Test consul 1.21 on eks 1.34

.github/workflows/nightly-cleanup.yml

@@ -21,6 +21,8 @@ jobs:
       with:
         workflow: cleanup.yml
         repo: hashicorp/consul-k8s-workflows
-        ref: main
+        # ref: main
+        # TODO: change ref to main after testing
+        ref: c1.21eks
         token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
         inputs: '{ "context":"${{ env.CONTEXT }}", "repository":"${{ github.repository }}", "branch":"${{ env.BRANCH }}", "sha":"${{ github.sha }}", "token":"${{ secrets.ELEVATED_GITHUB_TOKEN }}" }'

.github/workflows/pr.yml

@@ -17,20 +17,20 @@ jobs:
   conditional-skip:
     uses: ./.github/workflows/reusable-conditional-skip.yml
 
-  test:
-    name: test
-    needs: [ conditional-skip ]
-    if: needs.conditional-skip.outputs.skip-ci != 'true'
-    runs-on: ubuntu-latest
-    steps:
-    - uses: benc-uk/workflow-dispatch@25b02cc069be46d637e8fe2f1e8484008e9e9609 # v1.2.3
-      name: test
-      with:
-        workflow: test.yml
-        repo: hashicorp/consul-k8s-workflows
-        ref: main
-        token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
-        inputs: '{ "context":"${{ env.CONTEXT }}-${{ github.event.pull_request.number }}", "actor":"${{ github.actor }}", "repository":"${{ github.repository }}", "branch":"${{ env.BRANCH }}", "sha":"${{ env.SHA }}", "token":"${{ secrets.ELEVATED_GITHUB_TOKEN }}" }'
+  # test:
+  #   name: test
+  #   needs: [ conditional-skip ]
+  #   if: needs.conditional-skip.outputs.skip-ci != 'true'
+  #   runs-on: ubuntu-latest
+  #   steps:
+  #   - uses: benc-uk/workflow-dispatch@25b02cc069be46d637e8fe2f1e8484008e9e9609 # v1.2.3
+  #     name: test
+  #     with:
+  #       workflow: test.yml
+  #       repo: hashicorp/consul-k8s-workflows
+  #       ref: main
+  #       token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
+  #       inputs: '{ "context":"${{ env.CONTEXT }}-${{ github.event.pull_request.number }}", "actor":"${{ github.actor }}", "repository":"${{ github.repository }}", "branch":"${{ env.BRANCH }}", "sha":"${{ env.SHA }}", "token":"${{ secrets.ELEVATED_GITHUB_TOKEN }}" }'
 
   pass-required-checks-on-skip:
     needs: [ conditional-skip ]
@@ -61,3 +61,18 @@ jobs:
         INPUT_SHA: ${{ env.SHA }}
         INPUT_DETAILS_URL: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
         INPUT_OWNER: "hashicorp"
+
+  cloud-acceptance:
+    name: cloud-acceptance
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: benc-uk/workflow-dispatch@25b02cc069be46d637e8fe2f1e8484008e9e9609 # v1.2.3
+        name: cloud
+        with:
+          workflow: cloud.yml
+          repo: hashicorp/consul-k8s-workflows
+          # ref: main
+          # TODO: change ref to main after testing
+          ref: c1.21eks
+          token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
+          inputs: '{ "context":"${{ env.CONTEXT }}-${{ github.event.pull_request.number }}", "repository":"${{ github.repository }}", "branch":"${{ env.BRANCH }}", "sha":"${{ github.sha }}", "token":"${{ secrets.ELEVATED_GITHUB_TOKEN }}" }'

charts/consul/test/terraform/eks/main.tf

@@ -4,17 +4,24 @@
 terraform {
   required_providers {
     aws = {
-      version = ">= 4.0.0"
+      version = "~> 5.0"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "~> 2.27.0"
     }
   }
 }
 
 provider "aws" {
   region = var.region
 
-  assume_role {
-    role_arn = var.role_arn
-    duration = "2700s"
+  dynamic "assume_role" {
+    for_each = var.role_arn != "" ? [1] : []
+    content {
+      role_arn = var.role_arn
+      duration = "14400s"
+    }
   }
 }
 
@@ -35,7 +42,7 @@ resource "random_string" "suffix" {
 module "vpc" {
   count   = var.cluster_count
   source  = "terraform-aws-modules/vpc/aws"
-  version = "4.0.0"
+  version = "5.0.0"
 
   name = "consul-k8s-${random_id.suffix[count.index].dec}"
   # The cidr range needs to be unique in each VPC to allow setting up a peering connection.
@@ -91,6 +98,27 @@ module "eks" {
   tags = var.tags
 }
 
+
+# K8s Provider for the FIRST cluster (cluster 0)
+provider "kubernetes" {
+  alias = "cluster0"
+  host                   = module.eks[0].cluster_endpoint
+  cluster_ca_certificate = base64decode(module.eks[0].cluster_certificate_authority_data)
+  token                  = data.aws_eks_cluster_auth.cluster[0].token
+}
+
+# Provider for the SECOND cluster (cluster 1)
+provider "kubernetes" {
+  alias = "cluster1"
+
+  # Use null to disable the provider configuration if cluster_count is not > 1
+  # This avoids errors from empty string credentials.
+  host                   = var.cluster_count > 1 ? module.eks[1].cluster_endpoint : null
+  cluster_ca_certificate = var.cluster_count > 1 ? base64decode(module.eks[1].cluster_certificate_authority_data) : null
+  token                  = var.cluster_count > 1 ? data.aws_eks_cluster_auth.cluster[1].token : null
+}
+
+
 resource "aws_iam_role" "csi-driver-role" {
   count = var.cluster_count
   assume_role_policy = jsonencode({
@@ -143,6 +171,53 @@ data "aws_eks_cluster_auth" "cluster" {
   name  = module.eks[count.index].cluster_id
 }
 
+
+# Add a default StorageClass for dynamic volume provisioning
+# This is the primary fix for the "unbound PersistentVolumeClaims" issue 
+# as we do not specify storage class in default helm values.yaml.
+
+# StorageClass for the FIRST cluster
+resource "kubernetes_storage_class" "ebs_gp3_cluster0" {
+  provider = kubernetes.cluster0
+  depends_on = [module.eks, aws_eks_addon.csi-driver[0]]
+
+  metadata {
+    name = "gp3"
+    annotations = {
+      "storageclass.kubernetes.io/is-default-class" = "true"
+    }
+  }
+  storage_provisioner = "ebs.csi.aws.com"
+  parameters = {
+    type = "gp3"
+    encrypted = "true"
+  }
+  reclaim_policy      = "Delete"
+  volume_binding_mode = "WaitForFirstConsumer"
+}
+
+# StorageClass for the SECOND cluster
+resource "kubernetes_storage_class" "ebs_gp3_cluster1" {
+  count = var.cluster_count > 1 ? 1 : 0
+
+  provider = kubernetes.cluster1 
+  depends_on = [module.eks, aws_eks_addon.csi-driver[1]]
+  metadata {
+    name = "gp3"
+    annotations = {
+      "storageclass.kubernetes.io/is-default-class" = "true"
+    }
+  }
+  storage_provisioner = "ebs.csi.aws.com"
+  parameters = {
+    type = "gp3"
+    encrypted = "true"
+  }
+  reclaim_policy      = "Delete"
+  volume_binding_mode = "WaitForFirstConsumer"
+}
+
+
 # The following resources are only applied when cluster_count=2 to set up vpc peering and the appropriate routes and
 # security groups so traffic between VPCs is allowed. There is validation to ensure cluster_count can be 1 or 2.