diff --git a/infra/aws/terraform/kops-infra-ci/eks.tf b/infra/aws/terraform/kops-infra-ci/eks.tf
index 02c6315a254..b86f251d0f4 100644
--- a/infra/aws/terraform/kops-infra-ci/eks.tf
+++ b/infra/aws/terraform/kops-infra-ci/eks.tf
@@ -73,7 +73,7 @@ module "eks" {
 eks_managed_node_group_defaults = {
 ami_type = "AL2_x86_64"
- instance_types = ["m6i.large", "m5.large", "m5n.large", "m5zn.large"]
+ instance_types = ["m7i.large", "m5.large", "m5n.large", "m5zn.large"]
 iam_role_attach_cni_policy = true
 }
@@ -99,7 +99,7 @@ module "eks" {
 }
 capacity_type = "ON_DEMAND"
- instance_types = ["r6i.2xlarge"]
+ instance_types = ["r7i.2xlarge"]
 ami_type = "BOTTLEROCKET_x86_64"
 platform = "bottlerocket"
@@ -142,6 +142,24 @@ module "eks" {
 })
 }
+resource "aws_eks_addon" "eks_pod_identity" {
+ provider = aws.kops-local-ci
+
+ cluster_name = module.eks.cluster_name
+ addon_name = "eks-pod-identity-agent"
+ addon_version = "v1.0.0-eksbuild.1"
+ resolve_conflicts_on_update = "OVERWRITE"
+}
+
+resource "aws_eks_pod_identity_association" "kops_prow_build" {
+ provider = aws.kops-local-ci
+
+ cluster_name = module.eks.cluster_name
+ namespace = "test-pods"
+ service_account = "prowjob-default-sa"
+ role_arn = aws_iam_role.eks_pod_identity_role.arn
+}
+
 module "vpc_cni_irsa" {
 providers = { aws = aws.kops-infra-ci }
diff --git a/infra/aws/terraform/kops-infra-ci/iam.tf b/infra/aws/terraform/kops-infra-ci/iam.tf
index e0cd9a4d2c2..4ea468df51d 100644
--- a/infra/aws/terraform/kops-infra-ci/iam.tf
+++ b/infra/aws/terraform/kops-infra-ci/iam.tf
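Review bot: `aws_eks_addon.eks_pod_identity` and `aws_eks_pod_identity_association.kops_prow_build` are created through `aws.kops-local-ci`, while the cluster they point at (`module.eks`, whose sibling `vpc_cni_irsa` passes `aws.kops-infra-ci`) and `aws_iam_role.eks_pod_identity_role` in iam.tf use `aws.kops-infra-ci`; a pod identity association only accepts a role in the cluster's own account, so if the `kops-ci` profile resolves to another account, or to a region other than the cluster's, the apply fails or manages a cluster of the same name elsewhere. Unless the cluster's provider genuinely cannot manage these two resources, `provider = aws.kops-infra-ci` on both keeps one identity for cluster, role and association; otherwise a comment should say why a separate profile is required. The association also repeats `"test-pods"` and `"prowjob-default-sa"` as literals that must stay in step with resources/00-namespaces.yaml and resources/sa.yaml. A header comment on the association such as `# Pods running as test-pods/prowjob-default-sa obtain aws_iam_role.eks_pod_identity_role (iam.tf); names must match resources/*.yaml` would make that coupling visible where it is consumed.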
@@ -53,3 +53,37 @@ resource "aws_iam_role" "google_prow_trust_role" {
 max_session_duration = 43200
 assume_role_policy = data.aws_iam_policy_document.google_prow_trust_policy.json
 }
+
+
+// Leveraging EKS Pod Identity feature allow kOps prowjobs to run E2E tests
+data "aws_iam_policy_document" "eks_pod_identity_policy" {
+ provider = aws.kops-infra-ci
+
+ statement {
+ effect = "Allow"
+
+ principals {
+ type = "Service"
+ identifiers = ["pods.eks.amazonaws.com"]
+ }
+
+ actions = [
+ "sts:AssumeRole",
+ "sts:TagSession"
+ ]
+ }
+}
+
+resource "aws_iam_role" "eks_pod_identity_role" {
+ provider = aws.kops-infra-ci
+
+ name = "EKSPodIdentityRole"
+ assume_role_policy = data.aws_iam_policy_document.eks_pod_identity_policy.json
+}
+
+resource "aws_iam_role_policy_attachment" "eks_pod_identity_policy" {
+ provider = aws.kops-infra-ci
+
+ policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+ role = aws_iam_role.eks_pod_identity_role.name
+}
diff --git a/infra/aws/terraform/kops-infra-ci/providers.tf b/infra/aws/terraform/kops-infra-ci/providers.tf
index cd4405d7bc7..160a0191920 100644
--- a/infra/aws/terraform/kops-infra-ci/providers.tf
+++ b/infra/aws/terraform/kops-infra-ci/providers.tf
@@ -23,6 +23,12 @@ provider "aws" {
 }
 }
+provider "aws" {
+ region = "us-east-2"
+ alias = "kops-local-ci"
+ profile = "kops-ci"
+}
+
 provider "kubernetes" {
 host = module.eks.cluster_endpoint
 cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
diff --git a/infra/aws/terraform/kops-infra-ci/resources/00-namespaces.yaml b/infra/aws/terraform/kops-infra-ci/resources/00-namespaces.yaml
new file mode 100644
index 00000000000..eff8a8612f0
--- /dev/null
+++ b/infra/aws/terraform/kops-infra-ci/resources/00-namespaces.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: test-pods
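Review bot: `aws_iam_role_policy_attachment.eks_pod_identity_policy` attaches `AdministratorAccess` to a role whose trust statement allows `pods.eks.amazonaws.com` with no condition, so any pod identity association on any EKS cluster in this account — not only `test-pods/prowjob-default-sa` on the CI cluster — can hand out full-admin credentials. kOps E2E runs do need broad rights, so at minimum the trust policy should carry an `aws:SourceArn` condition pinned to the CI cluster (the confused-deputy guard the EKS Pod Identity documentation describes for this principal — confirm it is honoured), and a `permissions_boundary` on `aws_iam_role.eks_pod_identity_role` would cap what a prowjob session can do with the attachment (the boundary policy is not on this page; placeholder below). `module.eks.cluster_arn` is assumed to be an output of the module — verify. The leading comment would also read better as `// EKS Pod Identity lets kOps prowjobs (test-pods/prowjob-default-sa on the CI cluster) assume this admin role to run E2E tests`.
```hcl
data "aws_iam_policy_document" "eks_pod_identity_policy" {
  provider = aws.kops-infra-ci

  statement {
    // … unchanged: effect, principals, actions …

    // Confused-deputy guard: only associations on the CI cluster may assume the role.
    condition {
      test     = "ArnEquals"
      variable = "aws:SourceArn"
      values   = [module.eks.cluster_arn] // TODO confirm the module exposes cluster_arn
    }
  }
}

resource "aws_iam_role" "eks_pod_identity_role" {
  // … unchanged: provider, name, assume_role_policy …

  // Caps the AdministratorAccess attachment below; boundary policy to be supplied.
  permissions_boundary = "<PERMISSIONS_BOUNDARY_POLICY_ARN>" // placeholder
}
```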
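Review bot: The new `kops-local-ci` provider is driven by a named CLI profile (`profile = "kops-ci"`) and a fixed `us-east-2`, which only resolves on a machine whose AWS config defines that profile, while the `provider "aws"` block this hunk's leading context closes (its alias is outside the hunk; eks.tf refers to `aws.kops-infra-ci`) is the one `module.eks` is built with. If the profile lands in the same account and region as the cluster, the addon and association in eks.tf could use `aws.kops-infra-ci` and this block could go; if it is intentionally a different identity, a comment above the block such as `# Workstation profile used only for the Pod Identity addon/association; must point at the account and region of module.eks` records the dependency so a later run does not silently manage a different cluster.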
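Review bot: Nothing in this diff applies resources/00-namespaces.yaml (or resources/sa.yaml), yet `aws_eks_pod_identity_association.kops_prow_build` in eks.tf expects `test-pods` and `prowjob-default-sa` to exist with exactly those names; presumably a manifest resource or an out-of-band `kubectl apply` picks the directory up — confirm and state it in a comment at the top of the file, e.g. `# Applied to the CI cluster by <mechanism>; names must match aws_eks_pod_identity_association in eks.tf`. That comment should also say that anything able to create a pod under this service account in `test-pods` obtains the AWS role from iam.tf, since the manifests themselves carry no hint of it.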
diff --git a/infra/aws/terraform/kops-infra-ci/resources/sa.yaml b/infra/aws/terraform/kops-infra-ci/resources/sa.yaml
new file mode 100644
index 00000000000..91305ddc628
--- /dev/null
+++ b/infra/aws/terraform/kops-infra-ci/resources/sa.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: "prowjob-default-sa"
+ namespace: "test-pods"
diff --git a/infra/aws/terraform/kops-infra-ci/terraform.tf b/infra/aws/terraform/kops-infra-ci/terraform.tf
index 4b8c71c1120..eb0f2dd184d 100644
--- a/infra/aws/terraform/kops-infra-ci/terraform.tf
+++ b/infra/aws/terraform/kops-infra-ci/terraform.tf
@@ -27,7 +27,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = "~> 5.11.0"
+ version = "~> 5.29.0"
 }
 }
 }