Handle unordered public endpoint CIDRs from EKS in endpoint updates

For some clusters, EKS can return the list of public endpoint CIDRs out of order, and won't allow updates where the incoming and current sets have set equality (i.e. regardless of order of CIDR entries). This change restores the set equality check that was removed in commit 72605fb and adds an additional test case to cover this case.
eksctl-io · Jan 16, 2024 · d09d501 · d09d501
1 parent b9e936c
commit d09d501
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 1 deletion.
diff --git a/pkg/ctl/utils/vpc_helper.go b/pkg/ctl/utils/vpc_helper.go
@@ -6,6 +6,7 @@ import (
 
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/kris-nova/logger"
+	"k8s.io/apimachinery/pkg/util/sets"
 
 	"golang.org/x/exp/slices"
 
@@ -176,5 +177,6 @@ func cidrsEqual(currentValues, newValues []string) bool {
 	if len(newValues) == 0 && len(currentValues) == 1 && currentValues[0] == "0.0.0.0/0" {
 		return true
 	}
-	return slices.Equal(currentValues, newValues)
+
+	return sets.NewString(currentValues...).Equal(sets.NewString(newValues...))
 }
diff --git a/pkg/ctl/utils/vpc_helper_test.go b/pkg/ctl/utils/vpc_helper_test.go
@@ -133,6 +133,21 @@ var _ = DescribeTable("VPCHelper", func(e vpcHelperEntry) {
 		},
 	}),
 
+	Entry("cluster public access CIDRs match desired config but out of order", vpcHelperEntry{
+		clusterVPC: &ekstypes.VpcConfigResponse{
+			EndpointPublicAccess:  true,
+			EndpointPrivateAccess: false,
+			PublicAccessCidrs:     []string{"2.2.2.2/32", "1.1.1.1/32"},
+		},
+		vpc: &api.ClusterVPC{
+			ClusterEndpoints: &api.ClusterEndpoints{
+				PublicAccess:  api.Enabled(),
+				PrivateAccess: api.Disabled(),
+			},
+			PublicAccessCIDRs: []string{"1.1.1.1/32", "2.2.2.2/32"},
+		},
+	}),
+
 	Entry("both cluster endpoint access and public access CIDRs do not match desired config", vpcHelperEntry{
 		clusterVPC: &ekstypes.VpcConfigResponse{
 			EndpointPublicAccess:  true,