Add tagging support for AWS Keypairs #9533
Conversation
k8s-ci-robot
added
do-not-merge/work-in-progress
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: rifelpet The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
area/provider/aws
|
/test pull-kops-e2e-kubernetes-aws |
cloudmock/aws/mockec2/keypairs.go
Outdated
| @@ -50,18 +50,25 @@ func (m *MockEC2) ImportKeyPair(request *ec2.ImportKeyPairInput) (*ec2.ImportKey | |||
| return nil, err | |||
| } | |||
|
|
|||
| n := len(m.DhcpOptions) + 1 | |||
cloudmock/aws/mockec2/keypairs.go
Outdated
| o := m.KeyPairs[id] | ||
| if o == nil { | ||
| return nil, fmt.Errorf("KeyPairs %q not found", id) | ||
| name := aws.StringValue(request.KeyName) |
There was a problem hiding this comment.
Can we / should we now delete by id?
| tags = { | ||
| "KubernetesCluster" = "existing-iam.example.com" | ||
| "Name" = "existing-iam.example.com" | ||
| "kubernetes.io/cluster/existing-iam.example.com" = "owned" |
There was a problem hiding this comment.
Yes, I think this should be shared, because we don't delete it (we couldn't safely delete it before); so it does behave more like "shared"
There was a problem hiding this comment.
Actually, scratch that - I'm wrong! We do delete the keypairs, which is why we have the cluster name in the prefix, so owned is correct.
|
Generally LGTM. I was a little confused as to whether we delete keys or not; because/if we do, it should be 'owned', which is what you've done 👍
Can we have duplicate SSH key names now? I assume we can't, so I would imagine if we dropped the prefix that we might get collisions if someone used the same SSH key for two clusters in the same region? |
|
This is ready for review. I had to make the SSHKey task aware of whether it is Shared or not. The intent is to not add any tags to keys that are specified in the ClusterSpec.sshKeyName. These tags aren't consumed by anything else (unlike shared VPC and Subnet tags) and may collide with tags from other clusters that also use the same sshKeyName, so I thought it was better to just not add the tags at all. In order to do that, we have to specify whether the key is shared or not. Previously we had the same task behavior regardless of whether a key was defined via sshKeyName or via a SSHPublicKey secret. I tested the following scenarios:
|
rifelpet
changed the title
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
k8s-ci-robot
added
size/XL
k8s-ci-robot
added
size/L
|
/lgtm |
k8s-ci-robot
added
the
lgtm
AWS recently added tagging support for keypairs as well as autogenerated IDs. This adds the usual cloud tags to keypairs as seen in the integration test outputs.
WIP while I figure out how to handle keys that are shared with the cluster rather than created by kops- would we tag it with "shared" like with do VPCs and Subnets or do we not tag it at all?
Also need to double check how kops deletes keypairs during a
delete clusterand make sure these tags don't affect that process.ref: #9640
At this point we could probably drop the cluster name prefix from key names but that's probably not necessary.