Add handling for upgrade of serviceaccounts

aws · Oct 11, 2023 · 6c67ecc · 6c67ecc
1 parent 76bcd79
commit 6c67ecc
Show file tree

Hide file tree

Showing 2 changed files with 67 additions and 1 deletion.
diff --git a/.github/actions/e2e/create-cluster/action.yaml b/.github/actions/e2e/create-cluster/action.yaml
@@ -85,7 +85,7 @@ runs:
       cmd="create"
       eksctl get cluster --name ${{ inputs.cluster_name }} && cmd="upgrade"
 
-      eksctl ${cmd} cluster -f - <<EOF
+      cat << EOF >> clusterconfig.yaml
       ---
       apiVersion: eksctl.io/v1alpha5
       kind: ClusterConfig
@@ -146,6 +146,14 @@ runs:
         wellKnownPolicies:
           ebsCSIController: true
       EOF
+      
+      eksctl ${cmd} cluster -f clusterconfig.yaml
+      
+      # We need to call these update iamserviceaccount commands again since the "eksctl upgrade cluster" action
+      # doesn't handle updates to IAM serviceaccounts correctly when the roles assigned to them change
+      eksctl update iamserviceaccount -f clusterconfig.yaml --approve
+      
+
   - name: tag oidc provider of the cluster
     if: always()
     shell: bash

diff --git a/test.yaml b/test.yaml
@@ -0,0 +1,58 @@
+---
+apiVersion: eksctl.io/v1alpha5
+kind: ClusterConfig
+metadata:
+  name: scale-test
+  region: us-west-2
+  version: “1.28"
+  tags:
+    karpenter.sh/discovery: scale-test
+    testing/type: "e2e"
+kubernetesNetworkConfig:
+  ipFamily: ipv4
+managedNodeGroups:
+  - instanceType: c5.4xlarge
+    amiFamily: AmazonLinux2
+    name: scale-test-system-pool
+    desiredCapacity: 2
+    disableIMDSv1: true
+    minSize: 2
+    maxSize: 2
+    iam:
+      instanceRolePermissionsBoundary: "arn:aws:iam::330700974597:policy/GithubActionsPermissionsBoundary"
+    taints:
+      - key: CriticalAddonsOnly
+        value: "true"
+        effect: NoSchedule
+iam:
+  serviceRolePermissionsBoundary: "arn:aws:iam::330700974597:policy/GithubActionsPermissionsBoundary"
+  serviceAccounts:
+    - metadata:
+        name: karpenter
+        namespace: karpenter
+      attachPolicyARNs:
+        - "arn:aws:iam::330700974597:policy/KarpenterControllerPolicy-scale-test"
+        - "arn:aws:iam::330700974597:policy/KarpenterControllerPolicy-Alpha-scale-test"
+      permissionsBoundary: "arn:aws:iam::330700974597:policy/GithubActionsPermissionsBoundary"
+      roleName: karpenter-irsa-scale-test
+      roleOnly: true
+    - metadata:
+        name: prometheus-kube-prometheus-prometheus
+        namespace: prometheus
+      attachPolicyARNs:
+        - "arn:aws:iam::330700974597:policy/PrometheusWorkspaceIngestionPolicy"
+      permissionsBoundary: "arn:aws:iam::330700974597:policy/GithubActionsPermissionsBoundary"
+      roleName: prometheus-irsa-scale-test
+      roleOnly: true
+  withOIDC: true
+addons:
+  - name: vpc-cni
+    permissionsBoundary: "arn:aws:iam::330700974597:policy/GithubActionsPermissionsBoundary"
+  - name: coredns
+    permissionsBoundary: "arn:aws:iam::330700974597:policy/GithubActionsPermissionsBoundary"
+  - name: kube-proxy
+    permissionsBoundary: "arn:aws:iam::330700974597:policy/GithubActionsPermissionsBoundary"
+  - name: aws-ebs-csi-driver
+    permissionsBoundary: "arn:aws:iam::330700974597:policy/GithubActionsPermissionsBoundary"
+    wellKnownPolicies:
+      ebsCSIController: true