Propagate EKS connection secret updates #36

Merged: 4 commits merged into crossplane-contrib:master from evasivekubernetessecrets, Oct 17, 2019

Conversation

negz
Member

@negz negz commented Oct 9, 2019

Description of your changes

Fixes #35

EKS connection secrets change frequently. We must propagate them from the managed resource connection secret to the resource claim connection secret.

Checklist

I have:

  • Run make reviewable to ensure this PR is ready for review.
  • Ensured this PR contains a neat, self documenting set of commits.
  • Updated any relevant documentation, examples, or release notes.
  • Updated the dependencies in app.yaml to include any new role permissions.

@negz negz requested review from soorena776 and suskin October 9, 2019 21:19
@upbound-bot
Collaborator

64% (-0.25%) vs master 64%

@negz
Member Author

negz commented Oct 9, 2019

Bump module dependency?

@soorena776 is this a thing I need to do? My goal is to ensure this stack is built using the latest crossplane-runtime.

@soorena776
Contributor

soorena776 commented Oct 9, 2019

@negz looks like #20 is still not merged (it's ready to be merged by the way), so no go mod stuff needs to be done here.

Contributor

@soorena776 soorena776 left a comment


/LGTM

Contributor

@suskin suskin left a comment


Sorry I missed this PR before! Seems fine to me, though I'm interested in hearing how that testing goes before we merge the changes!

@negz negz force-pushed the evasivekubernetessecrets branch 2 times, most recently from 2d8f439 to da9a6bb, October 16, 2019 21:42
@negz
Member Author

negz commented Oct 17, 2019

Turns out this needed some updates to the EKS controller to prevent it from overwriting its secret annotations each time it updated them. I've pushed those changes in a separate commit.

Everything appears to be in sync at T ~30 minutes from creation:

# Managed resource secret
$ kubectl -n aws-infra-dev get -o json ekscluster app-project1-dev-app-kubernetes-6mtlb |jq '.spec.writeConnectionSecretToRef.name'
"61cfb882-547c-4469-bc74-05f93b45af5b"

$ kubectl -n aws-infra-dev get -o json secret 61cfb882-547c-4469-bc74-05f93b45af5b| jq '.data'|md5
ca0f55dd5d8e7a5032527cf36d3f8e38

# Claim secret
$ diff -u <(kubectl -n aws-infra-dev get -o json secret 61cfb882-547c-4469-bc74-05f93b45af5b | jq .data) <(kubectl -n app-project1-dev get -o json secret k8scluster | jq .data)

# No difference between the two
$ kubectl -n app-project1-dev get -o json kubernetescluster app-kubernetes |jq '.spec.writeConnectionSecretToRef.name'
"k8scluster"

@upbound-bot
Collaborator

64% (-0.28%) vs master 64%

@upbound-bot
Collaborator

64% (-0.06%) vs master 64%

@negz
Member Author

negz commented Oct 17, 2019

$ kubectl -n app-project1-dev get -o json secret k8scluster|jq -r '.data.clusterCA|@base64d'> ca.crt
$ kubectl -s $(kubectl -n app-project1-dev get -o json secret k8scluster|jq -r '.data.endpoint|@base64d') --certificate-authority ca.crt --token $(kubectl -n app-project1-dev get -o json secret k8scluster|jq -r '.data.token|@base64d') get nodes
NAME                           STATUS   ROLES    AGE   VERSION
ip-172-31-41-28.ec2.internal   Ready    <none>   16m   v1.14.7-eks-1861c5
ip-172-31-43-80.ec2.internal   Ready    <none>   18m   v1.14.7-eks-1861c5
ip-172-31-82-51.ec2.internal   Ready    <none>   18m   v1.14.7-eks-1861c5
    Last Transition Time:  2019-10-17T02:03:36Z
    Reason:                Managed resource is available for use
    Status:                True
    Type:                  Ready

Claim connection secret is working ~20 minutes after the cluster became available. Will try again once an hour has passed. In the meantime @suskin @soorena776 PTAL - I pushed three more commits since you approved this PR.

@negz
Member Author

negz commented Oct 17, 2019

The claim secret is still working fine ~90 minutes after creation:

$ kubectl -s $(kubectl -n app-project1-dev get -o json secret k8scluster|jq -r '.data.endpoint|@base64d') --certificate-authority ca.crt --token $(kubectl -n app-project1-dev get -o json secret k8scluster|jq -r '.data.token|@base64d') get nodes
NAME                           STATUS   ROLES    AGE   VERSION
ip-172-31-41-28.ec2.internal   Ready    <none>   92m   v1.14.7-eks-1861c5
ip-172-31-43-80.ec2.internal   Ready    <none>   93m   v1.14.7-eks-1861c5
ip-172-31-82-51.ec2.internal   Ready    <none>   93m   v1.14.7-eks-1861c5

Sadly I accidentally hashed the endpoint, not the token, earlier so I'm not actually sure whether it has rotated yet or not. Here's the current working token:

$ kubectl -n app-project1-dev get -o json secret k8scluster|jq -r '.data.token|@base64d'|md5
d3732ed33884c9a83848619dcb64d006

... Okay I guess the token just rotated while I was writing this comment. I can confirm it still works, having rotated less than 5 minutes ago.

$ kubectl -n app-project1-dev get -o json secret k8scluster|jq -r '.data.token|@base64d'|md5
923c044e0b66fc22332c2b31e1d89f7c

$ kubectl -n app-project1-dev get -o json secret k8scluster|jq -r '.data.token|@base64d'|cut -d. -f2|base64 -d
https://sts.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=REDACTED%2F20191017%2Fus-east-1%2Fsts%2Faws4_request&X-Amz-Date=20191017T034332Z&X-Amz-Expires=60&X-Amz-SignedHeaders=host%3Bx-k8s-aws-id&X-Amz-Signature=REDACTED

$ kubectl -s $(kubectl -n app-project1-dev get -o json secret k8scluster|jq -r '.data.endpoint|@base64d') --certificate-authority ca.crt --token $(kubectl -n app-project1-dev get -o json secret k8scluster|jq -r '.data.token|@base64d') get nodes
NAME                           STATUS   ROLES    AGE    VERSION
ip-172-31-41-28.ec2.internal   Ready    <none>   102m   v1.14.7-eks-1861c5
ip-172-31-43-80.ec2.internal   Ready    <none>   104m   v1.14.7-eks-1861c5
ip-172-31-82-51.ec2.internal   Ready    <none>   104m   v1.14.7-eks-1861c5
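The two manual checks in the comments above, the `diff -u` of the managed and claim secret data and the `cut -d. -f2 | base64 -d` decode of the token, as an added Go example that is not code from this PR or from the provider. It reports which connection-secret keys have drifted and reads the validity window (X-Amz-Date plus X-Amz-Expires) that the presigned STS URL inside a `k8s-aws-v1.` token declares; the token used is constructed with placeholder credential and signature, and the assumption that a token outside its declared window is "due for rotation" is a heuristic, since the API server applies its own acceptance policy.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"sort"
	"strconv"
	"strings"
	"time"
)

// tokenPrefix marks the EKS token format; the payload after it is base64url.
const tokenPrefix = "k8s-aws-v1."

// TokenWindow is the validity window declared by the presigned STS URL
// that an EKS token wraps.
type TokenWindow struct {
	IssuedAt time.Time
	Expires  time.Time
}

// ParseEKSToken does what `cut -d. -f2 | base64 -d` did above: it decodes
// the payload, checks it is a presigned sts:GetCallerIdentity URL and reads
// X-Amz-Date and X-Amz-Expires from it.
func ParseEKSToken(token string) (TokenWindow, error) {
	if !strings.HasPrefix(token, tokenPrefix) {
		return TokenWindow{}, errors.New("token does not start with " + tokenPrefix)
	}
	raw, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(strings.TrimPrefix(token, tokenPrefix), "="))
	if err != nil {
		return TokenWindow{}, fmt.Errorf("decoding token payload: %w", err)
	}
	u, err := url.Parse(string(raw))
	if err != nil {
		return TokenWindow{}, fmt.Errorf("parsing presigned URL: %w", err)
	}
	q := u.Query()
	if u.Scheme != "https" || q.Get("Action") != "GetCallerIdentity" {
		return TokenWindow{}, errors.New("payload is not a presigned STS GetCallerIdentity URL")
	}
	issued, err := time.Parse("20060102T150405Z", q.Get("X-Amz-Date"))
	if err != nil {
		return TokenWindow{}, fmt.Errorf("parsing X-Amz-Date: %w", err)
	}
	secs, err := strconv.Atoi(q.Get("X-Amz-Expires"))
	if err != nil || secs <= 0 {
		return TokenWindow{}, errors.New("X-Amz-Expires is missing or not a positive integer")
	}
	return TokenWindow{IssuedAt: issued, Expires: issued.Add(time.Duration(secs) * time.Second)}, nil
}

// Stale reports whether the declared window had passed at now. The API server
// applies its own acceptance policy, so this is a "due for rotation" signal (assumption).
func (w TokenWindow) Stale(now time.Time) bool {
	return now.After(w.Expires)
}

// Drift lists keys on which the claim secret disagrees with the managed
// resource secret, which is what the `diff -u` above tests for.
func Drift(managed, claim map[string][]byte) []string {
	var out []string
	for k, v := range managed {
		if c, ok := claim[k]; !ok {
			out = append(out, k+": missing from claim secret")
		} else if string(c) != string(v) {
			out = append(out, k+": differs")
		}
	}
	for k := range claim {
		if _, ok := managed[k]; !ok {
			out = append(out, k+": only in claim secret")
		}
	}
	sort.Strings(out)
	return out
}

// ConstructedToken builds a sample token in the shape printed above, with
// the credential and signature replaced by placeholders (constructed data).
func ConstructedToken(date string, expires int) string {
	u := "https://sts.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15" +
		"&X-Amz-Algorithm=AWS4-HMAC-SHA256" +
		"&X-Amz-Credential=REDACTED%2F20191017%2Fus-east-1%2Fsts%2Faws4_request" +
		"&X-Amz-Date=" + date + "&X-Amz-Expires=" + strconv.Itoa(expires) +
		"&X-Amz-SignedHeaders=host%3Bx-k8s-aws-id&X-Amz-Signature=REDACTED"
	return tokenPrefix + base64.RawURLEncoding.EncodeToString([]byte(u))
}

func main() {
	// Constructed sample: the claim secret still holds an older token.
	managed := map[string][]byte{"token": []byte(ConstructedToken("20191017T034332Z", 60))}
	claim := map[string][]byte{"token": []byte(ConstructedToken("20191017T033000Z", 60))}
	fmt.Println("drift:", Drift(managed, claim))
	if w, err := ParseEKSToken(string(claim["token"])); err == nil {
		fmt.Printf("claim token expires %s, stale: %v\n", w.Expires.UTC(), w.Stale(time.Now()))
	}
}
```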

kubeclient: kubernetes.NewForConfigOrDie(mgr.GetConfig()),
recorder: mgr.GetEventRecorderFor(controllerName),
Client: mgr.GetClient(),
publisher: resource.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme()),
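Review bot: `kubernetes.NewForConfigOrDie(mgr.GetConfig())` on the `kubeclient` line panics if the manager's REST config cannot be turned into a clientset; since this is controller setup code, `kubernetes.NewForConfig` with the error returned from the setup function would surface the failure the same way the other setup errors are, rather than crashing the process. The typed clientset also reads straight from the API server rather than the manager's cache that `Client: mgr.GetClient()` uses, which deserves a comment on why both are needed.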
Contributor


nit: it seems odd that we are passing mgr.GetClient() twice to build a single object

config.Region = string(instance.Spec.Region)
// NOTE(negz): EKS clusters must specify a region for creation. They never
// use the provider's region. This should be addressed per the below issue.
// https://github.com/crossplaneio/stack-aws/issues/38
Contributor


👍

// NOTE(negz): EKS clusters must specify a region for creation. They never
// use the provider's region. This should be addressed per the below issue.
// https://github.com/crossplaneio/stack-aws/issues/38
config, err := aws.LoadConfig(s.Data[p.Spec.Secret.Key], aws.DefaultSection, string(instance.Spec.Region))
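Review bot: `s.Data[p.Spec.Secret.Key]` is handed to `aws.LoadConfig` without checking that the key is present in the provider secret; a missing key yields a nil slice, and whatever LoadConfig reports for empty input will not name the secret or key that was absent. Suggest looking the key up with the two-value form and returning an error that names the secret and key before calling LoadConfig.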
Contributor


FYI, there is also this method which does exactly that.
https://github.com/crossplaneio/stack-aws/blob/master/pkg/controller/utils/utils.go#L19

Member Author


There's a slight difference in this one, in that we pass in the instance's region, not the provider's.

// Amounts of time we wait before requeuing a reconcile.
const (
aShortWait = 30 * time.Second
aLongWait = 60 * time.Second
Contributor


not a blocker for this pr, but I think these consts should be in the runtime library.

Member Author


I see these as short term solutions, with the long term solution being using the managed resource reconciler to implement this controller.

https://godoc.org/github.com/crossplaneio/crossplane-runtime/pkg/resource#WithShortWait

I believe these were global constants for a while, until someone correctly pointed out that 30 and 60 seconds aren't necessarily the best requeue durations for all managed resource controllers. Instead now we make them the default, but allow controllers to override them if appropriate.

Contributor

@soorena776 soorena776 left a comment


Thanks for fixing this! Left a few comments but /LGTM

GO111MODULE=on go get github.com/crossplaneio/crossplane-runtime

Generated by running the above command

Signed-off-by: Nic Cope <negz@rk0n.org>
EKS connection secrets change frequently. We must propagate them from the
managed resource connection secret to the resource claim connection secret.

Signed-off-by: Nic Cope <negz@rk0n.org>
The previous implementation overwrote the connection secret (including its
propagation annotations) every time it was updated.

Signed-off-by: Nic Cope <negz@rk0n.org>
crossplane/crossplane#241
crossplane/crossplane-runtime#40

This is discussed in the above two issues. It's of particular concern for EKS
because EKS clusters rotate their token frequently, and we want to notice fast
when the token has changed. Right now it could take minutes to notice or worse -
the controller never requeues once the cluster becomes available, so we would
not notice the token changing until the global resync (i.e. one hour).

Signed-off-by: Nic Cope <negz@rk0n.org>
@upbound-bot
Collaborator

66% (-0.08%) vs master 66%

@negz negz merged commit 8e5f534 into crossplane-contrib:master Oct 17, 2019
@negz negz deleted the evasivekubernetessecrets branch October 17, 2019 17:27
wolffbe pushed a commit to wolffbe/provider-aws that referenced this pull request Feb 12, 2021
…ecrets

Propagate EKS connection secret updates
namku pushed a commit to namku/provider-aws that referenced this pull request Mar 9, 2021
…ecrets

Propagate EKS connection secret updates
hanlins pushed a commit to hanlins/provider-aws that referenced this pull request Mar 24, 2022
…rib#36)

* add failed and rejected status to vpc peering filter

* add unittest

* Aviod call modify vpc peering option
hanlins pushed a commit to hanlins/provider-aws that referenced this pull request Mar 24, 2022
…rib#36)

* add failed and rejected status to vpc peering filter

* add unittest

* Aviod call modify vpc peering option
hanlins added a commit to hanlins/provider-aws that referenced this pull request Jun 7, 2022
…ontrib#37)

* fix(eks-kubeconfig): eks-presignGetCallerIdentity

Signed-off-by: haarchri <chhaar30@googlemail.com>

* Add haarchri as a maintainer

See crossplane/org#20

Signed-off-by: Nic Cope <nicc@rk0n.org>

* Add support for associating an IdentityProviderConfig to an EKS cluster

Signed-off-by: Mathias Åhsberg <mathias.ahsberg@resurs.se>

* update signing region based on partition
Signed-off-by: smcavallo <smcavallo@hotmail.com>

* fix(injected-identity): fix multioregion with injected identity since 0.20.0

Signed-off-by: haarchri <chhaar30@googlemail.com>

* feat(secretsmanager): Add support for resource policies

Signed-off-by: Maximilian Blatt <maximilian.blatt-extern@deutschebahn.com>
(external expert on behalf of DB Netz AG)

* Add EKS Addon resource (crossplane-contrib#872)

* Add EKS Addon resource
Signed-off-by: Maximilian Blatt <maximilian.blatt-extern@deutschebahn.com>
(externel expert on behalf of DB Netz AG)

* Add custom origin example for distribution

Signed-off-by: gstramandinoli <giuseppe.stramandinoli@vonage.com>

* map originSSLProtocols

Signed-off-by: Steven Borrelli <steve@borrelli.org>

* Implement Amazon MQ service (crossplane-contrib#734)

* feat(aws): add support for amazon mq
Signed-off-by: Praveen Ghuge <praveen.ghuge@outlook.com>
Co-authored-by: haarchri <chhaar30@googlemail.com>

* Tweak DynamoDb table update logic

crossplane-contrib#839

The above PR recently fixed this controller such that it was possible to
configure PAY_PER_REQUEST and SSE, but part of doing this involved potentially
making a no-op update and ignoring the resulting error. This commit avoids the
no-op update by (hopefully) improving the logic that determines which update(s)
are needed.

Signed-off-by: Nic Cope <negz@rk0n.org>

* Use camelCase connection detail keys for DynamoDB tables

There's no documented standard here, but the convention is camelCase.

Signed-off-by: Nic Cope <negz@rk0n.org>

* Added tags for iam policy

Signed-off-by: Raghav Grover <ragrover@expediagroup.com>

* readme: add release policy

Signed-off-by: Muvaffak Onus <me@muvaf.com>

* Implement GlobalSecondaryIndexes

Signed-off-by: sergenyalcin <yalcinsergen97@gmail.com>
(cherry picked from commit 4cad963)

* dynamodb.table: add support for updating globalsecondaryindexes

Signed-off-by: Muvaffak Onus <me@muvaf.com>

* dynamodb.table: add unit tests for global secondary index diff

Signed-off-by: Muvaffak Onus <me@muvaf.com>

* fix s3 notificationConfiguration
Signed-off-by: smcavallo <smcavallo@hotmail.com>

* fix s3 paymentConfiguration preventing bucket from being ready
Signed-off-by: smcavallo <smcavallo@hotmail.com>

* observe iampolicy which already exists
Signed-off-by: smcavallo <smcavallo@hotmail.com>

* upgrade to aws-sdk-go-v2 - 2021-11-06
Signed-off-by: smcavallo <smcavallo@hotmail.com>

* feat(cw): added loggroup

Signed-off-by: haarchri <chhaar30@googlemail.com>

* use getCallerIdentity to determine policy arn
Signed-off-by: smcavallo <smcavallo@hotmail.com>

* consider policy with path
Signed-off-by: smcavallo <smcavallo@hotmail.com>

* add path to examples
Signed-off-by: smcavallo <smcavallo@hotmail.com>

* policy ext-name should return better exception
Signed-off-by: smcavallo <smcavallo@hotmail.com>

* kms.alias: make it manually-written because removing parameters cause empty spec which makes the for loops in conversion functions throw compile errors since there is nothing to process and variables end up unused

Signed-off-by: Muvaffak Onus <me@muvaf.com>

* kms.key: assume the key is removed once it is in pendingdeletion state otherwise it will not go away for days.

Signed-off-by: Muvaffak Onus <me@muvaf.com>

* kms.alias: filter the alias list with alias name

Signed-off-by: Muvaffak Onus <me@muvaf.com>

* github: add release issue

Signed-off-by: Muvaffak Onus <me@muvaf.com>

* Manually late-init CloudFront Distributions

CloudFront Distributions and CachePolicies were built to use a generic reflect
based late initialization library that can match two similar structs. While this
approach is probably good for simpler APIs and is much more scalable than hand
writing code as I've done here, we found that it was tricky to debug and
customise the late-init logic and the IsUpToDate functions that use it.

Notably, the Distribution API seems to:

* Always return CloudFrontDefaultCertificate: nil, which causes false positives
  in IsUpToDate.
* Not return slices in the order they were supplied, making it impossible to
  late init slices of structs based on index alone.
* Require some slices of structs (e.g. Origins) to be late initialized.

I believe the reflect based late-init library attempts to late init slices under
the assumption that the actual and desired elements will be in the same order.
It also appears to append actual elements to the desired slice when the actual
slice is longer than the desired slice, which would prevent us from removing
elements from the desired slice (since they'd be late-init-ed right back in
during Observe, resetting the desired state).

This manual implementation follows our typical pattern of only late-initing nil
slices which avoids the above problem. However in some cases we _must_ late init
elements of slices (e.g. late init the Origin structs) in order to be able to
perform an update. The Distribution API requires a create, read, then update
flow where many of the fields that are optional at create time are defaulted
and subsequently required at update time. In order to handle this we special
case Origins, matching them on their (unique) ID fields. We may need to do this
for other slices of structs such as OriginGroups.

At a glance the CachePolicy API appears simpler and thus hopefully doesn't
suffer from many of these issues, but it probably warrants a closer look in
future to be sure.

Signed-off-by: Nic Cope <negz@rk0n.org>

* Move reflect based late init implementation to CachePolicy

This is now the only controller that consumes it.

Signed-off-by: Nic Cope <negz@rk0n.org>

* iam.rolepolicyattachment: clean up old code that relies on functionality that already exists in runtime

Signed-off-by: Muvaffak Onus <me@muvaf.com>

* iam: clean up old code that duplicates functionality from runtime

Signed-off-by: Muvaffak Onus <me@muvaf.com>

* Review comments

Signed-off-by: Raghav Grover <ragrover@expediagroup.com>

* Fix some Distribution late-init logic, test some of the nil checks

We had a few places where we tested whether a parent struct was nil, but then
tried to set fields of that parent struct outside the if-not-nil clause. I've
added partial tests for these cases too.

Signed-off-by: Nic Cope <negz@rk0n.org>

* Remove gomega from S3 tests

We're attempting to remove all usage of gomega, in favor of using just cmp.

https://github.com/golang/go/wiki/TestComments#assert-libraries

Signed-off-by: Nic Cope <negz@rk0n.org>

* :s/s3Testing/s3testing/g in package imports

We typically aim for import aliases that would also be valid package names.

Signed-off-by: Nic Cope <negz@rk0n.org>

* s3 replicationConfiguration with delete marker enabled and fixes
Signed-off-by: smcavallo <smcavallo@hotmail.com>

* feat(route53resolver): added postObserve status

Signed-off-by: haarchri <chhaar30@googlemail.com>

* ec2.securitygroup: add security group resolver (crossplane-contrib#592)

Signed-off-by: Carl Henrik Lunde <chlunde@ifi.uio.no>

* ec2.securitygroup: fix add, implement revoke/update ingress and egress rules

When adding a rule, we should not send the complete rule set, only the
new rule.

When updating a rule, we must first delete it. And with that done, we
also support deleting rules.

Fixes crossplane-contrib#503
Fixes crossplane-contrib#300

Signed-off-by: Carl Henrik Lunde <chlunde@ifi.uio.no>

* ec2.securitygroup: remove late init of rules

Rules are keyless arrays. The code to late-init them often corrupted
data by copying data between rules.

Signed-off-by: Carl Henrik Lunde <chlunde@ifi.uio.no>

* ec2.securitygroup: GroupID/GroupName is a valid key

Signed-off-by: Carl Henrik Lunde <chlunde@ifi.uio.no>

* ec2.securitygroup: Ignore slice order in tests

Signed-off-by: Carl Henrik Lunde <chlunde@ifi.uio.no>

* Adding back the auto generated iampolicy crd

Signed-off-by: Raghav Grover <ragrover@expediagroup.com>

* Allow explicitly specifying DynamoDB table billingMode: PROVISIONED

Previously specifying billingMode: PROVISIONED would result in a constant
update loop, because the DynamoDB DescribeTable API omits the billing mode
from its response when it's set to PROVISIONED.

Signed-off-by: Nic Cope <negz@rk0n.org>

* Allow explicitly specifying DynamoDB Table streamEnabled: false

This is another case where DescribeTableOutput has an 'implied' default
value of false. That value differing from our explicit value of false was
causing Crossplane to think it needed to make an update when it did not.

Signed-off-by: Nic Cope <negz@rk0n.org>

* identity.iampolicy: Disable gocyclo after two merges broke CI

CI tests for two individual PRs were OK, but after the merge, CI fails
due to the combined cyclomatic complexity of the function.

Since every PR from master at this point will fail until it is fixed, I
think the lowest risk now is to disable this lint check.

Signed-off-by: Carl Henrik Lunde <chlunde@ifi.uio.no>

* rdsinstance: Use ResourceLateInitialized from crossplane-runtime

When creating a new database, late init would trigger a kubernetes
update in the Observe method, which in turn would trigger an error in
crossplane-runtime:

	2021-09-12T15:29:23.921+0200	ERROR	controller-runtime.manager.controller.managed/rdsinstance.database.aws.crossplane.io	Reconciler error	{"reconciler group": "database.aws.crossplane.io", "reconciler kind": "RDSInstance", "name": "example-rds", "namespace": "", "error": "cannot update managed resource status: Operation cannot be fulfilled on rdsinstances.database.aws.crossplane.io \"example-rds\": the object has been modified; please apply your changes to the latest version and try again", "errorVerbose": "Operation cannot be fulfilled on rdsinstances.database.aws.crossplane.io \"example-rds\": the object has been modified; please apply your changes to the latest version and try again\ncannot update managed resource status\n...."}

Prevent this error by instead setting ResourceLateInitialized for
crossplane, which will make crossplane-runtime do the update call instead,
and avoid the error message.

Signed-off-by: Carl Henrik Lunde <chlunde@ifi.uio.no>

* fix(nat): tags and tagspecification

Signed-off-by: haarchri <chhaar30@googlemail.com>

* feat(bottlerocket): added informations for eks-bottlerocket-nodegroup

Signed-off-by: haarchri <chhaar30@googlemail.com>

* add basic install command

Signed-off-by: Nic Grayson <nicgrayson@gmail.com>

* Add make target to identify the go build cache directory

The build submodule currently overrides XDG_CACHE_HOME in
order to force the Helm 3 to use the .work/helm directory. This causes Go on
Linux machines to use that directory as the build cache as well. We should
adjust this behavior in the build submodule because it is also causing Linux
users to duplicate their build cache, but for now we just make it easier to
identify its location in CI so that we cache between builds.

Signed-off-by: hasheddan <georgedanielmangum@gmail.com>

* Consume go.cachedir in CI workflow

Updates CI workflow to cache based on go.cachedir to work around the
fact that we override the GOCACHE in our make context due to the
inclusion of helm.mk.

Signed-off-by: hasheddan <georgedanielmangum@gmail.com>

* feat(rds): crossplane-contrib#984 added ref and selector for *parameterGroup

Signed-off-by: haarchri <chhaar30@googlemail.com>

* move storage of operationid into annotations

Signed-off-by: Steven Borrelli <steve@borrelli.org>

* Update apis/servicediscovery/v1alpha1/custom_types.go

group import statements

Co-authored-by: muvaffak onuş <me@muvaf.com>
Signed-off-by: Steven Borrelli <steve@borrelli.org>

* fix(fmt): crossplane-contrib#988 fix gofmt-servicediscovery

Signed-off-by: haarchri <chhaar30@googlemail.com>

* Fixing constantly update requests problem of replicationgroup

Signed-off-by: Sergen Yalçın <yalcinsergen97@gmail.com>

* glue.crawler: ignore problematic field in and set its value in handwritten code

Signed-off-by: Muvaffak Onus <me@muvaf.com>

* lambda.function: ignore problematic field in and set its value in handwritten code

Signed-off-by: Muvaffak Onus <me@muvaf.com>

* ack regenerate

Signed-off-by: Muvaffak Onus <me@muvaf.com>

* Bumping CODE_GENERATOR_COMMIT to capture fix for Issue 876

Signed-off-by: Aaron Eaton <aaron@upbound.io>

* code-generator: bump code-generator to the latest commit that has fixes to make it work with Crossplane again

Signed-off-by: Muvaffak Onus <me@muvaf.com>
(cherry picked from commit 0d2ea7e)

* ec2.vpccidrblock: upgrade to v1beta1

Signed-off-by: Muvaffak Onus <me@muvaf.com>

* ecr.repository: upgrade to v1beta1

Signed-off-by: Muvaffak Onus <me@muvaf.com>

* ecr.repositorypolicy: upgrade to v1beta1

Signed-off-by: Muvaffak Onus <me@muvaf.com>

* eks.fargateprofile: upgrade to v1beta1

Signed-off-by: Muvaffak Onus <me@muvaf.com>

* examples: update for new v1beta1 CRDs

Signed-off-by: Muvaffak Onus <me@muvaf.com>

* ec2.vpccidrblock: use angryjet reference resolver generator

Signed-off-by: Muvaffak Onus <me@muvaf.com>

* Generating code with latest code-generator

Signed-off-by: Aaron Eaton <aaron@upbound.io>

* acm.certificate: upgrade to v1beta1

Signed-off-by: Muvaffak Onus <me@muvaf.com>

* acm.certificate: remove renew certificate action since it is imperative and hard to get right in declarative fashion and add tagger

Signed-off-by: Muvaffak Onus <me@muvaf.com>

* acmcpa.certificateauthority: upgrade to v1beta1

Signed-off-by: Muvaffak Onus <me@muvaf.com>

* acm.certificate: change the schema in v1beta1 to conform to the shape of the corresponding type in SDK

Signed-off-by: Muvaffak Onus <me@muvaf.com>

* acmpca.certificatepermission: upgrade to v1beta1

Signed-off-by: Muvaffak Onus <me@muvaf.com>

* fix(cleanup): rerun generator after crossplane-contrib#920 merge

Signed-off-by: haarchri <chhaar30@googlemail.com>

* feat(rds): added rds-apply-immediately field

Signed-off-by: haarchri <chhaar30@googlemail.com>

* feat(addedStsAssumeRole) added assumeRoleArn

Signed-off-by: haarchri <chhaar30@googlemail.com>

* iam: rename identity group to iam but keep v1beta1 ones intact to give users time to migrate

Signed-off-by: Muvaffak Onus <me@muvaf.com>

* iam: move all kinds in identity.v1alpha1 to iam.v1beta1

Signed-off-by: Muvaffak Onus <me@muvaf.com>

* iam: update examples

Signed-off-by: Muvaffak Onus <me@muvaf.com>

* iam.accesskey: rename IAMAccessKey to AccessKey

Signed-off-by: Muvaffak Onus <me@muvaf.com>

* iam.role: rename IAMRole to Role

Signed-off-by: Muvaffak Onus <me@muvaf.com>

* iam.grouppolicyattachment: rename IAMGroupPolicyAttachment to GroupPolicyAttachment

Signed-off-by: Muvaffak Onus <me@muvaf.com>

* iam.groupusermembership: rename IAMGroupUserMembership to GroupUserMembership

Signed-off-by: Muvaffak Onus <me@muvaf.com>

* iam.userpolicyattachment: rename IAMUserPolicyAttachment to UserPolicyAttachment

Signed-off-by: Muvaffak Onus <me@muvaf.com>

* iam.user: rename IAMUser to User

Signed-off-by: Muvaffak Onus <me@muvaf.com>

* iam.group: rename IAMGroup to Group

Signed-off-by: Muvaffak Onus <me@muvaf.com>

* iam.policy: rename IAMPolicy to Policy

Signed-off-by: Muvaffak Onus <me@muvaf.com>

* iam.rolepolicyattachment: rename IAMRolePolicyAttachment to RolePolicyAttachment

Signed-off-by: Muvaffak Onus <me@muvaf.com>

* identity.iamrole and identity.iamrolepolicyattachment: remove CRDs and their controllers similar to v1alpha1 ones to reduce the risk of something going wrong during migration

Signed-off-by: Muvaffak Onus <me@muvaf.com>

* upgrade: add upgrade guide for IAM resources

Signed-off-by: Muvaffak Onus <me@muvaf.com>

* upgrade guide: add composition instructions

Signed-off-by: Muvaffak Onus <me@muvaf.com>

* Implement Cloudfront Origin Access Identity (crossplane-contrib#929)

* Implement Cloudfront Origin Access Identity (crossplane-contrib#929)
Signed-off-by: Steven Borrelli <steve@borrelli.org>

* feat(volume): ec2 volume

Signed-off-by: haarchri <chhaar30@googlemail.com>

* feat(tgw): added ec2 transitgateway & transitgateway vpc attachment

Signed-off-by: haarchri <chhaar30@googlemail.com>

* update doc links

Signed-off-by: Steven Borrelli <steve@borrelli.org>

* Add IOT/Thing Managed Resource

Signed-off-by: sergenyalcin <yalcinsergen97@gmail.com>

* added external crossplane tags by default on iam.Role

Signed-off-by: Cecilia Bernardi <cbernardi@expediagroup.com>

* Add instructions to use kube2iam authentication

This PR aims to clarify the configuration needed to use kube2iam to authenticate to AWS in a non-EKS cluster
(cf. Slack discussion [here](https://crossplane.slack.com/archives/CEG3T90A1/p1639651106294400?thread_ts=1639591534.284400&cid=CEG3T90A1)

Signed-off-by: yogeek <gdupin@gmail.com>

* feat(glue): followup cleanup cr.name to external.name

Signed-off-by: haarchri <chhaar30@googlemail.com>

* feat(resolvers) added more s3 resolvers and changed to generated.resolvers

Signed-off-by: haarchri <chhaar30@googlemail.com>

* add iamrole shortname
Signed-off-by: smcavallo <smcavallo@hotmail.com>

* add ec2 route api & controller

Signed-off-by: Dkaykay <denis.holschuh@gmail.com>

* fix sync and ready states not being shown by kubectl

Signed-off-by: Dkaykay <denis.holschuh@gmail.com>

* reset ec2 route crd

Signed-off-by: Dkaykay <denis.holschuh@gmail.com>

* feat(ec2-route): rebase master & added create,observe,delete & resolvers

Signed-off-by: haarchri <chhaar30@googlemail.com>

* feat(athena-workgroup): added athena workgroup object

Signed-off-by: haarchri <chhaar30@googlemail.com>

* fix(docs): fix docs to current aws-go-sdk 1.37.10 for code-gen

Signed-off-by: haarchri <chhaar30@googlemail.com>

* feat(ram): added ram

Signed-off-by: haarchri <chhaar30@googlemail.com>

* fix(tagger): tagger fixed for tgw/tgwvpcattachment

Signed-off-by: haarchri <chhaar30@googlemail.com>

* Remove inaccurate deprecation warning from v1beta1 type

Removes the deprecation warning from certificate authority permission
v1beta1 as it should only exist on v1alpha1.

Signed-off-by: hasheddan <georgedanielmangum@gmail.com>

* Add Ipv6CIDRBlock support in VPC

Signed-off-by: vaspahomov <vas2142553@gmail.com>

* Add Ipv6Pool support in VPC

Signed-off-by: vaspahomov <vas2142553@gmail.com>

* feat(printcolumn) added ipv6CIDRBlock as printcolumn

Signed-off-by: haarchri <chhaar30@googlemail.com>

* feat(kafka): added kafka configurations & kafka server refs,selectors

Signed-off-by: haarchri <chhaar30@googlemail.com>

* feat: implement VPC Endpoint for AWS Provider

Signed-off-by: Darryl Sw <darryl_sw@hive.gov.sg>

* feat(ec2): rebased, set generated resolvers, cleanup

Signed-off-by: haarchri <chhaar30@googlemail.com>

* Restoring build submodule

Signed-off-by: Aaron Eaton <aaron@upbound.io>

* Add elbv2 resources

Adds the Loadbalancer, Listener, and TargetGroup resources from the
elbv2 api.

Signed-off-by: EdgeJ <5093048+EdgeJ@users.noreply.github.com>

* feat(elbv2): changed examples to fits after last cleanup

Signed-off-by: haarchri <chhaar30@googlemail.com>

* Launch Template and Luanch Template Version resources added

Signed-off-by: Tanuj Dwivedi <tanuj.dwivedi@D11-tanuj.dwivedi>

* feat(ec2-launchtemplate): set referencers, skip dryRun & clientToken, set correct examples

Signed-off-by: haarchri <chhaar30@googlemail.com>

* feat(transitgatewayroutes): added transitgatewayroutes and transitgatewayroutetable

Signed-off-by: haarchri <chhaar30@googlemail.com>

* feat(vpcendpointserviceconfiguration) added ec2 vpcendpointserviceconfiguration

Signed-off-by: haarchri <chhaar30@googlemail.com>

* fix(e2e-test) changed pkg.crossplane.io to v1

Signed-off-by: haarchri <chhaar30@googlemail.com>

* fix(init): crossplane-contrib#1049 fix problem that kms-key external-name

Signed-off-by: haarchri <chhaar30@googlemail.com>

* fix(name): fix &cr.name

Signed-off-by: haarchri <chhaar30@googlemail.com>

* fix(glue) fix securityconfig &cr.name

Signed-off-by: haarchri <chhaar30@googlemail.com>

* feat(stream): added kinesis stream

Signed-off-by: haarchri <chhaar30@googlemail.com>

* Remove unused controller

* Support vpcpeering

* Rewrite peering logic

* Rewrite peering logic

* add docker file

* fix-lint

* fix lint

* fix lint

* avoid legacy ec2 dependencies

Signed-off-by: Aylei <rayingecho@gmail.com>

* fix aws peering post-processing

Signed-off-by: Aylei <rayingecho@gmail.com>

* fix ut

Signed-off-by: Aylei <rayingecho@gmail.com>

* fix vpc peering deletion

Signed-off-by: Aylei <rayingecho@gmail.com>

* fix peering check

Signed-off-by: Aylei <rayingecho@gmail.com>

* format

Signed-off-by: Aylei <rayingecho@gmail.com>

* add building image to ci (crossplane-contrib#18)

* debug gha

* delete debug code

* Fix AWS VPC Peering Pending to Delete Issue (crossplane-contrib#20)

Co-authored-by: Yan Ou <yanou@Yans-MacBook-Pro-2.local>

* bump alpine (base image) for security (crossplane-contrib#22)

* disable CGO_ENABLED (crossplane-contrib#23)

* Update ci.yml

* DM-2654 Clean RouteTables  (crossplane-contrib#21)

* check routes

* fix errors

* check routes by peeringID

* change func name from checkRoutes to countRoutes

* do delete() again if vpcconnections are 0 by Observer()

Co-authored-by: Yan Ou <yanou@Yans-MacBook-Pro-2.local>

* Fix panic when deleting unready vpc peering (crossplane-contrib#24)

* Reconcile EKS clusters and node groups. (crossplane-contrib#26)

The commit is slightly modified from commit d912a8b.
Changes:
- AWS controller now reconciles EKS clusters and node groups.
- AWS controller now recognizes assume-role and external-id from provider configs.

* Fix vpc connection cannot get ready (crossplane-contrib#25)

* Fix vpc connection cannot get ready

* remove debug log

* deprecated aws error

* fix ut

* address comments

* remove debug log

* fix bug

* rollback code

* fix ci (crossplane-contrib#27)

* fix ci

* Update .github/workflows/ci.yml

* Update max reconciles worker to 1 (crossplane-contrib#28)

* fix s3 paymentConfiguration preventing bucket from being ready (crossplane-contrib#29)

Signed-off-by: smcavallo <smcavallo@hotmail.com>

Co-authored-by: smcavallo <smcavallo@hotmail.com>

* Reduce unnecessary AWS API requests (crossplane-contrib#30)

* Reduce unnecessary AWS API requests

* add unittest

* Fix cannot delete pending-accept vpc peering (crossplane-contrib#33)

* Improve the duration of backoff and requeue interval (crossplane-contrib#35)

* Support internal vpc peering connection (crossplane-contrib#32)

* fix s3 paymentConfiguration preventing bucket from being ready
Signed-off-by: smcavallo <smcavallo@hotmail.com>

* Reduce unnecessary AWS API requests

* add unittest

* Support internal vpc peering connection

* Fix failed unittest

* Add unittest

* rebase

* add unittest when delete vpc peering

* Refactor code to support cross region

* remove unused client

* address comments

* fix unittest

Co-authored-by: smcavallo <smcavallo@hotmail.com>

* add failed and rejected status to vpc peering filter (crossplane-contrib#36)

* add failed and rejected status to vpc peering filter

* add unittest

* Avoid calling modify vpc peering option

* Update kernel security base image (crossplane-contrib#34)

* Update kernel security base image

* Update Dockerfile

* Update Dockerfile

* Make it buildable

* rebase

* register eksmanualv1alpha1 api

* rebase

* Add support for external ID when assume role

Signed-off-by: Hanlin Shi <shihanlin9@gmail.com>

* fix(labels): eks-nodegroup

Signed-off-by: haarchri <chhaar30@googlemail.com>

Co-authored-by: haarchri <chhaar30@googlemail.com>
Co-authored-by: muvaffak onuş <me@muvaf.com>
Co-authored-by: Nic Cope <nicc@rk0n.org>
Co-authored-by: Mathias Åhsberg <mathias.ahsberg@resurs.se>
Co-authored-by: smcavallo <smcavallo@hotmail.com>
Co-authored-by: Maximilian Blatt <maximilian.blatt-extern@deutschebahn.com>
Co-authored-by: MisterMX <mbxd12@web.de>
Co-authored-by: gstramandinoli <giuseppe.stramandinoli@vonage.com>
Co-authored-by: Steven Borrelli <steve@borrelli.org>
Co-authored-by: Praveen Ghuge <praveen.ghuge@outlook.com>
Co-authored-by: Nic Cope <negz@rk0n.org>
Co-authored-by: Raghav Grover <ragrover@expediagroup.com>
Co-authored-by: sergenyalcin <yalcinsergen97@gmail.com>
Co-authored-by: Carl Henrik Lunde <chlunde@ifi.uio.no>
Co-authored-by: Nic Grayson <nicgrayson@gmail.com>
Co-authored-by: hasheddan <georgedanielmangum@gmail.com>
Co-authored-by: Daniel Mangum <31777345+hasheddan@users.noreply.github.com>
Co-authored-by: Steven Borrelli <steve@aster.is>
Co-authored-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
Co-authored-by: Aaron Eaton <aaron@upbound.io>
Co-authored-by: Cecilia Bernardi <cbernardi@expediagroup.com>
Co-authored-by: Guillaume Dupin <gdupin@gmail.com>
Co-authored-by: Dkaykay <denis.holschuh@gmail.com>
Co-authored-by: vaspahomov <vas2142553@gmail.com>
Co-authored-by: Darryl Sw <darryl_sw@hive.gov.sg>
Co-authored-by: EdgeJ <5093048+EdgeJ@users.noreply.github.com>
Co-authored-by: Tanuj Dwivedi <tanuj.dwivedi@D11-tanuj.dwivedi>
Co-authored-by: qiffang <947321353@qq.com>
Co-authored-by: Aylei <rayingecho@gmail.com>
Co-authored-by: Hoshea Jiang <fgksgf@gmail.com>
Co-authored-by: Yan-Ou <yan.ou@pingcap.com>
Co-authored-by: Yan Ou <yanou@Yans-MacBook-Pro-2.local>
Co-authored-by: Xuecheng Zhang <csuzhangxc@gmail.com>
Co-authored-by: Jiajin Zheng <zhengjiajin@pingcap.com>
Co-authored-by: rajeshwerrao madoori <rajeshwer.madoori@gmail.com>
Co-authored-by: Jiajin Zheng <zhengjiajin2016@gmail.com>
Co-authored-by: Hanlin Shi <shihanlin9@gmail.com>
teeverr pushed a commit to swisscom/provider-aws that referenced this pull request Jun 6, 2024
Successfully merging this pull request may close these issues.

Propagate EKS connection secret updates to bound claims