Moving to shared provisioner and splitting pause container image logic

nodeadm/cmd/nodeadm/main.go

@@ -6,6 +6,7 @@ import (
 
 	"github.com/awslabs/amazon-eks-ami/nodeadm/cmd/nodeadm/config"
 	initcmd "github.com/awslabs/amazon-eks-ami/nodeadm/cmd/nodeadm/init"
+	"github.com/awslabs/amazon-eks-ami/nodeadm/cmd/nodeadm/runtime"
 	"github.com/awslabs/amazon-eks-ami/nodeadm/internal/cli"
 )
 
@@ -20,6 +21,7 @@ func main() {
 	cmds := []cli.Command{
 		config.NewConfigCommand(),
 		initcmd.NewInitCommand(),
+		runtime.NewRuntimeCommand(),
 	}
 
 	for _, cmd := range cmds {

nodeadm/cmd/nodeadm/runtime/ecr-uri.go

@@ -0,0 +1,49 @@
+package runtime
+
+import (
+	"context"
+	"fmt"
+	"os"
+
+	awsimds "github.com/aws/aws-sdk-go-v2/feature/ec2/imds"
+	"github.com/awslabs/amazon-eks-ami/nodeadm/internal/aws/ecr"
+	"github.com/awslabs/amazon-eks-ami/nodeadm/internal/aws/imds"
+	"github.com/awslabs/amazon-eks-ami/nodeadm/internal/cli"
+	"github.com/integrii/flaggy"
+	"go.uber.org/zap"
+)
+
+type ecrUriCmd struct {
+	cmd    *flaggy.Subcommand
+	region string
+}
+
+func NewEcrUriCommand() cli.Command {
+	c := ecrUriCmd{
+		cmd: flaggy.NewSubcommand("ecr-uri"),
+	}
+	c.cmd.Description = "Verify configuration"
+	c.cmd.String(&c.region, "r", "region", "the region to check the ECR URI for")
+	return &c
+}
+
+func (c *ecrUriCmd) Flaggy() *flaggy.Subcommand {
+	return c.cmd
+}
+
+func (c *ecrUriCmd) Run(log *zap.Logger, opts *cli.GlobalOptions) error {
+	if c.region == "" {
+		regionResponse, err := imds.Client.GetRegion(context.Background(), &awsimds.GetRegionInput{})
+		if err != nil {
+			return err
+		}
+		c.region = regionResponse.Region
+		fmt.Fprintf(os.Stderr, "detected region using IMDS: %s", c.region)
+	}
+	registry, err := ecr.GetEKSRegistry(c.region)
+	if err != nil {
+		return err
+	}
+	fmt.Println(registry)
+	return nil
+}

nodeadm/cmd/nodeadm/runtime/root.go

@@ -0,0 +1,11 @@
+package runtime
+
+import (
+	"github.com/awslabs/amazon-eks-ami/nodeadm/internal/cli"
+)
+
+func NewRuntimeCommand() cli.Command {
+	container := cli.NewCommandContainer("runtime", "Runtime configuration utilities")
+	container.AddCommand(NewEcrUriCommand())
+	return container.AsCommand()
+}

nodeadm/internal/aws/ecr/ecr.go

@@ -116,8 +116,7 @@ var accountsByRegion = map[string]string{
 
 // getEKSRegistryCoordinates returns an AWS region and account ID for the default EKS ECR container image registry
 func getEKSRegistryCoordinates(region string) (string, string) {
-	inRegionRegistry, ok := accountsByRegion[region]
-	if ok {
+	if inRegionRegistry, ok := accountsByRegion[region]; ok {
 		return inRegionRegistry, region
 	}
 	if strings.HasPrefix(region, "us-gov-") {

templates/al2/provisioners/install-worker.sh

@@ -367,21 +367,6 @@ sudo chmod +x /etc/eks/bootstrap.sh
 sudo mv $WORKING_DIR/max-pods-calculator.sh /etc/eks/max-pods-calculator.sh
 sudo chmod +x /etc/eks/max-pods-calculator.sh
 
-################################################################################
-### Pause Container ############################################################
-################################################################################
-
-# pull the pause container and cache it under localhost so that the regional
-# images do not matter from now on.
-
-sudo systemctl enable containerd --now
-PAUSE_CONTAINER="${ECR_URI}/eks/pause:${PAUSE_CONTAINER_VERSION}"
-sudo ctr --namespace k8s.io content fetch ${PAUSE_CONTAINER} --user AWS:$(aws ecr get-login-password --region $BINARY_BUCKET_REGION)
-sudo ctr --namespace k8s.io image tag ${PAUSE_CONTAINER} "localhost/kubernetes/pause:0.1.0"
-sudo ctr --namespace k8s.io image rm ${PAUSE_CONTAINER}
-# might not be necessary
-sudo ctr --namespace=k8s.io image label "localhost/kubernetes/pause:0.1.0" io.cri-containerd.pinned=pinned
-
 ################################################################################
 ### ECR CREDENTIAL PROVIDER ####################################################
 ################################################################################

templates/al2/template.json

@@ -208,6 +208,18 @@
         "WORKING_DIR={{user `working_dir`}}"
       ]
     },
+    {
+      "type": "shell",
+      "remote_folder": "{{ user `remote_folder`}}",
+      "script": "{{template_dir}}/../shared/provisioners/cache-pause-container.sh",
+      "environment_vars": [
+        "AWS_ACCESS_KEY_ID={{user `aws_access_key_id`}}",
+        "AWS_SECRET_ACCESS_KEY={{user `aws_secret_access_key`}}",
+        "AWS_SESSION_TOKEN={{user `aws_session_token`}}",
+        "AWS_REGION={{user `aws_region`}}",
+        "PAUSE_CONTAINER_CMD=echo $(/etc/eks/get-ecr-uri.sh \"{{user `aws_region`}}\" \"$(imds 'latest/meta-data/services/domain')\")/eks/pause:3.5"
+      ]
+    },
     {
       "type": "shell",
       "remote_folder": "{{ user `remote_folder`}}",

templates/al2023/provisioners/install-worker.sh

@@ -187,21 +187,6 @@ done
 
 sudo rm ./*.sha256
 
-################################################################################
-### Pause Container ############################################################
-################################################################################
-
-# pull the pause container and cache it under localhost so that the regional
-# images do not matter from now on.
-
-sudo systemctl enable containerd --now
-PAUSE_CONTAINER="${ECR_URI}/eks/pause:${PAUSE_CONTAINER_VERSION}"
-sudo ctr --namespace k8s.io content fetch ${PAUSE_CONTAINER} --user AWS:$(aws ecr get-login-password --region $BINARY_BUCKET_REGION)
-sudo ctr --namespace k8s.io image tag ${PAUSE_CONTAINER} "localhost/kubernetes/pause:0.1.0"
-sudo ctr --namespace k8s.io image rm ${PAUSE_CONTAINER}
-# might not be necessary
-sudo ctr --namespace=k8s.io image label "localhost/kubernetes/pause:0.1.0" io.cri-containerd.pinned=pinned
-
 ################################################################################
 ### ECR Credential Provider Binary #############################################
 ################################################################################

templates/al2023/template.json

@@ -217,6 +217,18 @@
         "PROJECT_DIR={{user `working_dir`}}/nodeadm"
       ]
     },
+    {
+      "type": "shell",
+      "remote_folder": "{{ user `remote_folder`}}",
+      "script": "{{template_dir}}/../shared/provisioners/cache-pause-container.sh",
+      "environment_vars": [
+        "AWS_ACCESS_KEY_ID={{user `aws_access_key_id`}}",
+        "AWS_SECRET_ACCESS_KEY={{user `aws_secret_access_key`}}",
+        "AWS_SESSION_TOKEN={{user `aws_session_token`}}",
+        "AWS_REGION={{user `aws_region`}}",
+        "PAUSE_CONTAINER_CMD=echo $(nodeadm runtime ecr-uri)/eks/pause:3.5"
+      ]
+    },
     {
       "type": "shell",
       "remote_folder": "{{ user `remote_folder`}}",

templates/shared/provisioners/cache-pause-container.sh

@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+set -o nounset
+set -o errexit
+set -o pipefail
+
+LOCAL_REF=${LOCAL_REF:-"localhost/kubernetes/pause:0.1.0"}
+PAUSE_CONTAINER=${PAUSE_CONTAINER:-$(eval "${PAUSE_CONTAINER_CMD}")}
+
+sudo systemctl start containerd
+
+sudo ctr --namespace k8s.io content fetch ${PAUSE_CONTAINER} --user AWS:$(aws ecr get-login-password)
+sudo ctr --namespace k8s.io image tag ${PAUSE_CONTAINER} ${LOCAL_REF}
+# store the archive locally just in case so that it can be imported in the future.
+sudo ctr --namespace k8s.io image export /etc/eks/pause.tar ${LOCAL_REF}
+# labels the image using a CRI aware key. might not be necessary
+sudo ctr --namespace=k8s.io image label ${LOCAL_REF} io.cri-containerd.pinned=pinned