There was a problem hiding this comment.
Yes, PutKeyPolicy works on replica keys. Added support for policy updates via customUpdate
|
|
||
| Regex Pattern: `^[\u0009\u000A\u000D\u0020-\u00FF]+$` | ||
| type: string | ||
| replicaTags: |
There was a problem hiding this comment.
This seems to be duplicating the spec.tags field. If this is due to a mismatch between the input and output field name we may want to configure a rename of the output field in the generator.yaml.
There was a problem hiding this comment.
Fixed! added output field rename in generator.yaml to avoid duplication.
| format: date-time | ||
| type: string | ||
| type: object | ||
| replicaPolicy: |
There was a problem hiding this comment.
This seems to be duplicating the spec.policy field. May need to rename the output field here as well.
There was a problem hiding this comment.
Fixed by adding output field rename.
| class TestReplicaKey: | ||
| """Test suite for ReplicaKey resource""" | ||
|
|
||
| def test_create_delete_replica_key(self, simple_replica_key): |
There was a problem hiding this comment.
This test should also check the state of the AWS resource out of band from ACK to validate that desired state is being correctly propagated. There should be a kms_client pytest fixture defined in tests/e2e/conftest.py.
There was a problem hiding this comment.
Thanks! added out of band validation using replica_kms_client which validates the AWS resource state directly. Used replica_kms_client instead of the kms_client fixture because the replica key exists in a different region. Let me know if I need to follow any other approach.
|
/hold |
ack-prow
Bot
added
the
do-not-merge/hold
knottnt
left a comment
knottnt
left a comment
There was a problem hiding this comment.
@sandeepbathina Thanks for the contribution. Testing these changes locally I'm seeing some unexpected behavior with the Read, Update, and Delete calls interacting with the primary key instead of the replica.
| build_date: "2025-10-31T03:59:17Z" | ||
| build_hash: eaabefb6bd7b2be8a1baf4478f22b3310e6921c8 | ||
| go_version: go1.25.1 | ||
| version: v0.52.0-6-geaabefb-dirty |
There was a problem hiding this comment.
It looks like there were some changes made to the code generator in the most recent build. If they aren't needed could you rebuild with a clean version of the code-generator?
|
|
||
| var resp *svcsdk.ReplicateKeyOutput | ||
| _ = resp | ||
| resp, err = rm.sdkapi.ReplicateKey(ctx, input) |
There was a problem hiding this comment.
Looking at the documentation for ReplicateKey I think the way that API interacts with AWS regions require some extra work and possibly some runtime/code-generation improvements to properly model the replica key as its own resource. ReplicateKey needs to be called against the same region as the primary key. However, the resulting region is created in another AWS region. This means that the Read, Update, and Delete calls need to performed in the replica region. So, the ACK controller needs configure it's SDK client region specified by Spec.replicaRegion for these operations.
Testing this PR locally I'm seeing the Create operation successfully replicate the specified primary key. However, other operations continue to interact with the primary key. This appears to happen because the replica and primary keys share the same KeyID.
|
@sandeepbathina: The following tests failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
2 participants
Issue #, if available:
aws-controllers-k8s/community#2664
Description of changes:
Add support for ReplicaKey resource to enable multi-region key management
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.