Support for setting init container options and per-pod security groups #617
Conversation
Supports setting the init container image and DISABLE_TCP_EARLY_DEMUX env var. This allows users to upgrade their version of the CNI, and to support per-pod security groups.
EDIT: I got this working with the python module by a hacky/half-implementation of #595 and copying the binary and some remaining files into my PATH. This PR works in our environment.
I have no idea why local tests should write their output to S3. That seems like an unrelated bug, which I've filed at #621
Nice - thanks!
On test coverage - it would be really nice to add a simple test that uses a newer CNI than the default - just to lock in that that works. Perhaps alongside examples/cluster but configured with the new input parameter supported here?
provider/cmd/pulumi-gen-eks/main.go
}, | ||
"disableTcpEarlyDemux": { | ||
TypeSpec: schema.TypeSpec{Type: "boolean"}, | ||
Description: "Allows the kubelet's liveness and readiness probes to connect via TCP when pod ENI is enabled. This will slightly increase local TCP connection latency.", |
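Review bot: the description for disableTcpEarlyDemux does not state its default, while the neighbouring descriptions in this file end with "Defaults to false."; add the same sentence here. It would also help users to say that the property maps to the DISABLE_TCP_EARLY_DEMUX env var on the init container (as the PR body states), so they can match it against the upstream CNI documentation.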
It's a little unfortunate, but for consistency, let's line wrap this similar to other descriptions in this file. (A little surprised we aren't getting a lint failure on this).
done
provider/cmd/pulumi-gen-eks/main.go
"of secondary ENI IP addresses. If set to true, the SNAT iptables rule and off-VPC " + | ||
"IP rule are not applied, and these rules are removed if they have already been " + | ||
"applied.\n\nDefaults to false.", | ||
}, |
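Review bot: dropping this property outright silently re-enables the SNAT iptables rule and off-VPC IP rule for any program that currently sets it to true, since the default described here is false and the removed input would be ignored rather than rejected. A deprecation that keeps the property working and emits a warning pointing at the replacement lets users migrate without an unnoticed change in egress behaviour.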
Should we deprecate this instead of removing it in case users are depending on it?
Probably not related to this PR - but the inconsistency that some of these are cni... and others aren't is a little odd. It actually feels like we most likely want to standardize on not including the cni prefix (since these are all properties of the VpcCni anyway. In which case, it might make sense to deprecate the other one instead? (And file an issue to track aligning the remaining too cni... property names with the naming scheme?
+1 on deprecating instead. If you want to back this change out and open an issue about the duplication instead, we can address that separately and in the process standardize the properties as Luke suggested.
I've backed it out, and am filing a new issue for this.
Thanks for taking this on! Looks great. Could you take a look at a couple of the suggestions and add a test as Luke mentioned?
add custom images to cluster example, and reduce line length in disableTcpEarlyDemux description.
I've backed out the
vpcCniOptions: { | ||
image: "602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni:v1.9.0", | ||
initImage: "602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni-init:v1.9.0", | ||
}, |
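Review bot: the example pins both images to v1.9.0 but nothing in the test asserts that the cluster actually runs them, so a regression in how vpcCniOptions is wired through would still pass. Export the relevant parts of the aws-node DaemonSet spec from index.ts (the image of the main container, the image and env of the init container) and compare them against these two strings in the test; keeping the image and initImage tags in lockstep, as done here, is the right call.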
Would be nice to ensure the VPC CNI options were actually honored as well. The validation could be added here.
You might have to export some additional information, e.g. the spec from index.ts.
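A concrete form of the validation asked for above, written as an added example for this page rather than code from the pulumi-eks project or from the PR author: it reads the rendered aws-node DaemonSet (the JSON that `kubectl -n kube-system get ds aws-node -o json` returns, here replaced by a constructed sample) and reports any mismatch between the configured VPC CNI options and what the DaemonSet actually carries. It assumes the DaemonSet and its main container are both named `aws-node`, that the init container is the first entry in `initContainers`, and that DISABLE_TCP_EARLY_DEMUX is set as an env var on that init container; the image strings are the ones used in the example above.

```python
# Added example (not part of the pulumi-eks PR or project): verify that a
# rendered aws-node DaemonSet honours the configured VPC CNI options.
# Assumptions: DaemonSet and main container are named "aws-node", the init
# container is the first initContainer, and DISABLE_TCP_EARLY_DEMUX lives
# in that init container's env.
import json

# Constructed sample of `kubectl -n kube-system get ds aws-node -o json`,
# trimmed to the fields this check reads.
SAMPLE_DAEMONSET = json.dumps({
    "kind": "DaemonSet",
    "metadata": {"name": "aws-node", "namespace": "kube-system"},
    "spec": {"template": {"spec": {
        "initContainers": [{
            "name": "aws-vpc-cni-init",
            "image": "602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni-init:v1.9.0",
            "env": [{"name": "DISABLE_TCP_EARLY_DEMUX", "value": "true"}],
        }],
        "containers": [{
            "name": "aws-node",
            "image": "602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni:v1.9.0",
            "env": [{"name": "AWS_VPC_K8S_CNI_EXTERNALSNAT", "value": "false"}],
        }],
    }}},
})


def cni_settings(daemonset_json: str) -> dict:
    """Pull the three settings under review out of a DaemonSet object."""
    ds = json.loads(daemonset_json)
    if ds.get("kind") != "DaemonSet" or ds["metadata"].get("name") != "aws-node":
        raise ValueError("expected the aws-node DaemonSet")
    pod = ds["spec"]["template"]["spec"]
    main = next((c for c in pod.get("containers", []) if c.get("name") == "aws-node"), None)
    inits = pod.get("initContainers", [])
    init = inits[0] if inits else None
    init_env = {e["name"]: e.get("value") for e in (init or {}).get("env", [])}
    return {
        "image": main.get("image") if main else None,
        "initImage": init.get("image") if init else None,
        # The env var is a string; an absent var means the CNI default (not disabled).
        "disableTcpEarlyDemux": init_env.get("DISABLE_TCP_EARLY_DEMUX", "false").lower() == "true",
    }


def check_vpc_cni_options(daemonset_json: str, image: str, init_image: str,
                          disable_tcp_early_demux: bool) -> list:
    """Return human-readable mismatches; an empty list means the options were honoured."""
    actual = cni_settings(daemonset_json)
    expected = {"image": image, "initImage": init_image,
                "disableTcpEarlyDemux": disable_tcp_early_demux}
    return [f"{k}: expected {expected[k]!r}, got {actual[k]!r}"
            for k in expected if actual[k] != expected[k]]


if __name__ == "__main__":
    problems = check_vpc_cni_options(
        SAMPLE_DAEMONSET,
        image="602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni:v1.9.0",
        init_image="602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni-init:v1.9.0",
        disable_tcp_early_demux=True,
    )
    print("ok" if not problems else "\n".join(problems))
```

In a real test the sample would be replaced by the DaemonSet spec exported from the Pulumi program (or fetched with kubectl after `pulumi up`), and the expected values would be the same strings passed in vpcCniOptions; the check failing on an image tag or on the demux flag is exactly the regression the reviewer wants the test to catch.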
My typescript/javascript skills are pretty much non-existent. I'm unsure how to export these.
I've tried:
export const image2 = cluster2.core.vpcCni.image;
export const initImage2 = cluster2.core.vpcCni.initImage;
but I get:
index.ts(36,45): error TS2339: Property 'image' does not exist on type 'VpcCni'.
index.ts(37,49): error TS2339: Property 'initImage' does not exist on type 'VpcCni'.
Could you remove this from the PR body since it was backed out?
Done
So, @viveklak, I'm afraid we don't have the expertise in house at @MaterializeInc to get the test suite properly amended for this change. This package in particular is really tricky to develop on locally! The good news is that I managed to ship a fork of
No worries and glad this worked for you. I will verify this on my end tomorrow and merge, then follow up with any test related updates. Thanks for taking the time to make the change!
Hi all, looks like there are some merge conflicts that need to be resolved before this can be merged. Does anyone with write access have some time to resolve the conflict?
PR is now waiting for a maintainer to run the acceptance tests. This PR will only perform build and linting.
@viveklak Any update on this? It's been working great for us on our fork for close to two months now. We'd love to point back at the upstream soon, but we can't until this is merged.
/run-acceptance-tests
Please view the PR build - https://github.com/pulumi/pulumi-eks/actions/runs/1437579302
I have confirmed the changes work. However, the command dispatch workflow used to validate external PRs seems to be currently broken due to schema change detection not being able to get access to the originating workflow. We are looking to fix this but I would like to get this change in, so I opened #631 which pulls in these changes and adds a test to validate. I'd like to close this in favor of #631. Huge thanks for the contribution @alex-hunt-materialize and team!
Thanks @alex-hunt-materialize! 🚀
Thank you all for merging it :)
🙌🏾 - I will cut a release shortly.
Proposed changes
Supports setting the init container image and DISABLE_TCP_EARLY_DEMUX env var.
This allows users to upgrade their version of the CNI, and to support per-pod security groups.
Related issues
Fixes #619
Fixes #620
Relates to, but doesn't solve: #622