Fix tests

Author: cPu1

integration/data/crud-podinfo.yaml

@@ -0,0 +1,53 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: podinfo
+  labels:
+    app: podinfo
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: podinfo
+  template:
+    metadata:
+      labels:
+        app: podinfo
+      annotations:
+        prometheus.io/scrape: 'true'
+    spec:
+      nodeSelector:
+        used-for: test-pods
+      containers:
+      - name: podinfod
+        image: stefanprodan/podinfo:1.5.1@sha256:702633d438950f3675d0763a4ca6cfcf21a4d065cd7f470446c67607b1a26750
+        securityContext:
+          runAsNonRoot: true
+          allowPrivilegeEscalation: false
+          runAsUser: 1000
+        command:
+        - ./podinfo
+        - --port=8080
+        ports:
+        - name: http
+          containerPort: 8080
+          protocol: TCP
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: 8080
+          initialDelaySeconds: 1
+          periodSeconds: 5
+          failureThreshold: 1
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 8080
+          initialDelaySeconds: 1
+          periodSeconds: 10
+          failureThreshold: 2
+        resources:
+          requests:
+            memory: "32Mi"
+            cpu: "10m"

integration/data/podinfo.yaml

@@ -17,8 +17,6 @@ spec:
       annotations:
         prometheus.io/scrape: 'true'
     spec:
-      nodeSelector:
-        used-for: test-pods
       containers:
       - name: podinfod
         image: stefanprodan/podinfo:1.5.1@sha256:702633d438950f3675d0763a4ca6cfcf21a4d065cd7f470446c67607b1a26750

integration/tests/addons/addons_test.go

@@ -107,31 +107,8 @@ var _ = Describe("(Integration) [EKS Addons test]", func() {
 				return cmd
 			}, "5m", "30s").Should(RunSuccessfullyWithOutputStringLines(ContainElement(ContainSubstring("ACTIVE"))))
 
-			By("successfully creating the kube-proxy addon")
-			cmd := params.EksctlCreateCmd.
-				WithArgs(
-					"addon",
-					"--name", "kube-proxy",
-					"--cluster", clusterName,
-					"--force",
-					"--wait",
-					"--verbose", "2",
-				)
-			Expect(cmd).To(RunSuccessfully())
-
-			Eventually(func() runner.Cmd {
-				cmd := params.EksctlGetCmd.
-					WithArgs(
-						"addon",
-						"--name", "kube-proxy",
-						"--cluster", clusterName,
-						"--verbose", "2",
-					)
-				return cmd
-			}, "5m", "30s").Should(RunSuccessfullyWithOutputStringLines(ContainElement(ContainSubstring("ACTIVE"))))
-
 			By("Deleting the kube-proxy addon")
-			cmd = params.EksctlDeleteCmd.
+			cmd := params.EksctlDeleteCmd.
 				WithArgs(
 					"addon",
 					"--name", "kube-proxy",
@@ -171,17 +148,28 @@ var _ = Describe("(Integration) [EKS Addons test]", func() {
 				WithStdin(clusterutils.Reader(clusterConfig))
 			Expect(cmd).To(RunSuccessfully())
 
+			By("deleting coredns but preserving its resources")
 			cmd = params.EksctlDeleteCmd.
 				WithArgs(
 					"addon",
+					"--cluster", clusterConfig.Metadata.Name,
 					"--name", "coredns",
-					"--cluster", clusterName,
-					"--verbose", "2",
-					"--region", params.Region,
+					"--verbose", "4",
 					"--preserve",
+					"--region", params.Region,
 				)
 			Expect(cmd).To(RunSuccessfully())
 
+			Eventually(func() runner.Cmd {
+				return params.EksctlGetCmd.
+					WithArgs(
+						"addon",
+						"--name", "coredns",
+						"--cluster", clusterName,
+						"--verbose", "4",
+					)
+			}, "5m", "30s").ShouldNot(RunSuccessfully())
+
 			configMap := getConfigMap(rawClient.ClientSet(), "coredns")
 			oldCacheValue := getCacheValue(configMap)
 			newCacheValue := addToString(oldCacheValue, 5)
@@ -207,7 +195,7 @@ var _ = Describe("(Integration) [EKS Addons test]", func() {
 				).
 				WithoutArg("--region", params.Region).
 				WithStdin(bytes.NewReader(data))
-			Expect(cmd).ShouldNot(RunSuccessfully())
+			Expect(cmd).NotTo(RunSuccessfully())
 
 			Eventually(func() runner.Cmd {
 				cmd := params.EksctlGetCmd.
@@ -888,6 +876,9 @@ func getInitialClusterConfig() *api.ClusterConfig {
 			Name:             "vpc-cni",
 			AttachPolicyARNs: []string{"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"},
 		},
+		{
+			Name: "kube-proxy",
+		},
 	}
 	clusterConfig.AddonsConfig.DisableDefaultAddons = true
 

integration/tests/crud/creategetdelete_test.go

@@ -274,7 +274,7 @@ var _ = Describe("(Integration) Create, Get, Scale & Delete", func() {
 		})
 
 		It("should deploy podinfo service to the cluster and access it via proxy", func() {
-			d := test.CreateDeploymentFromFile(test.Namespace, "../../data/podinfo.yaml")
+			d := test.CreateDeploymentFromFile(test.Namespace, "../../data/crud-podinfo.yaml")
 			test.WaitForDeploymentReady(d, commonTimeout)
 
 			pods := test.ListPodsFromDeployment(d)

integration/tests/update/update_cluster_test.go

@@ -12,7 +12,6 @@ import (
 
 	"github.com/hashicorp/go-version"
 
-	awseks "github.com/aws/aws-sdk-go-v2/service/eks"
 	"github.com/aws/aws-sdk-go-v2/service/eks/types"
 	"github.com/aws/aws-sdk-go/aws"
 
@@ -208,17 +207,6 @@ var _ = Describe("(Integration) Upgrading cluster", func() {
 				assertAddonError(updateAddonName, addonName)
 			}
 		})
-
-		It("should migrate to self-managed addons for testing `utils update`", func() {
-			for _, addonName := range defaultNetworkingAddons {
-				_, err := clusterProvider.AWSProvider.EKS().DeleteAddon(context.Background(), &awseks.DeleteAddonInput{
-					ClusterName: aws.String(defaultCluster),
-					AddonName:   aws.String(addonName),
-					Preserve:    true,
-				})
-				Expect(err).NotTo(HaveOccurred())
-			}
-		})
 	})
 
 	Context("addons", func() {
@@ -234,7 +222,7 @@ var _ = Describe("(Integration) Upgrading cluster", func() {
 				)
 			Expect(cmd).To(RunSuccessfully())
 
-			rawClient := getRawClient(clusterProvider)
+			rawClient := getRawClient(context.Background(), clusterProvider)
 			Eventually(func() string {
 				daemonSet, err := rawClient.ClientSet().AppsV1().DaemonSets(metav1.NamespaceSystem).Get(context.TODO(), "kube-proxy", metav1.GetOptions{})
 				Expect(err).NotTo(HaveOccurred())
@@ -249,7 +237,7 @@ var _ = Describe("(Integration) Upgrading cluster", func() {
 		})
 
 		It("should upgrade aws-node", func() {
-			rawClient := getRawClient(clusterProvider)
+			rawClient := getRawClient(context.Background(), clusterProvider)
 			getAWSNodeVersion := func() string {
 				awsNode, err := rawClient.ClientSet().AppsV1().DaemonSets(metav1.NamespaceSystem).Get(context.TODO(), "aws-node", metav1.GetOptions{})
 				Expect(err).NotTo(HaveOccurred())
@@ -365,8 +353,10 @@ func defaultClusterConfig() *api.ClusterConfig {
 	}
 }
 
-func getRawClient(ctl *eks.ClusterProvider) *kubewrapper.RawClient {
-	rawClient, err := ctl.NewRawClient(defaultClusterConfig())
+func getRawClient(ctx context.Context, ctl *eks.ClusterProvider) *kubewrapper.RawClient {
+	clusterConfig := defaultClusterConfig()
+	Expect(ctl.RefreshClusterStatus(ctx, clusterConfig)).To(Succeed())
+	rawClient, err := ctl.NewRawClient(clusterConfig)
 	Expect(err).NotTo(HaveOccurred())
 	return rawClient
 }

pkg/actions/addon/addon.go

@@ -37,12 +37,13 @@ type StackManager interface {
 type CreateClientSet func() (kubeclient.Interface, error)
 
 type Manager struct {
-	clusterConfig   *api.ClusterConfig
-	eksAPI          awsapi.EKS
-	withOIDC        bool
-	oidcManager     *iamoidc.OpenIDConnectManager
-	stackManager    StackManager
-	createClientSet CreateClientSet
+	clusterConfig       *api.ClusterConfig
+	eksAPI              awsapi.EKS
+	withOIDC            bool
+	oidcManager         *iamoidc.OpenIDConnectManager
+	stackManager        StackManager
+	createClientSet     CreateClientSet
+	DisableAWSNodePatch bool
 }
 
 func New(clusterConfig *api.ClusterConfig, eksAPI awsapi.EKS, stackManager StackManager, withOIDC bool, oidcManager *iamoidc.OpenIDConnectManager, createClientSet CreateClientSet) (*Manager, error) {

pkg/actions/addon/create.go

@@ -242,7 +242,7 @@ func (a *Manager) Create(ctx context.Context, addon *api.Addon, iamRoleCreator I
 		logger.Warning(IAMPermissionsNotRequiredWarning(addon.Name))
 	}
 
-	if addon.CanonicalName() == api.VPCCNIAddon {
+	if !a.DisableAWSNodePatch && addon.CanonicalName() == api.VPCCNIAddon {
 		logger.Debug("patching AWS node")
 		err := a.patchAWSNodeSA(ctx)
 		if err != nil {

pkg/actions/addon/tasks.go

@@ -98,20 +98,20 @@ func CreateAddonTasks(ctx context.Context, cfg *api.ClusterConfig, clusterProvid
 	if len(postAddons) > 0 {
 		postTasks.Append(makeAddonTask(postAddons, cfg.HasNodes()))
 	}
-	var updateVPCCNI tasks.GenericTask
+	var updateVPCCNI *tasks.GenericTask
 	if vpcCNIAddon != nil && api.IsEnabled(cfg.IAM.WithOIDC) {
-		updateVPCCNI = tasks.GenericTask{
+		updateVPCCNI = &tasks.GenericTask{
+			Description: "update VPC CNI to use IRSA if required",
 			Doer: func() error {
 				addonManager, err := createAddonManager(ctx, clusterProvider, cfg)
 				if err != nil {
 					return err
 				}
-				addonManager.setRecommendedPoliciesForIRSA(vpcCNIAddon)
 				return addonManager.Update(ctx, vpcCNIAddon, nil, clusterProvider.AWSProvider.WaitTimeout())
 			},
 		}
 	}
-	return preTasks, postTasks, &updateVPCCNI, autoDefaultAddonNames
+	return preTasks, postTasks, updateVPCCNI, autoDefaultAddonNames
 }
 
 type createAddonTask struct {
@@ -135,6 +135,7 @@ func (t *createAddonTask) Do(errorCh chan error) error {
 		return err
 	}
 
+	addonManager.DisableAWSNodePatch = true
 	// always install EKS Pod Identity Agent Addon first, if present,
 	// as other addons might require IAM permissions
 	for _, a := range t.addons {

pkg/eks/tasks.go

@@ -183,6 +183,7 @@ func (c *ClusterProvider) CreateExtraClusterConfigTasks(ctx context.Context, cfg
 	newTasks := &tasks.TaskTree{
 		Parallel:  false,
 		IsSubTask: true,
+		Tasks:     []tasks.Task{preNodeGroupAddons},
 	}
 
 	newTasks.Append(&tasks.GenericTask{
@@ -208,9 +209,6 @@ func (c *ClusterProvider) CreateExtraClusterConfigTasks(ctx context.Context, cfg
 			newTasks.Append(updateVPCCNITask)
 		}
 	}
-	if preNodeGroupAddons.Len() > 0 {
-		newTasks.Append(preNodeGroupAddons)
-	}
 
 	if cfg.HasClusterCloudWatchLogging() {
 		if logRetentionDays := cfg.CloudWatch.ClusterLogging.LogRetentionInDays; logRetentionDays != 0 {

pkg/nodebootstrap/al2023_test.go

@@ -48,13 +48,13 @@ var _ = DescribeTable("Unmanaged AL2023", func(e al2023Entry) {
 	Expect(actual).To(Equal(e.expectedUserData))
 },
 	Entry("default", al2023Entry{
-		expectedUserData: wrapMIMEParts(nodeConfig),
+		expectedUserData: wrapMIMEParts(xTablesLock + nodeConfig),
 	}),
 	Entry("efa enabled", al2023Entry{
 		overrideNodegroupSettings: func(np api.NodePool) {
 			np.BaseNodeGroup().EFAEnabled = aws.Bool(true)
 		},
-		expectedUserData: wrapMIMEParts(efaScript + nodeConfig),
+		expectedUserData: wrapMIMEParts(xTablesLock + efaScript + nodeConfig),
 	}),
 )
 
@@ -83,26 +83,26 @@ var _ = DescribeTable("Managed AL2023", func(e al2023Entry) {
 	Expect(actual).To(Equal(e.expectedUserData))
 },
 	Entry("native AMI", al2023Entry{
-		expectedUserData: "",
+		expectedUserData: wrapMIMEParts(xTablesLock),
 	}),
 	Entry("native AMI && EFA enabled", al2023Entry{
 		overrideNodegroupSettings: func(np api.NodePool) {
 			np.BaseNodeGroup().EFAEnabled = aws.Bool(true)
 		},
-		expectedUserData: wrapMIMEParts(efaCloudhook),
+		expectedUserData: wrapMIMEParts(xTablesLock + efaCloudhook),
 	}),
 	Entry("custom AMI", al2023Entry{
 		overrideNodegroupSettings: func(np api.NodePool) {
 			np.BaseNodeGroup().AMI = "ami-xxxx"
 		},
-		expectedUserData: wrapMIMEParts(managedNodeConfig),
+		expectedUserData: wrapMIMEParts(xTablesLock + managedNodeConfig),
 	}),
 	Entry("custom AMI && EFA enabled", al2023Entry{
 		overrideNodegroupSettings: func(np api.NodePool) {
 			np.BaseNodeGroup().AMI = "ami-xxxx"
 			np.BaseNodeGroup().EFAEnabled = aws.Bool(true)
 		},
-		expectedUserData: wrapMIMEParts(efaCloudhook + managedNodeConfig),
+		expectedUserData: wrapMIMEParts(xTablesLock + efaCloudhook + managedNodeConfig),
 	}),
 )
 
@@ -274,6 +274,13 @@ Content-Type: multipart/mixed; boundary=//
 `
 	}
 
+	xTablesLock = fmt.Sprintf(`--//
+Content-Type: text/x-shellscript
+Content-Type: charset="us-ascii"
+
+%s
+`, assets.AL2023XTablesLock)
+
 	efaCloudhook = fmt.Sprintf(`--//
 Content-Type: text/cloud-boothook
 Content-Type: charset="us-ascii"