Merge pull request #805 from PaulMaddox/xray-access

Added AWS X-Ray Support

humans.txt

@@ -39,6 +39,7 @@ Roli Schilter           @rndstr
 Mitchel Humpherys       @mgalgs
 Fred Cox                @mcfedr
 Adam Johnson            @adamjohnson01
+Paul Maddox             @paulmaddox
 Patrick Spek            @tyil
 
 /* Thanks */

pkg/apis/eksctl.io/v1alpha5/defaults.go

@@ -64,6 +64,9 @@ func SetNodeGroupDefaults(_ int, ng *NodeGroup) error {
 	if ng.IAM.WithAddonPolicies.ALBIngress == nil {
 		ng.IAM.WithAddonPolicies.ALBIngress = Disabled()
 	}
+	if ng.IAM.WithAddonPolicies.XRay == nil {
+		ng.IAM.WithAddonPolicies.XRay = Disabled()
+	}
 	if ng.IAM.WithAddonPolicies.EBS == nil {
 		ng.IAM.WithAddonPolicies.EBS = Disabled()
 	}

pkg/apis/eksctl.io/v1alpha5/types.go

@@ -355,6 +355,7 @@ func (c *ClusterConfig) NewNodeGroup() *NodeGroup {
 				FSX:          Disabled(),
 				EFS:          Disabled(),
 				ALBIngress:   Disabled(),
+				XRay: 		  Disabled(),
 			},
 		},
 		SSH: &NodeGroupSSH{
@@ -476,6 +477,8 @@ type (
 		EFS *bool `json:"efs"`
 		// +optional
 		ALBIngress *bool `json:"albIngress"`
+		// +optional
+		XRay *bool `json:"xRay"`
 	}
 
 	// NodeGroupSSH holds all the ssh access configuration to a NodeGroup

pkg/apis/eksctl.io/v1alpha5/validation.go

@@ -40,6 +40,9 @@ func validateNodeGroupIAM(i int, ng *NodeGroup, value, fieldName, path string) e
 		if IsEnabled(ng.IAM.WithAddonPolicies.ALBIngress) {
 			return fmt.Errorf("%s.albIngress cannot be set at the same time", p)
 		}
+		if IsEnabled(ng.IAM.WithAddonPolicies.XRay) {
+			return fmt.Errorf("%s.xRay cannot be set at the same time", p)
+		}
 	}
 	return nil
 }

pkg/cfn/builder/api_test.go

@@ -389,6 +389,7 @@ var _ = Describe("CloudFormation template builder API", func() {
 							FSX:          api.Disabled(),
 							EFS:          api.Disabled(),
 							ALBIngress:   api.Disabled(),
+							XRay:         api.Disabled(),
 						},
 					},
 					SSH: &api.NodeGroupSSH{
@@ -962,6 +963,39 @@ var _ = Describe("CloudFormation template builder API", func() {
 
 	})
 
+	Context("NodeGroupXRay", func() {
+		cfg, ng := newClusterConfigAndNodegroup(true)
+
+		ng.IAM.WithAddonPolicies.XRay = api.Enabled()
+
+		build(cfg, "eksctl-test-megaapps-cluster", ng)
+
+		roundtrip()
+
+		It("should have correct policies", func() {
+			Expect(ngTemplate.Resources).ToNot(BeEmpty())
+
+			Expect(ngTemplate.Resources).To(HaveKey("PolicyXRay"))
+
+			policy := ngTemplate.Resources["PolicyXRay"].Properties
+
+			Expect(policy.Roles).To(HaveLen(1))
+			isRefTo(policy.Roles[0], "NodeInstanceRole")
+
+			Expect(policy.PolicyDocument.Statement).To(HaveLen(1))
+			Expect(policy.PolicyDocument.Statement[0].Effect).To(Equal("Allow"))
+			Expect(policy.PolicyDocument.Statement[0].Resource).To(Equal("*"))
+			Expect(policy.PolicyDocument.Statement[0].Action).To(Equal([]string{
+				"xray:PutTraceSegments",
+				"xray:PutTelemetryRecords",
+				"xray:GetSamplingRules",
+				"xray:GetSamplingTargets",
+				"xray:GetSamplingStatisticSummaries",
+			}))
+		})
+
+	})
+
 	Context("NodeGroupEBS", func() {
 		cfg, ng := newClusterConfigAndNodegroup(true)
 

pkg/cfn/builder/iam.go

@@ -343,6 +343,18 @@ func (n *NodeGroupResourceSet) addResourcesForIAM() {
 		)
 	}
 
+	if api.IsEnabled(n.spec.IAM.WithAddonPolicies.XRay) {
+		n.rs.attachAllowPolicy("PolicyXRay", refIR, "*", 
+			[]string{
+				"xray:PutTraceSegments",
+				"xray:PutTelemetryRecords",
+				"xray:GetSamplingRules",
+				"xray:GetSamplingTargets",
+				"xray:GetSamplingStatisticSummaries",
+			},
+		)
+	}
+
 	n.rs.defineOutputFromAtt(outputs.NodeGroupInstanceProfileARN, "NodeInstanceProfile.Arn", true, func(v string) error {
 		n.spec.IAM.InstanceProfileARN = v
 		return nil

pkg/ctl/cmdutils/nodegroup_filter_test.go

@@ -344,7 +344,8 @@ const expected = `
 			  		"ebs": false,
 			  		"fsx": false,
 			  		"efs": false,
-			  		"albIngress": false
+					"albIngress": false,
+					"xRay": false  
 			    }
 			  }
 		  },
@@ -379,7 +380,8 @@ const expected = `
 			  		"ebs": false,
 			  		"fsx": false,
 			  		"efs": false,
-			  		"albIngress": false
+					"albIngress": false,
+					"xRay": false  
 			    }
 			  }
 		  },
@@ -412,7 +414,8 @@ const expected = `
 			  	"ebs": false,
 			  	"fsx": false,
 			  	"efs": false,
-			  	"albIngress": false
+				"albIngress": false,
+				"xRay": false  
 			  }
 			  },
 			  "clusterDNS": "1.2.3.4"
@@ -446,7 +449,8 @@ const expected = `
 			  	  "ebs": false,
 			  	  "fsx": false,
 			  	  "efs": false,
-			  	  "albIngress": false
+				  "albIngress": false,
+				  "xRay": false	
 			    }
 			  }
 		  },
@@ -482,7 +486,8 @@ const expected = `
 			  	  "ebs": false,
 			  	  "fsx": false,
 			  	  "efs": false,
-			  	  "albIngress": false
+				  "albIngress": false,
+				  "xRay": false	
 			    }
 			  },
 			  "clusterDNS": "4.2.8.14"
@@ -519,7 +524,8 @@ const expected = `
 			  	  "ebs": false,
 			  	  "fsx": false,
 			  	  "efs": false,
-			  	  "albIngress": false
+				  "albIngress": false,
+				  "xRay": false	
 			    }
 			  }
 		  }

pkg/ctl/cmdutils/nodegroup_flags.go

@@ -57,6 +57,7 @@ func AddCommonCreateNodeGroupIAMAddonsFlags(fs *pflag.FlagSet, ng *api.NodeGroup
 	ng.IAM.WithAddonPolicies.ImageBuilder = new(bool)
 	ng.IAM.WithAddonPolicies.AppMesh = new(bool)
 	ng.IAM.WithAddonPolicies.ALBIngress = new(bool)
+	ng.IAM.WithAddonPolicies.XRay = new(bool)
 	fs.BoolVar(ng.IAM.WithAddonPolicies.AutoScaler, "asg-access", false, "enable IAM policy for cluster-autoscaler")
 	fs.BoolVar(ng.IAM.WithAddonPolicies.ExternalDNS, "external-dns-access", false, "enable IAM policy for external-dns")
 	fs.BoolVar(ng.IAM.WithAddonPolicies.ImageBuilder, "full-ecr-access", false, "enable full access to ECR")