diff --git a/pkg/clients/eks/eks.go b/pkg/clients/eks/eks.go
index 0c7b939b82..e57963e8dd 100644
--- a/pkg/clients/eks/eks.go
+++ b/pkg/clients/eks/eks.go
@@ -60,6 +60,7 @@ type Client interface {
 	TagResource(ctx context.Context, input *eks.TagResourceInput, opts ...func(*eks.Options)) (*eks.TagResourceOutput, error)
 	UntagResource(ctx context.Context, input *eks.UntagResourceInput, opts ...func(*eks.Options)) (*eks.UntagResourceOutput, error)
 	UpdateClusterVersion(ctx context.Context, input *eks.UpdateClusterVersionInput, opts ...func(*eks.Options)) (*eks.UpdateClusterVersionOutput, error)
+	AssociateEncryptionConfig(ctx context.Context, params *eks.AssociateEncryptionConfigInput, optFns ...func(*eks.Options)) (*eks.AssociateEncryptionConfigOutput, error)
 	DescribeNodegroup(ctx context.Context, input *eks.DescribeNodegroupInput, opts ...func(*eks.Options)) (*eks.DescribeNodegroupOutput, error)
 	CreateNodegroup(ctx context.Context, input *eks.CreateNodegroupInput, opts ...func(*eks.Options)) (*eks.CreateNodegroupOutput, error)
@@ -118,15 +119,7 @@ func GenerateCreateClusterInput(name string, p *v1beta1.ClusterParameters) *eks.
 	}
 	if len(p.EncryptionConfig) > 0 {
-		c.EncryptionConfig = make([]ekstypes.EncryptionConfig, len(p.EncryptionConfig))
-		for i, conf := range p.EncryptionConfig {
-			c.EncryptionConfig[i] = ekstypes.EncryptionConfig{
-				Provider: &ekstypes.Provider{
-					KeyArn: awsclients.String(conf.Provider.KeyArn),
-				},
-				Resources: conf.Resources,
-			}
-		}
+		c.EncryptionConfig = GenerateEncryptionConfig(p)
 	}
 	c.ResourcesVpcConfig = &ekstypes.VpcConfigRequest{
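Review bot: The new AssociateEncryptionConfig method in the Client interface names its parameters `params` and `optFns`, while every neighbouring method (TagResource, UntagResource, UpdateClusterVersion, DescribeNodegroup) uses `input` and `opts`; the names look copied from the SDK signature. Renaming them to `input *eks.AssociateEncryptionConfigInput, opts ...func(*eks.Options)` keeps the interface uniform and matches the mock in fake.go, which already uses `input`/`opts`. The Client interface declaration continues outside this hunk.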
@@ -158,6 +151,22 @@ func GenerateCreateClusterInput(name string, p *v1beta1.ClusterParameters) *eks.
 	return c
 }
+// GenerateEncryptionConfig creates the config needed to enable encryption
+func GenerateEncryptionConfig(parameters *v1beta1.ClusterParameters) []ekstypes.EncryptionConfig {
+	encryptionConfig := make([]ekstypes.EncryptionConfig, len(parameters.EncryptionConfig))
+	if len(parameters.EncryptionConfig) > 0 {
+		for i, conf := range parameters.EncryptionConfig {
+			encryptionConfig[i] = ekstypes.EncryptionConfig{
+				Provider: &ekstypes.Provider{
+					KeyArn: awsclients.String(conf.Provider.KeyArn),
+				},
+				Resources: conf.Resources,
+			}
+		}
+	}
+	return encryptionConfig
+}
+
 // CreatePatch creates a *v1beta1.ClusterParameters that has only the changed
 // values between the target *v1beta1.ClusterParameters and the current
 // *ekstypes.Cluster.
diff --git a/pkg/clients/eks/fake/fake.go b/pkg/clients/eks/fake/fake.go
index 3891a2c656..657aa71019 100644
--- a/pkg/clients/eks/fake/fake.go
+++ b/pkg/clients/eks/fake/fake.go
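Review bot: The `if len(parameters.EncryptionConfig) > 0` guard in GenerateEncryptionConfig is redundant — ranging over an empty slice already executes zero iterations and the preceding `make` of length 0 is valid — so the body can be the `make` followed directly by the `for` loop, which removes one nesting level. The doc comment should also name what is produced and end with a period, e.g. `// GenerateEncryptionConfig converts the spec's EncryptionConfig entries into their EKS API representation.`. Note that the function is now reached from two callers (GenerateCreateClusterInput and the controller's Update), so its contract for an empty spec — an empty, non-nil slice — is worth stating in that comment so the Update path does not accidentally submit an empty list.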
@@ -26,13 +26,14 @@ import (
 // MockClient is a fake implementation of eks.Client.
 type MockClient struct {
-	MockCreateCluster func(ctx context.Context, input *eks.CreateClusterInput, opts []func(*eks.Options)) (*eks.CreateClusterOutput, error)
-	MockDescribeCluster func(ctx context.Context, input *eks.DescribeClusterInput, opts []func(*eks.Options)) (*eks.DescribeClusterOutput, error)
-	MockUpdateClusterConfig func(ctx context.Context, input *eks.UpdateClusterConfigInput, opts []func(*eks.Options)) (*eks.UpdateClusterConfigOutput, error)
-	MockDeleteCluster func(ctx context.Context, input *eks.DeleteClusterInput, opts []func(*eks.Options)) (*eks.DeleteClusterOutput, error)
-	MockTagResource func(ctx context.Context, input *eks.TagResourceInput, opts []func(*eks.Options)) (*eks.TagResourceOutput, error)
-	MockUntagResource func(ctx context.Context, input *eks.UntagResourceInput, opts []func(*eks.Options)) (*eks.UntagResourceOutput, error)
-	MockUpdateClusterVersion func(ctx context.Context, input *eks.UpdateClusterVersionInput, opts []func(*eks.Options)) (*eks.UpdateClusterVersionOutput, error)
+	MockCreateCluster func(ctx context.Context, input *eks.CreateClusterInput, opts []func(*eks.Options)) (*eks.CreateClusterOutput, error)
+	MockDescribeCluster func(ctx context.Context, input *eks.DescribeClusterInput, opts []func(*eks.Options)) (*eks.DescribeClusterOutput, error)
+	MockUpdateClusterConfig func(ctx context.Context, input *eks.UpdateClusterConfigInput, opts []func(*eks.Options)) (*eks.UpdateClusterConfigOutput, error)
+	MockDeleteCluster func(ctx context.Context, input *eks.DeleteClusterInput, opts []func(*eks.Options)) (*eks.DeleteClusterOutput, error)
+	MockTagResource func(ctx context.Context, input *eks.TagResourceInput, opts []func(*eks.Options)) (*eks.TagResourceOutput, error)
+	MockUntagResource func(ctx context.Context, input *eks.UntagResourceInput, opts []func(*eks.Options)) (*eks.UntagResourceOutput, error)
+	MockUpdateClusterVersion func(ctx context.Context, input *eks.UpdateClusterVersionInput, opts []func(*eks.Options)) (*eks.UpdateClusterVersionOutput, error)
+	MockAssociateEncryptionConfig func(ctx context.Context, input *eks.AssociateEncryptionConfigInput, opts []func(*eks.Options)) (*eks.AssociateEncryptionConfigOutput, error)
 	MockDescribeNodegroup func(ctx context.Context, input *eks.DescribeNodegroupInput, opts []func(*eks.Options)) (*eks.DescribeNodegroupOutput, error)
 	MockCreateNodegroup func(ctx context.Context, input *eks.CreateNodegroupInput, opts []func(*eks.Options)) (*eks.CreateNodegroupOutput, error)
@@ -97,6 +98,12 @@ func (c *MockClient) UpdateClusterVersion(ctx context.Context, input *eks.Update
 	return c.MockUpdateClusterVersion(ctx, input, opts)
 }
+// AssociateEncryptionConfig calls the underlying
+// MockAssociateEncryptionConfig method.
+func (c *MockClient) AssociateEncryptionConfig(ctx context.Context, input *eks.AssociateEncryptionConfigInput, opts ...func(*eks.Options)) (*eks.AssociateEncryptionConfigOutput, error) {
+	return c.MockAssociateEncryptionConfig(ctx, input, opts)
+}
+
 // DescribeNodegroup calls the underlying MockDescribeNodegroup
 // method.
 func (c *MockClient) DescribeNodegroup(ctx context.Context, input *eks.DescribeNodegroupInput, opts ...func(*eks.Options)) (*eks.DescribeNodegroupOutput, error) {
diff --git a/pkg/controller/eks/cluster.go b/pkg/controller/eks/cluster.go
index 44c8c76c67..9bdd254c70 100644
--- a/pkg/controller/eks/cluster.go
+++ b/pkg/controller/eks/cluster.go
@@ -189,6 +189,13 @@ func (e *external) Update(ctx context.Context, mg resource.Managed) (managed.Ext
 	if err != nil {
 		return managed.ExternalUpdate{}, awsclient.Wrap(err, errPatchCreationFailed)
 	}
+	if patch.EncryptionConfig != nil {
+		_, err := e.client.AssociateEncryptionConfig(ctx, &awseks.AssociateEncryptionConfigInput{
+			ClusterName: awsclient.String(meta.GetExternalName(cr)),
+			EncryptionConfig: eks.GenerateEncryptionConfig(&cr.Spec.ForProvider),
+		})
+		return managed.ExternalUpdate{}, awsclient.Wrap(resource.Ignore(eks.IsErrorInUse, err), errUpdateVersionFailed)
+	}
 	if patch.Version != nil {
 		_, err := e.client.UpdateClusterVersion(ctx, &awseks.UpdateClusterVersionInput{Name: awsclient.String(meta.GetExternalName(cr)), Version: patch.Version})
 		return managed.ExternalUpdate{}, awsclient.Wrap(resource.Ignore(eks.IsErrorInUse, err), errUpdateVersionFailed)
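Review bot: A failed AssociateEncryptionConfig call is wrapped with `errUpdateVersionFailed`, so an operator diagnosing a KMS key or permission problem is told that a version update failed; add a dedicated message constant next to the existing error constants (e.g. `errAssociateEncryptionConfigFailed`) and use it on the `return` line of the new branch. The branch also runs whenever `patch.EncryptionConfig` is non-nil, including when the spec has removed or changed the configuration, but EKS secrets encryption is one-way — once a KMS key is associated it cannot be detached or replaced — so in those cases the controller would resubmit the request on every reconcile and surface the same API error indefinitely. Guarding with `if patch.EncryptionConfig != nil && len(cr.Spec.ForProvider.EncryptionConfig) > 0 {` plus a comment such as `// Encryption can only be added to a cluster, never removed or re-keyed.` makes the intent explicit and avoids submitting an empty EncryptionConfig list. Whether CreatePatch (outside this hunk) keeps reporting a diff for a configuration that can no longer be applied is worth confirming, since that would leave the resource permanently out of sync. The body of Update starts and ends outside this hunk.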