New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
For existing AWS VPC & subnets created outside of pulumi, pulumi needs a means to tag any public or private subnets for Kubernetes use, that aren't already used by Workers #64
Comments
Note that hashicorp/terraform-provider-aws#3143 is related to this. |
I hit another rendition of this:
The main takeaway here is that:
tl;dr:
To truly resolve this tagging dilemma for the user, we should:
|
So - I'm a little confused about the issue here. It seems two topics are being conflated:
So I think the only problem being discussed here is (2), which is not strictly about EKS. Is that right? Assuming so, a few thoughts: First, in standard "desired state configuration" approach, the typical approach to tagging resources would be to require that the owner of the resources include that tags as part of the definition of that resource. I think strictly speaking - this addresses the issue at hand here. This is limiting though - it means that even in cases like this where logically the owner of the resource doesn't think about things like Kubernetes LoadBalancers, they are responsible for including the annotations - and feels generally like a layering violation. But that's arguably a layering violation in the design of the Kubernetes Service Subnet tagging approach. Moreover, making this the responsibility of the owner of the Subnet is the only truly robust and consistent way to drive to a desired state given the underlying APIs and approaches to communicating this information (e.g. looking up tags to drive runtime behaviour). If other layers can change the desired state of some part of the resource (it's tags), then there can be multiple layers thinking they are driving the same "thing" to different desired states, which can (and does) cause complications. In practice, (1) above leads to this sort of thing, where two different systems think they own these, and it causes problems like hashicorp/terraform#6632. Now, in practice, for Tags, there is sort of a "gentleman's agreement" that this is a bag that anyone can party on and that "hopefully things won't conflict". It's sort of intentionally a thing which other layers can think they get to own some subset of the tags for a resource they aren't responsible for in any other way. In most cases where this model is encouraged, the cloud provider breaks things into two different resources that can be managed separately. Unfortunately, this is not quite how AWS handles Tags. We and/or Terraform could paper over this and expose an Alternatively, as a more immediate workaround, a But I think the real answer is a boring one - the right way to do this (at least right now) is to tell the person who owns the definition of the Subnet that they need to add these Tags. |
You bring up some great points, especially about numerous layers thinking they are owning and driving the tags, and this causing complications down the road. You've convinced me here that auto-tagging the subnets can lead to further problems and is not something we should do. I agree that the simplest, and most likely real answer here is to require that the subnet owner 1) have a subnet in all AZs of the region for LB HA, and 2) that they all be tagged with the cluster name by the owner. I thought this answer ^ could be further facilitated by Pulumi having a means to do it that is accessible by the user to not have to do this out of band from Pulumi e.g. manually in AWS, bash script etc. but it may not work well with the "desired state" model Pulumi employs. |
Closing this issue, as the simplest solution is to call out the subnet tagging requirement before using an existing VPC |
To use existing AWS VPC subnets created outside of pulumi with EKS, the user must manually tag the desired subnets on AWS with the required Kubernetes k/v pair.
If they are not manually tagged, then Kubernetes will not be able to discover them when needing to create Public or Private Load Balancers on AWS in those subnets - unless those subnets were already in use by running instances of the Workers.
Specifically, the VPC and subnets that the Workers are running in are automatically tagged for us in AWS by the EKS service with the key:
kubernetes.io/cluster/${clusterName}
, and the value:shared
, where${clusterName}
is the name of the new EKS cluster. The cluster name is not known to the user or Pulumi until after the cluster has been created and auto-named.However, this tagging is not done for any other public or private subnets that the Workers aren't already running in, as they are 1) not occupied by running Workers and 2) subsequently, are not automatically tagged by the EKS service.
The manual tagging on these other subnets is a required work around to enable a couple of use cases, such as when a user wants to:
See this gist for a repro of use case # 1, where Workers are in private subnets, and a Public LoadBalancer Service never comes up if you don't have public subnets appropriately tagged in AWS for Kubernetes discovery. Once you properly tag a public subnet in the VPC for the repro, only then does the Public LoadBalancer get provisioned for the cluster.
After my attempt above, I tried going down the path of retrieving the existing public subnet object using a couple of ways listed below, to modify its
.tags
props, but this does not seem possible:aws.ec2.Subnet.get(...)
and
awsx.Network.fromVpc(...)
awsx.ec2.Subnet(...)
constructor, with Vpc object returned from above as a param.However, none of my attempts allowed me to modify the
.tags
prop on the existing subnets as needed.The Vpc/
awsx.Network
object returned fromawsx.Network.fromVpc(...)
captures all private and public subnets already, so defining and leveraging this object IMO feels like its part of the right approach to ultimately: retrieve the existing subnet(s) in question, and tag them as needed after the cluster has been created, and its pulumi auto-generated name is known. I'm certainly open to hear other alternatives if I'm misunderstanding the use of the packages, or how to best integrate this work around into the right package(s).It doesn't seem like this is necessarily an issue with
pulumi/pulumi-eks
, but more about better understanding how to leverage and/or improve@pulumi/pulumi
,@pulumi/pulumi-aws
and@pulumi/pulumi-awsx
to auto-tag any existing subnets in AWS needed by the user.The text was updated successfully, but these errors were encountered: