From c95cf4402c8d3c1f71440c566a0b3d8caa2090b2 Mon Sep 17 00:00:00 2001
From: Florian Stadler
Date: Thu, 13 Jun 2024 23:12:05 +0200
Subject: [PATCH] Fix ManagedNodeGroup for cluster with API authentication mode (#1199)
Adding a ManagedNodeGroup to a cluster with API authentication mode fails because there's verification logic that expects the role for the EC2 instances to be present in the instanceRoles list of the cluster. If the necessary authentication configuration for the EC2 instances was added as access entries, this verification will fail. This change fixes that by excluding this check in case the cluster supports access entries. fixes #1197
---
 examples/custom-managed-nodegroup/index.ts | 8 +++++++-
 nodejs/eks/nodegroup.ts | 18 +++++++++++-------
 2 files changed, 18 insertions(+), 8 deletions(-)
diff --git a/examples/custom-managed-nodegroup/index.ts b/examples/custom-managed-nodegroup/index.ts
index 17212260c..76a82f675 100644
--- a/examples/custom-managed-nodegroup/index.ts
+++ b/examples/custom-managed-nodegroup/index.ts
@@ -23,7 +23,13 @@ const cluster = new eks.Cluster("example-managed-nodegroup", {
 publicSubnetIds: eksVpc.publicSubnetIds,
 // Private subnets will be used for cluster nodes
 privateSubnetIds: eksVpc.privateSubnetIds,
- instanceRoles: [instanceRole],
+ authenticationMode: eks.AuthenticationMode.API,
+ accessEntries: {
+ instanceRole: {
+ principalArn: instanceRole.arn,
+ type: eks.AccessEntryType.EC2_LINUX,
+ }
+ }
 });
 // Export the cluster's kubeconfig.
diff --git a/nodejs/eks/nodegroup.ts b/nodejs/eks/nodegroup.ts
index 720bea963..cfc65ab88 100644
--- a/nodejs/eks/nodegroup.ts
+++ b/nodejs/eks/nodegroup.ts
@@ -19,6 +19,7 @@ import * as pulumi from "@pulumi/pulumi";
 import * as crypto from "crypto";
 import * as netmask from "netmask";
+import { supportsAccessEntries } from "./authenticationMode";
 import { Cluster, ClusterInternal, CoreData } from "./cluster";
 import randomSuffix from "./randomSuffix";
 import { createNodeGroupSecurityGroup } from "./securitygroup";
@@ -1667,13 +1668,16 @@ function createManagedNodeGroupInternal(
 });
 });
- nodegroupRole.apply((role) => {
- if (!role) {
- throw new Error(
- `A managed node group cannot be created without first setting its role in the cluster's instanceRoles`,
- );
- }
- });
+ pulumi
+ .all([core.cluster.accessConfig.authenticationMode, nodegroupRole])
+ .apply(([authMode, role]) => {
+ // access entries can be added out of band, so we don't require them to be set in the cluster.
+ if (!supportsAccessEntries(authMode) && !role) {
+ throw new Error(
+ `A managed node group cannot be created without first setting its role in the cluster's instanceRoles`,
+ );
+ }
+ });
 // Compute the node group subnets to use.
 let subnetIds: pulumi.Output;
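Review bot: In the new `.apply` callback of the second nodegroup.ts hunk, a missing role is accepted silently whenever `supportsAccessEntries(authMode)` is true, so nothing at deploy time confirms that the node role is authorized to join the cluster. If that helper also returns true for a mixed API-and-ConfigMap mode (its body is not visible here), a role that is in neither `instanceRoles` nor an access entry passes this check, and the problem would presumably only surface later as nodes that never register. Consider keeping a signal for that case, e.g. `if (supportsAccessEntries(authMode) && !role) { pulumi.log.warn("node group role is not in the cluster's instanceRoles; an access entry for it must exist"); }`, and expanding the comment to `// Access entries can be created outside this component, so the role cannot be verified here; the caller must ensure an EC2 access entry exists for it.` `createManagedNodeGroupInternal` starts and ends outside the hunk.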