Onboard EKS to ci-mgmt #1142

Open
blampe opened this issue Nov 12, 2024 · 0 comments
Labels: kind/engineering (Work that is not visible to an external user)

Comments
blampe (Contributor) commented Nov 12, 2024

Use the generic ci-mgmt template to manage EKS. Will require support for sharding.

blampe self-assigned this Nov 12, 2024
pulumi-bot added the needs-triage (Needs attention from the triage team) label Nov 12, 2024
blampe added a commit to pulumi/pulumi-eks that referenced this issue Nov 13, 2024
Preparation for pulumi/ci-mgmt#1142.

This renames custom workflows to have an "eks-" prefix to prevent
ci-mgmt from deleting them (similar to
pulumi/pulumi-aws#4418).

This also adds a missing `.actionlint.yml` config file, copied from
[azure-native](https://github.com/pulumi/pulumi-azure-native/blob/master/.actionlint.yml).
The `lint_workflows` action currently has no effect without this file
([example](https://github.com/pulumi/pulumi-eks/actions/runs/11468567327/job/31913961281)):

> could not read config file ".actionlint.yml": open .actionlint.yml: no such file or directory
VenelinMartinov added the kind/engineering (Work that is not visible to an external user) label and removed the needs-triage (Needs attention from the triage team) label Nov 13, 2024
mjeffryes added this to the 0.113 milestone Nov 13, 2024
blampe added a commit to pulumi/pulumi-eks that referenced this issue Nov 14, 2024
This PR changes our kubeconfig logic to use a `--profile` arg instead of
an `AWS_PROFILE` environment variable so it will always use the expected
profile. It also parallelizes the relevant tests and simplifies
workflows slightly.

As a user, if I generate a kubeconfig for a particular profile I would
expect that configuration to _always_ use the profile I specified.
However, because we rely on `AWS_PROFILE` it is possible for our
generated kubeconfig to be inadvertently overridden by the presence of
`AWS_ACCESS_KEY_ID`.

> Credentials from environment variables have precedence over credentials from the shared credentials and AWS CLI config file. Credentials specified in the shared credentials file have precedence over credentials in the AWS CLI config file. If AWS_PROFILE environment variable is set and the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables are set, then the credentials provided by AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY will override the credentials located in the profile provided by AWS_PROFILE.

https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#id1

I'll note that I discovered this as part of the prep work for
pulumi/ci-mgmt#1142. In particular, our tests
currently do a few things to exercise profile switching behavior:
1. During CI setup, we set some fixed access keys for the `default`
profile. (This is unnecessary.)
2. During CI setup, we set some fixed access keys for an `alt` profile.
This is the profile we expect to use in `TestAccAwsProfile*` tests.
3. During `TestAccAwsProfile*` tests we unset `AWS_SECRET_ACCESS_KEY`,
`AWS_ACCESS_KEY_ID`, and `AWS_SESSION_TOKEN` for our process.

Importantly, (3) is currently implemented such that (a) it prevents
parallelization, and (b) subsequent queries to the k8s API server also
lack ambient credentials.

After I refactored (3) to allow parallelization the tests started
failing. Eventually I realized this was because I was unsetting
credentials for the `pulumi` subprocess and our test's k8s client now
had ambient credentials taking priority over the expected profile.
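The precedence problem described in the commit above, modelled as an added Go example. This is not code from pulumi-eks; it is an illustration written for this page. It encodes two rules taken from the commit message and the AWS CLI documentation it quotes: static `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` variables in the subprocess environment win over `AWS_PROFILE`, and an explicit `--profile` argument pins the profile regardless of ambient variables. The type and function names (`ExecConfig`, `EnvProfileExec`, `FlagProfileExec`, `EffectiveCredentialSource`, `AlwaysUsesProfile`) and the sample environments are assumptions made up for the example; the "partial credentials" case (only one of the two key variables set) is deliberately treated as no static credentials, which is a simplification.

```go
package main

import (
	"fmt"
	"strings"
)

// ExecConfig models the fields of a kubeconfig `users[].user.exec` entry that
// decide which AWS credentials `aws eks get-token` ends up using.
// (Hypothetical type, written for this example.)
type ExecConfig struct {
	Command string
	Args    []string
	Env     map[string]string // variables the kubeconfig injects into the subprocess
}

// EnvProfileExec builds the AWS_PROFILE-based entry: the profile is only a hint
// in the environment, so static env credentials can still override it.
func EnvProfileExec(cluster, profile string) ExecConfig {
	return ExecConfig{
		Command: "aws",
		Args:    []string{"eks", "get-token", "--cluster-name", cluster},
		Env:     map[string]string{"AWS_PROFILE": profile},
	}
}

// FlagProfileExec builds the entry with an explicit --profile argument.
func FlagProfileExec(cluster, profile string) ExecConfig {
	return ExecConfig{
		Command: "aws",
		Args:    []string{"eks", "get-token", "--cluster-name", cluster, "--profile", profile},
		Env:     map[string]string{},
	}
}

// argValue returns the value following flag in args, if present.
func argValue(args []string, flag string) (string, bool) {
	for i := 0; i+1 < len(args); i++ {
		if args[i] == flag {
			return args[i+1], true
		}
	}
	return "", false
}

// EffectiveCredentialSource applies the precedence rules quoted in the commit
// message to an exec entry, given the ambient environment of the process that
// launches the exec plugin (kubectl, or a test's k8s client):
//   - an explicit --profile always selects that profile;
//   - otherwise static keys in the merged environment win over AWS_PROFILE,
//     whether AWS_PROFILE came from the kubeconfig or from the parent process;
//   - otherwise the profile named by AWS_PROFILE (the kubeconfig's value wins);
//   - otherwise the default profile.
// Returns "profile:<name>" or "static-env-keys".
func EffectiveCredentialSource(exec ExecConfig, ambient map[string]string) string {
	if p, ok := argValue(exec.Args, "--profile"); ok {
		return "profile:" + p
	}
	// Subprocess environment: parent's variables overlaid with the kubeconfig's.
	merged := map[string]string{}
	for k, v := range ambient {
		merged[k] = v
	}
	for k, v := range exec.Env {
		merged[k] = v
	}
	if merged["AWS_ACCESS_KEY_ID"] != "" && merged["AWS_SECRET_ACCESS_KEY"] != "" {
		return "static-env-keys"
	}
	if p := merged["AWS_PROFILE"]; p != "" {
		return "profile:" + p
	}
	return "profile:default"
}

// ambientScenarios are constructed sample environments a caller might run under:
// a clean shell, a CI job with static keys exported, and a shell whose
// AWS_PROFILE points somewhere else. The key values are placeholders.
var ambientScenarios = []map[string]string{
	{},
	{"AWS_ACCESS_KEY_ID": "AKIAEXAMPLE", "AWS_SECRET_ACCESS_KEY": "secretEXAMPLE"},
	{"AWS_PROFILE": "default"},
}

// AlwaysUsesProfile reports whether the exec entry resolves to the wanted
// profile under every scenario in ambientScenarios.
func AlwaysUsesProfile(exec ExecConfig, profile string) bool {
	for _, env := range ambientScenarios {
		if EffectiveCredentialSource(exec, env) != "profile:"+profile {
			return false
		}
	}
	return true
}

func main() {
	ci := map[string]string{"AWS_ACCESS_KEY_ID": "AKIAEXAMPLE", "AWS_SECRET_ACCESS_KEY": "secretEXAMPLE"}
	for _, e := range []ExecConfig{EnvProfileExec("demo", "alt"), FlagProfileExec("demo", "alt")} {
		fmt.Printf("%s %s -> %s (always alt: %v)\n", e.Command, strings.Join(e.Args, " "),
			EffectiveCredentialSource(e, ci), AlwaysUsesProfile(e, "alt"))
	}
}
```

Running it shows the `AWS_PROFILE` form resolving to the ambient static keys when they are present (the failure mode the commit hit once the tests were parallelised and the keys were no longer unset process-wide), while the `--profile` form resolves to `alt` in every scenario. The same check can be pointed at a real kubeconfig's exec entry to decide whether it depends on the caller's environment being clean.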