SDE-2953: Allow setting AWS EC2Metadata in machine config pool

Nikokolas3270 · Apr 28, 2023 · 9a9e7a2 · 9a9e7a2
1 parent 7cbb912
commit 9a9e7a2
Show file tree

Hide file tree

Showing 8 changed files with 145 additions and 2 deletions.
diff --git a/apis/hive/v1/aws/machinepool.go b/apis/hive/v1/aws/machinepool.go
@@ -21,6 +21,10 @@ type MachinePoolPlatform struct {
 	// SpotMarketOptions allows users to configure instances to be run using AWS Spot instances.
 	// +optional
 	SpotMarketOptions *SpotMarketOptions `json:"spotMarketOptions,omitempty"`
+
+	// EC2MetadataOptions defines metadata service interaction options for EC2 instances in the machine pool.
+	// +optional
+	EC2Metadata *EC2Metadata `json:"metadataService,omitempty"`
 }
 
 // SpotMarketOptions defines the options available to a user when configuring
@@ -48,3 +52,16 @@ type EC2RootVolume struct {
 	// +optional
 	KMSKeyARN string `json:"kmsKeyARN,omitempty"`
 }
+
+// EC2Metadata defines the metadata service interaction options for an ec2 instance.
+// https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html
+type EC2Metadata struct {
+	// Authentication determines whether or not the host requires the use of authentication when interacting with the metadata service.
+	// When using authentication, this enforces v2 interaction method (IMDSv2) with the metadata service.
+	// When omitted, this means the user has no opinion and the value is left to the platform to choose a good
+	// default, which is subject to change over time. The current default is optional.
+	// At this point this field represents `HttpTokens` parameter from `InstanceMetadataOptionsRequest` structure in AWS EC2 API
+	// https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_InstanceMetadataOptionsRequest.html
+	// +optional
+	Authentication string `json:"authentication,omitempty"`
+}
diff --git a/apis/hive/v1/aws/zz_generated.deepcopy.go b/apis/hive/v1/aws/zz_generated.deepcopy.go
diff --git a/config/crds/hive.openshift.io_machinepools.yaml b/config/crds/hive.openshift.io_machinepools.yaml
@@ -123,6 +123,24 @@ spec:
                     description: AWS is the configuration used when installing on
                       AWS.
                     properties:
+                      metadataService:
+                        description: EC2MetadataOptions defines metadata service interaction
+                          options for EC2 instances in the machine pool.
+                        properties:
+                          authentication:
+                            description: Authentication determines whether or not
+                              the host requires the use of authentication when interacting
+                              with the metadata service. When using authentication,
+                              this enforces v2 interaction method (IMDSv2) with the
+                              metadata service. When omitted, this means the user
+                              has no opinion and the value is left to the platform
+                              to choose a good default, which is subject to change
+                              over time. The current default is optional. At this
+                              point this field represents `HttpTokens` parameter from
+                              `InstanceMetadataOptionsRequest` structure in AWS EC2
+                              API https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_InstanceMetadataOptionsRequest.html
+                            type: string
+                        type: object
                       rootVolume:
                         description: EC2RootVolume defines the storage for ec2 instance.
                         properties:

diff --git a/hack/app-sre/saas-template.yaml b/hack/app-sre/saas-template.yaml
@@ -4851,6 +4851,24 @@ objects:
                       description: AWS is the configuration used when installing on
                         AWS.
                       properties:
+                        metadataService:
+                          description: EC2MetadataOptions defines metadata service
+                            interaction options for EC2 instances in the machine pool.
+                          properties:
+                            authentication:
+                              description: Authentication determines whether or not
+                                the host requires the use of authentication when interacting
+                                with the metadata service. When using authentication,
+                                this enforces v2 interaction method (IMDSv2) with
+                                the metadata service. When omitted, this means the
+                                user has no opinion and the value is left to the platform
+                                to choose a good default, which is subject to change
+                                over time. The current default is optional. At this
+                                point this field represents `HttpTokens` parameter
+                                from `InstanceMetadataOptionsRequest` structure in
+                                AWS EC2 API https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_InstanceMetadataOptionsRequest.html
+                              type: string
+                          type: object
                         rootVolume:
                           description: EC2RootVolume defines the storage for ec2 instance.
                           properties:

diff --git a/pkg/controller/machinepool/awsactuator.go b/pkg/controller/machinepool/awsactuator.go
@@ -151,6 +151,10 @@ func (a *AWSActuator) GenerateMachineSets(cd *hivev1.ClusterDeployment, pool *hi
 		Zones: pool.Spec.Platform.AWS.Zones,
 	}
 
+	if pool.Spec.Platform.AWS.EC2Metadata != nil {
+		computePool.Platform.AWS.EC2Metadata.Authentication = pool.Spec.Platform.AWS.EC2Metadata.Authentication
+	}
+
 	if len(computePool.Platform.AWS.Zones) == 0 {
 		zones, err := a.fetchAvailabilityZones()
 		if err != nil {

diff --git a/pkg/controller/machinepool/awsactuator_test.go b/pkg/controller/machinepool/awsactuator_test.go
@@ -49,6 +49,7 @@ func TestAWSActuator(t *testing.T) {
 		expectedErr                  bool
 		expectedCondition            *hivev1.MachinePoolCondition
 		expectedKMSKey               string
+		expectedEC2MetadataAuth      string
 		expectedAMI                  *machineapi.AWSResourceReference
 		expectedSGFilters            []machineapi.Filter
 	}{
@@ -355,6 +356,22 @@ func TestAWSActuator(t *testing.T) {
 				ID: pointer.String(testAMI),
 			},
 		},
+		{
+			name:              "ec2 metadata",
+			clusterDeployment: withClusterVersion(testClusterDeployment(), "4.5.0"),
+			machinePool:       withEC2Metadata(testMachinePool(), "Optional"),
+			masterMachine:     testMachine("master0", "master"),
+			mockAWSClient: func(client *mockaws.MockClient) {
+				mockDescribeAvailabilityZones(client, []string{"zone1"})
+			},
+			expectedMachineSetReplicas: map[string]int64{
+				generateAWSMachineSetName("zone1"): 3,
+			},
+			expectedEC2MetadataAuth: "Optional",
+			expectedAMI: &machineapi.AWSResourceReference{
+				ID: pointer.String(testAMI),
+			},
+		},
 		{
 			name:              "kms key disk encryption",
 			clusterDeployment: withClusterVersion(testClusterDeployment(), "4.5.0"),
@@ -568,7 +585,7 @@ func TestAWSActuator(t *testing.T) {
 			if test.expectedErr {
 				assert.Error(t, err, "expected error for test case")
 			} else {
-				validateAWSMachineSets(t, generatedMachineSets, test.expectedMachineSetReplicas, test.expectedSubnetIDInMachineSet, test.expectedKMSKey, test.expectedAMI, test.expectedSGFilters)
+				validateAWSMachineSets(t, generatedMachineSets, test.expectedMachineSetReplicas, test.expectedSubnetIDInMachineSet, test.expectedKMSKey, test.expectedAMI, test.expectedSGFilters, test.expectedEC2MetadataAuth)
 			}
 			if test.expectedCondition != nil {
 				cond := controllerutils.FindCondition(pool.Status.Conditions, test.expectedCondition.Type)
@@ -617,7 +634,7 @@ func TestGetAWSAMIID(t *testing.T) {
 	}
 }
 
-func validateAWSMachineSets(t *testing.T, mSets []*machineapi.MachineSet, expectedMSReplicas map[string]int64, expectedSubnetID bool, expectedKMSKey string, expectedAMI *machineapi.AWSResourceReference, expectedSGFilters []machineapi.Filter) {
+func validateAWSMachineSets(t *testing.T, mSets []*machineapi.MachineSet, expectedMSReplicas map[string]int64, expectedSubnetID bool, expectedKMSKey string, expectedAMI *machineapi.AWSResourceReference, expectedSGFilters []machineapi.Filter, expectedEC2MetadataAuth string) {
 	assert.Equal(t, len(expectedMSReplicas), len(mSets), "different number of machine sets generated than expected")
 
 	for _, ms := range mSets {
@@ -650,6 +667,11 @@ func validateAWSMachineSets(t *testing.T, mSets []*machineapi.MachineSet, expect
 		if expectedSGFilters != nil {
 			assert.Equal(t, awsProvider.SecurityGroups[0].Filters, expectedSGFilters, "unexpected security group filters")
 		}
+
+		if expectedEC2MetadataAuth != "" {
+			assert.NotNil(t, awsProvider.MetadataServiceOptions, "Missing ec2metadata")
+			assert.Equal(t, expectedEC2MetadataAuth, string(awsProvider.MetadataServiceOptions.Authentication))
+		}
 	}
 }
 
@@ -794,6 +816,11 @@ func withSpotMarketOptions(pool *hivev1.MachinePool) *hivev1.MachinePool {
 	return pool
 }
 
+func withEC2Metadata(pool *hivev1.MachinePool, metadataAuth string) *hivev1.MachinePool {
+	pool.Spec.Platform.AWS.EC2Metadata = &awshivev1.EC2Metadata{Authentication: "Optional"}
+	return pool
+}
+
 func withKMSKey(pool *hivev1.MachinePool) *hivev1.MachinePool {
 	pool.Spec.Platform.AWS.EC2RootVolume.KMSKeyARN = fakeKMSKeyARN
 	return pool

diff --git a/vendor/github.com/openshift/hive/apis/hive/v1/aws/machinepool.go b/vendor/github.com/openshift/hive/apis/hive/v1/aws/machinepool.go
diff --git a/vendor/github.com/openshift/hive/apis/hive/v1/aws/zz_generated.deepcopy.go b/vendor/github.com/openshift/hive/apis/hive/v1/aws/zz_generated.deepcopy.go