
KMSKey doesn't validate the configuration on creating which leads to errors when trying to delete it #8

Open
danmx opened this issue Aug 7, 2020 · 2 comments
Labels
bug Something isn't working

Comments

@danmx (Contributor) commented Aug 7, 2020

AWS only supports deletionPendingWindowInDays from 7 to 30 days. When creating a resource there is no problem. It only raises the issue when you want to delete the key.

Creation:

cat << EOF | kubectl apply -f -
---
apiVersion: cert-manager.skyscanner.net/v1alpha1
kind: KMSKey
metadata:
  name: kmskey-example1
spec:
  aliasName: alias/k8s-certs-kmskey-example1
  description: a kms-issuer example kms key
  customerMasterKeySpec: RSA_2048
  tags:
    Project: k8s
  deletionPolicy: Delete
  deletionPendingWindowInDays: 1
EOF
kmskey.cert-manager.skyscanner.net/kmskey-example1 created

Logs:

 2020-08-07T08:44:29.300Z    ERROR    controllers.kmskey_controller    Failed to delete the KMS key    {"kmskey": "/kmskey-example1", "error": "ValidationException: PendingWindowInDays must be between 7 and 30\n\tstatus code: 400, request id: 16f988b6-51eb-46e7-8d7a-6dc92df5309f"}
 github.com/go-logr/zapr.(*zapLogger).Error
     /go/pkg/mod/github.com/go-logr/[email protected]/zapr.go:128
 github.com/Skyscanner/kms-issuer/controllers.(*KMSKeyReconciler).manageFailure
     /workspace/controllers/kmskey_controller.go:138
 github.com/Skyscanner/kms-issuer/controllers.(*KMSKeyReconciler).Reconcile
     /workspace/controllers/kmskey_controller.go:88
 sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler
     /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:256
 sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
     /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:232
 sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).worker
     /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:211
 k8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1
     /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:155
 k8s.io/apimachinery/pkg/util/wait.BackoffUntil
     /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:156
 k8s.io/apimachinery/pkg/util/wait.JitterUntil
     /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:133
 k8s.io/apimachinery/pkg/util/wait.Until
     /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:90

Mitigation:

Manually edit the KMSKey deletionPendingWindowInDays value to a correct one and kms-issuer will schedule deletion of the key in AWS.

@danmx danmx added the bug Something isn't working label Aug 7, 2020
@helixphoenix commented

I think we should fix it from the AWS SDK first, as they are not checking this input at creation: https://github.com/aws/aws-sdk-go/blob/master/service/kms/api.go

@helixphoenix commented

If we want a validation mechanism, first we should be able to map it at the AWS SDK. Another question: is 0 accepted during deletion? We maybe should not omit empty as well.
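The check described in the report and in the comments above, written as an added example that is not kms-issuer's own code: a spec-level validation that enforces the 7 to 30 day window at admission (create/update) rather than letting AWS reject the value only when the key is finally deleted. The `KMSKeySpec` struct, the `ValidateDeletionWindow`/`ValidateKMSKeySpec` names, and the choice to treat an omitted field as the 30-day maximum while rejecting an explicit 0 are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Bounds AWS KMS enforces for PendingWindowInDays on ScheduleKeyDeletion.
const (
	minDeletionWindowDays = 7
	maxDeletionWindowDays = 30
)

// KMSKeySpec carries only the fields this example needs; it is a constructed
// stand-in, not the project's real CRD type.
type KMSKeySpec struct {
	AliasName                   string
	DeletionPendingWindowInDays *int32 // nil when the field is omitted in YAML
}

// ErrDeletionWindowOutOfRange is returned for any value AWS would reject later.
var ErrDeletionWindowOutOfRange = errors.New("deletionPendingWindowInDays must be between 7 and 30")

// ValidateDeletionWindow returns the window that will eventually be sent to AWS.
// An omitted field falls back to the 30-day maximum (an assumption of this
// example); an explicit 0 is not treated as "omitted" but rejected, so the
// mistake surfaces on kubectl apply instead of at deletion time.
func ValidateDeletionWindow(spec KMSKeySpec) (int32, error) {
	if spec.DeletionPendingWindowInDays == nil {
		return maxDeletionWindowDays, nil
	}
	days := *spec.DeletionPendingWindowInDays
	if days < minDeletionWindowDays || days > maxDeletionWindowDays {
		return 0, fmt.Errorf("%w: got %d", ErrDeletionWindowOutOfRange, days)
	}
	return days, nil
}

// ValidateKMSKeySpec is the whole-spec check an admission webhook would run.
func ValidateKMSKeySpec(spec KMSKeySpec) error {
	if spec.AliasName == "" {
		return errors.New("aliasName is required")
	}
	_, err := ValidateDeletionWindow(spec)
	return err
}

func main() {
	one := int32(1) // the value from the report, now rejected at admission
	fmt.Println(ValidateKMSKeySpec(KMSKeySpec{AliasName: "alias/example", DeletionPendingWindowInDays: &one}))
}
```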
