Enable Windows IPAM when creating a Windows nodegroup, deprecate install-vpc-controllers

[cPu1]

Description

This changelist enables Windows IPAM when creating a new nodegroup in create cluster and create nodegroup, and adds a --delete flag to eksctl utils install-vpc-controllers to allow deleting an existing installation of VPC controller from worker nodes.

Closes #2401

Logs from testing:

$ eksctl utils install-vpc-controllers --delete --cluster <cluster>
2021-10-14 16:21:47 [ℹ]  using region us-west-2
2021-10-14 16:21:50 [ℹ]  (plan) would have deleted "kube-system:MutatingWebhookConfiguration.admissionregistration.k8s.io/vpc-admission-webhook-cfg"
2021-10-14 16:21:51 [ℹ]  (plan) would have deleted "CertificateSigningRequest.certificates.k8s.io/vpc-admission-webhook.kube-system"
2021-10-14 16:21:51 [ℹ]  (plan) would have deleted "kube-system:Deployment.apps/vpc-admission-webhook"
2021-10-14 16:21:51 [ℹ]  (plan) would have deleted "ClusterRole.rbac.authorization.k8s.io/vpc-resource-controller"
2021-10-14 16:21:52 [ℹ]  (plan) would have deleted "ClusterRoleBinding.rbac.authorization.k8s.io/vpc-resource-controller"
2021-10-14 16:21:52 [ℹ]  (plan) would have deleted "kube-system:Deployment.apps/vpc-resource-controller"
2021-10-14 16:21:52 [ℹ]  (plan) would have deleted "kube-system:Secret/vpc-admission-webhook-certs"
2021-10-14 16:21:52 [!]  no changes were applied, run again with '--approve' to apply the changes

$ eksctl utils install-vpc-controllers --delete --cluster <cluster> --approve
2021-10-14 16:23:18 [ℹ]  using region us-west-2
2021-10-14 16:23:22 [ℹ]  deleted "kube-system:MutatingWebhookConfiguration.admissionregistration.k8s.io/vpc-admission-webhook-cfg"
2021-10-14 16:23:23 [ℹ]  deleted "CertificateSigningRequest.certificates.k8s.io/vpc-admission-webhook.kube-system"
2021-10-14 16:23:28 [ℹ]  deleted "kube-system:Deployment.apps/vpc-admission-webhook"
2021-10-14 16:23:29 [ℹ]  deleted "ClusterRole.rbac.authorization.k8s.io/vpc-resource-controller"
2021-10-14 16:23:30 [ℹ]  deleted "ClusterRoleBinding.rbac.authorization.k8s.io/vpc-resource-controller"
2021-10-14 16:23:40 [ℹ]  deleted "kube-system:Deployment.apps/vpc-resource-controller"
2021-10-14 16:23:41 [ℹ]  deleted "kube-system:Secret/vpc-admission-webhook-certs"

Checklist

• Added tests that cover your change (if possible)
• Added/modified documentation as required (such as the README.md, or the userdocs directory)
• Manually tested
• Made sure the title of the PR is a good description that can go into the release notes
• (Core team) Added labels for change area (e.g. area/nodegroup) and kind (e.g. kind/improvement)

BONUS POINTS checklist: complete for good vibes and maybe prizes?! 🤯

• Backfilled missing tests for code in same general area 🎉
• Refactored something and made the world a better place 🌟

[Skarlso]

:D

[aclevername]

unit tests?

[Skarlso]

I was about to say the same.

[cPu1]

I have added a test suite.

[aclevername]

Suggested change

	// Enable enables Windows IPAM
	// Enable enables Windows IPAM in the VPC CNI configmap

[aclevername]

Suggested change

	return errors.Wrap(err, "error getting resource")
	return errors.Wrapf(err, "error getting %q configmap", vpcCNIName)

[Skarlso]

There are more fmt.Errorf results than errors.Wrapf. Which one do we use under what circumstance? It would be nice to be uniform. :)

[aclevername]

agreed, I prefer fmt.Errorf as it has %w for wrapping errors

[cPu1]

Most calls to fmt.Errorf are used without the %w verb, so they are equivalent to errors.Errorf. For consistency, I prefer using errors.Wrapf.

[aclevername]

Suggested change

	return errors.Wrap(err, "failed to patch resource")
	return errors.Wrapf(err, "failed to patch %q configmap", vpcCNIName)

[aclevername]

what happens if someone enables this functionality while also having the legacy windows VPC controller installed? Do we need to warn them?

[cPu1]

We are not providing a dedicated command to enable this functionality, but rather enabling IPAM behind the scenes when a Windows nodegroup is created as part of create cluster or create nodegroup. We log a warning in create cluster and utils install-vpc-controllers.

[aclevername]

what about existing clusters with windows nodegroups?

[cPu1]

We don't query the cluster for existing Windows nodegroups, but an improvement would be to log the same warning if the cluster has Windows nodegroups and VPC controller installed.

[Skarlso]

This is a nit, but would you mind ordering these imports please?

[Skarlso]

Suggested change

	"context"
	"encoding/json"
	"github.com/kris-nova/logger"
	"k8s.io/apimachinery/pkg/types"
	jsonpatch "github.com/evanphx/json-patch/v5"
	corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
	corev1 "k8s.io/api/core/v1"
	apierrors "k8s.io/apimachinery/pkg/api/errors"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"github.com/pkg/errors"
	"k8s.io/client-go/kubernetes"
	import (
	"context"
	"encoding/json"
	jsonpatch "github.com/evanphx/json-patch/v5"
	"github.com/kris-nova/logger"
	"github.com/pkg/errors"
	corev1 "k8s.io/api/core/v1"
	apierrors "k8s.io/apimachinery/pkg/api/errors"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/types"
	"k8s.io/client-go/kubernetes"
	corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
	)

[cPu1]

Sounds good. I usually rely on goimports to do the sorting.

[Skarlso]

Huh, I do the same. This the result of it. 🤔 I don't think I'm setting any funky settings.

[Skarlso]

I'm not following this logic. You already have the original object. You don't need jsonpatch here.

Just use this:

newCM := cm.DeepCopy()
newCM.Data[windowsIPAMField] = "true"
data, err := json.Marshal(newCM)
if err != nil {
    return nil, err
}

if _, err := configMaps.Patch(ctx, vpcCNIName, types.StrategicMergePatchType, data, metav1.PatchOptions{}); err != nil {
	return errors.Wrapf(err, "failed to patch %q configmap", vpcCNIName)
}

And done. Unless I'm mis-reading something :)

[cPu1]

We do need a JSON patch here to avoid overwriting any changes made by other clients between get configmap and patch configmap.

[Skarlso]

Oh wait. But then shouldn't you be defining a JSONPatchType instead of strategic merge?

[cPu1]

The StrategicMergePatchType constant is actually the application/strategic-merge-patch+json media type, which also handles JSON patch.

[Skarlso]

ah, okay. Cool then :) You win.:D

[Skarlso]

Suggested change

	In addition to having Windows nodes, a Linux node in the cluster is required to run CoreDNS, as Microsoft doesn't support host-networking mode yet. Thus, a Windows EKS cluster will be a mixed-mode cluster containing Windows nodes and at least one Linux node.
	In addition to having Windows nodes, a Linux node in the cluster is required to run CoreDNS, as Microsoft doesn't support host-networking mode yet. Thus, a Windows EKS cluster will be a mixed-node cluster containing Windows nodes and at least one Linux node.

I think that's supposed to be mixed-node, right? I can see that it was mixed-mode previously as well, but I think that's a typo.

[cPu1]

I'm unsure because mixed-node also seems unclear to me. WDYT about rephrasing it to "Thus, a Windows EKS cluster will be a mixture of Windows nodes and at least one Linux node"?

[Skarlso]

Yep, that sounds a lot better. Thanks! :)

[Skarlso]

Suggested change

	For existing clusters, you can enable it manually and run `eksctl utils install-vpc-controllers` with the `--delete` flag
	For existing clusters, you can enable it manually by running `eksctl utils install-vpc-controllers` with the `--delete` flag

[cPu1]

eksctl utils install-vpc-controllers --delete does not enable Windows IPAM. In this part, we are asking users to enable IPAM manually by following the linked documentation and then delete VPC controller which is no longer required.

[Skarlso]

Ah, so, enabling it manually is a step they have to take? Can you separate the two sentences then please? Because reading that made me think I'm enabling it by running that command. :)

[Skarlso]

Just put a , after manually I guess.

[cPu1]

Ah, so, enabling it manually is a step they have to take?

Correct.

Can you separate the two sentences then please?

Sure, makes sense.

[aclevername]

lgtm!

[Skarlso]

Yep, from me too