Fix reusing instanceRoleARN for nodegroups authorized with access entry #7707

Merged
merged 4 commits into from
Apr 24, 2024

Conversation

cPu1
Contributor

@cPu1 cPu1 commented Apr 9, 2024

Description

This changelist changes the design of creating access entries for self-managed nodegroups that use a pre-existing instanceRoleARN by creating the access entry resource outside of the CloudFormation stack by making a separate call to the AWS API. When deleting such a nodegroup, it's the user's responsibility to also delete the corresponding access entry when no more nodegroups are associated with it. This is because eksctl cannot tell if an access entry resource is still in use by non-eksctl created self-managed nodegroups.

Self-managed nodegroups not using a pre-existing instanceRoleARN will continue to have the access entry resource in the CloudFormation stack, making delete nodegroup an atomic operation for most use cases.

Fixes #7502

Checklist

  • Added tests that cover your change (if possible)
  • Added/modified documentation as required (such as the README.md, or the userdocs directory)
  • Manually tested
  • Made sure the title of the PR is a good description that can go into the release notes
  • (Core team) Added labels for change area (e.g. area/nodegroup) and kind (e.g. kind/improvement)

BONUS POINTS checklist: complete for good vibes and maybe prizes?! 🤯

  • Backfilled missing tests for code in same general area 🎉
  • Refactored something and made the world a better place 🌟
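The cleanup duty described above (deleting the access entry once no nodegroup uses the role), as an added example that is not part of this PR or of eksctl's code: it flags node-type access entries whose principal is no longer any remaining nodegroup's instance role. The `NodeGroup` and `AccessEntry` types, the function name and the sample ARNs are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// NodeGroup is a hypothetical, simplified inventory record (not an eksctl type).
type NodeGroup struct {
	Name            string
	InstanceRoleARN string
}

// AccessEntry holds the two access entry fields this check needs.
type AccessEntry struct {
	PrincipalARN string
	Type         string // STANDARD, EC2_LINUX, EC2_WINDOWS, ...
}

// StaleNodeEntries returns the principal ARNs of node-type access entries that
// no remaining nodegroup uses as its instance role. The remaining slice must
// list every self-managed nodegroup, including ones not created by eksctl.
func StaleNodeEntries(entries []AccessEntry, remaining []NodeGroup) []string {
	inUse := make(map[string]bool, len(remaining))
	for _, ng := range remaining {
		inUse[ng.InstanceRoleARN] = true
	}
	stale := []string{}
	for _, e := range entries {
		isNode := e.Type == "EC2_LINUX" || e.Type == "EC2_WINDOWS"
		if isNode && !inUse[e.PrincipalARN] {
			stale = append(stale, e.PrincipalARN)
		}
	}
	sort.Strings(stale)
	return stale
}

func main() {
	// Constructed sample data: two nodegroups shared one pre-existing role.
	shared := "arn:aws:iam::111122223333:role/shared-node-role"
	entries := []AccessEntry{
		{PrincipalARN: shared, Type: "EC2_LINUX"},
		{PrincipalARN: "arn:aws:iam::111122223333:role/admin", Type: "STANDARD"},
	}
	// After deleting ng-1, ng-2 still uses the role: nothing is stale.
	fmt.Println(StaleNodeEntries(entries, []NodeGroup{{"ng-2", shared}}))
	// After deleting ng-2 as well, the entry is stale and should be removed.
	fmt.Println(StaleNodeEntries(entries, nil))
}
```

An entry reported as stale can then be removed with `aws eks delete-access-entry --cluster-name <cluster> --principal-arn <arn>`.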

@cPu1 cPu1 force-pushed the accessentry-instance-role-arn branch 2 times, most recently from 0046e64 to f4890b9 Compare April 9, 2024 16:21
@cPu1 cPu1 changed the title Allow reusing instanceRoleARN for nodegroups authorized with access entry FIx reusing instanceRoleARN for nodegroups authorized with access entry Apr 9, 2024
@cPu1 cPu1 changed the title FIx reusing instanceRoleARN for nodegroups authorized with access entry Fix reusing instanceRoleARN for nodegroups authorized with access entry Apr 9, 2024
@cPu1 cPu1 force-pushed the accessentry-instance-role-arn branch 19 times, most recently from 3664bb5 to dfc653e Compare April 15, 2024 13:33
@cPu1 cPu1 marked this pull request as ready for review April 15, 2024 13:44
@cPu1 cPu1 force-pushed the accessentry-instance-role-arn branch 2 times, most recently from 0f92718 to d50d034 Compare April 15, 2024 13:49
Collaborator

@TiberiuGC TiberiuGC left a comment

Shall we also update the integration tests to cover the scenario described in the bug?

Otherwise, LGTM! 🚀

@cPu1 cPu1 force-pushed the accessentry-instance-role-arn branch from 837c8c1 to 096183f Compare April 16, 2024 12:32
@cPu1
Contributor Author

cPu1 commented Apr 16, 2024

> Shall we also update the integration tests to cover the scenario described in the bug?
>
> Otherwise, LGTM! 🚀

Yup, I have been working on it (I should have added it as a TODO item).

@cPu1 cPu1 force-pushed the accessentry-instance-role-arn branch 7 times, most recently from 3752883 to bd3a822 Compare April 17, 2024 08:20
@cPu1
Contributor Author

cPu1 commented Apr 17, 2024

The integration test is currently blocked on testing as the integration test account lacks certain permissions.

@cPu1 cPu1 force-pushed the accessentry-instance-role-arn branch 3 times, most recently from 3e67461 to 7a088a9 Compare April 22, 2024 14:16
@cPu1
Contributor Author

cPu1 commented Apr 22, 2024

> The integration test is currently blocked on testing as the integration test account lacks certain permissions.

Integration tests are passing now.

cPu1 and others added 4 commits April 23, 2024 15:09
…ries

This changelist changes the design of creating access entries for self-managed nodegroups that use a pre-existing instanceRoleARN by creating the access entry resource outside of the CloudFormation stack by making a separate call to the AWS API. When deleting such a nodegroup, it's the user's responsibility to also delete the corresponding access entry when no more nodegroups are associated with it. This is because eksctl cannot tell if an access entry resource is still in use by non-eksctl created self-managed nodegroups.

Self-managed nodegroups not using a pre-existing instanceRoleARN will continue to have the access entry resource in the CloudFormation stack, making delete nodegroup an atomic operation for most use cases.

Fixes eksctl-io#7502
@cPu1 cPu1 force-pushed the accessentry-instance-role-arn branch from 7a088a9 to c2d8c80 Compare April 23, 2024 09:39
@cPu1 cPu1 merged commit 752fded into eksctl-io:main Apr 24, 2024
10 checks passed
Development

Successfully merging this pull request may close these issues.

[Bug] Can't reuse instanceRoleARN in multiple nodegroups with AccessEntry