fix(eks): cluster built with clusterLogging property set prevents the cluster from being modified #21362
Conversation
|
|
There was a problem hiding this comment.
Please make sure that your PR title confirms to the conventional commit standard (fix, feat, chore) and that it is written in a style that will reflect correctly in the change log.
Additionally, please make sure that your PR body describes the problem the PR is solving, and the design approach and alternatives considered. Explain why the PR solves the problem. A link to an issue is helpful, but does not replace an explanation of your thought process (See Contributing Guide, Pull Requests)
|
I think we also need some integration tests for this fix. |
watany-dev
changed the title
|
Thank you. I will challenge the INTEGRATION TESTS and take this issue in a better direction. |
TheRealAmazonKendra
changed the title
| @@ -137,10 +137,17 @@ export class ClusterResourceHandler extends ResourceHandler { | |||
| } | |||
|
|
|||
| if (updates.updateLogging || updates.updateAccess) { | |||
There was a problem hiding this comment.
@watany-dev an error should be thrown when updates.updateLogging and updates.updateAccess are both true, as updating both logging configuration and resources vpc configuration results in an error from the EKS API (even though it is not documented in EKS UpdateClusterConfig API)
There was a problem hiding this comment.
It seems I did not know the correct specifications. I will try to re-write it again with that useful information. Thanks.
mergify
bot
dismissed
TheRealAmazonKendra’s stale review
Pull request has been modified.
TheRealAmazonKendra
changed the title
There was a problem hiding this comment.
Overall this needs more testing. I've already mentioned integration tests, I think, but this also needs a bit more unit testing coverage for the change. If it's actually already covered but is just not showing up in this PR because you didn't make changes to it, please just link it and I'll take a look to ensure I think it's enough.
| }); | ||
| Template.fromStack(stack); |
There was a problem hiding this comment.
This is no longer testing anything.
| @@ -136,23 +136,33 @@ export class ClusterResourceHandler extends ResourceHandler { | |||
| return this.updateClusterVersion(this.newProps.version); | |||
| } | |||
|
|
|||
| if (updates.updateLogging || updates.updateAccess) { | |||
| //error should be thrown when updates.updateLogging and updates.updateAccess are both true | |||
There was a problem hiding this comment.
| //error should be thrown when updates.updateLogging and updates.updateAccess are both true | |
| // Error should be thrown when updates.updateLogging and updates.updateAccess are both true |
| if (updates.updateLogging || updates.updateAccess) { | ||
| //error should be thrown when updates.updateLogging and updates.updateAccess are both true | ||
| if (updates.updateLogging && updates.updateAccess) { | ||
| throw new Error('Cannot update cluster updateLogging and updateAccess are both true'); |
There was a problem hiding this comment.
| throw new Error('Cannot update cluster updateLogging and updateAccess are both true'); | |
| throw new Error('updateLogging and updateAccess cannot both be set to true'); |
| }); | ||
|
|
||
|
|
There was a problem hiding this comment.
TheRealAmazonKendra
changed the title
|
Thanks for your comment. I will re-implement this policy.
I am embarrassed to ask this because it is an elementary question. if (updates.updateLogging) {
const config: aws.EKS.UpdateClusterConfigRequest = {
name: this.clusterName,
logging: this.newProps.logging,
};
if (!updates.updateAccess) {
const updateResponse1: aws.EKS.UpdateClusterConfigResponse = await this.eks.updateClusterConfig(config);
return { EksUpdateId: updateResponse1.update?.id };
}
const config2: aws.EKS.UpdateClusterConfigRequest = {
name: this.clusterName,
};
config2.resourcesVpcConfig = {
endpointPrivateAccess: this.newProps.resourcesVpcConfig.endpointPrivateAccess,
endpointPublicAccess: this.newProps.resourcesVpcConfig.endpointPublicAccess,
publicAccessCidrs: this.newProps.resourcesVpcConfig.publicAccessCidrs,
};
const updateResponse1 = await this.eks.updateClusterConfig(config);
const updateResponse2 = await this.eks.updateClusterConfig(config2);
const updateResponse = { ...updateResponse1, ...updateResponse2 };
// some deep copy?
return { EksUpdateId: (updateResponse.update?.id) };
} |
@watany-dev I'm not sure the suggested logic will work (even before merging the responses, which has its own issues), as when you update the cluster configuration in the first command, it transitions to an "Updating" state, and will reject any further requests until that operation is done, and the cluster is back to an "Active" state. You should have some waiting logic that ensures the cluster has applied the first update before continuing to the next operation. |
@yakireliyahu1987 Thanks for adding your input on this. I would think that adding in retry logic would do the trick here. |
Absolutely no need to be embarrassed by any questions! I'm happy to deep dive with you on this. Investing in our contributor community both helps everyone learn and helps us get better code. Besides my generic answer of adding a retry, I'll provide some more thoughts on approaches shortly. I need to look a little closer at the codebase here. It's not one of my areas of expertise. |
|
So sorry that I didn't get back to this. I'll provide some thoughts for real on Monday. |
|
So, basically, what you want to do here is probably add a while loop around the first update being performed that waits for |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
I apologize for closing with an operational error. |
fixed: #20779
The original issue was that in
update-cluster-config,updates.updateLoggingandupdates.updateAccesswere not separated and were state dependent.We reviewed the logic in the conditional branch and decided to make a decision for each state.
As a point of interest for this repair, we picked out the case where updateClusterConfigRequest is
updates.updateLogging && updates.updateAccess, and used unittest and We have not added integtest because it seems that the existing integtest is sufficient to verify that the existing behavior is as before.I would be very glad to get advice on this, as I have a little trouble coming up with a perspective to check if it is necessary.
All Submissions:
Adding new Unconventional Dependencies:
New Features
yarn integto deploy the infrastructure and generate the snapshot (i.e.yarn integwithout--dry-run)?By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license