Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: support cluster_security_group_tags and node_security_group_tags #557

Merged
merged 6 commits into from
May 26, 2022
Merged

feat: support cluster_security_group_tags and node_security_group_tags #557

merged 6 commits into from
May 26, 2022

Conversation

armujahid
Copy link
Contributor

@armujahid armujahid commented May 17, 2022
edited
Loading

What does this PR do?

This PR adds cluster_security_group_tags and node_security_group_tags support.
I just propagated both variables to https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/latest

Motivation

Nginx (and AWS load balancer) controller expects one security group in Node otherwise this error is thrown

Error updating load balancer with new hosts map[1, 2, ....]: Multiple tagged security groups found for instance <instance id>; ensure only the k8s security group is tagged; the tagged groups were ....

Currently If we run karpenter example with nginx then we get this error because kubernetes.io/cluster/${eks-cluster-id}: owned returns two security groups:
image

References:

More

  • Yes, I have tested the PR using my local account setup (Provide any test evidence report under Additional Notes)
  • Yes, I have added a new example under examples to support my PR
  • Yes, I have created another PR for add-ons under add-ons repo (if applicable)
  • Yes, I have updated the docs for this feature
  • Yes, I ran pre-commit run -a with this PR

Note: Not all the PRs required examples and docs except a new pattern or add-on added.

For Moderators

  • E2E Test successfully complete before merge?

Additional Notes

I will also update karpenter example in next PR to use "karpenter.sh/discovery" = local.cluster_name security group selector in provisioner below node_security_group_tags will also be added in "eks_blueprints" module block to avoid any issue with Nginx.

  node_security_group_tags = {
    "karpenter.sh/discovery" = local.cluster_name
  }

@bryantbiggs bryantbiggs temporarily deployed to EKS Blueprints Test May 22, 2022 16:20 Inactive
@armujahid
Copy link
Contributor Author

All checks are now Green :)

@bryantbiggs
Copy link
Contributor

Thanks @armujahid - are there additional changes to be made in this PR? Looking at the information provided above, specifically:

I will also update karpenter example in next PR to use "karpenter.sh/discovery" = local.cluster_name security group selector in provisioner below node_security_group_tags will also be added in "eks_blueprints" module block to avoid any issue with Nginx.

@armujahid
Copy link
Contributor Author

@bryantbiggs This PR is complete from my side. I will do karpenter example changes in a separate PR.

@bryantbiggs
Copy link
Contributor

Can we include those changes here so we show the motivation behind adding the additional tags?

@armujahid
Copy link
Contributor Author

Sure. I will push changes here.

@armujahid
examples/karpenter: use only node_security_group in default_provsioner
f1399ba 
Currenly default provsioner uses both node_security_group and cluster_security_group which causes issues with ingress controllers
@armujahid armujahid had a problem deploying to EKS Blueprints Test May 22, 2022 19:13 Failure
@armujahid
Copy link
Contributor Author

pushed :)

@armujahid armujahid had a problem deploying to EKS Blueprints Test May 23, 2022 05:25 Failure
@armujahid armujahid had a problem deploying to EKS Blueprints Test May 23, 2022 16:08 Failure
@bryantbiggs bryantbiggs had a problem deploying to EKS Blueprints Test May 23, 2022 16:16 Failure
@armujahid armujahid temporarily deployed to EKS Blueprints Test May 26, 2022 07:57 Inactive
@armujahid
Copy link
Contributor Author

Checks are now green after merging main.

bryantbiggs
bryantbiggs approved these changes May 26, 2022
View reviewed changes
Copy link
Contributor

@bryantbiggs bryantbiggs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @armujahid !

@bryantbiggs bryantbiggs merged commit 576258e into aws-ia:main May 26, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bryantbiggs bryantbiggs bryantbiggs approved these changes

@askulkarni2 askulkarni2 Awaiting requested review from askulkarni2

@kcoleman731 kcoleman731 Awaiting requested review from kcoleman731

@vara-bonthu vara-bonthu Awaiting requested review from vara-bonthu

@Zvikan Zvikan Awaiting requested review from Zvikan

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@armujahid @bryantbiggs