Fix reusing instanceRoleARN for nodegroups authorized with access entry #7707
Merged
cPu1 merged 4 commits into eksctl-io:main on Apr 24, 2024
TiberiuGC (Contributor) reviewed on Apr 15, 2024 and left a comment:
Shall we also update the integration tests to cover the scenario described in the bug?
Otherwise, LGTM! 🚀
Author (Contributor):
Yup, I have been working on it (I should have added it as a TODO item).
Author (Contributor):
The integration test is currently blocked on testing as the integration test account lacks certain permissions.
Author (Contributor):
Integration tests are passing now.
…ries This changelist changes the design of creating access entries for self-managed nodegroups that use a pre-existing instanceRoleARN by creating the access entry resource outside of the CloudFormation stack by making a separate call to the AWS API. When deleting such a nodegroup, it's the user's responsibility to also delete the corresponding access entry when no more nodegroups are associated with it. This is because eksctl cannot tell if an access entry resource is still in use by non-eksctl created self-managed nodegroups. Self-managed nodegroups not using a pre-existing instanceRoleARN will continue to have the access entry resource in the CloudFormation stack, making delete nodegroup an atomic operation for most use cases. Fixes eksctl-io#7502
TiberiuGC approved these changes on Apr 23, 2024
Description
This changelist changes the design of creating access entries for self-managed nodegroups that use a pre-existing instanceRoleARN by creating the access entry resource outside of the CloudFormation stack by making a separate call to the AWS API. When deleting such a nodegroup, it's the user's responsibility to also delete the corresponding access entry when no more nodegroups are associated with it. This is because eksctl cannot tell if an access entry resource is still in use by non-eksctl created self-managed nodegroups.

Self-managed nodegroups not using a pre-existing instanceRoleARN will continue to have the access entry resource in the CloudFormation stack, making delete nodegroup an atomic operation for most use cases.

Fixes #7502
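An added example (not part of the pull request or eksctl's code) of the manual cleanup the description leaves to the user: a POSIX shell check, using the AWS CLI, that deletes the access entry for a pre-existing instance role only when no EC2 instance still runs with that role. The function names, and the rule that a role is "in use" while a non-terminated instance in the current region carries an instance profile containing it, are assumptions; a nodegroup scaled to zero has no instances, so review those by hand first.

```shell
#!/bin/sh
# Added example, not eksctl code. Requires the AWS CLI with credentials and region set.
# Assumption: a role is "in use" while a non-terminated EC2 instance carries an
# instance profile that contains it.

# role_in_use ROLE_ARN -> 0 in use, 1 not in use, 2 AWS CLI error
role_in_use() {
  _name=${1##*/}   # role name = last path segment of the role ARN
  _profiles=$(aws iam list-instance-profiles-for-role --role-name "$_name" \
    --query 'InstanceProfiles[].Arn' --output text) || return 2
  for _p in $_profiles; do
    _n=$(aws ec2 describe-instances \
      --filters "Name=iam-instance-profile.arn,Values=$_p" \
        "Name=instance-state-name,Values=pending,running,stopping,stopped" \
      --query 'length(Reservations[].Instances[])' --output text) || return 2
    [ "$_n" -gt 0 ] && return 0
  done
  return 1
}

# remove_stale_access_entry CLUSTER ROLE_ARN
# Prints "kept" or "deleted"; never deletes when the usage check itself fails.
remove_stale_access_entry() {
  _rc=0
  role_in_use "$2" || _rc=$?
  case $_rc in
    0) echo "kept" ;;
    1) aws eks delete-access-entry --cluster-name "$1" --principal-arn "$2" \
         >/dev/null && echo "deleted" ;;
    *) echo "usage check failed, access entry left in place" >&2; return 2 ;;
  esac
}

# Usage (placeholder values):
#   remove_stale_access_entry my-cluster arn:aws:iam::111122223333:role/my-node-role
```

Leaving the entry in place after the last nodegroup is gone keeps the role authorized to join the cluster as a node; deleting it while other nodegroups still use the role stops their nodes from authenticating.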