aws: Set IMDS defaults for existing clusters

2022-12-26 06:08:17 +02:00 · 2022-12-26 06:08:17 +02:00 · 62f1d20c96
parent 7e7ad105fe
commit 62f1d20c96
2 changed files with 36 additions and 22 deletions
--- a/pkg/model/awsmodel/autoscalinggroup.go
+++ b/pkg/model/awsmodel/autoscalinggroup.go
@ -181,7 +181,7 @@ func (b *AutoscalingGroupModelBuilder) buildLaunchTemplateTask(c *fi.CloudupMode
 		Lifecycle:                    b.Lifecycle,
 		CPUCredits:                   fi.PtrTo(fi.ValueOf(ig.Spec.CPUCredits)),
 		HTTPPutResponseHopLimit:      fi.PtrTo(int64(1)),
-		HTTPTokens:                   fi.PtrTo(ec2.LaunchTemplateHttpTokensStateOptional),
+		HTTPTokens:                   fi.PtrTo(ec2.LaunchTemplateHttpTokensStateRequired),
 		HTTPProtocolIPv6:             fi.PtrTo(ec2.LaunchTemplateInstanceMetadataProtocolIpv6Disabled),
 		IAMInstanceProfile:           link,
 		ImageID:                      fi.PtrTo(ig.Spec.Image),
@ -281,10 +281,14 @@ func (b *AutoscalingGroupModelBuilder) buildLaunchTemplateTask(c *fi.CloudupMode

 	if ig.Spec.InstanceMetadata != nil && ig.Spec.InstanceMetadata.HTTPPutResponseHopLimit != nil {
 		lt.HTTPPutResponseHopLimit = ig.Spec.InstanceMetadata.HTTPPutResponseHopLimit
+	} else if ig.IsControlPlane() && (b.Cluster.IsKubernetesLT("1.26") || !b.UseServiceAccountExternalPermissions()) {
+		lt.HTTPPutResponseHopLimit = fi.PtrTo[int64](3)
 	}

 	if ig.Spec.InstanceMetadata != nil && ig.Spec.InstanceMetadata.HTTPTokens != nil {
 		lt.HTTPTokens = ig.Spec.InstanceMetadata.HTTPTokens
+	} else if b.IsKubernetesLT("1.27") {
+		lt.HTTPTokens = fi.PtrTo(ec2.LaunchTemplateHttpTokensStateOptional)
 	}

 	if rootVolumeType == ec2.VolumeTypeIo1 || rootVolumeType == ec2.VolumeTypeIo2 {
--- a/upup/pkg/fi/cloudup/new_cluster.go
+++ b/upup/pkg/fi/cloudup/new_cluster.go
@ -877,14 +877,16 @@ func setupControlPlane(opt *NewClusterOptions, cluster *api.Cluster, zoneToSubne
 				g.Spec.Zones = []string{zone}
 			}

-			if cloudProvider == api.CloudProviderAWS {
-				g.Spec.InstanceMetadata = &api.InstanceMetadataOptions{
-					HTTPPutResponseHopLimit: fi.PtrTo(int64(3)),
-					HTTPTokens:              fi.PtrTo("required"),
+			if cluster.IsKubernetesLT("1.27") {
+				if cloudProvider == api.CloudProviderAWS {
+					g.Spec.InstanceMetadata = &api.InstanceMetadataOptions{
+						HTTPPutResponseHopLimit: fi.PtrTo(int64(3)),
+						HTTPTokens:              fi.PtrTo("required"),
+					}
+				}
+				if cluster.IsKubernetesGTE("1.26") && fi.ValueOf(cluster.Spec.IAM.UseServiceAccountExternalPermissions) {
+					g.Spec.InstanceMetadata.HTTPPutResponseHopLimit = fi.PtrTo(int64(1))
 				}
-			}
-			if cluster.IsKubernetesGTE("1.26") && fi.ValueOf(cluster.Spec.IAM.UseServiceAccountExternalPermissions) {
-				g.Spec.InstanceMetadata.HTTPPutResponseHopLimit = fi.PtrTo(int64(1))
 			}

 			g.Spec.MachineType = opt.ControlPlaneSize
@ -1006,10 +1008,12 @@ func setupNodes(opt *NewClusterOptions, cluster *api.Cluster, zoneToSubnetMap ma
 			g.Spec.Zones = []string{zone}
 		}

-		if cloudProvider == api.CloudProviderAWS {
-			g.Spec.InstanceMetadata = &api.InstanceMetadataOptions{
-				HTTPPutResponseHopLimit: fi.PtrTo(int64(1)),
-				HTTPTokens:              fi.PtrTo("required"),
+		if cluster.IsKubernetesLT("1.27") {
+			if cloudProvider == api.CloudProviderAWS {
+				g.Spec.InstanceMetadata = &api.InstanceMetadataOptions{
+					HTTPPutResponseHopLimit: fi.PtrTo(int64(1)),
+					HTTPTokens:              fi.PtrTo("required"),
+				}
 			}
 		}

@ -1028,9 +1032,11 @@ func setupKarpenterNodes(opt *NewClusterOptions, cluster *api.Cluster, zoneToSub
 	g.Spec.Manager = api.InstanceManagerKarpenter
 	g.ObjectMeta.Name = "nodes"

-	g.Spec.InstanceMetadata = &api.InstanceMetadataOptions{
-		HTTPPutResponseHopLimit: fi.PtrTo(int64(1)),
-		HTTPTokens:              fi.PtrTo("required"),
+	if cluster.IsKubernetesLT("1.27") {
+		g.Spec.InstanceMetadata = &api.InstanceMetadataOptions{
+			HTTPPutResponseHopLimit: fi.PtrTo(int64(1)),
+			HTTPTokens:              fi.PtrTo("required"),
+		}
 	}

 	return []*api.InstanceGroup{g}, nil
@ -1073,10 +1079,12 @@ func setupAPIServers(opt *NewClusterOptions, cluster *api.Cluster, zoneToSubnetM
 			g.Spec.Zones = []string{zone}
 		}

-		if cloudProvider == api.CloudProviderAWS {
-			g.Spec.InstanceMetadata = &api.InstanceMetadataOptions{
-				HTTPPutResponseHopLimit: fi.PtrTo(int64(1)),
-				HTTPTokens:              fi.PtrTo("required"),
+		if cluster.IsKubernetesLT("1.27") {
+			if cloudProvider == api.CloudProviderAWS {
+				g.Spec.InstanceMetadata = &api.InstanceMetadataOptions{
+					HTTPPutResponseHopLimit: fi.PtrTo(int64(1)),
+					HTTPTokens:              fi.PtrTo("required"),
+				}
 			}
 		}

@ -1275,9 +1283,11 @@ func setupTopology(opt *NewClusterOptions, cluster *api.Cluster, allZones sets.S
 				bastionGroup.Spec.Zones = allZones.List()
 			}

-			bastionGroup.Spec.InstanceMetadata = &api.InstanceMetadataOptions{
-				HTTPPutResponseHopLimit: fi.PtrTo(int64(1)),
-				HTTPTokens:              fi.PtrTo("required"),
+			if cluster.IsKubernetesLT("1.27") {
+				bastionGroup.Spec.InstanceMetadata = &api.InstanceMetadataOptions{
+					HTTPPutResponseHopLimit: fi.PtrTo(int64(1)),
+					HTTPTokens:              fi.PtrTo("required"),
+				}
 			}

 			bastionGroup.Spec.Image = opt.BastionImage