diff --git a/ci-operator/config/openshift/installer/openshift-installer-master.yaml b/ci-operator/config/openshift/installer/openshift-installer-master.yaml
index d3ffc6f0b7a5b..7a19604272daa 100644
--- a/ci-operator/config/openshift/installer/openshift-installer-master.yaml
+++ b/ci-operator/config/openshift/installer/openshift-installer-master.yaml
@@ -238,6 +238,14 @@ tests:
 steps:
 cluster_profile: aws
 workflow: openshift-e2e-aws-sharednetwork
+- as: e2e-aws-imdsv2
+ optional: true
+ run_if_changed: aws
+ steps:
+ cluster_profile: aws
+ env:
+ AWS_METADATA_SERVICE_AUTH: Required
+ workflow: openshift-e2e-aws
 - as: e2e-gcp
 optional: true
 skip_if_only_changed: (^(docs|upi|hack)/)|((^|/)OWNERS(_ALIASES)?$)|((^|/)[A-Z]+\.md$)|(^(data/.*|pkg/.*|terraform/providers)/(alibabacloud|aws|azure|azurestack|baremetal|ibmcloud|libvirt|nutanix|openstack|ovirt|powervs|vsphere)/)
diff --git a/ci-operator/jobs/openshift/installer/openshift-installer-master-presubmits.yaml b/ci-operator/jobs/openshift/installer/openshift-installer-master-presubmits.yaml
index 61a786467da55..74adc1b3ecf14 100644
--- a/ci-operator/jobs/openshift/installer/openshift-installer-master-presubmits.yaml
+++ b/ci-operator/jobs/openshift/installer/openshift-installer-master-presubmits.yaml
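Review bot: `run_if_changed: aws` on the new e2e-aws-imdsv2 test is a regular expression that matches any changed path containing the substring "aws", so the job also runs for documentation or unrelated files whose path happens to contain it, which is broader than the platform-directory pattern the neighbouring e2e-gcp entry uses in `skip_if_only_changed`. If only AWS platform code is meant, anchoring it the same way, `run_if_changed: (^(data/.*|pkg/.*|terraform/providers)/aws/)`, would be tighter; if the substring match is deliberate, a one-line comment saying so would stop the next reader from tightening it. The generated presubmit in openshift-installer-master-presubmits.yaml carries the same value and would follow on regeneration.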
@@ -294,6 +294,80 @@ presubmits:
 secret:
 secretName: result-aggregator
 trigger: (?m)^/test( | .* )e2e-aws-fips,?($|\s.*)
+ - agent: kubernetes
+ always_run: false
+ branches:
+ - ^master$
+ - ^master-
+ cluster: build03
+ context: ci/prow/e2e-aws-imdsv2
+ decorate: true
+ labels:
+ ci-operator.openshift.io/cloud: aws
+ ci-operator.openshift.io/cloud-cluster-profile: aws
+ ci.openshift.io/generator: prowgen
+ pj-rehearse.openshift.io/can-be-rehearsed: "true"
+ name: pull-ci-openshift-installer-master-e2e-aws-imdsv2
+ optional: true
+ rerun_command: /test e2e-aws-imdsv2
+ run_if_changed: aws
+ spec:
+ containers:
+ - args:
+ - --gcs-upload-secret=/secrets/gcs/service-account.json
+ - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+ - --lease-server-credentials-file=/etc/boskos/credentials
+ - --report-credentials-file=/etc/report/credentials
+ - --secret-dir=/secrets/ci-pull-credentials
+ - --secret-dir=/usr/local/e2e-aws-imdsv2-cluster-profile
+ - --target=e2e-aws-imdsv2
+ command:
+ - ci-operator
+ image: ci-operator:latest
+ imagePullPolicy: Always
+ name: ""
+ resources:
+ requests:
+ cpu: 10m
+ volumeMounts:
+ - mountPath: /etc/boskos
+ name: boskos
+ readOnly: true
+ - mountPath: /secrets/ci-pull-credentials
+ name: ci-pull-credentials
+ readOnly: true
+ - mountPath: /usr/local/e2e-aws-imdsv2-cluster-profile
+ name: cluster-profile
+ - mountPath: /secrets/gcs
+ name: gcs-credentials
+ readOnly: true
+ - mountPath: /etc/pull-secret
+ name: pull-secret
+ readOnly: true
+ - mountPath: /etc/report
+ name: result-aggregator
+ readOnly: true
+ serviceAccountName: ci-operator
+ volumes:
+ - name: boskos
+ secret:
+ items:
+ - key: credentials
+ path: credentials
+ secretName: boskos-credentials
+ - name: ci-pull-credentials
+ secret:
+ secretName: ci-pull-credentials
+ - name: cluster-profile
+ secret:
+ secretName: cluster-secrets-aws
+ - name: pull-secret
+ secret:
+ secretName: registry-pull-credentials
+ - name: result-aggregator
+ secret:
secretName: result-aggregator
+ trigger: (?m)^/test( | .* )e2e-aws-imdsv2,?($|\s.*)
 - agent: kubernetes
 always_run: false
 branches:
diff --git a/ci-operator/step-registry/ipi/conf/aws/ipi-conf-aws-commands.sh b/ci-operator/step-registry/ipi/conf/aws/ipi-conf-aws-commands.sh
index 25f1640578aa4..7eab0c953bfe9 100755
--- a/ci-operator/step-registry/ipi/conf/aws/ipi-conf-aws-commands.sh
+++ b/ci-operator/step-registry/ipi/conf/aws/ipi-conf-aws-commands.sh
@@ -138,3 +138,25 @@ EOF
 /tmp/yq m -x -i "${CONFIG}" "${CONFIG_PATCH_AMI}"
 cp "${SHARED_DIR}/install-config-ami.yaml.patch" "${ARTIFACT_DIR}/"
 fi
+
+
+if [[ ${AWS_METADATA_SERVICE_AUTH} =~ ^(Required|Optional)$ ]]; then
+ echo "setting up metadata auth in install-config.yaml. Set metadata service auth to: ${AWS_METADATA_SERVICE_AUTH}"
+ METADATA_AUTH_PATCH="${SHARED_DIR}/install-config-metadata-auth.yaml.patch"
+
+ cat > "${METADATA_AUTH_PATCH}" << EOF
+controlPlane:
+ platform:
+ aws:
+ metadataService:
+ authentication: ${AWS_METADATA_SERVICE_AUTH}
+compute:
+- platform:
+ aws:
+ metadataService:
+ authentication: ${AWS_METADATA_SERVICE_AUTH}
+EOF
+
+ /tmp/yq m -x -i "${CONFIG}" "${METADATA_AUTH_PATCH}"
+ cp "${METADATA_AUTH_PATCH}" "${ARTIFACT_DIR}/"
+fi
diff --git a/ci-operator/step-registry/ipi/conf/aws/ipi-conf-aws-ref.yaml b/ci-operator/step-registry/ipi/conf/aws/ipi-conf-aws-ref.yaml
index 94930a6b7f222..2968a633390b7 100644
--- a/ci-operator/step-registry/ipi/conf/aws/ipi-conf-aws-ref.yaml
+++ b/ci-operator/step-registry/ipi/conf/aws/ipi-conf-aws-ref.yaml
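Review bot: The new `if [[ ${AWS_METADATA_SERVICE_AUTH} =~ ^(Required|Optional)$ ]]` guard silently does nothing for any other non-empty value, so a job that misspells or lowercases the value would install with the default metadata setting while its name suggests IMDSv2 enforcement is being exercised. An explicit failure branch before the closing `fi`, `elif [[ -n "${AWS_METADATA_SERVICE_AUTH}" ]]; then echo "ERROR: unsupported AWS_METADATA_SERVICE_AUTH value: ${AWS_METADATA_SERVICE_AUTH}" >&2; exit 1`, makes the mismatch visible instead of letting the run proceed. The same anchored regex is also what keeps the unquoted expansion inside the `cat > "${METADATA_AUTH_PATCH}" << EOF` heredoc safe, so a comment such as `# value validated above: only Required/Optional can reach the install-config patch` would record that dependency for whoever next edits the pattern. The preceding `if`/`fi` block visible in the context lines starts outside the hunk.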
@@ -41,5 +41,18 @@ ref:
 default: "origin-ci-int-aws.dev.rhcloud.com"
 documentation: |-
 A fully-qualified domain or subdomain name. The base domain of the cloud provider is used for setting baseDomain variable of the install configuration of the cluster.
+ - name: AWS_METADATA_SERVICE_AUTH
+ default: ""
+ documentation: |-
+ The state of IMDSv2 (requirement of auth on instance metadata service).
+ More info:
+ https://github.com/openshift/enhancements/blob/master/enhancements/machine-api/aws-imds-v2-support.md
+ https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html
+
+ Valid values are:
+ * "" (default) - corresponds to "Optional" behaviour.
+ * "Required" - sets IMDSv2 to Required for all machines in install-config, metadata service is not accessible without auth procedure.
+ * "Optional" - auth procedure on metadata service is optional
+
 documentation: |-
 The IPI AWS configure step generates the AWS-specific install-config.yaml contents based on the cluster profile and optional input files.
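Review bot: The documentation for the new AWS_METADATA_SERVICE_AUTH entry should state that the values are case-sensitive and that any other value is ignored, since ipi-conf-aws-commands.sh only acts on an exact `Required` or `Optional` match; a line such as `Values are case-sensitive; any other value leaves install-config untouched.` under "Valid values are:" covers it. The `""` bullet could also be more precise: the script writes no metadataService stanza for an empty value, so `* "" (default) - no metadataService setting is written; the installer default (Optional) applies.` describes what actually happens rather than implying an explicit Optional is set. The enclosing `env` list begins before this hunk.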