Revert "Enable Windows IPAM when creating a Windows nodegroup, deprecate install-vpc-controllers" (#4340)

Author: Jake Klein

examples/14-windows-nodes.yaml

@@ -1,5 +1,5 @@
 # An example of ClusterConfig containing Windows and Linux node groups to support Windows workloads
-# This example should be run with `eksctl create cluster -f 14-windows-nodes.yaml`
+# This example should be run with `eksctl create cluster -f 14-windows-nodes.yaml --install-vpc-controllers`
 ---
 apiVersion: eksctl.io/v1alpha5
 kind: ClusterConfig
@@ -13,8 +13,6 @@ nodeGroups:
     amiFamily: WindowsServer2019FullContainer
     minSize: 2
     maxSize: 3
-
-managedNodeGroups:
   - name: linux-ng
     instanceType: t2.large
     minSize: 2

integration/tests/windows/windows_test.go

@@ -70,6 +70,7 @@ var _ = Describe("(Integration) [Windows Nodegroups]", func() {
 				"--config-file", "-",
 				"--verbose", "4",
 				"--kubeconfig", params.KubeconfigPath,
+				"--install-vpc-controllers",
 			).
 			WithoutArg("--region", params.Region).
 			WithStdin(bytes.NewReader(data))

pkg/actions/nodegroup/create.go

@@ -160,15 +160,6 @@ func (m *Manager) nodeCreationTasks(options CreateOpts, nodegroupFilter filter.N
 		taskTree.Append(m.stackManager.NewClusterCompatTask())
 	}
 
-	if m.cfg.HasWindowsNodeGroup() {
-		taskTree.Append(&eks.WindowsIPAMTask{
-			Info: "enable Windows IPAM",
-			ClientsetFunc: func() (kubernetes.Interface, error) {
-				return m.ctl.NewStdClientSet(m.cfg)
-			},
-		})
-	}
-
 	awsNodeUsesIRSA, err := init.DoesAWSNodeUseIRSA(m.ctl.Provider, m.clientSet)
 	if err != nil {
 		return errors.Wrap(err, "couldn't check aws-node for annotation")

pkg/addons/assets.go

@@ -0,0 +1,20 @@
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: vpc-admission-webhook-cfg
+  namespace: kube-system
+  labels:
+    app: vpc-admission-webhook
+webhooks:
+  - name: vpc-admission-webhook.amazonaws.com
+    clientConfig:
+      service:
+        name: vpc-admission-webhook
+        namespace: kube-system
+        path: "/mutate"
+    rules:
+      - operations: [ "CREATE" ]
+        apiGroups: [""]
+        apiVersions: ["v1"]
+        resources: ["pods"]
+    failurePolicy: Ignore

pkg/addons/assets/vpc-admission-webhook-config.yaml

@@ -0,0 +1,11 @@
+apiVersion: certificates.k8s.io/v1beta1
+kind: CertificateSigningRequest
+metadata:
+  name: vpc-admission-webhook.kube-system
+spec:
+  groups:
+  - system:authenticated
+  usages:
+  - digital signature
+  - key encipherment
+  - server auth

pkg/addons/assets/vpc-admission-webhook-csr.yaml

@@ -0,0 +1,61 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: vpc-admission-webhook
+  namespace: kube-system
+  labels:
+    app: vpc-admission-webhook
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: vpc-admission-webhook
+  template:
+    metadata:
+      labels:
+        app: vpc-admission-webhook
+    spec:
+      containers:
+        - name: vpc-admission-webhook
+          args:
+            - -tlsCertFile=/etc/webhook/certs/cert.pem
+            - -tlsKeyFile=/etc/webhook/certs/key.pem
+            - -OSLabelSelectorOverride=windows
+            - -alsologtostderr
+            - -v=4
+            - 2>&1
+          image: '%s.dkr.ecr.%s.%s/eks/vpc-admission-webhook:v0.2.6'
+          imagePullPolicy: Always
+          volumeMounts:
+            - name: webhook-certs
+              mountPath: /etc/webhook/certs
+              readOnly: true
+      hostNetwork: true
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: beta.kubernetes.io/os
+                operator: In
+                values:
+                - linux
+              - key: beta.kubernetes.io/arch
+                operator: In
+                values:
+                - amd64
+            - matchExpressions:
+              - key: kubernetes.io/os
+                operator: In
+                values:
+                - linux
+              - key: kubernetes.io/arch
+                operator: In
+                values:
+                - amd64
+      volumes:
+        - name: webhook-certs
+          secret:
+            secretName: vpc-admission-webhook-certs

pkg/addons/assets/vpc-admission-webhook-dep.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: vpc-admission-webhook
+  namespace: kube-system
+  labels:
+    app: vpc-admission-webhook
+spec:
+  ports:
+  - port: 443
+    targetPort: 443
+  selector:
+    app: vpc-admission-webhook

pkg/addons/assets/vpc-admission-webhook.yaml

@@ -0,0 +1,64 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: vpc-resource-controller
+  namespace: kube-system
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: vpc-resource-controller
+      tier: backend
+      track: stable
+  template:
+    metadata:
+      labels:
+        app: vpc-resource-controller
+        tier: backend
+        track: stable
+    spec:
+      serviceAccount: vpc-resource-controller
+      containers:
+      - command:
+        - /vpc-resource-controller
+        args:
+        - -stderrthreshold=info
+        image: '%s.dkr.ecr.%s.%s/eks/windows-vpc-resource-controller:v0.2.6'
+        imagePullPolicy: Always
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            host: 127.0.0.1
+            path: /healthz
+            port: 61779
+            scheme: HTTP
+          initialDelaySeconds: 30
+          periodSeconds: 30
+          timeoutSeconds: 5
+        name: vpc-resource-controller
+        securityContext:
+          privileged: true
+      hostNetwork: true
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: beta.kubernetes.io/os
+                operator: In
+                values:
+                - linux
+              - key: beta.kubernetes.io/arch
+                operator: In
+                values:
+                - amd64
+            - matchExpressions:
+              - key: kubernetes.io/os
+                operator: In
+                values:
+                - linux
+              - key: kubernetes.io/arch
+                operator: In
+                values:
+                - amd64