feat: Add support for networking ip_family which enables support for IPV6 #1759

Merged

bryantbiggs
Member

@bryantbiggs bryantbiggs commented Jan 10, 2022

Description

  • add support for networking ip_family which enables support for IPV6
  • add policy for AmazonEKS_CNI_IPv6_Policy for nodes using VPC CNI to connect when IPV6 is enabled
    • propagate cluster_ip_family down to sub-modules to be able to determine which CNI policy should be used
    • all sub-modules now utilize the iam_role_attach_cni_policy variable to control whether the CNI policy should be attached or not
  • bump Terraform AWS provider min version required to support ip_family attribute
  • update eks-managed-node-group example to demonstrate/validate use of IPV6

Note: IPV6 can only be enabled on new clusters, not existing. So the addition of the IPV6 rule on the security groups is non-breaking (does not affect current clusters either)

Motivation and Context

Breaking Changes

  • No

How Has This Been Tested?

  • I have tested and validated these changes using one or more of the provided examples/* projects
    • Validated using eks-managed-node-group example

@stevehipwell
Contributor

@bryantbiggs this looks great to me, now that the AWS provider v3.72.0 do you anticipate this can be released soon?

@bryantbiggs
Member Author

@stevehipwell yes! I just wanted to have at least one deploy to ensure it works as advertised. Just launched a cluster this morning and everything's looking good

@bryantbiggs bryantbiggs marked this pull request as ready for review January 14, 2022 12:49
@bryantbiggs bryantbiggs marked this pull request as draft January 14, 2022 12:59
@bryantbiggs
Member Author

@stevehipwell just trying to figure out why the CoreDNS plugin is not registering as healthy under IPV6 - working through this now https://aws.amazon.com/blogs/containers/amazon-eks-launches-ipv6-support/ - let me know if you have any insight (see eks-managed-node-group example in this PR for the configs currently used)

@stevehipwell
Contributor

@bryantbiggs I assume you're using the latest coredns version (v1.8.4), are you using the add-in or manually managing it? I don't think there was anything in the IPv6 announcement about coredns specifically.

Have you looked at the bootstrap options to see if there is an issue with the old logic?

@mKeRix

mKeRix commented Jan 14, 2022

@bryantbiggs We observed a while back that when launching a new cluster, compute nodes need to be available before the CoreDNS plugin will launch successfully. Since we manage the cluster addons outside of the module we solved this by simply putting a `depends_on = [module.eks]` in our case, as that will force it to run after the nodegroup in the module finished creating. Is it possible that you're hitting the same wall? You could try launching the cluster without the addon first and then add it back to see if that works.

Note that this happens on IPv4 clusters as well, so it's not related to your changes here.

@bryantbiggs
Member Author

> @bryantbiggs I assume you're using the latest coredns version (v1.8.4), are you using the add-in or manually managing it? I don't think there was anything in the IPv6 announcement about coredns specifically.
>
> Have you looked at the bootstrap options to see if there is an issue with the old logic?

Ya, the addons are all pulling the latest versions that are specified in the announcement. I assume there are no changes in the bootstrap logic (I hope) - I would presume this is all handled in the bootstrap.sh script, I didn't see any mention in the docs/announcements

@bryantbiggs
Member Author

> @bryantbiggs We observed a while back that when launching a new cluster, compute nodes need to be available before the CoreDNS plugin will launch successfully. Since we manage the cluster addons outside of the module we solved this by simply putting a `depends_on = [module.eks]` in our case, as that will force it to run after the nodegroup in the module finished creating. Is it possible that you're hitting the same wall? You could try launching the cluster without the addon first and then add it back to see if that works.
>
> Note that this happens on IPv4 clusters as well, so it's not related to your changes here.

Yes, this works today in the eks-managed-node-group - the addons are the last bit and the node groups in that example all come up; the CoreDNS plugin takes the longest but it eventually turns healthy all in one terraform apply. I may tear down the cluster and have another go because I did have to update the VPC settings a bit (add egress only gateway and assign IPV6 on launch) and update the node security group for IPV6 egress

@bryantbiggs
Member Author

Between this module and MSK, talk about longest turn around time to test out changes 😅 🕐

@bryantbiggs
Member Author

bryantbiggs commented Jan 14, 2022

ah, might be a permissions issue https://docs.aws.amazon.com/eks/latest/userguide/cni-iam-role.html#cni-iam-role-create-ipv6-policy

> You must attach an IPv6 IAM policy to your node IAM or CNI IAM role. Between the two, we recommend that you attach it to a CNI IAM role. For more information, see Step 1: (Optional) Create IAM policy for IPv6 and Step 2: Create the Amazon VPC CNI plugin IAM role.

@bryantbiggs bryantbiggs marked this pull request as ready for review January 14, 2022 17:38
@bryantbiggs
Member Author

Policy addition fixed it - should be all set for review now
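The permissions fix discussed in the two comments above, as an added Terraform example that is not part of the original thread or the module's code: it creates the `AmazonEKS_CNI_IPv6_Policy` permissions and binds them to a dedicated CNI role (the option the quoted AWS guidance recommends) rather than to the node role. The variable names and role name are hypothetical, and the action list is assumed to match the AWS user guide linked in the comment, so confirm it against the current guide.

```hcl
# Added example. Variable names are hypothetical, not taken from the PR.
variable "cluster_name" { type = string }
variable "oidc_provider_arn" { type = string }
variable "oidc_issuer" { type = string } # issuer URL without "https://"

# IPv6-mode VPC CNI permissions (assumed to match the linked AWS guide).
data "aws_iam_policy_document" "cni_ipv6" {
  statement {
    actions = [
      "ec2:AssignIpv6Addresses", "ec2:DescribeInstances", "ec2:DescribeTags",
      "ec2:DescribeNetworkInterfaces", "ec2:DescribeInstanceTypes",
    ]
    resources = ["*"]
  }
  statement {
    actions   = ["ec2:CreateTags"]
    resources = ["arn:aws:ec2:*:*:network-interface/*"]
  }
}

# Trust policy: only kube-system/aws-node may assume the role (IRSA).
data "aws_iam_policy_document" "cni_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [var.oidc_provider_arn]
    }
    condition {
      test     = "StringEquals"
      variable = "${var.oidc_issuer}:sub"
      values   = ["system:serviceaccount:kube-system:aws-node"]
    }
  }
}
resource "aws_iam_role" "cni" {
  name               = "${var.cluster_name}-vpc-cni"
  assume_role_policy = data.aws_iam_policy_document.cni_trust.json
}
resource "aws_iam_role_policy" "cni_ipv6" {
  name   = "AmazonEKS_CNI_IPv6_Policy"
  role   = aws_iam_role.cni.id
  policy = data.aws_iam_policy_document.cni_ipv6.json
}
# Hand the role to the vpc-cni add-on instead of widening the node role.
resource "aws_eks_addon" "vpc_cni" {
  cluster_name             = var.cluster_name
  addon_name               = "vpc-cni"
  service_account_role_arn = aws_iam_role.cni.arn
}
```

Scoping the trust policy to the `aws-node` service account keeps the EC2 address-assignment permissions away from every other pod scheduled on the node.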

@antonbabenko antonbabenko merged commit 314192e into terraform-aws-modules:master Jan 14, 2022
antonbabenko pushed a commit that referenced this pull request Jan 14, 2022
## [18.1.0](v18.0.6...v18.1.0) (2022-01-14)

### Features

* Add support for networking `ip_family` which enables support for IPV6 ([#1759](#1759)) ([314192e](314192e))
@antonbabenko
Member

This PR is included in version 18.1.0 🎉

@bryantbiggs bryantbiggs deleted the feat/ipv6-support branch January 14, 2022 20:20
baibailiha added a commit to baibailiha/terraform-aws-eks that referenced this pull request Sep 13, 2022
## [18.1.0](terraform-aws-modules/terraform-aws-eks@v18.0.6...v18.1.0) (2022-01-14)

### Features

* Add support for networking `ip_family` which enables support for IPV6 ([#1759](terraform-aws-modules/terraform-aws-eks#1759)) ([c016dfb](terraform-aws-modules/terraform-aws-eks@c016dfb))
@github-actions

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 10, 2022
Development

Successfully merging this pull request may close these issues.

Support creating IPv6 EKS clusters
4 participants