Merge pull request #3298 from Ankitasw/bastion-ami-lookup

Removed hardcoding for AMIs in bastion host and added latest AMI lookup

Author: k8s-ci-robot

docs/book/src/topics/accessing-ec2-instances.md

@@ -31,6 +31,7 @@ spec:
   bastion:
     enabled: true
 ```
+If this field is set and a specific AMI ID is not provided for the bastion (by setting spec.bastion.ami) then by default the latest AMI(Ubuntu 20.04 LTS OS) is looked up from [Ubuntu cloud images](https://ubuntu.com/server/docs/cloud-images/amazon-ec2) by CAPA controller and used in bastion host creation.
 
 #### Obtain public IP address of the bastion node
 

pkg/cloud/services/ec2/ami.go

@@ -40,6 +40,13 @@ const (
 	// https://github.com/kubernetes-sigs/cluster-api-provider-aws/issues/487
 	DefaultMachineAMIOwnerID = "258751437250"
 
+	// ubuntuOwnerID is Ubuntu owned account. Please see:
+	// https://ubuntu.com/server/docs/cloud-images/amazon-ec2
+	ubuntuOwnerID = "099720109477"
+
+	// Description regex for fetching Ubuntu AMIs for bastion host.
+	ubuntuImageDescription = "Canonical??Ubuntu??20.04?LTS??amd64?focal?image*"
+
 	// defaultMachineAMILookupBaseOS is the default base operating system to use
 	// when looking up machine AMIs.
 	defaultMachineAMILookupBaseOS = "ubuntu-18.04"
@@ -188,45 +195,43 @@ func GetLatestImage(imgs []*ec2.Image) (*ec2.Image, error) {
 	return imgs[len(imgs)-1], nil
 }
 
-func (s *Service) defaultBastionAMILookup(region string) string {
-	switch region {
-	case "ap-northeast-1":
-		return "ami-09b86f9709b3c33d4"
-	case "ap-northeast-2":
-		return "ami-044057cb1bc4ce527"
-	case "ap-south-1":
-		return "ami-0cda377a1b884a1bc"
-	case "ap-southeast-1":
-		return "ami-093da183b859d5a4b"
-	case "ap-southeast-2":
-		return "ami-0f158b0f26f18e619"
-	case "ca-central-1":
-		return "ami-0edab43b6fa892279"
-	case "eu-central-1":
-		return "ami-0c960b947cbb2dd16"
-	case "eu-west-1":
-		return "ami-06fd8a495a537da8b"
-	case "eu-west-2":
-		return "ami-05c424d59413a2876"
-	case "eu-west-3":
-		return "ami-078db6d55a16afc82"
-	case "sa-east-1":
-		return "ami-02dc8ad50da58fffd"
-	case "us-east-1":
-		return "ami-0dba2cb6798deb6d8"
-	case "us-east-2":
-		return "ami-07efac79022b86107"
-	case "us-west-1":
-		return "ami-021809d9177640a20"
-	case "us-west-2":
-		return "ami-06e54d05255faf8f6"
-	case "eu-north-1":
-		return "ami-008dea09a148cea39"
-	case "eu-south-1":
-		return "ami-01eec6bdfa20f008e"
-	default:
-		return "unknown region"
+func (s *Service) defaultBastionAMILookup() (string, error) {
+	describeImageInput := &ec2.DescribeImagesInput{
+		Filters: []*ec2.Filter{
+			{
+				Name:   aws.String("owner-id"),
+				Values: []*string{aws.String(ubuntuOwnerID)},
+			},
+			{
+				Name:   aws.String("architecture"),
+				Values: []*string{aws.String("x86_64")},
+			},
+			{
+				Name:   aws.String("state"),
+				Values: []*string{aws.String("available")},
+			},
+			{
+				Name:   aws.String("virtualization-type"),
+				Values: []*string{aws.String("hvm")},
+			},
+			{
+				Name:   aws.String("description"),
+				Values: aws.StringSlice([]string{ubuntuImageDescription}),
+			},
+		},
+	}
+	out, err := s.EC2Client.DescribeImages(describeImageInput)
+	if err != nil {
+		return "", errors.Wrapf(err, "failed to describe images within region: %q", s.scope.Region())
+	}
+	if len(out.Images) == 0 {
+		return "", errors.Errorf("found no AMIs within the region: %q", s.scope.Region())
+	}
+	latestImage, err := GetLatestImage(out.Images)
+	if err != nil {
+		return "", err
 	}
+	return *latestImage.ImageId, nil
 }
 
 func (s *Service) eksAMILookup(kubernetesVersion string, amiType *infrav1.EKSAMILookupType) (string, error) {

pkg/cloud/services/ec2/bastion.go

@@ -76,7 +76,12 @@ func (s *Service) ReconcileBastion() error {
 				return errors.Wrap(err, "failed to patch conditions")
 			}
 		}
-		instance, err = s.runInstance("bastion", s.getDefaultBastion(s.scope.Bastion().InstanceType, s.scope.Bastion().AMI))
+		defaultBastion, err := s.getDefaultBastion(s.scope.Bastion().InstanceType, s.scope.Bastion().AMI)
+		if err != nil {
+			record.Warnf(s.scope.InfraCluster(), "FailedFetchingBastion", "Failed to fetch default bastion instance: %v", err)
+			return err
+		}
+		instance, err = s.runInstance("bastion", defaultBastion)
 		if err != nil {
 			record.Warnf(s.scope.InfraCluster(), "FailedCreateBastion", "Failed to create bastion instance: %v", err)
 			return err
@@ -161,7 +166,7 @@ func (s *Service) describeBastionInstance() (*infrav1.Instance, error) {
 	return nil, awserrors.NewNotFound("bastion host not found")
 }
 
-func (s *Service) getDefaultBastion(instanceType, ami string) *infrav1.Instance {
+func (s *Service) getDefaultBastion(instanceType, ami string) (*infrav1.Instance, error) {
 	name := fmt.Sprintf("%s-bastion", s.scope.Name())
 	userData, _ := userdata.NewBastion(&userdata.BastionInput{})
 
@@ -182,7 +187,11 @@ func (s *Service) getDefaultBastion(instanceType, ami string) *infrav1.Instance
 	}
 
 	if ami == "" {
-		ami = s.defaultBastionAMILookup(s.scope.Region())
+		var err error
+		ami, err = s.defaultBastionAMILookup()
+		if err != nil {
+			return nil, err
+		}
 	}
 
 	i := &infrav1.Instance{
@@ -203,5 +212,5 @@ func (s *Service) getDefaultBastion(instanceType, ami string) *infrav1.Instance
 		}),
 	}
 
-	return i
+	return i, nil
 }

pkg/cloud/services/ec2/bastion_test.go

@@ -36,7 +36,7 @@ import (
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 )
 
-func TestDeleteBastion(t *testing.T) {
+func TestService_DeleteBastion(t *testing.T) {
 	clusterName := "cluster"
 
 	describeInput := &ec2.DescribeInstancesInput{
@@ -225,3 +225,239 @@ func TestDeleteBastion(t *testing.T) {
 		}
 	}
 }
+
+func TestService_ReconcileBastion(t *testing.T) {
+	clusterName := "cluster"
+
+	describeInput := &ec2.DescribeInstancesInput{
+		Filters: []*ec2.Filter{
+			filter.EC2.ProviderRole(infrav1.BastionRoleTagValue),
+			filter.EC2.Cluster(clusterName),
+			filter.EC2.InstanceStates(
+				ec2.InstanceStateNamePending,
+				ec2.InstanceStateNameRunning,
+				ec2.InstanceStateNameStopping,
+				ec2.InstanceStateNameStopped,
+			),
+		},
+	}
+
+	foundOutput := &ec2.DescribeInstancesOutput{
+		Reservations: []*ec2.Reservation{
+			{
+				Instances: []*ec2.Instance{
+					{
+						InstanceId: aws.String("id123"),
+						State: &ec2.InstanceState{
+							Name: aws.String(ec2.InstanceStateNameRunning),
+						},
+						Placement: &ec2.Placement{
+							AvailabilityZone: aws.String("us-east-1"),
+						},
+					},
+				},
+			},
+		},
+	}
+
+	tests := []struct {
+		name           string
+		bastionEnabled bool
+		expect         func(m *mock_ec2iface.MockEC2APIMockRecorder)
+		expectError    bool
+		bastionStatus  *infrav1.Instance
+	}{
+		{
+			name: "Should ignore reconciliation if instance not found",
+			expect: func(m *mock_ec2iface.MockEC2APIMockRecorder) {
+				m.
+					DescribeInstances(gomock.Eq(describeInput)).
+					Return(&ec2.DescribeInstancesOutput{}, nil)
+			},
+			expectError: false,
+		},
+		{
+			name: "Should fail reconcile if describe instance fails",
+			expect: func(m *mock_ec2iface.MockEC2APIMockRecorder) {
+				m.
+					DescribeInstances(gomock.Eq(describeInput)).
+					Return(nil, errors.New("some error"))
+			},
+			expectError: true,
+		},
+		{
+			name: "Should fail reconcile if terminate instance fails",
+			expect: func(m *mock_ec2iface.MockEC2APIMockRecorder) {
+				m.
+					DescribeInstances(gomock.Eq(describeInput)).
+					Return(foundOutput, nil).MinTimes(1)
+				m.
+					TerminateInstances(
+						gomock.Eq(&ec2.TerminateInstancesInput{
+							InstanceIds: aws.StringSlice([]string{"id123"}),
+						}),
+					).
+					Return(nil, errors.New("some error"))
+			},
+			expectError: true,
+		},
+		{
+			name: "Should create bastion successfully",
+			expect: func(m *mock_ec2iface.MockEC2APIMockRecorder) {
+				m.DescribeInstances(gomock.Eq(describeInput)).
+					Return(&ec2.DescribeInstancesOutput{}, nil).MinTimes(1)
+				m.DescribeImages(gomock.Eq(&ec2.DescribeImagesInput{Filters: []*ec2.Filter{
+					{
+						Name:   aws.String("owner-id"),
+						Values: aws.StringSlice([]string{ubuntuOwnerID}),
+					},
+					{
+						Name:   aws.String("architecture"),
+						Values: aws.StringSlice([]string{"x86_64"}),
+					},
+					{
+						Name:   aws.String("state"),
+						Values: aws.StringSlice([]string{"available"}),
+					},
+					{
+						Name:   aws.String("virtualization-type"),
+						Values: aws.StringSlice([]string{"hvm"}),
+					},
+					{
+						Name:   aws.String("description"),
+						Values: aws.StringSlice([]string{ubuntuImageDescription}),
+					},
+				}})).Return(&ec2.DescribeImagesOutput{Images: images{
+					{
+						ImageId:      aws.String("ubuntu-ami-id-latest"),
+						CreationDate: aws.String("2019-02-08T17:02:31.000Z"),
+					},
+					{
+						ImageId:      aws.String("ubuntu-ami-id-old"),
+						CreationDate: aws.String("2014-02-08T17:02:31.000Z"),
+					},
+				}}, nil)
+				m.RunInstances(gomock.Any()).
+					Return(&ec2.Reservation{
+						Instances: []*ec2.Instance{
+							{
+								State: &ec2.InstanceState{
+									Name: aws.String(ec2.InstanceStateNameRunning),
+								},
+								IamInstanceProfile: &ec2.IamInstanceProfile{
+									Arn: aws.String("arn:aws:iam::123456789012:instance-profile/foo"),
+								},
+								InstanceId:     aws.String("id123"),
+								InstanceType:   aws.String("t3.micro"),
+								SubnetId:       aws.String("subnet-1"),
+								ImageId:        aws.String("ubuntu-ami-id-latest"),
+								RootDeviceName: aws.String("device-1"),
+								BlockDeviceMappings: []*ec2.InstanceBlockDeviceMapping{
+									{
+										DeviceName: aws.String("device-1"),
+										Ebs: &ec2.EbsInstanceBlockDevice{
+											VolumeId: aws.String("volume-1"),
+										},
+									},
+								},
+								Placement: &ec2.Placement{
+									AvailabilityZone: aws.String("us-east-1"),
+								},
+							},
+						},
+					}, nil)
+				m.WaitUntilInstanceRunningWithContext(gomock.Any(), gomock.Any(), gomock.Any()).
+					Return(nil)
+			},
+			bastionEnabled: true,
+			expectError:    false,
+			bastionStatus: &infrav1.Instance{
+				ID:               "id123",
+				State:            "running",
+				Type:             "t3.micro",
+				SubnetID:         "subnet-1",
+				ImageID:          "ubuntu-ami-id-latest",
+				IAMProfile:       "foo",
+				Addresses:        []clusterv1.MachineAddress{},
+				AvailabilityZone: "us-east-1",
+				VolumeIDs:        []string{"volume-1"},
+			},
+		},
+	}
+
+	for _, tc := range tests {
+		managedValues := []bool{false, true}
+		for i := range managedValues {
+			managed := managedValues[i]
+
+			t.Run(fmt.Sprintf("managed=%t %s", managed, tc.name), func(t *testing.T) {
+				g := NewWithT(t)
+
+				mockControl := gomock.NewController(t)
+				defer mockControl.Finish()
+
+				ec2Mock := mock_ec2iface.NewMockEC2API(mockControl)
+
+				scheme, err := setupScheme()
+				g.Expect(err).To(BeNil())
+
+				awsCluster := &infrav1.AWSCluster{
+					ObjectMeta: metav1.ObjectMeta{Name: "test"},
+					Spec: infrav1.AWSClusterSpec{
+						NetworkSpec: infrav1.NetworkSpec{
+							VPC: infrav1.VPCSpec{
+								ID: "vpcID",
+							},
+							Subnets: infrav1.Subnets{
+								{
+									ID: "subnet-1",
+								},
+								{
+									ID:       "subnet-2",
+									IsPublic: true,
+								},
+							},
+						},
+						Bastion: infrav1.Bastion{Enabled: tc.bastionEnabled},
+					},
+				}
+
+				client := fake.NewClientBuilder().WithScheme(scheme).Build()
+				ctx := context.TODO()
+				client.Create(ctx, awsCluster)
+
+				scope, err := scope.NewClusterScope(scope.ClusterScopeParams{
+					Cluster: &clusterv1.Cluster{
+						ObjectMeta: metav1.ObjectMeta{
+							Namespace: "ns",
+							Name:      clusterName,
+						},
+					},
+					AWSCluster: awsCluster,
+					Client:     client,
+				})
+				g.Expect(err).To(BeNil())
+
+				if managed {
+					scope.AWSCluster.Spec.NetworkSpec.VPC.Tags = infrav1.Tags{
+						infrav1.ClusterTagKey(clusterName): string(infrav1.ResourceLifecycleOwned),
+					}
+				}
+
+				tc.expect(ec2Mock.EXPECT())
+				s := NewService(scope)
+				s.EC2Client = ec2Mock
+
+				err = s.ReconcileBastion()
+				if tc.expectError {
+					g.Expect(err).NotTo(BeNil())
+					return
+				}
+
+				g.Expect(err).To(BeNil())
+
+				g.Expect(scope.AWSCluster.Status.Bastion).To(BeEquivalentTo(tc.bastionStatus))
+			})
+		}
+	}
+}