pulumi-eks

Defaulted aws-auth ConfigMap creation to upsert, added optional ConfigMap update in place property to cluster

Open JaseKirby opened this issue 1 year ago • 4 comments

Proposed changes

This PR does two things:

1. Defaults aws-auth ConfigMap management to an upsert operation. This ensures Pulumi takes full control of the ConfigMap regardless of whether it already exists, eliminating any possible race conditions that could occur and the error popping up stating the aws-auth ConfigMap already exists.

2. Adds an optional enableConfigMapMutable property to pass to the cluster's Pulumi k8s provider that will allow for updating the aws-auth ConfigMap in place over the default replace operation. A replace operation for this particular ConfigMap can be especially dangerous if some failure blocks recreation after a delete, as default M2M auth entries would get wiped, as we have seen already intermittently in cluster provisioning workflows: error: resource kube-system/aws-auth was not successfully created by the Kubernetes API server : configmaps "aws-auth" already exists

The enableConfigMapMutable property is optional because docs denote it is still in preview, and if consumers of this library re-use the exposed cluster k8s provider downstream, it could have unintended effects on their k8s deployment workflows. AWS documentation like https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html always advises updating/applying/patching this ConfigMap in place.

Related issues (optional)

https://github.com/pulumi/pulumi-eks/issues/918
https://github.com/pulumi/pulumi-eks/issues/883

JaseKirby avatar Dec 05 '23 23:12 JaseKirby
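The failure modes described in the PR description above, as an added example that is not code from this PR or from pulumi-eks: a small in-memory model compares create-only, delete-then-create (replace) and upsert against an aws-auth ConfigMap that already exists. `FakeApiServer`, `strategies`, `run` and the role ARNs are constructed for illustration and do not call the Kubernetes or Pulumi APIs.

```javascript
// Constructed in-memory stand-in for the Kubernetes API server; not a real client.
class FakeApiServer {
  constructor(initial = {}) {
    this.objects = new Map(Object.entries(initial));
    this.failNextWrite = false; // simulate a transient failure on the next write
  }
  write(name, data, mustNotExist) {
    if (this.failNextWrite) {
      this.failNextWrite = false;
      throw new Error("transient API failure");
    }
    if (mustNotExist && this.objects.has(name)) {
      throw new Error(`configmaps "${name.split("/")[1]}" already exists`);
    }
    this.objects.set(name, data);
  }
  create(name, data) { this.write(name, data, true); }
  apply(name, data) { this.write(name, data, false); } // upsert: create or overwrite
  delete(name) { this.objects.delete(name); }
}

const NAME = "kube-system/aws-auth";
// Constructed sample data: the node role mapping that already exists in the
// cluster, and the desired state that adds one more role (placeholder ARNs).
const EXISTING = { mapRoles: "- rolearn: arn:aws:iam::111122223333:role/node-role" };
const DESIRED = { mapRoles: EXISTING.mapRoles + "\n- rolearn: arn:aws:iam::111122223333:role/ci-role" };

const strategies = {
  create: (api) => api.create(NAME, DESIRED),
  replace: (api) => { api.delete(NAME); api.create(NAME, DESIRED); },
  upsert: (api) => api.apply(NAME, DESIRED),
};

// Run one strategy against a cluster that already has aws-auth and report
// the error (if any) plus what is left in the cluster afterwards.
function run(strategy, failWrite = false) {
  const api = new FakeApiServer({ [NAME]: EXISTING });
  api.failNextWrite = failWrite;
  let error = null;
  try { strategies[strategy](api); } catch (e) { error = e.message; }
  return { error, live: api.objects.get(NAME) ?? null };
}

console.log("create:", run("create"));
console.log("replace, write fails:", run("replace", true));
console.log("upsert, write fails:", run("upsert", true));
```

In the model, a failed write during replace leaves no aws-auth ConfigMap at all, while a failed upsert leaves the existing node role mapping in place.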

PR is now waiting for a maintainer to run the acceptance tests. This PR will only perform build and linting. Note for the maintainer: To run the acceptance tests, please comment /run-acceptance-tests on the PR

github-actions[bot] avatar Dec 05 '23 23:12 github-actions[bot]

PR is now waiting for a maintainer to run the acceptance tests. This PR will only perform build and linting. Note for the maintainer: To run the acceptance tests, please comment /run-acceptance-tests on the PR

github-actions[bot] avatar Dec 06 '23 15:12 github-actions[bot]

/run-acceptance-tests

rquitales avatar Dec 12 '23 03:12 rquitales

Thanks for the PR @JaseKirby. It looks like this is the correct direction to solve the linked issues. It looks like only the nodejs SDK was updated though, so we'll need to replicate this in the other supported languages as well.

rquitales avatar Dec 12 '23 03:12 rquitales

PR is now waiting for a maintainer to run the acceptance tests. This PR will only perform build and linting. Note for the maintainer: To run the acceptance tests, please comment /run-acceptance-tests on the PR

github-actions[bot] avatar Mar 27 '24 00:03 github-actions[bot]

/run-acceptance-tests

rquitales avatar Mar 27 '24 00:03 rquitales

Please view the PR build - https://github.com/pulumi/pulumi-eks/actions/runs/8445018952

pulumi-bot avatar Mar 27 '24 00:03 pulumi-bot

Thanks for the initial submission. I've updated the PR to also expose the new argument to the other supported SDK languages.

rquitales avatar Mar 27 '24 01:03 rquitales