Enable IMDSv2 for ManagedNodeGroup resources (#1146)
### Proposed changes
Exposes a new option for ManagedNodeGroups to enable IMDSv2. This PR is
stacked on top of #1131 which allows the creation of a LaunchTemplate to
implement these features.

Manual testing was done to ensure that we can create a ManagedNodeGroup
with IMDSv2 enabled using instructions from:
https://stackoverflow.com/questions/64595032/how-to-tell-what-version-of-instance-metadata-serviceimds-ec2-instance-is-usin

### Related issues (optional)

Fixes: #682
rquitales authored May 21, 2024
1 parent 6d04bbe commit b6200bb
Showing 13 changed files with 780 additions and 619 deletions.
7 changes: 2 additions & 5 deletions nodejs/eks/babel.config.js
@@ -1,6 +1,3 @@
module.exports = {
presets: [
['@babel/preset-env', {targets: {node: 'current'}}],
'@babel/preset-typescript',
],
};
presets: [["@babel/preset-env", { targets: { node: "current" } }], "@babel/preset-typescript"],
};
102 changes: 51 additions & 51 deletions nodejs/eks/cluster.ts
Expand Up @@ -562,14 +562,14 @@ export function createCore(
let kubernetesNetworkConfig:
| pulumi.Output<aws.types.input.eks.ClusterKubernetesNetworkConfig>
| undefined;
if (args.kubernetesServiceIpAddressRange || args.ipFamily ) {
kubernetesNetworkConfig = pulumi.all([args.kubernetesServiceIpAddressRange, args.ipFamily]).apply(
([serviceIpv4Cidr, ipFamily = "ipv4"]) => ({
serviceIpv4Cidr: ipFamily === "ipv4" ? serviceIpv4Cidr : undefined, // only applicable for IPv4 IP family
ipFamily: ipFamily
}),
);
}
if (args.kubernetesServiceIpAddressRange || args.ipFamily) {
kubernetesNetworkConfig = pulumi
.all([args.kubernetesServiceIpAddressRange, args.ipFamily])
.apply(([serviceIpv4Cidr, ipFamily = "ipv4"]) => ({
serviceIpv4Cidr: ipFamily === "ipv4" ? serviceIpv4Cidr : undefined, // only applicable for IPv4 IP family
ipFamily: ipFamily,
}));
}

// Create the EKS cluster
const eksCluster = new aws.eks.Cluster(
Expand Down Expand Up @@ -657,54 +657,54 @@ export function createCore(
// its worker nodes have come up.
const genKubeconfig = (useProfileName: boolean) => {
const kubeconfig = pulumi
.all([
eksCluster.name,
endpoint,
eksCluster.certificateAuthority,
args.providerCredentialOpts,
])
.apply(
([
clusterName,
clusterEndpoint,
clusterCertificateAuthority,
providerCredentialOpts,
]) => {
let config = {};

if (args.creationRoleProvider) {
config = args.creationRoleProvider.role.arn.apply((arn) => {
const opts: KubeconfigOptions = { roleArn: arn };
return generateKubeconfig(
.all([
eksCluster.name,
endpoint,
eksCluster.certificateAuthority,
args.providerCredentialOpts,
])
.apply(
([
clusterName,
clusterEndpoint,
clusterCertificateAuthority,
providerCredentialOpts,
]) => {
let config = {};

if (args.creationRoleProvider) {
config = args.creationRoleProvider.role.arn.apply((arn) => {
const opts: KubeconfigOptions = { roleArn: arn };
return generateKubeconfig(
clusterName,
clusterEndpoint,
useProfileName,
clusterCertificateAuthority?.data,
opts,
);
});
} else if (providerCredentialOpts) {
config = generateKubeconfig(
clusterName,
clusterEndpoint,
useProfileName,
clusterCertificateAuthority?.data,
opts,
providerCredentialOpts,
);
});
} else if (providerCredentialOpts) {
config = generateKubeconfig(
clusterName,
clusterEndpoint,
useProfileName,
clusterCertificateAuthority?.data,
providerCredentialOpts,
);
} else {
config = generateKubeconfig(
clusterName,
clusterEndpoint,
useProfileName,
clusterCertificateAuthority?.data,
);
}
return config;
},
);

} else {
config = generateKubeconfig(
clusterName,
clusterEndpoint,
useProfileName,
clusterCertificateAuthority?.data,
);
}
return config;
},
);

return kubeconfig;
}
};

// We need 2 forms of kubeconfig, one with the profile name and one without. The one with the profile name
// is required to interact with the cluster by this provider. The one without is used by the user to interact
Expand Down Expand Up @@ -1311,7 +1311,7 @@ export interface ClusterOptions {
/**
* The security group to use for the cluster API endpoint. If not provided, a new security group will be created
* with full internet egress and ingress from node groups.
*
*
* Note: The security group resource should not contain any inline ingress or egress rules.
*/
clusterSecurityGroup?: aws.ec2.SecurityGroup;
4 changes: 2 additions & 2 deletions nodejs/eks/cmd/provider/cni.test.ts
Expand Up @@ -34,7 +34,7 @@ describe("updateImage", () => {
};

expect(testCode).not.toThrow();
expect(testCode()).toBe(updatedManifest)
expect(testCode()).toBe(updatedManifest);
});
});

Expand Down Expand Up @@ -636,4 +636,4 @@ spec:
operator: NotIn
values:
- fargate
`;
`;
2 changes: 1 addition & 1 deletion nodejs/eks/cni/README.md
Expand Up @@ -3,4 +3,4 @@ The CNI manfiest used has divergence between the
Pulumi's [approach](https://github.com/pulumi/pulumi-eks/blob/master/nodejs/eks/cni/aws-k8s-cni.yaml),
and what AWS does by [default](https://github.com/aws/amazon-vpc-cni-k8s/issues/755) for Fargate clusters.

Pulumi's fork of the manifest removes certain lines from the upstream manifest. This is showcased in our forked copy by commenting out such lines.
Pulumi's fork of the manifest removes certain lines from the upstream manifest. This is showcased in our forked copy by commenting out such lines.
