From 84a33c1af9e2c54f58c6106e243177dd5606f0fd Mon Sep 17 00:00:00 2001
From: Robert Lucian Chiriac
Date: Wed, 16 Jun 2021 03:49:40 +0300
Subject: [PATCH 1/2] Enable SSE for cluster bucket (bucket-wide instead of per-object) (#2251)
---
 cli/cmd/cluster.go | 5 +++++
 pkg/lib/aws/s3.go | 30 ++++++++++++++++++++++++------
 2 files changed, 29 insertions(+), 6 deletions(-)
diff --git a/cli/cmd/cluster.go b/cli/cmd/cluster.go
index 04431afc0c..c1b50923d6 100644
--- a/cli/cmd/cluster.go
+++ b/cli/cmd/cluster.go
@@ -1169,6 +1169,11 @@ func createS3BucketIfNotFound(awsClient *aws.Client, bucket string, tags map[str
 fmt.Print("\n\n")
 return err
 }
+ err = awsClient.EnableBucketEncryption(bucket)
+ if err != nil {
+ fmt.Print("\n\n")
+ return err
+ }
 } else {
 fmt.Print("○ using existing s3 bucket: ", bucket)
 }
diff --git a/pkg/lib/aws/s3.go b/pkg/lib/aws/s3.go
index b0d1357113..17b488de09 100644
--- a/pkg/lib/aws/s3.go
+++ b/pkg/lib/aws/s3.go
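Review bot: Default encryption is only applied on the bucket-creation path; the `} else {` branch that prints "using existing s3 bucket" never calls `EnableBucketEncryption`, while the companion s3.go hunk in this same patch drops `ServerSideEncryption: aws.String("AES256")` from `UploadReaderToS3`, so objects uploaded to a pre-existing bucket are now encrypted only if that bucket already carries a default-encryption rule. Since PutBucketEncryption simply replaces the bucket's configuration, the minimal fix is to run `err = awsClient.EnableBucketEncryption(bucket)` with the same error handling in the else branch as well; if a user-supplied bucket might already have a KMS default, reading the current configuration first and applying SSE-S3 only when none is set avoids silently downgrading it. Either way the existing-bucket path then needs `s3:PutEncryptionConfiguration` (and `s3:GetEncryptionConfiguration` if it checks first) in the caller's IAM policy, which is worth a note in the CLI docs. createS3BucketIfNotFound starts and ends outside the hunk.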
@@ -376,14 +376,32 @@ func (c *Client) CreateBucket(bucket string) error {
 return nil
 }
+func (c *Client) EnableBucketEncryption(bucket string) error {
+ _, err := c.S3().PutBucketEncryption(&s3.PutBucketEncryptionInput{
+ Bucket: aws.String(bucket),
+ ServerSideEncryptionConfiguration: &s3.ServerSideEncryptionConfiguration{
+ Rules: []*s3.ServerSideEncryptionRule{
+ {
+ ApplyServerSideEncryptionByDefault: &s3.ServerSideEncryptionByDefault{
+ SSEAlgorithm: pointer.String("AES256"),
+ },
+ },
+ },
+ },
+ })
+ if err != nil {
+ return errors.Wrap(err, "enabling encryption for bucket "+bucket)
+ }
+ return nil
+}
+
 func (c *Client) UploadReaderToS3(data io.Reader, bucket string, key string) error {
 _, err := c.S3Uploader().Upload(&s3manager.UploadInput{
- Bucket: aws.String(bucket),
- Key: aws.String(key),
- Body: data,
- ACL: aws.String("private"),
- ContentDisposition: aws.String("attachment"),
- ServerSideEncryption: aws.String("AES256"),
+ Bucket: aws.String(bucket),
+ Key: aws.String(key),
+ Body: data,
+ ACL: aws.String("private"),
+ ContentDisposition: aws.String("attachment"),
 })
 if err != nil {
From c21f53b6386bd6457e379fd7c1d9366644ec8901 Mon Sep 17 00:00:00 2001
From: Robert Lucian Chiriac
Date: Wed, 16 Jun 2021 03:50:00 +0300
Subject: [PATCH 2/2] Update k8s.go (#2250)
---
 pkg/workloads/k8s.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkg/workloads/k8s.go b/pkg/workloads/k8s.go
index e75ca21cf3..6519d29012 100644
--- a/pkg/workloads/k8s.go
+++ b/pkg/workloads/k8s.go
@@ -386,9 +386,9 @@ func userPodContainers(api spec.API) ([]kcore.Container, []kcore.Volume) {
 if container.Compute.Inf > 0 {
 totalHugePages := container.Compute.Inf * _hugePagesMemPerInf
- containerResourceList["nvidia.com/gpu"] = *kresource.NewQuantity(container.Compute.Inf, kresource.DecimalSI)
+ containerResourceList["aws.amazon.com/neuron"] = *kresource.NewQuantity(container.Compute.Inf, kresource.DecimalSI)
 containerResourceList["hugepages-2Mi"] = *kresource.NewQuantity(totalHugePages, kresource.BinarySI)
- containerResourceLimitsList["nvidia.com/gpu"] = *kresource.NewQuantity(container.Compute.Inf, kresource.DecimalSI)
+ containerResourceLimitsList["aws.amazon.com/neuron"] = *kresource.NewQuantity(container.Compute.Inf, kresource.DecimalSI)
 containerResourceLimitsList["hugepages-2Mi"] = *kresource.NewQuantity(totalHugePages, kresource.BinarySI)
 securityContext.Capabilities = &kcore.Capabilities{