fix logic for updating aws-auth configmap

TiberiuGC · TiberiuGC · commit 9fc4aec9f573 · 2024-04-04T19:58:04.000+03:00
diff --git a/integration/tests/accessentries/accessentries_test.go b/integration/tests/accessentries/accessentries_test.go
@@ -50,8 +50,8 @@ var (
 	namespaceRoleARN string
 	err              error
 
-	apiEnabledCluster  = "accessentries-api-enabled-2"
-	apiDisabledCluster = "accessentries-api-disabled-2"
+	apiEnabledCluster  = "accessentries-api-enabled"
+	apiDisabledCluster = "accessentries-api-disabled"
 )
 
 func init() {
@@ -123,24 +123,39 @@ var _ = Describe("(Integration) [AccessEntries Test]", func() {
 			cfg = makeClusterConfig(apiDisabledCluster)
 		})
 
-		It("should create a cluster with authenticationMode set to CONFIG_MAP", func() {
+		It("should create a cluster with authenticationMode set to CONFIG_MAP and allow self-managed nodes to join via aws-auth", func() {
 			cfg.AccessConfig.AuthenticationMode = ekstypes.AuthenticationModeConfigMap
-
+			cfg.NodeGroups = append(cfg.NodeGroups, &api.NodeGroup{
+				NodeGroupBase: &api.NodeGroupBase{
+					Name: "aws-auth-ng",
+					ScalingConfig: &api.ScalingConfig{
+						DesiredCapacity: aws.Int(1),
+					},
+				},
+			})
 			data, err := json.Marshal(cfg)
 			Expect(err).NotTo(HaveOccurred())
 
 			Expect(params.EksctlCreateCmd.
 				WithArgs(
 					"cluster",
 					"--config-file", "-",
-					"--without-nodegroup",
 					"--verbose", "4",
 				).
 				WithoutArg("--region", params.Region).
 				WithStdin(bytes.NewReader(data))).To(RunSuccessfully())
 
 			Expect(ctl.RefreshClusterStatus(context.Background(), cfg)).NotTo(HaveOccurred())
 			Expect(ctl.IsAccessEntryEnabled()).To(BeFalse())
+
+			Expect(params.EksctlGetCmd.WithArgs(
+				"nodegroup",
+				"--cluster", apiDisabledCluster,
+				"--name", "aws-auth-ng",
+				"-o", "yaml",
+			)).To(runner.RunSuccessfullyWithOutputStringLines(
+				ContainElement(ContainSubstring("Status: CREATE_COMPLETE")),
+			))
 		})
 
 		It("should fail early when trying to create access entries", func() {
@@ -400,6 +415,7 @@ var _ = SynchronizedAfterSuite(func() {}, func() {
 		WithArgs(
 			"cluster",
 			"--name", apiDisabledCluster,
+			"--disable-nodegroup-eviction",
 			"--wait",
 		)).To(RunSuccessfully())
 
diff --git a/pkg/actions/nodegroup/create.go b/pkg/actions/nodegroup/create.go
@@ -285,11 +285,17 @@ func (m *Manager) postNodeCreationTasks(ctx context.Context, clientSet kubernete
 	timeoutCtx, cancel := context.WithTimeout(ctx, m.ctl.AWSProvider.WaitTimeout())
 	defer cancel()
 
-	if (!m.accessEntry.IsEnabled() && !api.IsDisabled(options.UpdateAuthConfigMap)) || api.IsEnabled(options.UpdateAuthConfigMap) {
+	// authorize self-managed nodes to join the cluster via aws-auth configmap
+	// if EKS access entries are disabled OR
+	if (!m.accessEntry.IsEnabled() && !api.IsDisabled(options.UpdateAuthConfigMap)) ||
+		// if explicitly requested by the user
+		api.IsEnabled(options.UpdateAuthConfigMap) {
 		if err := eks.UpdateAuthConfigMap(m.cfg.NodeGroups, clientSet); err != nil {
 			return err
 		}
 	}
+
+	// only wait for self-managed nodes to join if either authorization method is being used
 	if !api.IsDisabled(options.UpdateAuthConfigMap) {
 		for _, ng := range m.cfg.NodeGroups {
 			if err := eks.WaitForNodes(timeoutCtx, clientSet, ng); err != nil {
@@ -298,6 +304,7 @@ func (m *Manager) postNodeCreationTasks(ctx context.Context, clientSet kubernete
 		}
 	}
 	logger.Success("created %d nodegroup(s) in cluster %q", len(m.cfg.NodeGroups), m.cfg.Metadata.Name)
+
 	for _, ng := range m.cfg.ManagedNodeGroups {
 		if err := eks.WaitForNodes(timeoutCtx, clientSet, ng); err != nil {
 			if m.cfg.PrivateCluster.Enabled {
@@ -308,8 +315,8 @@ func (m *Manager) postNodeCreationTasks(ctx context.Context, clientSet kubernete
 			}
 		}
 	}
-
 	logger.Success("created %d managed nodegroup(s) in cluster %q", len(m.cfg.ManagedNodeGroups), m.cfg.Metadata.Name)
+
 	return nil
 }
 
diff --git a/pkg/ctl/create/cluster.go b/pkg/ctl/create/cluster.go
@@ -8,6 +8,7 @@ import (
 	"sync"
 
 	"github.com/aws/aws-sdk-go-v2/aws"
+	ekstypes "github.com/aws/aws-sdk-go-v2/service/eks/types"
 
 	"github.com/aws/amazon-ec2-instance-selector/v2/pkg/selector"
 	"github.com/kris-nova/logger"
@@ -426,18 +427,28 @@ func doCreateCluster(cmd *cmdutils.Cmd, ngFilter *filter.NodeGroupFilter, params
 			} else {
 				ngCtx, cancel := context.WithTimeout(ctx, cmd.ProviderConfig.WaitTimeout)
 				defer cancel()
+
+				// authorize self-managed nodes to join the cluster via aws-auth configmap
+				// only if EKS access entries are disabled
+				if cfg.AccessConfig.AuthenticationMode == ekstypes.AuthenticationModeConfigMap {
+					if err := eks.UpdateAuthConfigMap(cfg.NodeGroups, clientSet); err != nil {
+						return err
+					}
+				}
+
 				for _, ng := range cfg.NodeGroups {
-					// wait for nodes to join
 					if err := eks.WaitForNodes(ngCtx, clientSet, ng); err != nil {
 						return err
 					}
 				}
+				logger.Success("created %d nodegroup(s) in cluster %q", len(cfg.NodeGroups), cfg.Metadata.Name)
 
 				for _, ng := range cfg.ManagedNodeGroups {
 					if err := eks.WaitForNodes(ngCtx, clientSet, ng); err != nil {
 						return err
 					}
 				}
+				logger.Success("created %d managed nodegroup(s) in cluster %q", len(cfg.ManagedNodeGroups), cfg.Metadata.Name)
 			}
 		}
 		if postNodegroupAddons != nil && postNodegroupAddons.Len() > 0 {

Original file line number	Diff line number	Diff line change
`@@ -285,11 +285,17 @@ func (m *Manager) postNodeCreationTasks(ctx context.Context, clientSet kubernete`
`285`	`285`	`timeoutCtx, cancel := context.WithTimeout(ctx, m.ctl.AWSProvider.WaitTimeout())`
`286`	`286`	`defer cancel()`
`287`	`287`
`288`		`- if (!m.accessEntry.IsEnabled() && !api.IsDisabled(options.UpdateAuthConfigMap)) \|\| api.IsEnabled(options.UpdateAuthConfigMap) {`
	`288`	`+ // authorize self-managed nodes to join the cluster via aws-auth configmap`
	`289`	`+ // if EKS access entries are disabled OR`
	`290`	`+ if (!m.accessEntry.IsEnabled() && !api.IsDisabled(options.UpdateAuthConfigMap)) \|\|`
	`291`	`+ // if explicitly requested by the user`
	`292`	`+ api.IsEnabled(options.UpdateAuthConfigMap) {`
`289`	`293`	`if err := eks.UpdateAuthConfigMap(m.cfg.NodeGroups, clientSet); err != nil {`
`290`	`294`	`return err`
`291`	`295`	`}`
`292`	`296`	`}`
	`297`	`+`
	`298`	`+ // only wait for self-managed nodes to join if either authorization method is being used`
`293`	`299`	`if !api.IsDisabled(options.UpdateAuthConfigMap) {`
`294`	`300`	`for _, ng := range m.cfg.NodeGroups {`
`295`	`301`	`if err := eks.WaitForNodes(timeoutCtx, clientSet, ng); err != nil {`
`@@ -298,6 +304,7 @@ func (m *Manager) postNodeCreationTasks(ctx context.Context, clientSet kubernete`
`298`	`304`	`}`
`299`	`305`	`}`
`300`	`306`	`logger.Success("created %d nodegroup(s) in cluster %q", len(m.cfg.NodeGroups), m.cfg.Metadata.Name)`
	`307`	`+`
`301`	`308`	`for _, ng := range m.cfg.ManagedNodeGroups {`
`302`	`309`	`if err := eks.WaitForNodes(timeoutCtx, clientSet, ng); err != nil {`
`303`	`310`	`if m.cfg.PrivateCluster.Enabled {`
`@@ -308,8 +315,8 @@ func (m *Manager) postNodeCreationTasks(ctx context.Context, clientSet kubernete`
`308`	`315`	`}`
`309`	`316`	`}`
`310`	`317`	`}`
`311`		`-`
`312`	`318`	`logger.Success("created %d managed nodegroup(s) in cluster %q", len(m.cfg.ManagedNodeGroups), m.cfg.Metadata.Name)`
	`319`	`+`
`313`	`320`	`return nil`
`314`	`321`	`}`
`315`	`322`
Original file line number	Diff line number	Diff line change
`@@ -8,6 +8,7 @@ import (`
`8`	`8`	`"sync"`
`9`	`9`
`10`	`10`	`"github.com/aws/aws-sdk-go-v2/aws"`
	`11`	`+ ekstypes "github.com/aws/aws-sdk-go-v2/service/eks/types"`
`11`	`12`
`12`	`13`	`"github.com/aws/amazon-ec2-instance-selector/v2/pkg/selector"`
`13`	`14`	`"github.com/kris-nova/logger"`
`@@ -426,18 +427,28 @@ func doCreateCluster(cmd cmdutils.Cmd, ngFilter filter.NodeGroupFilter, params`
`426`	`427`	`} else {`
`427`	`428`	`ngCtx, cancel := context.WithTimeout(ctx, cmd.ProviderConfig.WaitTimeout)`
`428`	`429`	`defer cancel()`
	`430`	`+`
	`431`	`+ // authorize self-managed nodes to join the cluster via aws-auth configmap`
	`432`	`+ // only if EKS access entries are disabled`
	`433`	`+ if cfg.AccessConfig.AuthenticationMode == ekstypes.AuthenticationModeConfigMap {`
	`434`	`+ if err := eks.UpdateAuthConfigMap(cfg.NodeGroups, clientSet); err != nil {`
	`435`	`+ return err`
	`436`	`+ }`
	`437`	`+ }`
	`438`	`+`
`429`	`439`	`for _, ng := range cfg.NodeGroups {`
`430`		`- // wait for nodes to join`
`431`	`440`	`if err := eks.WaitForNodes(ngCtx, clientSet, ng); err != nil {`
`432`	`441`	`return err`
`433`	`442`	`}`
`434`	`443`	`}`
	`444`	`+ logger.Success("created %d nodegroup(s) in cluster %q", len(cfg.NodeGroups), cfg.Metadata.Name)`
`435`	`445`
`436`	`446`	`for _, ng := range cfg.ManagedNodeGroups {`
`437`	`447`	`if err := eks.WaitForNodes(ngCtx, clientSet, ng); err != nil {`
`438`	`448`	`return err`
`439`	`449`	`}`
`440`	`450`	`}`
	`451`	`+ logger.Success("created %d managed nodegroup(s) in cluster %q", len(cfg.ManagedNodeGroups), cfg.Metadata.Name)`
`441`	`452`	`}`
`442`	`453`	`}`
`443`	`454`	`if postNodegroupAddons != nil && postNodegroupAddons.Len() > 0 {`