Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Onboard EKS to ci-mgmt #1142

Open
blampe opened this issue Nov 12, 2024 · 0 comments
Open

Onboard EKS to ci-mgmt #1142

blampe opened this issue Nov 12, 2024 · 0 comments
Assignees
Labels
kind/engineering Work that is not visible to an external user
Milestone

Comments

@blampe
Copy link
Contributor

blampe commented Nov 12, 2024

Use the generic ci-mgmt template to manage EKS. Will require support for sharding.

@blampe blampe self-assigned this Nov 12, 2024
@pulumi-bot pulumi-bot added the needs-triage Needs attention from the triage team label Nov 12, 2024
blampe added a commit to pulumi/pulumi-eks that referenced this issue Nov 13, 2024
Preparation for pulumi/ci-mgmt#1142.

This renames custom workflows to have an "eks-" prefix to prevent
ci-mgmt from deleting them (similar to
pulumi/pulumi-aws#4418).

This also adds a missing `.actionlint.yml` config file, copied from
[azure-native](https://github.com/pulumi/pulumi-azure-native/blob/master/.actionlint.yml).
The `lint_workflows` action currently has no effect without this file
([example](https://github.com/pulumi/pulumi-eks/actions/runs/11468567327/job/31913961281)):

> could not read config file ".actionlint.yml": open .actionlint.yml: no
such file or directory
@VenelinMartinov VenelinMartinov added kind/engineering Work that is not visible to an external user and removed needs-triage Needs attention from the triage team labels Nov 13, 2024
@mjeffryes mjeffryes added this to the 0.113 milestone Nov 13, 2024
blampe added a commit to pulumi/pulumi-eks that referenced this issue Nov 14, 2024
This PR changes our kubeconfig logic to use a `--profile` arg instead of
an `AWS_PROFILE` environment variable so it will always use the expected
profile. It also parallelizes the relevant tests and simplifies
workflows slightly.

As a user, if I generate a kubeconfig for a particular profile I would
expect that configuration to _always_ use the profile I specified.
However, because we rely on `AWS_PROFILE` it is possible for our
generated kubeconfig to be inadvertently overridden by the presence of
`AWS_ACCESS_KEY_ID`.

> Credentials from environment variables have precedence over
credentials from the shared credentials and AWS CLI config file.
Credentials specified in the shared credentials file have precedence
over credentials in the AWS CLI config file. If AWS_PROFILE environment
variable is set and the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
environment variables are set, then the credentials provided by
AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY will override the
credentials located in the profile provided by AWS_PROFILE.

https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#id1

I'll note that I discovered this as part of the prep work for
pulumi/ci-mgmt#1142. In particular, our tests
currently do a few things to exercise profile switching behavior:
1. During CI setup, we set some fixed access keys for the `default`
profile. (This is unnecessary.)
2. During CI setup, we set some fixed access keys for an `alt` profile.
This is the profile we expect to use in `TestAccAwsProfile*` tests.
3. During `TestAccAwsProfile*` tests we unset `AWS_SECRET_ACCESS_KEY`,
`AWS_ACCESS_KEY_ID`, and `AWS_SESSION_TOKEN` for our process.

Importantly, (3) is currently implemented such that (a) it prevents
parallelization, and (b) subsequent queries to the k8s API server also
lack ambient credentials.

After I refactored (3) to allow parallelization the tests started
failing. Eventually I realized this was because I was unsetting
credentials for the `pulumi` subprocess and our test's k8s client now
had ambient credentials taking priority over the expected profile.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/engineering Work that is not visible to an external user
Projects
None yet
Development

No branches or pull requests

4 participants