Fix ManagedNodeGroup for cluster with API authentication mode (#1199)

Adding a ManagedNodeGroup to a cluster with API authentication mode fails because there's verification logic that expects the role for the EC2 instances to be present in the instanceRoles list of the cluster. If the necessary authentication configuration for the EC2 instances was added as access entries, this verification will fail. This change fixes that by excluding this check in case the cluster supports access entries. fixes #1197
pulumi · Jun 13, 2024 · c95cf44 · c95cf44
1 parent e7b0ed0
commit c95cf44
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 8 deletions.
diff --git a/examples/custom-managed-nodegroup/index.ts b/examples/custom-managed-nodegroup/index.ts
@@ -23,7 +23,13 @@ const cluster = new eks.Cluster("example-managed-nodegroup", {
   publicSubnetIds: eksVpc.publicSubnetIds,
   // Private subnets will be used for cluster nodes
   privateSubnetIds: eksVpc.privateSubnetIds,
-  instanceRoles: [instanceRole],
+  authenticationMode: eks.AuthenticationMode.API,
+  accessEntries: {
+    instanceRole: {
+      principalArn: instanceRole.arn,
+      type: eks.AccessEntryType.EC2_LINUX,
+    }
+  }
 });
 
 // Export the cluster's kubeconfig.

diff --git a/nodejs/eks/nodegroup.ts b/nodejs/eks/nodegroup.ts
@@ -19,6 +19,7 @@ import * as pulumi from "@pulumi/pulumi";
 import * as crypto from "crypto";
 import * as netmask from "netmask";
 
+import { supportsAccessEntries } from "./authenticationMode";
 import { Cluster, ClusterInternal, CoreData } from "./cluster";
 import randomSuffix from "./randomSuffix";
 import { createNodeGroupSecurityGroup } from "./securitygroup";
@@ -1667,13 +1668,16 @@ function createManagedNodeGroupInternal(
         });
     });
 
-    nodegroupRole.apply((role) => {
-        if (!role) {
-            throw new Error(
-                `A managed node group cannot be created without first setting its role in the cluster's instanceRoles`,
-            );
-        }
-    });
+    pulumi
+        .all([core.cluster.accessConfig.authenticationMode, nodegroupRole])
+        .apply(([authMode, role]) => {
+            // access entries can be added out of band, so we don't require them to be set in the cluster.
+            if (!supportsAccessEntries(authMode) && !role) {
+                throw new Error(
+                    `A managed node group cannot be created without first setting its role in the cluster's instanceRoles`,
+                );
+            }
+        });
 
     // Compute the node group subnets to use.
     let subnetIds: pulumi.Output<string[]>;