✨ Add support for Ignition-based bootstrap data and Flatcar Container Linux

[invidian]

What type of PR is this?

/kind feature

What this PR does / why we need it:

This PR adds support for handling bootstrap data in Ignition format, which will hopefully be produced by CABPK v1alpha4 implemented by PR kubernetes-sigs/cluster-api#4172 (not merged yet).

As Ignition does not plan to support multi part mime for user-data (coreos/ignition#1072), this PR implements support for putting bootstrap data in Ignition format in S3 bucket, to workaround the 64kb limitation on user-data for EC2 instances.

Similarly to SSM support, bootstrap data is removed after node has successfully bootstrapped.

Right now single S3 bucket is used for each cluster, as we need a single place to control bucket policies, which are used to restrict access for control-plane and worker nodes to only be able to access their own bootstrap data.

Finally, new template is added tailored for Flatcar Container Linux, which contains references to right now unofficial AMIs, though Flatcar support is fully added in image-builder already.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #1979
Refs #1875

Special notes for your reviewer:

This PR can't probably be merged at this point yet. We probably need to wait until CAPI PR is merged and released, but as this PR goes in pair with CAPI one, it would be awesome to be able to get some early feedback on the approach taken.

@dongsupark is also working on adding e2e tests for it.

Checklist:

• includes documentation
• adds unit tests
• adds or updates e2e tests

Release note:

Added support for bootstrap data in Ignition format and for Flatcar Container Linux

[k8s-ci-robot]

Welcome @invidian!

It looks like this is your first PR to kubernetes-sigs/cluster-api-provider-aws 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/cluster-api-provider-aws has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @invidian. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[MarcelMue]

I can't find the time to do a full review, have some comments for now :)

[richardcase]

/ok-to-test

[richardcase]

Really looking forward to this change!!

Some initial comments but will take a proper look

[richardcase]

@invidian - we should have some e2e tests around this. Perhaps to keep the change smaller we could do that in a follow-up PR?

[invidian]

@invidian - we should have some e2e tests around this. Perhaps to keep the change smaller we could do that in a follow-up PR?

From PR description:

This PR can't probably be merged at this point yet. We probably need to wait until CAPI PR is merged and released, but as this PR goes in pair with CAPI one, it would be awesome to be able to get some early feedback on the approach taken.

@dongsupark is also working on adding e2e tests for it.

However, if you think e2e tests could be added at later stage, that would be awesome :)

[randomvariable]

I'll take a look at this early next week. I would really like e2e tests for this as these pieces are non-trivial and have been a frequent source of bugs.

Will this work with vanilla Flatcar AMIs or do we need to build some?

[dongsupark]

@randomvariable
e2e tests are still in progress.

We need capa-ami-flatcar-* AMIs instead of vanilla Flatcar ones.
For example, ami-00c62700208b5b333 (capa-ami-flatcar-stable-1.19.7-00-1612279141) in eu-central-1.

[randomvariable]

This is all in Image Builder, isn't it? If so, we can start publishing them in the same account as the rest of the AMIs.

[invidian]

This is all in Image Builder, isn't it? If so, we can start publishing them in the same account as the rest of the AMIs.

Yes, it's all in upstream Image Builder.

[invidian]

@randomvariable I just pushed passing e2e tests. Right now they require custom CAPI images and manifests, as mentioned before. We run tests locally and they all pass.

[randomvariable]

@invidian Thanks. I'll take a look, we'll aim to get this into v0.6.5

[vincepri]

I'm a bit concerned about the amount of changes we need to make to an infrastructure provider to support a new bootstrapper. Have you all thought if this is the best way forward?

[k8s-ci-robot]

@invidian: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-cluster-api-provider-aws-apidiff-main	0db23d4	link	false	/test pull-cluster-api-provider-aws-apidiff-main

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[richardcase]

Thanks for the docs and subsequent small changes @invidian.

Based on the conversation ^^^^ and the agreement to follow up on certain items as PRs after this, from my side:

/lgtm

[sedefsavas]

Thanks all, this could be the largest PR that is going in for a while.

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sedefsavas

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [sedefsavas]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[invidian]

Thanks a lot for approving @sedefsavas! I'm really happy this work didn't get stale and eventually got merged.

In case you want me to address unresolved conversations, they are linked in this comment: #2271 (comment). They got wrapped by GitHub, so they are not easy to reach anymore.