feedback addressed

Author: edibble21

go.mod

@@ -7,7 +7,7 @@ require (
 	github.com/PuerkitoBio/goquery v1.10.1
 	github.com/avast/retry-go v3.0.0+incompatible
 	github.com/aws/amazon-vpc-resource-controller-k8s v1.6.3
-	github.com/aws/aws-sdk-go-v2 v1.36.0
+	github.com/aws/aws-sdk-go-v2 v1.36.1
 	github.com/aws/aws-sdk-go-v2/config v1.29.4
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.27
 	github.com/aws/aws-sdk-go-v2/service/ec2 v1.202.2
@@ -52,8 +52,8 @@ require (
 	github.com/Masterminds/semver/v3 v3.2.1 // indirect
 	github.com/andybalholm/cascadia v1.3.3 // indirect
 	github.com/aws/aws-sdk-go-v2/credentials v1.17.57 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.31 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.31 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.32 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.32 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.2 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.2 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.10.12 // indirect

go.sum

@@ -10,18 +10,18 @@ github.com/avast/retry-go v3.0.0+incompatible h1:4SOWQ7Qs+oroOTQOYnAHqelpCO0biHS
 github.com/avast/retry-go v3.0.0+incompatible/go.mod h1:XtSnn+n/sHqQIpZ10K1qAevBhOOCWBLXXy3hyiqqBrY=
 github.com/aws/amazon-vpc-resource-controller-k8s v1.6.3 h1:B4o15iZP8CQoyDjoNAoQiyEPabLsgxXLY5tv3uvvCic=
 github.com/aws/amazon-vpc-resource-controller-k8s v1.6.3/go.mod h1:k4zcf2Dz/Mvrgo8NVzAEWP5HK4USqbJTD93pVVDxvc0=
-github.com/aws/aws-sdk-go-v2 v1.36.0 h1:b1wM5CcE65Ujwn565qcwgtOTT1aT4ADOHHgglKjG7fk=
-github.com/aws/aws-sdk-go-v2 v1.36.0/go.mod h1:5PMILGVKiW32oDzjj6RU52yrNrDPUHcbZQYr1sM7qmM=
+github.com/aws/aws-sdk-go-v2 v1.36.1 h1:iTDl5U6oAhkNPba0e1t1hrwAo02ZMqbrGq4k5JBWM5E=
+github.com/aws/aws-sdk-go-v2 v1.36.1/go.mod h1:5PMILGVKiW32oDzjj6RU52yrNrDPUHcbZQYr1sM7qmM=
 github.com/aws/aws-sdk-go-v2/config v1.29.4 h1:ObNqKsDYFGr2WxnoXKOhCvTlf3HhwtoGgc+KmZ4H5yg=
 github.com/aws/aws-sdk-go-v2/config v1.29.4/go.mod h1:j2/AF7j/qxVmsNIChw1tWfsVKOayJoGRDjg1Tgq7NPk=
 github.com/aws/aws-sdk-go-v2/credentials v1.17.57 h1:kFQDsbdBAR3GZsB8xA+51ptEnq9TIj3tS4MuP5b+TcQ=
 github.com/aws/aws-sdk-go-v2/credentials v1.17.57/go.mod h1:2kerxPUUbTagAr/kkaHiqvj/bcYHzi2qiJS/ZinllU0=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.27 h1:7lOW8NUwE9UZekS1DYoiPdVAqZ6A+LheHWb+mHbNOq8=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.27/go.mod h1:w1BASFIPOPUae7AgaH4SbjNbfdkxuggLyGfNFTn8ITY=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.31 h1:lWm9ucLSRFiI4dQQafLrEOmEDGry3Swrz0BIRdiHJqQ=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.31/go.mod h1:Huu6GG0YTfbPphQkDSo4dEGmQRTKb9k9G7RdtyQWxuI=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.31 h1:ACxDklUKKXb48+eg5ROZXi1vDgfMyfIA/WyvqHcHI0o=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.31/go.mod h1:yadnfsDwqXeVaohbGc/RaD287PuyRw2wugkh5ZL2J6k=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.32 h1:BjUcr3X3K0wZPGFg2bxOWW3VPN8rkE3/61zhP+IHviA=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.32/go.mod h1:80+OGC/bgzzFFTUmcuwD0lb4YutwQeKLFpmt6hoWapU=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.32 h1:m1GeXHVMJsRsUAqG6HjZWx9dj7F5TR+cF1bjyfYyBd4=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.32/go.mod h1:IitoQxGfaKdVLNg0hD8/DXmAqNy0H4K2H2Sf91ti8sI=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.2 h1:Pg9URiobXy85kgFev3og2CuOZ8JZUBENF+dcgWBaYNk=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.2/go.mod h1:FbtygfRFze9usAadmnGJNc8KsP346kEe+y2/oyhGAGc=
 github.com/aws/aws-sdk-go-v2/service/ec2 v1.202.2 h1:qas57zkkMX8OM+MVz+4sMaOaD9HRmeFJRb8nzMdYkx0=

pkg/controllers/nodeclass/validation.go

@@ -82,23 +82,25 @@ func (n Validation) Reconcile(ctx context.Context, nodeClass *v1.EC2NodeClass) (
 	createFleetInput.DryRun = aws.Bool(true)
 
 	if _, err := n.ec2api.CreateFleet(ctx, createFleetInput); awserrors.IgnoreDryRunError(err) != nil {
-		nodeClass.StatusConditions().SetFalse(v1.ConditionTypeValidationSucceeded, "CreateFleetAuthCheckFailed", "Controller isn't authorized to call CreateFleet")
 		if awserrors.IgnoreUnauthorizedOperationError(err) != nil {
+			// Dry run should only ever return UnauthorizedOperation or DryRunOperation so if we receive any other error
+			// it would be an unexpected state
 			return reconcile.Result{}, fmt.Errorf("unexpected error during CreateFleet validation: %w", err)
 		}
+		nodeClass.StatusConditions().SetFalse(v1.ConditionTypeValidationSucceeded, "CreateFleetAuthCheckFailed", "Controller isn't authorized to call CreateFleet")
 		return reconcile.Result{}, nil
 	}
 
 	createLaunchTemplateInput := launchtemplate.GetCreateLaunchTemplateInput(mockOptions(*nodeClaim, nodeClass, tags), corev1.IPv4Protocol, "")
 	createLaunchTemplateInput.DryRun = aws.Bool(true)
 
 	if _, err := n.ec2api.CreateLaunchTemplate(ctx, createLaunchTemplateInput); awserrors.IgnoreDryRunError(err) != nil {
-		nodeClass.StatusConditions().SetFalse(v1.ConditionTypeValidationSucceeded, "CreateLaunchTemplateAuthCheckFailed", "Controller isn't authorized to call CreateLaunchTemplate")
 		if awserrors.IgnoreUnauthorizedOperationError(err) != nil {
 			// Dry run should only ever return UnauthorizedOperation or DryRunOperation so if we receive any other error
 			// it would be an unexpected state
 			return reconcile.Result{}, fmt.Errorf("unexpected error during CreateLaunchTemplate validation: %w", err)
 		}
+		nodeClass.StatusConditions().SetFalse(v1.ConditionTypeValidationSucceeded, "CreateLaunchTemplateAuthCheckFailed", "Controller isn't authorized to call CreateLaunchTemplate")
 		return reconcile.Result{}, nil
 	}
 
@@ -108,19 +110,18 @@ func (n Validation) Reconcile(ctx context.Context, nodeClass *v1.EC2NodeClass) (
 	}
 
 	var instanceType ec2types.InstanceType
-	if len(nodeClass.Status.AMIs) > 0 {
-		requirements := scheduling.NewRequirements(lo.Map(nodeClass.Status.AMIs[0].Requirements, func(req corev1.NodeSelectorRequirement, _ int) *scheduling.Requirement {
-			return scheduling.NewRequirement(req.Key, req.Operator, req.Values...)
-		})...)
-
-		if arch := requirements.Get("kubernetes.io/arch"); len(arch.Values()) > 0 {
-			switch arch.Values()[0] {
-			case "amd64":
-				instanceType = ec2types.InstanceTypeM5Large
-			case "arm64":
-				instanceType = ec2types.InstanceTypeM6gLarge
-			}
+	requirements := scheduling.NewNodeSelectorRequirements(lo.Map(nodeClass.Status.AMIs[0].Requirements, func(req corev1.NodeSelectorRequirement, _ int) corev1.NodeSelectorRequirement {
+		return corev1.NodeSelectorRequirement{
+			Key:      req.Key,
+			Operator: req.Operator,
+			Values:   req.Values,
 		}
+	})...)
+
+	if requirements.Get(corev1.LabelArchStable).Has(karpv1.ArchitectureAmd64) {
+		instanceType = ec2types.InstanceTypeM5Large
+	} else if requirements.Get(corev1.LabelArchStable).Has(karpv1.ArchitectureArm64) {
+		instanceType = ec2types.InstanceTypeM6gLarge
 	}
 
 	runInstancesInput := &ec2.RunInstancesInput{
@@ -129,9 +130,11 @@ func (n Validation) Reconcile(ctx context.Context, nodeClass *v1.EC2NodeClass) (
 		MinCount:     aws.Int32(1),
 		InstanceType: instanceType,
 		MetadataOptions: &ec2types.InstanceMetadataOptionsRequest{
-			HttpTokens:              ec2types.HttpTokensStateRequired,
-			HttpEndpoint:            ec2types.InstanceMetadataEndpointStateDisabled,
-			HttpPutResponseHopLimit: aws.Int32(2),
+			HttpEndpoint: ec2types.InstanceMetadataEndpointState(lo.FromPtr(nodeClass.Spec.MetadataOptions.HTTPEndpoint)),
+			HttpTokens:   ec2types.HttpTokensState(lo.FromPtr(nodeClass.Spec.MetadataOptions.HTTPTokens)),
+			//aws sdk v2 changed this type to *int32 instead of *int64
+			//nolint: gosec
+			HttpPutResponseHopLimit: aws.Int32(int32(lo.FromPtr(nodeClass.Spec.MetadataOptions.HTTPPutResponseHopLimit))),
 		},
 		TagSpecifications: []ec2types.TagSpecification{
 			{
@@ -151,12 +154,12 @@ func (n Validation) Reconcile(ctx context.Context, nodeClass *v1.EC2NodeClass) (
 	}
 
 	if _, err = n.ec2api.RunInstances(ctx, runInstancesInput); awserrors.IgnoreDryRunError(err) != nil {
-		nodeClass.StatusConditions().SetFalse(v1.ConditionTypeValidationSucceeded, "RunInstancesAuthCheckFailed", "Controller isn't authorized to call RunInstances")
 		if awserrors.IgnoreUnauthorizedOperationError(err) != nil {
 			// Dry run should only ever return UnauthorizedOperation or DryRunOperation so if we receive any other error
 			// it would be an unexpected state
 			return reconcile.Result{}, fmt.Errorf("unexpected error during RunInstances validation: %w", err)
 		}
+		nodeClass.StatusConditions().SetFalse(v1.ConditionTypeValidationSucceeded, "RunInstancesAuthCheckFailed", "Controller isn't authorized to call RunInstances")
 		return reconcile.Result{}, nil
 	}
 	nodeClass.StatusConditions().SetTrue(v1.ConditionTypeValidationSucceeded)
@@ -195,7 +198,7 @@ func mockOptions(nodeClaim karpv1.NodeClaim, nodeClass *v1.EC2NodeClass, tags ma
 			HTTPEndpoint:            nodeClass.Spec.MetadataOptions.HTTPEndpoint,
 			HTTPTokens:              nodeClass.Spec.MetadataOptions.HTTPTokens,
 			HTTPProtocolIPv6:        nodeClass.Spec.MetadataOptions.HTTPProtocolIPv6,
-			HTTPPutResponseHopLimit: aws.Int64(1),
+			HTTPPutResponseHopLimit: nodeClass.Spec.MetadataOptions.HTTPPutResponseHopLimit,
 		},
 		AMIID:               nodeClaim.Status.ImageID,
 		BlockDeviceMappings: nodeClass.Spec.BlockDeviceMappings,

test/suites/integration/nodeclass_test.go

@@ -111,64 +111,4 @@ var _ = Describe("NodeClass IAM Permissions", func() {
 			g.Expect(nodeClass.StatusConditions().Get(v1.ConditionTypeValidationSucceeded).IsTrue()).To(BeTrue())
 		}, "60s", "5s").Should(Succeed())
 	})
-
-	It("Service Control Policy Tests",
-		func() {
-			policyDoc := fmt.Sprintf(`{
-				"Version": "2012-10-17",
-				"Statement": [
-					{
-						"Effect": "Deny",
-						"Action": ["ec2:RunInstances"],
-						"Resource": "*",
-						"Condition": {
-							"StringNotLike": {
-								"%s": ["%s"]
-							}
-						}
-					}
-				]
-			}`, v1.LabelNodeClass, nodeClass.Name)
-			deployment := &appsv1.Deployment{}
-			err := env.Client.Get(env.Context, types.NamespacedName{
-				Namespace: "kube-system",
-				Name:      "karpenter",
-			}, deployment)
-			Expect(err).To(BeNil())
-
-			sa := &corev1.ServiceAccount{}
-			err = env.Client.Get(env.Context, types.NamespacedName{
-				Namespace: "kube-system",
-				Name:      deployment.Spec.Template.Spec.ServiceAccountName,
-			}, sa)
-			Expect(err).To(BeNil())
-
-			roleName = strings.Split(sa.Annotations["eks.amazonaws.com/role-arn"], "/")[1]
-			policyName = fmt.Sprintf("TestSCP-%s", uuid.New().String())
-
-			// Attach the test SCP-like policy
-			_, err = env.IAMAPI.PutRolePolicy(env.Context, &iam.PutRolePolicyInput{
-				RoleName:       aws.String(roleName),
-				PolicyName:     aws.String(policyName),
-				PolicyDocument: aws.String(policyDoc),
-			})
-			Expect(err).To(BeNil())
-
-			DeferCleanup(func() {
-				_, err := env.IAMAPI.DeleteRolePolicy(env.Context, &iam.DeleteRolePolicyInput{
-					RoleName:   aws.String(roleName),
-					PolicyName: aws.String(policyName),
-				})
-				Expect(err).To(BeNil())
-			})
-
-			env.ExpectCreated(nodeClass)
-			Eventually(func(g Gomega) {
-				env.ExpectUpdated(nodeClass)
-				g.Expect(nodeClass.StatusConditions().Get(v1.ConditionTypeValidationSucceeded).IsFalse()).To(BeTrue())
-				g.Expect(nodeClass.StatusConditions().Get(v1.ConditionTypeValidationSucceeded).Reason).To(Equal("RunInstancesAuthCheckFailed"))
-			}, "240s", "5s").Should(Succeed())
-			ExpectStatusConditions(env, env.Client, 1*time.Minute, nodeClass, status.Condition{Type: status.ConditionReady, Status: metav1.ConditionFalse, Message: "ValidationSucceeded=False"})
-		},
-	)
 })