sync with eks-charts, add linting and template gen

.github/workflows/unit-tests.yml

@@ -34,6 +34,9 @@ jobs:
     - name: Build
       run: make build-linux
 
+    - name: helm v2 and v3 lint
+      run: make helm-lint
+
     - name: Unit Tests
       run: make unit-test
 

Makefile

@@ -33,6 +33,7 @@ IMAGE_DIST = $(DESTDIR)/$(subst /,_,$(IMAGE_NAME)).tar.gz
 INIT_IMAGE = amazon/amazon-k8s-cni-init
 INIT_IMAGE_NAME = $(INIT_IMAGE)$(IMAGE_ARCH_SUFFIX):$(VERSION)
 INIT_IMAGE_DIST = $(DESTDIR)/$(subst /,_,$(INIT_IMAGE_NAME)).tar.gz
+MAKEFILE_PATH = $(dir $(realpath -s $(firstword $(MAKEFILE_LIST))))
 # METRICS_IMAGE is the CNI metrics publisher sidecar container image.
 METRICS_IMAGE = amazon/cni-metrics-helper
 METRICS_IMAGE_NAME = $(METRICS_IMAGE)$(IMAGE_ARCH_SUFFIX):$(VERSION)
@@ -238,6 +239,9 @@ lint:   ## Run golint on source code.
 	  -not -name 'mock_*' -not -name '*mocks.go' -not -name "cni.go" -not -name "eniconfig.go" \
 	  -print0 | sort -z | xargs -0 -L1 -- golint $(LINT_FLAGS) 2>/dev/null
 
+helm-lint:
+	@${MAKEFILE_PATH}test/helm/helm-lint.sh
+
 # Run go vet on source code.
 vet:    ## Run go vet on source code.
 	go vet $(ALLPKGS)

charts/aws-vpc-cni/.helmignore

@@ -14,7 +14,6 @@
 *.swp
 *.bak
 *.tmp
-*.orig
 *~
 # Various IDEs
 .project

charts/aws-vpc-cni/Chart.yaml

@@ -1,19 +1,19 @@
 apiVersion: v1
 name: aws-vpc-cni
-version: 1.1.0
-appVersion: "v1.7.3"
+version: 1.1.3
+appVersion: "v1.7.5"
 description: A Helm chart for the AWS VPC CNI
 icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png
-home: https://github.com/jayanthvn/amazon-vpc-cni-k8s
+home: https://github.com/aws/amazon-vpc-cni-k8s
 sources:
-  - https://github.com/jayanthvn/amazon-vpc-cni-k8ss
+  - https://github.com/aws/amazon-vpc-cni-k8s
 keywords:
   - eks
   - cni
   - networking
   - vpc
 maintainers:
-  - name: Jayanth Varavani 
+  - name: Jayanth Varavani
     url: https://github.com/jayanthvn
     email: [email protected]
 engine: gotpl

charts/aws-vpc-cni/README.md

@@ -29,15 +29,22 @@ The following table lists the configurable parameters for this chart and their d
 | Parameter               | Description                                             | Default                             |
 | ------------------------|---------------------------------------------------------|-------------------------------------|
 | `affinity`              | Map of node/pod affinities                              | `{}`                                |
+| `cniConfig.enabled`     | Enable overriding the default 10-aws.conflist file      | `false`                             |
+| `cniConfig.fileContents`| The contents of the custom cni config file              | `nil`                               |
+| `eniConfig.create`      | Specifies whether to create ENIConfig resource(s)       | `false`                             |
+| `eniConfig.region`      | Region to use when generating ENIConfig resource names  | `us-west-2`                         |
+| `eniConfig.subnets`     | A map of AZ identifiers to config per AZ                | `nil`                               |
+| `eniConfig.subnets.id`  | The ID of the subnet within the AZ which will be used in the ENIConfig | `nil`                |
+| `eniConfig.subnets.securityGroups`  | The IDs of the security groups which will be used in the ENIConfig | `nil`        |
 | `env`                   | List of environment variables. See [here](https://github.com/aws/amazon-vpc-cni-k8s#cni-configuration-variables) for options | (see `values.yaml`) |
 | `fullnameOverride`      | Override the fullname of the chart                      | `aws-node`                          |
 | `image.region`          | ECR repository region to use. Should match your cluster | `us-west-2`                         |
-| `image.tag`             | Image tag                                               | `v1.7.3`                            |
+| `image.tag`             | Image tag                                               | `v1.7.5`                            |
 | `image.pullPolicy`      | Container pull policy                                   | `IfNotPresent`                      |
 | `image.override`        | A custom docker image to use                            | `nil`                               |
 | `imagePullSecrets`      | Docker registry pull secret                             | `[]`                                |
 | `init.image.region`     | ECR repository region to use. Should match your cluster | `us-west-2`                         |
-| `init.image.tag`        | Image tag                                               | `v1.7.3`                            |
+| `init.image.tag`        | Image tag                                               | `v1.7.5`                            |
 | `init.image.pullPolicy` | Container pull policy                                   | `IfNotPresent`                      |
 | `init.image.override`   | A custom docker image to use                            | `nil`                               |
 | `init.env`              | List of init container environment variables. See [here](https://github.com/aws/amazon-vpc-cni-k8s#cni-configuration-variables) for options | (see `values.yaml`) |

charts/aws-vpc-cni/templates/configmap.yaml

@@ -0,0 +1,10 @@
+{{- if .Values.cniConfig.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "aws-vpc-cni.fullname" . }}
+  labels:
+{{ include "aws-vpc-cni.labels" . | indent 4 }}
+data:
+  10-aws.conflist: {{ .Values.cniConfig.fileContents | b64enc }}
+{{- end -}}

charts/aws-vpc-cni/templates/daemonset.yaml

@@ -29,51 +29,19 @@ spec:
         k8s-app: aws-node
     spec:
       priorityClassName: "{{ .Values.priorityClassName }}"
-      affinity:
-        nodeAffinity:
-          requiredDuringSchedulingIgnoredDuringExecution:
-            nodeSelectorTerms:
-              - matchExpressions:
-                  - key: "beta.kubernetes.io/os"
-                    operator: In
-                    values:
-                      - linux
-                  - key: "beta.kubernetes.io/arch"
-                    operator: In
-                    values:
-                      - amd64
-                      - arm64
-                  - key: "eks.amazonaws.com/compute-type"
-                    operator: NotIn
-                    values:
-                      - fargate
-              - matchExpressions:
-                  - key: "kubernetes.io/os"
-                    operator: In
-                    values:
-                      - linux
-                  - key: "kubernetes.io/arch"
-                    operator: In
-                    values:
-                      - amd64
-                      - arm64
-                  - key: "eks.amazonaws.com/compute-type"
-                    operator: NotIn
-                    values:
-                      - fargate
       serviceAccountName: {{ template "aws-vpc-cni.serviceAccountName" . }}
       hostNetwork: true
       initContainers:
       - name: aws-vpc-cni-init
-        image: "{{- if .Values.initContainers.image.override }}{{- .Values.initContainers.image.override }}{{- else }}{{- .Values.initContainers.image.account }}.dkr.ecr.{{- .Values.initContainers.image.region }}.{{- .Values.initContainers.image.domain }}/amazon-k8s-cni-init:{{- .Values.initContainers.image.tag }}{{- end}}"
-        imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }}
+        image: "{{- if .Values.init.image.override }}{{- .Values.init.image.override }}{{- else }}602401143452.dkr.ecr.{{- .Values.init.image.region }}.amazonaws.com/amazon-k8s-cni-init:{{- .Values.init.image.tag }}{{- end}}"
+        imagePullPolicy: {{ .Values.init.image.pullPolicy }}
         env:
-{{- range $key, $value := .Values.initContainers.env }}
+{{- range $key, $value := .Values.init.env }}
           - name: {{ $key }}
             value: {{ $value | quote }}
 {{- end }}
         securityContext:
-          {{- toYaml .Values.initContainers.securityContext | nindent 12 }}
+          {{- toYaml .Values.init.securityContext | nindent 12 }}
         volumeMounts:
           - mountPath: /host/opt/cni/bin
             name: cni-bin-dir
@@ -88,10 +56,10 @@ spec:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:
         - name: aws-node
-          image: "{{- if .Values.image.override }}{{- .Values.image.override }}{{- else }}{{- .Values.image.account }}.dkr.ecr.{{- .Values.image.region }}.{{- .Values.image.domain }}/amazon-k8s-cni:{{- .Values.image.tag }}{{- end}}"
+          image: "{{- if .Values.image.override }}{{- .Values.image.override }}{{- else }}602401143452.dkr.ecr.{{- .Values.image.region }}.amazonaws.com/amazon-k8s-cni:{{- .Values.image.tag }}{{- end}}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           ports:
-            - containerPort: {{ .Values.image.port.containerPort }} 
+            - containerPort: 61678
               name: metrics
           livenessProbe:
 {{ toYaml .Values.livenessProbe | indent 12 }}
@@ -115,6 +83,13 @@ spec:
             name: cni-bin-dir
           - mountPath: /host/etc/cni/net.d
             name: cni-net-dir
+{{- if .Values.cniConfig.enabled }}
+            # the dockerfile copies the baked in config to this location, lets overwrite it with ours
+            # the entrypoint.sh script will then copy our config to /host/etc/cni/net.d on boot
+          - name: cni-config
+            mountPath: /app/10-aws.conflist
+            subPath: 10-aws.conflist
+{{- end }}
           - mountPath: /host/var/log/aws-routed-eni
             name: log-dir
           - mountPath: /var/run/dockershim.sock
@@ -130,6 +105,11 @@ spec:
       - name: cni-net-dir
         hostPath:
           path: /etc/cni/net.d
+{{- if .Values.cniConfig.enabled }}
+      - name: cni-config
+        configMap:
+          name: {{ include "aws-vpc-cni.fullname" . }}
+{{- end }}
       - name: dockershim
         hostPath:
           path: /var/run/dockershim.sock

charts/aws-vpc-cni/templates/eniconfig.yaml

@@ -0,0 +1,17 @@
+{{- if .Values.eniConfig.create }}
+{{- range $key, $value := (required ".Values.eniConfig.subnets must be specified" .Values.eniConfig.subnets) }}
+apiVersion: crd.k8s.amazonaws.com/v1alpha1
+kind: ENIConfig
+metadata:
+  name: {{ required ".Values.eniConfig.region must be specified" $.Values.eniConfig.region }}{{ $key }}
+spec:
+  {{- if $value.securityGroups }}
+  securityGroups:
+    {{- range $sg := $value.securityGroups }}
+    - {{ $sg }}
+    {{- end }}
+  {{- end }}
+  subnet: {{ $value.id }}
+---
+{{- end }}
+{{- end }}

charts/aws-vpc-cni/test.yaml

@@ -0,0 +1,159 @@
+# Test values for aws-vpc-cni.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+#
+nameOverride: aws-node
+
+init:
+  image:
+    tag: v1.7.5
+    region: us-west-2
+    pullPolicy: Always
+    # Set to use custom image
+    # override: "repo/org/image:tag"
+  env:
+    DISABLE_TCP_EARLY_DEMUX: "false"
+  securityContext:
+    privileged: true
+
+image:
+  region: us-west-2
+  tag: v1.7.5
+  pullPolicy: Always
+  # Set to use custom image
+  # override: "repo/org/image:tag"
+
+# The CNI supports a number of environment variable settings
+# See https://github.com/aws/amazon-vpc-cni-k8s#cni-configuration-variables
+env:
+  ADDITIONAL_ENI_TAGS: "{}"
+  AWS_VPC_CNI_NODE_PORT_SUPPORT: "true"
+  AWS_VPC_ENI_MTU: "9001"
+  AWS_VPC_K8S_CNI_CONFIGURE_RPFILTER: "false"
+  AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG: "false"
+  AWS_VPC_K8S_CNI_EXTERNALSNAT: "false"
+  AWS_VPC_K8S_CNI_LOG_FILE: "/host/var/log/aws-routed-eni/ipamd.log"
+  AWS_VPC_K8S_CNI_LOGLEVEL: DEBUG
+  AWS_VPC_K8S_CNI_RANDOMIZESNAT: "prng"
+  AWS_VPC_K8S_CNI_VETHPREFIX: eni
+  AWS_VPC_K8S_PLUGIN_LOG_FILE: "/var/log/aws-routed-eni/plugin.log"
+  AWS_VPC_K8S_PLUGIN_LOG_LEVEL: DEBUG
+  DISABLE_INTROSPECTION: "false"
+  DISABLE_METRICS: "false"
+  ENABLE_POD_ENI: "false"
+  WARM_ENI_TARGET: "1"
+
+# this flag enables you to use the match label that was present in the original daemonset deployed by EKS
+# You can then annotate and label the original aws-node resources and 'adopt' them into a helm release
+originalMatchLabels: false
+
+cniConfig: 
+  enabled: false
+  fileContents: ""
+
+imagePullSecrets: []
+
+fullnameOverride: "aws-node"
+
+priorityClassName: system-node-critical
+
+podSecurityContext: {}
+
+podAnnotations: {}
+
+securityContext:
+  capabilities:
+    add:
+    - "NET_ADMIN"
+
+crd:
+  create: true
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name:
+  annotations: {}
+    # eks.amazonaws.com/role-arn: arn:aws:iam::AWS_ACCOUNT_ID:role/IAM_ROLE_NAME
+
+livenessProbe:
+  exec:
+    command:
+      - /app/grpc-health-probe
+      - '-addr=:50051'
+  initialDelaySeconds: 60
+
+readinessProbe:
+  exec:
+    command:
+      - /app/grpc-health-probe
+      - '-addr=:50051'
+  initialDelaySeconds: 1
+
+resources:
+  requests:
+    cpu: 10m
+
+updateStrategy:
+  type: RollingUpdate
+  rollingUpdate:
+    maxUnavailable: "10%"
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity:
+  nodeAffinity:
+    requiredDuringSchedulingIgnoredDuringExecution:
+      nodeSelectorTerms:
+        - matchExpressions:
+            - key: "beta.kubernetes.io/os"
+              operator: In
+              values:
+                - linux
+            - key: "beta.kubernetes.io/arch"
+              operator: In
+              values:
+                - amd64
+                - arm64
+            - key: "eks.amazonaws.com/compute-type"
+              operator: NotIn
+              values:
+                - fargate
+        - matchExpressions:
+            - key: "kubernetes.io/os"
+              operator: In
+              values:
+                - linux
+            - key: "kubernetes.io/arch"
+              operator: In
+              values:
+                - amd64
+                - arm64
+            - key: "eks.amazonaws.com/compute-type"
+              operator: NotIn
+              values:
+                - fargate
+
+eniConfig:
+  # Specifies whether ENIConfigs should be created
+  create: false
+  region: us-west-2
+  subnets:
+    # Key identifies the AZ
+    # Value contains the subnet ID and security group IDs within that AZ
+    # a:
+    #   id: subnet-123
+    #   securityGroups:
+    #   - sg-123
+    # b:
+    #   id: subnet-456
+    #   securityGroups:
+    #   - sg-456
+    # c:
+    #   id: subnet-789
+    #   securityGroups:
+    #   - sg-789