Add support for App Mesh Preview Environment

- add appMeshPreview addon policy - add appmesh-preview-access flag to node groups Signed-off-by: stefanprodan <stefan.prodan@gmail.com>
eksctl-io · Jun 10, 2020 · 23fe673 · 23fe673
1 parent 043fff5
commit 23fe673
Show file tree

Hide file tree

Showing 19 changed files with 171 additions and 148 deletions.
diff --git a/pkg/apis/eksctl.io/v1alpha5/assets/schema.json b/pkg/apis/eksctl.io/v1alpha5/assets/schema.json
@@ -915,6 +915,9 @@
         "appMesh": {
           "type": "boolean"
         },
+        "appMeshPreview": {
+          "type": "boolean"
+        },
         "autoScaler": {
           "type": "boolean"
         },
@@ -949,6 +952,7 @@
         "externalDNS",
         "certManager",
         "appMesh",
+        "appMeshPreview",
         "ebs",
         "fsx",
         "efs",

diff --git a/pkg/apis/eksctl.io/v1alpha5/schema.go b/pkg/apis/eksctl.io/v1alpha5/schema.go
diff --git a/pkg/apis/eksctl.io/v1alpha5/types.go b/pkg/apis/eksctl.io/v1alpha5/types.go
@@ -559,17 +559,18 @@ func NewNodeGroup() *NodeGroup {
 		VolumeType:      &DefaultNodeVolumeType,
 		IAM: &NodeGroupIAM{
 			WithAddonPolicies: NodeGroupIAMAddonPolicies{
-				ImageBuilder: Disabled(),
-				AutoScaler:   Disabled(),
-				ExternalDNS:  Disabled(),
-				CertManager:  Disabled(),
-				AppMesh:      Disabled(),
-				EBS:          Disabled(),
-				FSX:          Disabled(),
-				EFS:          Disabled(),
-				ALBIngress:   Disabled(),
-				XRay:         Disabled(),
-				CloudWatch:   Disabled(),
+				ImageBuilder:   Disabled(),
+				AutoScaler:     Disabled(),
+				ExternalDNS:    Disabled(),
+				CertManager:    Disabled(),
+				AppMesh:        Disabled(),
+				AppMeshPreview: Disabled(),
+				EBS:            Disabled(),
+				FSX:            Disabled(),
+				EFS:            Disabled(),
+				ALBIngress:     Disabled(),
+				XRay:           Disabled(),
+				CloudWatch:     Disabled(),
 			},
 		},
 		SSH: &NodeGroupSSH{
@@ -594,17 +595,18 @@ func NewManagedNodeGroup() *ManagedNodeGroup {
 		},
 		IAM: &NodeGroupIAM{
 			WithAddonPolicies: NodeGroupIAMAddonPolicies{
-				ImageBuilder: Disabled(),
-				AutoScaler:   Disabled(),
-				ExternalDNS:  Disabled(),
-				CertManager:  Disabled(),
-				AppMesh:      Disabled(),
-				EBS:          Disabled(),
-				FSX:          Disabled(),
-				EFS:          Disabled(),
-				ALBIngress:   Disabled(),
-				XRay:         Disabled(),
-				CloudWatch:   Disabled(),
+				ImageBuilder:   Disabled(),
+				AutoScaler:     Disabled(),
+				ExternalDNS:    Disabled(),
+				CertManager:    Disabled(),
+				AppMesh:        Disabled(),
+				AppMeshPreview: Disabled(),
+				EBS:            Disabled(),
+				FSX:            Disabled(),
+				EFS:            Disabled(),
+				ALBIngress:     Disabled(),
+				XRay:           Disabled(),
+				CloudWatch:     Disabled(),
 			},
 		},
 	}
@@ -840,6 +842,8 @@ type (
 		// +optional
 		AppMesh *bool `json:"appMesh"`
 		// +optional
+		AppMeshPreview *bool `json:"appMeshPreview"`
+		// +optional
 		EBS *bool `json:"ebs"`
 		// +optional
 		FSX *bool `json:"fsx"`

diff --git a/pkg/apis/eksctl.io/v1alpha5/validation.go b/pkg/apis/eksctl.io/v1alpha5/validation.go
@@ -318,6 +318,9 @@ func validateNodeGroupIAM(iam *NodeGroupIAM, value, fieldName, path string) erro
 		if IsEnabled(iam.WithAddonPolicies.AppMesh) {
 			return fmtFieldConflictErr(prefix + "appMesh")
 		}
+		if IsEnabled(iam.WithAddonPolicies.AppMeshPreview) {
+			return fmtFieldConflictErr(prefix + "appMeshPreview")
+		}
 		if IsEnabled(iam.WithAddonPolicies.EBS) {
 			return fmtFieldConflictErr(prefix + "ebs")
 		}

diff --git a/pkg/apis/eksctl.io/v1alpha5/zz_generated.deepcopy.go b/pkg/apis/eksctl.io/v1alpha5/zz_generated.deepcopy.go
diff --git a/pkg/cfn/builder/api_test.go b/pkg/cfn/builder/api_test.go
@@ -187,6 +187,26 @@ users:
      {{end}}
 `))
 
+var appMeshActions = []string{
+	"servicediscovery:CreateService",
+	"servicediscovery:DeleteService",
+	"servicediscovery:GetService",
+	"servicediscovery:GetInstance",
+	"servicediscovery:RegisterInstance",
+	"servicediscovery:DeregisterInstance",
+	"servicediscovery:ListInstances",
+	"servicediscovery:ListNamespaces",
+	"servicediscovery:ListServices",
+	"servicediscovery:GetInstancesHealthStatus",
+	"servicediscovery:UpdateInstanceCustomHealthStatus",
+	"servicediscovery:GetOperation",
+	"route53:GetHealthCheck",
+	"route53:CreateHealthCheck",
+	"route53:UpdateHealthCheck",
+	"route53:ChangeResourceRecordSets",
+	"route53:DeleteHealthCheck",
+}
+
 func kubeconfigBody(authenticator string) string {
 	var out bytes.Buffer
 	region := "us-west-2"
@@ -484,17 +504,18 @@ var _ = Describe("CloudFormation template builder API", func() {
 					VolumeKmsKeyID:  aws.String(""),
 					IAM: &api.NodeGroupIAM{
 						WithAddonPolicies: api.NodeGroupIAMAddonPolicies{
-							ImageBuilder: api.Disabled(),
-							AutoScaler:   api.Disabled(),
-							ExternalDNS:  api.Disabled(),
-							CertManager:  api.Disabled(),
-							AppMesh:      api.Disabled(),
-							EBS:          api.Disabled(),
-							FSX:          api.Disabled(),
-							EFS:          api.Disabled(),
-							ALBIngress:   api.Disabled(),
-							XRay:         api.Disabled(),
-							CloudWatch:   api.Disabled(),
+							ImageBuilder:   api.Disabled(),
+							AutoScaler:     api.Disabled(),
+							ExternalDNS:    api.Disabled(),
+							CertManager:    api.Disabled(),
+							AppMesh:        api.Disabled(),
+							AppMeshPreview: api.Disabled(),
+							EBS:            api.Disabled(),
+							FSX:            api.Disabled(),
+							EFS:            api.Disabled(),
+							ALBIngress:     api.Disabled(),
+							XRay:           api.Disabled(),
+							CloudWatch:     api.Disabled(),
 						},
 					},
 					SSH: &api.NodeGroupSSH{
@@ -1043,6 +1064,7 @@ var _ = Describe("CloudFormation template builder API", func() {
 			Expect(ngTemplate.Resources).ToNot(HaveKey("PolicyExternalDNSChangeSet"))
 			Expect(ngTemplate.Resources).ToNot(HaveKey("PolicyExternalDNSHostedZones"))
 			Expect(ngTemplate.Resources).ToNot(HaveKey("PolicyAppMesh"))
+			Expect(ngTemplate.Resources).ToNot(HaveKey("PolicyAppMeshPreview"))
 			Expect(ngTemplate.Resources).ToNot(HaveKey("PolicyEBS"))
 			Expect(ngTemplate.Resources).ToNot(HaveKey("PolicyFSX"))
 			Expect(ngTemplate.Resources).ToNot(HaveKey("PolicyServiceLinkRole"))
@@ -1109,33 +1131,38 @@ var _ = Describe("CloudFormation template builder API", func() {
 			Expect(policy3.PolicyDocument.Statement).To(HaveLen(1))
 			Expect(policy3.PolicyDocument.Statement[0].Effect).To(Equal("Allow"))
 			Expect(policy3.PolicyDocument.Statement[0].Resource).To(Equal("*"))
-			Expect(policy3.PolicyDocument.Statement[0].Action).To(Equal([]string{
-				"appmesh:*",
-				"servicediscovery:CreateService",
-				"servicediscovery:DeleteService",
-				"servicediscovery:GetService",
-				"servicediscovery:GetInstance",
-				"servicediscovery:RegisterInstance",
-				"servicediscovery:DeregisterInstance",
-				"servicediscovery:ListInstances",
-				"servicediscovery:ListNamespaces",
-				"servicediscovery:ListServices",
-				"servicediscovery:GetInstancesHealthStatus",
-				"servicediscovery:UpdateInstanceCustomHealthStatus",
-				"servicediscovery:GetOperation",
-				"route53:GetHealthCheck",
-				"route53:CreateHealthCheck",
-				"route53:UpdateHealthCheck",
-				"route53:ChangeResourceRecordSets",
-				"route53:DeleteHealthCheck",
-			}))
+			Expect(policy3.PolicyDocument.Statement[0].Action).To(Equal(append(appMeshActions, "appmesh:*")))
 
 			Expect(ngTemplate.Resources).ToNot(HaveKey("PolicyEBS"))
 			Expect(ngTemplate.Resources).ToNot(HaveKey("PolicyAutoScaling"))
 		})
 
 	})
 
+	Context("NodeGroupAppMeshPreview", func() {
+		cfg, ng := newClusterConfigAndNodegroup(true)
+
+		ng.IAM.WithAddonPolicies.AppMeshPreview = api.Enabled()
+
+		build(cfg, "eksctl-test-appmesh-preview", ng)
+
+		roundtrip()
+
+		It("should have correct policies", func() {
+			Expect(ngTemplate.Resources).To(HaveKey("PolicyAppMeshPreview"))
+
+			policy3 := ngTemplate.Resources["PolicyAppMeshPreview"].Properties
+
+			Expect(policy3.Roles).To(HaveLen(1))
+			isRefTo(policy3.Roles[0], "NodeInstanceRole")
+
+			Expect(policy3.PolicyDocument.Statement).To(HaveLen(1))
+			Expect(policy3.PolicyDocument.Statement[0].Effect).To(Equal("Allow"))
+			Expect(policy3.PolicyDocument.Statement[0].Resource).To(Equal("*"))
+			Expect(policy3.PolicyDocument.Statement[0].Action).To(Equal(append(appMeshActions, "appmesh-preview:*")))
+		})
+	})
+
 	Context("NodeGroupAppCertManager", func() {
 		cfg, ng := newClusterConfigAndNodegroup(true)
 

diff --git a/pkg/cfn/builder/iam_helper.go b/pkg/cfn/builder/iam_helper.go
@@ -90,28 +90,35 @@ func createRole(cfnTemplate cfnTemplate, iamConfig *api.NodeGroupIAM, managed bo
 		)
 	}
 
+	appMeshActions := []string{
+		"servicediscovery:CreateService",
+		"servicediscovery:DeleteService",
+		"servicediscovery:GetService",
+		"servicediscovery:GetInstance",
+		"servicediscovery:RegisterInstance",
+		"servicediscovery:DeregisterInstance",
+		"servicediscovery:ListInstances",
+		"servicediscovery:ListNamespaces",
+		"servicediscovery:ListServices",
+		"servicediscovery:GetInstancesHealthStatus",
+		"servicediscovery:UpdateInstanceCustomHealthStatus",
+		"servicediscovery:GetOperation",
+		"route53:GetHealthCheck",
+		"route53:CreateHealthCheck",
+		"route53:UpdateHealthCheck",
+		"route53:ChangeResourceRecordSets",
+		"route53:DeleteHealthCheck",
+	}
+
 	if api.IsEnabled(iamConfig.WithAddonPolicies.AppMesh) {
 		cfnTemplate.attachAllowPolicy("PolicyAppMesh", refIR, "*",
-			[]string{
-				"appmesh:*",
-				"servicediscovery:CreateService",
-				"servicediscovery:DeleteService",
-				"servicediscovery:GetService",
-				"servicediscovery:GetInstance",
-				"servicediscovery:RegisterInstance",
-				"servicediscovery:DeregisterInstance",
-				"servicediscovery:ListInstances",
-				"servicediscovery:ListNamespaces",
-				"servicediscovery:ListServices",
-				"servicediscovery:GetInstancesHealthStatus",
-				"servicediscovery:UpdateInstanceCustomHealthStatus",
-				"servicediscovery:GetOperation",
-				"route53:GetHealthCheck",
-				"route53:CreateHealthCheck",
-				"route53:UpdateHealthCheck",
-				"route53:ChangeResourceRecordSets",
-				"route53:DeleteHealthCheck",
-			},
+			append(appMeshActions, "appmesh:*"),
+		)
+	}
+
+	if api.IsEnabled(iamConfig.WithAddonPolicies.AppMeshPreview) {
+		cfnTemplate.attachAllowPolicy("PolicyAppMeshPreview", refIR, "*",
+			append(appMeshActions, "appmesh-preview:*"),
 		)
 	}
 

diff --git a/pkg/ctl/cmdutils/nodegroup_filter_test.go b/pkg/ctl/cmdutils/nodegroup_filter_test.go
@@ -389,6 +389,7 @@ const expected = `
 				  "externalDNS": false,
 				  "certManager": false,
 				  "appMesh": false,
+				  "appMeshPreview": false,
 				  "ebs": false,
 				  "fsx": false,
 				  "efs": false,
@@ -428,6 +429,7 @@ const expected = `
 				  "externalDNS": false,
 				  "certManager": false,
 				  "appMesh": false,
+				  "appMeshPreview": false,
 				  "ebs": false,
 				  "fsx": false,
 				  "efs": false,
@@ -465,6 +467,7 @@ const expected = `
 				  "externalDNS": false,
 				  "certManager": false,
 				  "appMesh": false,
+				  "appMeshPreview": false,
 				  "ebs": false,
 				  "fsx": false,
 				  "efs": false,
@@ -503,6 +506,7 @@ const expected = `
 			  	  "externalDNS": false,
 			  	  "certManager": false,
 			  	  "appMesh": false,
+				  "appMeshPreview": false,
 			  	  "ebs": false,
 			  	  "fsx": false,
 			  	  "efs": false,
@@ -543,6 +547,7 @@ const expected = `
 			  	  "externalDNS": false,
 			  	  "certManager": false,
 			  	  "appMesh": false,
+				  "appMeshPreview": false,
 			  	  "ebs": false,
 			  	  "fsx": false,
 			  	  "efs": false,
@@ -584,6 +589,7 @@ const expected = `
 			  	  "externalDNS": false,
 			  	  "certManager": false,
 			  	  "appMesh": false,
+				  "appMeshPreview": false,
 			  	  "ebs": false,
 			  	  "fsx": false,
 			  	  "efs": false,

diff --git a/pkg/ctl/cmdutils/nodegroup_flags.go b/pkg/ctl/cmdutils/nodegroup_flags.go
@@ -67,13 +67,15 @@ func AddCommonCreateNodeGroupIAMAddonsFlags(fs *pflag.FlagSet, ng *api.NodeGroup
 	ng.IAM.WithAddonPolicies.ExternalDNS = new(bool)
 	ng.IAM.WithAddonPolicies.ImageBuilder = new(bool)
 	ng.IAM.WithAddonPolicies.AppMesh = new(bool)
+	ng.IAM.WithAddonPolicies.AppMeshPreview = new(bool)
 	ng.IAM.WithAddonPolicies.ALBIngress = new(bool)
 	ng.IAM.WithAddonPolicies.XRay = new(bool)
 	ng.IAM.WithAddonPolicies.CloudWatch = new(bool)
 	fs.BoolVar(ng.IAM.WithAddonPolicies.AutoScaler, "asg-access", false, "enable IAM policy for cluster-autoscaler")
 	fs.BoolVar(ng.IAM.WithAddonPolicies.ExternalDNS, "external-dns-access", false, "enable IAM policy for external-dns")
 	fs.BoolVar(ng.IAM.WithAddonPolicies.ImageBuilder, "full-ecr-access", false, "enable full access to ECR")
 	fs.BoolVar(ng.IAM.WithAddonPolicies.AppMesh, "appmesh-access", false, "enable full access to AppMesh")
+	fs.BoolVar(ng.IAM.WithAddonPolicies.AppMeshPreview, "appmesh-preview-access", false, "enable full access to AppMesh Preview")
 	fs.BoolVar(ng.IAM.WithAddonPolicies.ALBIngress, "alb-ingress-access", false, "enable full access for alb-ingress-controller")
 }
 

diff --git a/pkg/eks/mocks/CloudFormationAPI.go b/pkg/eks/mocks/CloudFormationAPI.go
diff --git a/pkg/eks/mocks/CloudTrailAPI.go b/pkg/eks/mocks/CloudTrailAPI.go