Add config option to enable the encryption of AWS EKS secrets #2723

Closed
wants to merge 17 commits into from

Conversation

joneszc
Contributor

@joneszc joneszc commented Sep 17, 2024

Reference Issues or PRs

Fixes #2681

What does this implement/fix?

Put a x in the boxes that apply

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds a feature)
  • Breaking change (fix or feature that would cause existing features not to work as expected)
  • Documentation Update
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes, no API changes)
  • Build related changes
  • Other (please describe):

Testing

  • Did you test the pull request locally?
  • Did you add new tests?

How to test this PR?

Any other comments?

Allows user to set EKS encryption of secrets by specifying a KMS key ARN in nebari-config.yaml

amazon_web_services:
  eks_kms_arn: 'arn:aws:kms:us-east-1:010101010:key/3xxxxxxx-xxxxx-xxxxx-xxxxx'

The KMS key must meet the following conditions:

  • Symmetric
  • Can encrypt and decrypt data
  • Created in the same AWS Region as the cluster
  • If the KMS key was created in a different account, the IAM principal must have access to the KMS key.

@joneszc joneszc removed the request for review from dcmcand September 17, 2024 16:11
@kenafoster kenafoster self-requested a review September 19, 2024 21:39
Contributor

@kenafoster kenafoster left a comment


LGTM but if this is merged we should open up a nebari-docs since it's a little tricky to implement and understand

I've confirmed that most of the mistakes you could make (wrong region, bad format, key doesn't exist or Nebari deploy user can't see it) will fail in the stage where it creates the IAM policy, so at least it won't get to modifying the EKS cluster before failing

@viniciusdc
Contributor

I would say that we could have a validator in the AWS Pydantic provider (similar to how we already do for the instance types and region) so that the feedback loop in case of errors is quicker for the user doing the deployment (instead of relying on terraform only for the "check").
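
A static pre-flight check along the lines suggested above, covering the key conditions listed in the PR description, written as an added example for this page and not Nebari's own code. It assumes the function names shown and a metadata dict in the shape boto3's kms.describe_key() returns under KeyMetadata; no AWS call is made, the sample metadata is constructed inline.

```python
import re

# Shape: arn:<partition>:kms:<region>:<account>:key/<key-id>
_KMS_KEY_ARN = re.compile(
    r"^arn:(?P<partition>aws|aws-cn|aws-us-gov):kms:(?P<region>[a-z]{2}(?:-[a-z]+)+-\d):"
    r"(?P<account>\d{12}):key/(?P<key_id>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})$"
)

def parse_kms_key_arn(arn: str) -> dict:
    """Split a KMS key ARN into its parts; raise ValueError if malformed."""
    match = _KMS_KEY_ARN.match(arn)
    if not match:
        raise ValueError(f"eks_kms_arn is not a KMS key ARN: {arn!r}")
    return match.groupdict()

def validate_eks_kms_arn(arn: str, cluster_region: str) -> dict:
    """Static checks that need no AWS call: ARN format and region match."""
    parts = parse_kms_key_arn(arn)
    if parts["region"] != cluster_region:
        raise ValueError(f"KMS key is in {parts['region']} but the cluster is in {cluster_region}")
    return parts

def check_key_metadata(meta: dict, cluster_region: str, deploy_account: str) -> dict:
    """Check describe_key()['KeyMetadata'] against the EKS requirements.

    Returns {"errors": [...], "warnings": [...]}; an empty errors list means usable.
    """
    try:
        parts = validate_eks_kms_arn(meta.get("Arn", ""), cluster_region)
    except ValueError as exc:
        return {"errors": [str(exc)], "warnings": []}
    errors, warnings = [], []
    if meta.get("KeySpec") != "SYMMETRIC_DEFAULT":
        errors.append("key must be symmetric (KeySpec SYMMETRIC_DEFAULT)")
    if meta.get("KeyUsage") != "ENCRYPT_DECRYPT":
        errors.append("key must be able to encrypt and decrypt data (KeyUsage ENCRYPT_DECRYPT)")
    if parts["account"] != deploy_account:
        # Cross-account keys work only if the key policy grants the deploy principal access.
        warnings.append("key is in another account; the deploy IAM principal needs access in the key policy")
    return {"errors": errors, "warnings": warnings}

# Constructed sample (not a real key), in the shape boto3's describe_key returns under KeyMetadata.
SAMPLE_KEY_METADATA = {
    "Arn": "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789abc",
    "KeySpec": "SYMMETRIC_DEFAULT",
    "KeyUsage": "ENCRYPT_DECRYPT",
}
```

In a Pydantic provider model the ARN check would run as a field validator, while the metadata check needs the describe_key() result and so belongs to a later step that has AWS credentials.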

@joneszc
Contributor Author

joneszc commented Sep 27, 2024

I would say that we could have a validator in the AWS Pydantic provider (similar to how we already do for the instance types and region) so that the feedback loop in case of errors is quicker for the user doing the deployment (instead of relying on terraform only for the "check").

@viniciusdc @tylergraff
As suggested, I have added initial KMS key ARN validation steps here
I'm still testing these updates

@viniciusdc
Contributor

viniciusdc commented Oct 3, 2024

I think the issues with the tests below are due to the recent move from develop to main. Can you update your fork repo and update this branch?

@joneszc joneszc closed this Oct 3, 2024
@joneszc joneszc deleted the eks-cluster-encryption branch October 3, 2024 16:55
@joneszc
Contributor Author

joneszc commented Oct 3, 2024

I think the issues with the tests below are due to the recent move from develop to main. Can you update your fork repo and update this branch?

@viniciusdc,
This branch should now, at time of writing, be up to date with nebari-dev/nebari:main. Thanks!

@joneszc
Contributor Author

joneszc commented Oct 3, 2024

@viniciusdc @tylergraff @kenafoster
Migrating this effort to new PR #2752

Successfully merging this pull request may close these issues.

Fix code scanning alert - EKS should have the encryption of secrets enabled