-
Notifications
You must be signed in to change notification settings - Fork 76
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
refactor(aws-auth): replace aws-iam-authenticator with aws eks get-token #362
Conversation
2f84e3f
to
7c4fb27
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this change makes sense, but updating the kubeconfig will show a replace
for the cluster and resources on the cluster during preview. It shouldn't actually cause a replacement, but we should make sure to check this behavior and maybe proactively notify users to expect that.
Not sure I'm following, could you elaborate? Here's the preview of an update on an existing cluster from |
For the pulumi-kubernetes provider, if the kubeconfig changes in a first-class Provider resource, the preview will show a This wouldn't be the case if the EKS cluster was managed in a separate stack, as this only happens when the kubeconfig is a computed value during preview. |
Ah, right. Got it now. Other than the CHANGELOG updates in the PR, and notifying the community in Slack, any other suggestions for how best to roll this out and inform users that are not watching either or both? |
I think that's sufficient. If users have questions about it, you can point them to the CHANGELOG as a canonical reference. |
7c4fb27
to
0144d58
Compare
@lukehoban Feedback? |
In practice cluster access is not affected, but because the kubeconfig changes, it's dependencies from the k8s provider on will be signaled to be replaced during previews. Thinking through this more, it seems best to signal this change along with the rest of the unreleased improvements and pending PRs by bumping and cutting a new minor release: 0.19.0. Do folks agree? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am very nervous about the fact this will look like all resources are being replaced. This will be nontrivially disruptive for every user of this package.
I do think we should prioritize figuring out how to improve the kubernetes
provider to allow these sorts of changes without previews thinking everything needs to replace.
But in the immediate term - can we include a clear message in README that indicates users may see kubernetes.Provider
replacements during preview when updating to this version, but that replacements will not be required in practice. (Are we sure that is true?)
As long as the actual cluster doesn't change, it will not replace the resources. The problem with preview is that the value of the kubeconfig isn't computed yet, so we can't tell for certain if the resources still exist, hence the replacement. |
Tests were conducted with two stacks using latest upstream p/eks v0.18.24
Neither preview nor updates for either stack with this PR showed a replacement of any k8s resources, only updates to the kubeconfig, and the provider. It does not appear that this PR change hits the conservative replacement for k8s resources when the kubeconfig changes. IIUC this may be because only the auth exec commands change from the 01-cluster preview & update: 02-apps preview & update: |
Yes, that's right. Thanks for verifying. |
84049ac
to
7783356
Compare
Given the above tests, do we feel confident merging this?
We could always cut a new release and highlight this change in the CHANGELOG more prominently if that would help signal users. |
I double-checked the logic in the k8s provider code, and it will preview a However, Mike's test scenarios seem to show that this the Here's the relevant logic in the k8s provider: |
I tested this locally as well, and wasn't able to cause a |
Note: for existing clusters, this change will recompute the kubeconfig used, as its arguments and settings get updated to work with `aws eks get-token`. It should not affect cluster access.
7783356
to
25d80de
Compare
This was left behind from #362.
This was left behind from #362.
This was left behind from #362.
Proposed changes
refactor(aws-auth): replace
aws-iam-authenticator
withaws eks get-token
.Note: for existing clusters, this change will recompute the kubeconfig used,
as its arguments and settings get updated to work with
aws eks get-token
.It should not affect cluster access.
Examples of kubeconfig changes:
Related issues (optional)
Closes #304