aws-controllers-k8s / community

AWS Controllers for Kubernetes (ACK) is a project enabling you to manage AWS services from Kubernetes
https://aws-controllers-k8s.github.io/community/
Apache License 2.0
2.41k stars 254 forks source link

ACK RDS: can't create encrypted db from snapshot. #2198

Open gecube opened 1 week ago

gecube commented 1 week ago

Good day!

I have an ACK toolkit RDS controller v.1.4.6.

I want to create a DB from snapshot encrypted by KMS.

I prepared the next manifest:

apiVersion: kms.services.k8s.aws/v1alpha1
kind: Key
metadata:
  name: dbserver5
spec:
  description: "Key for dbserver5"
  enableKeyRotation: true
  tags:
    - tagKey: Name
      tagValue: dbserver5
    - tagKey: env
      tagValue: uat
---
apiVersion: kms.services.k8s.aws/v1alpha1
kind: Alias
metadata:
  name: dbserver5
spec:
  name: alias/dbserver5
  targetKeyRef:
    from:
      name: dbserver5

for KMS and these resources were applied properly.

Then I want to create DB:

apiVersion: rds.services.k8s.aws/v1alpha1
kind: DBInstance
metadata:
  name: dbserver-5
spec:
  dbSnapshotIdentifier: "arn:aws:rds:eu-west-2:******:snapshot:******"
  allocatedStorage: 20
  dbInstanceClass: db.r5.large
  dbInstanceIdentifier: dbserver-5
  engine: mysql
  engineVersion: "5.7"
  masterUsername: "root"
  masterUserPassword:
    namespace: infra-uat
    name: dbserver-5-db-password
    key: password
  dbSubnetGroupRef:
    from:
      name: rds-subnet
  publiclyAccessible: false
  availabilityZone: 'eu-west-2c'
  storageEncrypted: true
  kmsKeyRef:
    from:
      name: dbserver5

In fact I am getting the next:

apiVersion: rds.services.k8s.aws/v1alpha1
kind: DBInstance
metadata:
  annotations:
    rds.services.k8s.aws/last-applied-secret-reference: infra-uat/dbserver-5-db-password.password
  resourceVersion: '642548767'
  name: dbserver-5-uat
  namespace: infra-uat
  finalizers:
    - finalizers.rds.services.k8s.aws/DBInstance
  labels:
    kustomize.toolkit.fluxcd.io/name: infra-management
    kustomize.toolkit.fluxcd.io/namespace: flux-system
spec:
  engine: mysql
  preferredMaintenanceWindow: 'fri:23:40-sat:00:10'
  caCertificateIdentifier: rds-ca-rsa2048-g1
  kmsKeyRef:
    from:
      name: dbserver5
  dbInstanceClass: db.r5.large
  storageThroughput: 0
  deletionProtection: false
  availabilityZone: eu-west-2c
  masterUserPassword:
    key: password
    name: dbserver-5-db-password
    namespace: infra-uat
  licenseModel: general-public-license
  storageEncrypted: false
  autoMinorVersionUpgrade: true
  dbSnapshotIdentifier: 'arn:aws:rds:eu-west-2:*****:snapshot:*****'
  publiclyAccessible: false
  monitoringInterval: 0
  copyTagsToSnapshot: false
  dbSubnetGroupRef:
    from:
      name: rds-subnet
  multiAZ: false
  preferredBackupWindow: '05:01-05:31'
  allocatedStorage: 20
  storageType: gp2
  engineVersion: '5.7'
  performanceInsightsEnabled: false
  masterUsername: root
  dbInstanceIdentifier: dbserver-5
  backupRetentionPeriod: 1
status:
  pendingModifiedValues: {}
  dbSubnetGroup:
    dbSubnetGroupDescription: ololo
    dbSubnetGroupName: rds-subnet
    subnetGroupStatus: Complete
    subnets:
      - subnetAvailabilityZone:
          name: eu-west-2a
        subnetIdentifier: *****
        subnetOutpost: {}
        subnetStatus: Active
      - subnetAvailabilityZone:
          name: eu-west-2b
        subnetIdentifier: *****
        subnetOutpost: {}
        subnetStatus: Active
      - subnetAvailabilityZone:
          name: eu-west-2c
        subnetIdentifier: *****
        subnetOutpost: {}
        subnetStatus: Active
    vpcID: *****
  latestRestorableTime: '2024-10-19T09:25:00Z'
  dbInstanceStatus: available
  ackResourceMetadata:
    arn: 'arn:aws:rds:eu-west-2:*****:db:dbserver-5'
    ownerAccountID: '474417630776'
    region: eu-west-2
  certificateDetails:
    cAIdentifier: rds-ca-rsa2048-g1
    validTill: '2027-10-19T09:10:58Z'
  optionGroupMemberships:
    - optionGroupName: 'default:mysql-5-7'
      status: in-sync
  customerOwnedIPEnabled: false
  dbInstancePort: 0
  dbiResourceID: *****
  endpoint:
    address: *****
    hostedZoneID: *****
    port: 3306
  conditions:
    - lastTransitionTime: '2024-10-19T09:30:15Z'
      status: 'True'
      type: ACK.ReferencesResolved
    - lastTransitionTime: '2024-10-19T09:30:16Z'
      status: 'False'
      type: ACK.ResourceSynced
    - lastTransitionTime: '2024-10-19T09:30:16Z'
      message: Late initialization successful
      reason: Late initialization successful
      status: 'True'
      type: ACK.LateInitialized
  iamDatabaseAuthenticationEnabled: true
  vpcSecurityGroups:
    - status: active
      vpcSecurityGroupID: *****
  instanceCreateTime: '2024-10-19T09:11:46Z'
  dbParameterGroups:
    - dbParameterGroupName: default.mysql5.7
      parameterApplyStatus: in-sync
gecube commented 1 week ago

I want to point out that kmsID is not put into the target object for some reason and the flag storageEncrypted is false.

No meaningful errors found in logs of RDS controller. Also putting kustomize.toolkit.fluxcd.io/ssa: Merge annotation on RDS object does not help.

a-hilaly commented 1 week ago

Hi @gecube - thank you for reporting this! I quickly checked the RestoreDBInstanceFromSnapshot API and it doesn't look like it provides a way to restore DBInstances with encrypted storage https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_RestoreDBInstanceFromDBSnapshot.html - looks like this is only possible with DBClusters