aws/karpenter-provider-aws

feat: Allow specifying kms key alias in the ec2 node class spec for `blockDeviceMappings`

shabbskagalwala opened this issue · 1 comment

Description

What problem are you trying to solve?

This is a feature request to introduce the ability to specify a kmsKeyAlias in the blockDeviceMappings for the EC2 node class object, in addition to the currently supported kmsKeyID.

At present, only the kmsKeyID can be provided for the EC2 node class. This approach presents challenges in managing configurations across multiple clusters, environments, regions, and AWS accounts.

When operating at scale with multiple clusters, managing and manually entering the kmsKeyID in each template can become cumbersome and error-prone, especially with tools like Helm charts for nodepools and node classes when Terraform is not used in the setup. The kmsKeyAlias is a logical identifier that remains consistent across environments, accounts, and regions, making it more suitable for use in infrastructure templates. Relying solely on kmsKeyID increases the risk of misconfiguration, especially when managing EC2 node classes in environments where IDs vary but the alias always remains the same.

An example would be something like:

apiVersion: karpenter.k8s.aws/v1beta1
kind: EC2NodeClass
metadata:
  name: default
spec:
  amiFamily: AL2
  amiSelectorTerms:
  - id: ami-1234567890
  blockDeviceMappings:
  - deviceName: /dev/xvda
    ebs:
      deleteOnTermination: true
      encrypted: true
      iops: 3000
      # proposed field: resolved by Karpenter to the key behind the alias
      # in the cluster's account and region (kmsKeyID is what exists today)
      kmsKeyAlias: us-west-2/eks-cluster-ebs-key
      throughput: 750
      volumeSize: 100Gi
      volumeType: gp3
  detailedMonitoring: true

How important is this feature to you?

This would make cluster management at scale with Karpenter easier and simplify the process where multiple node pools are being used in 100s of EKS clusters.

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment
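Until an alias field exists, the resolution the issue asks for has to happen in whatever renders the EC2NodeClass. The following is an added example, not Karpenter code and not the issue author's: it resolves a KMS alias to the key ARN with the real boto3 `describe_key` call, refuses keys that are not enabled or not symmetric (EBS volumes can only be encrypted with symmetric keys), and fills the resulting ARN into the `kmsKeyID` field of the blockDeviceMappings entry from the issue. The `FakeKms` class and the two sample accounts are constructed so the example runs offline; in real use you would pass `boto3.client("kms", region_name=...)` instead.

```python
"""Resolve a KMS alias to the key ARN that EC2NodeClass's kmsKeyID needs today,
checking the key is usable, so templates can carry the stable alias name.

Added example (not part of Karpenter). describe_key is the real boto3 KMS API;
FakeKms is a constructed offline stand-in for boto3.client("kms").
"""
import re
from typing import Dict

# KMS alias names: "alias/" followed by letters, digits, '/', '_' and '-'.
ALIAS_NAME_RE = re.compile(r"^alias/[A-Za-z0-9/_-]{1,250}$")


class KmsKeyError(ValueError):
    """Raised when an alias cannot be turned into a usable EBS encryption key."""


def resolve_alias(kms, alias_name: str) -> str:
    """Return the key ARN behind alias_name (with or without the 'alias/' prefix).

    The ARN, unlike a bare key ID, also pins the account and region, so a
    template rendered against the wrong account fails loudly at apply time.
    """
    if not alias_name.startswith("alias/"):
        alias_name = "alias/" + alias_name
    if not ALIAS_NAME_RE.match(alias_name):
        raise KmsKeyError(f"invalid KMS alias name: {alias_name!r}")
    meta = kms.describe_key(KeyId=alias_name)["KeyMetadata"]
    if meta["KeyState"] != "Enabled":
        raise KmsKeyError(f"{alias_name} -> {meta['KeyId']} is {meta['KeyState']}, not Enabled")
    if meta.get("KeySpec", "SYMMETRIC_DEFAULT") != "SYMMETRIC_DEFAULT":
        raise KmsKeyError(f"{alias_name} -> {meta['KeyId']} is {meta['KeySpec']}; EBS needs a symmetric key")
    return meta["Arn"]


def render_block_device_mapping(kms, alias_name: str, device_name: str = "/dev/xvda") -> dict:
    """Build the blockDeviceMappings entry from the issue with kmsKeyID filled in."""
    return {
        "deviceName": device_name,
        "ebs": {
            "deleteOnTermination": True,
            "encrypted": True,
            "iops": 3000,
            "kmsKeyID": resolve_alias(kms, alias_name),
            "throughput": 750,
            "volumeSize": "100Gi",
            "volumeType": "gp3",
        },
    }


class FakeKms:
    """Constructed stand-in for one account/region's KMS client (offline only)."""

    def __init__(self, region: str, account: str, aliases: Dict[str, dict]):
        self.region, self.account, self.aliases = region, account, aliases

    def describe_key(self, KeyId: str) -> dict:
        if KeyId not in self.aliases:
            raise KmsKeyError(f"NotFoundException: {KeyId} does not exist in {self.region}")
        key = self.aliases[KeyId]
        return {"KeyMetadata": {
            "KeyId": key["id"],
            "Arn": f"arn:aws:kms:{self.region}:{self.account}:key/{key['id']}",
            "KeyState": key.get("state", "Enabled"),
            "KeySpec": key.get("spec", "SYMMETRIC_DEFAULT"),
        }}


# Constructed sample: the alias from the issue exists in two accounts with
# different key IDs; the second account's key is scheduled for deletion.
ALIAS = "us-west-2/eks-cluster-ebs-key"
KMS_ACCOUNT_A = FakeKms("us-west-2", "111111111111", {
    "alias/" + ALIAS: {"id": "11111111-2222-3333-4444-555555555555"},
})
KMS_ACCOUNT_B = FakeKms("us-west-2", "222222222222", {
    "alias/" + ALIAS: {"id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "state": "PendingDeletion"},
})

if __name__ == "__main__":
    print(render_block_device_mapping(KMS_ACCOUNT_A, ALIAS))
    try:
        render_block_device_mapping(KMS_ACCOUNT_B, ALIAS)
    except KmsKeyError as err:
        print("refused:", err)
```

Running the resolver once per target account and region at template-render time gives the "alias in the template, ID on the cluster" split the issue describes, and the state and key-spec checks catch the case where the alias exists but points at a key that would make node provisioning fail later.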

Going to close as a duplicate of #3643.