Merge pull request #7879 from cPu1/move-bare-cluster-validation

Refactor: move bare cluster validation to NewCreateClusterLoader

Author: cPu1

pkg/apis/eksctl.io/v1alpha5/bare_cluster.go

@@ -84,9 +84,6 @@ func setNonEmpty(field string) error {
 
 // ValidateClusterConfig checks compatible fields of a given ClusterConfig
 func ValidateClusterConfig(cfg *ClusterConfig) error {
-	if err := validateBareCluster(cfg); err != nil {
-		return err
-	}
 	if IsDisabled(cfg.IAM.WithOIDC) && len(cfg.IAM.ServiceAccounts) > 0 {
 		return fmt.Errorf("iam.withOIDC must be enabled explicitly for iam.serviceAccounts to be created")
 	}

pkg/apis/eksctl.io/v1alpha5/bare_cluster_validation_test.go

@@ -3,6 +3,7 @@ package cmdutils
 import (
 	"encoding/csv"
 	"fmt"
+	"io"
 	"reflect"
 	"strconv"
 	"strings"
@@ -35,6 +36,7 @@ type ClusterConfigLoader interface {
 
 type commonClusterConfigLoader struct {
 	*Cmd
+	configReader io.Reader
 
 	flagsIncompatibleWithConfigFile    sets.Set[string]
 	flagsIncompatibleWithoutConfigFile sets.Set[string]
@@ -125,7 +127,7 @@ func (l *commonClusterConfigLoader) Load() error {
 	// The reference to ClusterConfig should only be reassigned if ClusterConfigFile is specified
 	// because other parts of the code store the pointer locally and access it directly instead of via
 	// the Cmd reference
-	if l.ClusterConfig, err = eks.LoadConfigFromFile(l.ClusterConfigFile); err != nil {
+	if l.ClusterConfig, err = eks.LoadConfigWithReader(l.ClusterConfigFile, l.configReader); err != nil {
 		return err
 	}
 	meta := l.ClusterConfig.Metadata
@@ -199,6 +201,7 @@ func NewMetadataLoader(cmd *Cmd) ClusterConfigLoader {
 // NewCreateClusterLoader will load config or use flags for 'eksctl create cluster'
 func NewCreateClusterLoader(cmd *Cmd, ngFilter *filter.NodeGroupFilter, ng *api.NodeGroup, params *CreateClusterCmdParams) ClusterConfigLoader {
 	l := newCommonClusterConfigLoader(cmd)
+	l.configReader = params.ConfigReader
 
 	ngFilter.SetExcludeAll(params.WithoutNodeGroup)
 
@@ -309,6 +312,10 @@ func NewCreateClusterLoader(cmd *Cmd, ngFilter *filter.NodeGroupFilter, ng *api.
 			}
 		}
 
+		if err := validateBareCluster(clusterConfig); err != nil {
+			return err
+		}
+
 		shallCreatePodIdentityAssociations := func(cfg *api.ClusterConfig) bool {
 			if cfg.IAM != nil && len(cfg.IAM.PodIdentityAssociations) > 0 {
 				return true
@@ -448,6 +455,22 @@ func validateDryRunOptions(cmd *cobra.Command, incompatibleFlags []string) error
 	return nil
 }
 
+// validateBareCluster validates a cluster for unsupported fields if VPC CNI is disabled.
+func validateBareCluster(clusterConfig *api.ClusterConfig) error {
+	if !clusterConfig.AddonsConfig.DisableDefaultAddons || slices.ContainsFunc(clusterConfig.Addons, func(addon *api.Addon) bool {
+		return addon.Name == api.VPCCNIAddon
+	}) {
+		return nil
+	}
+	if clusterConfig.HasNodes() || clusterConfig.IsFargateEnabled() || clusterConfig.Karpenter != nil || clusterConfig.HasGitOpsFluxConfigured() ||
+		(clusterConfig.IAM != nil && (len(clusterConfig.IAM.ServiceAccounts) > 0) || len(clusterConfig.IAM.PodIdentityAssociations) > 0) {
+		return errors.New("fields nodeGroups, managedNodeGroups, fargateProfiles, karpenter, gitops, iam.serviceAccounts, " +
+			"and iam.podIdentityAssociations are not supported during cluster creation in a cluster without VPC CNI; please remove these fields " +
+			"and add them back after cluster creation is successful")
+	}
+	return nil
+}
+
 const updateAuthConfigMapFlagName = "update-auth-configmap"
 
 // NewCreateNodeGroupLoader will load config or use flags for 'eksctl create nodegroup'

pkg/apis/eksctl.io/v1alpha5/validation.go

@@ -3,11 +3,13 @@ package cmdutils
 import (
 	"path/filepath"
 
+	"github.com/aws/aws-sdk-go-v2/aws"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 
+	clusterutils "github.com/weaveworks/eksctl/integration/utilities/cluster"
 	api "github.com/weaveworks/eksctl/pkg/apis/eksctl.io/v1alpha5"
 	"github.com/weaveworks/eksctl/pkg/ctl/cmdutils/filter"
 )
@@ -471,6 +473,123 @@ var _ = Describe("cmdutils configfile", func() {
 				testClusterEndpointAccessDefaults("test_data/cluster-with-vpc-private-access.yaml", true, true)
 			})
 		})
+
+		type bareClusterEntry struct {
+			updateClusterConfig func(*api.ClusterConfig)
+			expectErr           bool
+		}
+
+		DescribeTable("Bare Cluster validation", func(e bareClusterEntry) {
+			cmd := &Cmd{
+				CobraCommand:      newCmd(),
+				ClusterConfigFile: "-",
+				ClusterConfig:     api.NewClusterConfig(),
+				ProviderConfig:    api.ProviderConfig{},
+			}
+			clusterConfig := api.NewClusterConfig()
+			clusterConfig.Metadata.Name = "cluster"
+			clusterConfig.Metadata.Region = api.DefaultRegion
+			clusterConfig.AddonsConfig.DisableDefaultAddons = true
+			clusterConfig.Addons = []*api.Addon{
+				{
+					Name: api.CoreDNSAddon,
+				},
+			}
+			e.updateClusterConfig(clusterConfig)
+			err := NewCreateClusterLoader(cmd, filter.NewNodeGroupFilter(), nil, &CreateClusterCmdParams{
+				ConfigReader: clusterutils.Reader(clusterConfig),
+			}).Load()
+			if e.expectErr {
+				Expect(err).To(MatchError("fields nodeGroups, managedNodeGroups, fargateProfiles, karpenter, gitops, iam.serviceAccounts, " +
+					"and iam.podIdentityAssociations are not supported during cluster creation in a cluster without VPC CNI; please remove these fields " +
+					"and add them back after cluster creation is successful"))
+			} else {
+				Expect(err).NotTo(HaveOccurred())
+			}
+		},
+			Entry("nodeGroups", bareClusterEntry{
+				updateClusterConfig: func(c *api.ClusterConfig) {
+					ng := api.NewNodeGroup()
+					ng.Name = "ng"
+					ng.DesiredCapacity = aws.Int(1)
+					c.NodeGroups = []*api.NodeGroup{ng}
+				},
+				expectErr: true,
+			}),
+			Entry("managedNodeGroups", bareClusterEntry{
+				updateClusterConfig: func(c *api.ClusterConfig) {
+					ng := api.NewManagedNodeGroup()
+					ng.Name = "mng"
+					ng.DesiredCapacity = aws.Int(1)
+					c.ManagedNodeGroups = []*api.ManagedNodeGroup{ng}
+				},
+				expectErr: true,
+			}),
+			Entry("fargateProfiles", bareClusterEntry{
+				updateClusterConfig: func(c *api.ClusterConfig) {
+					c.FargateProfiles = []*api.FargateProfile{
+						{
+							Name: "test",
+							Selectors: []api.FargateProfileSelector{
+								{
+									Namespace: "default",
+								},
+							},
+						},
+					}
+				},
+				expectErr: true,
+			}),
+			Entry("gitops", bareClusterEntry{
+				updateClusterConfig: func(c *api.ClusterConfig) {
+					c.GitOps = &api.GitOps{
+						Flux: &api.Flux{
+							GitProvider: "github",
+							Flags: api.FluxFlags{
+								"owner": "aws",
+							},
+						},
+					}
+				},
+				expectErr: true,
+			}),
+			Entry("karpenter", bareClusterEntry{
+				updateClusterConfig: func(c *api.ClusterConfig) {
+					c.Karpenter = &api.Karpenter{}
+				},
+				expectErr: true,
+			}),
+			Entry("iam.serviceAccounts", bareClusterEntry{
+				updateClusterConfig: func(c *api.ClusterConfig) {
+					c.IAM.WithOIDC = api.Enabled()
+					c.IAM.ServiceAccounts = []*api.ClusterIAMServiceAccount{
+						{
+							ClusterIAMMeta: api.ClusterIAMMeta{
+								Name:      "test",
+								Namespace: "test",
+							},
+							AttachPolicyARNs: []string{"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"},
+						},
+					}
+				},
+				expectErr: true,
+			}),
+			Entry("iam.podIdentityAssociations", bareClusterEntry{
+				updateClusterConfig: func(c *api.ClusterConfig) {
+					c.Addons = append(c.Addons, &api.Addon{Name: api.PodIdentityAgentAddon})
+					c.IAM.PodIdentityAssociations = []api.PodIdentityAssociation{
+						{
+							Namespace:            "test",
+							PermissionPolicyARNs: []string{"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"},
+						},
+					}
+				},
+				expectErr: true,
+			}),
+			Entry("no unsupported field set", bareClusterEntry{
+				updateClusterConfig: func(c *api.ClusterConfig) {},
+			}),
+		)
 	})
 
 	Describe("SetLabelLoader", func() {

pkg/ctl/cmdutils/configfile.go

@@ -1,6 +1,8 @@
 package cmdutils
 
 import (
+	"io"
+
 	api "github.com/weaveworks/eksctl/pkg/apis/eksctl.io/v1alpha5"
 )
 
@@ -21,6 +23,8 @@ type CreateClusterCmdParams struct {
 	DryRun                bool
 	CreateNGOptions
 	CreateManagedNGOptions
+
+	ConfigReader io.Reader
 }
 
 // NodeGroupOptions holds options for creating nodegroups.