Default AWSMachine in admission controller

Author: fiunchinho

api/v1beta2/awsmachine_webhook.go

@@ -460,6 +460,11 @@ func (*awsMachineWebhook) Default(_ context.Context, obj runtime.Object) error {
 		r.Spec.Ignition.Version = DefaultIgnitionVersion
 	}
 
+	if r.Spec.InstanceMetadataOptions == nil {
+		r.Spec.InstanceMetadataOptions = &InstanceMetadataOptions{}
+	}
+	r.Spec.InstanceMetadataOptions.SetDefaults()
+
 	return nil
 }
 

api/v1beta2/awsmachine_webhook_test.go

@@ -38,6 +38,11 @@ func TestMachineDefault(t *testing.T) {
 	err := (&awsMachineWebhook{}).Default(context.Background(), machine)
 	g.Expect(err).NotTo(HaveOccurred())
 	g.Expect(machine.Spec.CloudInit.SecureSecretsBackend).To(Equal(SecretBackendSecretsManager))
+	g.Expect(machine.Spec.InstanceMetadataOptions).NotTo(BeNil())
+	g.Expect(machine.Spec.InstanceMetadataOptions.HTTPEndpoint).To(Equal(InstanceMetadataEndpointStateEnabled))
+	g.Expect(machine.Spec.InstanceMetadataOptions.HTTPPutResponseHopLimit).To(Equal(int64(1)))
+	g.Expect(machine.Spec.InstanceMetadataOptions.HTTPTokens).To(Equal(HTTPTokensStateOptional))
+	g.Expect(machine.Spec.InstanceMetadataOptions.InstanceMetadataTags).To(Equal(InstanceMetadataEndpointStateDisabled))
 }
 
 func TestAWSMachineCreate(t *testing.T) {

controllers/awsmachine_controller.go

@@ -195,8 +195,6 @@ func (r *AWSMachineReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 		return ctrl.Result{}, nil
 	}
 
-	infrav1.SetDefaults_AWSMachineSpec(&awsMachine.Spec)
-
 	if isPaused, conditionChanged, err := paused.EnsurePausedCondition(ctx, r.Client, cluster, awsMachine); err != nil || isPaused || conditionChanged {
 		return ctrl.Result{}, err
 	}
@@ -719,12 +717,6 @@ func (r *AWSMachineReconciler) reconcileOperationalState(ec2svc services.EC2Inte
 	}
 	conditions.MarkTrue(machineScope.AWSMachine, infrav1.SecurityGroupsReadyCondition)
 
-	err = r.ensureInstanceMetadataOptions(ec2svc, instance, machineScope.AWSMachine)
-	if err != nil {
-		machineScope.Error(err, "failed to ensure instance metadata options")
-		return err
-	}
-
 	return nil
 }
 
@@ -1318,11 +1310,3 @@ func (r *AWSMachineReconciler) ensureStorageTags(ec2svc services.EC2Interface, i
 		}
 	}
 }
-
-func (r *AWSMachineReconciler) ensureInstanceMetadataOptions(ec2svc services.EC2Interface, instance *infrav1.Instance, machine *infrav1.AWSMachine) error {
-	if cmp.Equal(machine.Spec.InstanceMetadataOptions, instance.InstanceMetadataOptions) {
-		return nil
-	}
-
-	return ec2svc.ModifyInstanceMetadataOptions(instance.ID, machine.Spec.InstanceMetadataOptions)
-}

controllers/awsmachine_controller_test.go

@@ -482,6 +482,12 @@ func getAWSMachine() *infrav1.AWSMachine {
 			},
 			InstanceType: "test",
 			Subnet:       &infrav1.AWSResourceReference{ID: aws.String("subnet-1")},
+			InstanceMetadataOptions: &infrav1.InstanceMetadataOptions{
+				HTTPEndpoint:            infrav1.InstanceMetadataEndpointStateEnabled,
+				HTTPPutResponseHopLimit: 1,
+				HTTPTokens:              infrav1.HTTPTokensStateOptional,
+				InstanceMetadataTags:    infrav1.InstanceMetadataEndpointStateDisabled,
+			},
 		},
 	}
 }

controllers/awsmachine_controller_unit_test.go

@@ -87,6 +87,12 @@ func TestAWSMachineReconciler(t *testing.T) {
 		}
 		klog.SetOutput(GinkgoWriter)
 
+		// Ensure InstanceMetadataOptions defaults are set (webhook sets these normally, but not in unit tests)
+		if awsMachine.Spec.InstanceMetadataOptions == nil {
+			awsMachine.Spec.InstanceMetadataOptions = &infrav1.InstanceMetadataOptions{}
+			awsMachine.Spec.InstanceMetadataOptions.SetDefaults()
+		}
+
 		secret := &corev1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
 				Name: "bootstrap-data",
@@ -346,6 +352,12 @@ func TestAWSMachineReconciler(t *testing.T) {
 				instance = &infrav1.Instance{
 					ID:        "myMachine",
 					VolumeIDs: []string{"volume-1", "volume-2"},
+					InstanceMetadataOptions: &infrav1.InstanceMetadataOptions{
+						HTTPEndpoint:            infrav1.InstanceMetadataEndpointStateEnabled,
+						HTTPPutResponseHopLimit: 1,
+						HTTPTokens:              infrav1.HTTPTokensStateOptional,
+						InstanceMetadataTags:    infrav1.InstanceMetadataEndpointStateDisabled,
+					},
 				}
 				instance.State = infrav1.InstanceStatePending
 
@@ -752,6 +764,12 @@ func TestAWSMachineReconciler(t *testing.T) {
 					ID:               "myMachine",
 					VolumeIDs:        []string{"volume-1", "volume-2"},
 					AvailabilityZone: "us-east-1",
+					InstanceMetadataOptions: &infrav1.InstanceMetadataOptions{
+						HTTPEndpoint:            infrav1.InstanceMetadataEndpointStateEnabled,
+						HTTPPutResponseHopLimit: 1,
+						HTTPTokens:              infrav1.HTTPTokensStateOptional,
+						InstanceMetadataTags:    infrav1.InstanceMetadataEndpointStateDisabled,
+					},
 				}
 				instance.State = infrav1.InstanceStatePending
 			}
@@ -1008,6 +1026,12 @@ func TestAWSMachineReconciler(t *testing.T) {
 				instance = &infrav1.Instance{
 					ID:    "myMachine",
 					State: infrav1.InstanceStatePending,
+					InstanceMetadataOptions: &infrav1.InstanceMetadataOptions{
+						HTTPEndpoint:            infrav1.InstanceMetadataEndpointStateEnabled,
+						HTTPPutResponseHopLimit: 1,
+						HTTPTokens:              infrav1.HTTPTokensStateOptional,
+						InstanceMetadataTags:    infrav1.InstanceMetadataEndpointStateDisabled,
+					},
 				}
 
 				ec2Svc.EXPECT().GetRunningInstanceByTags(gomock.Any()).Return(nil, nil).AnyTimes()
@@ -1045,6 +1069,12 @@ func TestAWSMachineReconciler(t *testing.T) {
 				instance = &infrav1.Instance{
 					ID:    "myMachine",
 					State: infrav1.InstanceStatePending,
+					InstanceMetadataOptions: &infrav1.InstanceMetadataOptions{
+						HTTPEndpoint:            infrav1.InstanceMetadataEndpointStateEnabled,
+						HTTPPutResponseHopLimit: 1,
+						HTTPTokens:              infrav1.HTTPTokensStateOptional,
+						InstanceMetadataTags:    infrav1.InstanceMetadataEndpointStateDisabled,
+					},
 				}
 
 				ec2Svc.EXPECT().GetRunningInstanceByTags(gomock.Any()).Return(nil, nil).AnyTimes()
@@ -1069,6 +1099,12 @@ func TestAWSMachineReconciler(t *testing.T) {
 
 				instance = &infrav1.Instance{
 					ID: "myMachine",
+					InstanceMetadataOptions: &infrav1.InstanceMetadataOptions{
+						HTTPEndpoint:            infrav1.InstanceMetadataEndpointStateEnabled,
+						HTTPPutResponseHopLimit: 1,
+						HTTPTokens:              infrav1.HTTPTokensStateOptional,
+						InstanceMetadataTags:    infrav1.InstanceMetadataEndpointStateDisabled,
+					},
 				}
 
 				ms.Machine.Status.NodeRef = &corev1.ObjectReference{
@@ -1205,6 +1241,12 @@ func TestAWSMachineReconciler(t *testing.T) {
 
 				instance = &infrav1.Instance{
 					ID: "myMachine",
+					InstanceMetadataOptions: &infrav1.InstanceMetadataOptions{
+						HTTPEndpoint:            infrav1.InstanceMetadataEndpointStateEnabled,
+						HTTPPutResponseHopLimit: 1,
+						HTTPTokens:              infrav1.HTTPTokensStateOptional,
+						InstanceMetadataTags:    infrav1.InstanceMetadataEndpointStateDisabled,
+					},
 				}
 
 				ms.AWSMachine.Spec.CloudInit = infrav1.CloudInit{
@@ -1302,6 +1344,12 @@ func TestAWSMachineReconciler(t *testing.T) {
 
 				instance = &infrav1.Instance{
 					ID: "myMachine",
+					InstanceMetadataOptions: &infrav1.InstanceMetadataOptions{
+						HTTPEndpoint:            infrav1.InstanceMetadataEndpointStateEnabled,
+						HTTPPutResponseHopLimit: 1,
+						HTTPTokens:              infrav1.HTTPTokensStateOptional,
+						InstanceMetadataTags:    infrav1.InstanceMetadataEndpointStateDisabled,
+					},
 				}
 				instance.State = infrav1.InstanceStatePending
 				secretSvc.EXPECT().Create(gomock.Any(), gomock.Any()).Return(secretPrefix, int32(1), nil).Times(1)
@@ -1354,6 +1402,12 @@ func TestAWSMachineReconciler(t *testing.T) {
 					instance = &infrav1.Instance{
 						ID:    "myMachine",
 						State: infrav1.InstanceStatePending,
+						InstanceMetadataOptions: &infrav1.InstanceMetadataOptions{
+							HTTPEndpoint:            infrav1.InstanceMetadataEndpointStateEnabled,
+							HTTPPutResponseHopLimit: 1,
+							HTTPTokens:              infrav1.HTTPTokensStateOptional,
+							InstanceMetadataTags:    infrav1.InstanceMetadataEndpointStateDisabled,
+						},
 					}
 					fakeS3URL := "s3://foo"
 
@@ -1387,6 +1441,12 @@ func TestAWSMachineReconciler(t *testing.T) {
 					instance = &infrav1.Instance{
 						ID:    "myMachine",
 						State: infrav1.InstanceStatePending,
+						InstanceMetadataOptions: &infrav1.InstanceMetadataOptions{
+							HTTPEndpoint:            infrav1.InstanceMetadataEndpointStateEnabled,
+							HTTPPutResponseHopLimit: 1,
+							HTTPTokens:              infrav1.HTTPTokensStateOptional,
+							InstanceMetadataTags:    infrav1.InstanceMetadataEndpointStateDisabled,
+						},
 					}
 
 					//nolint:gosec
@@ -1414,6 +1474,12 @@ func TestAWSMachineReconciler(t *testing.T) {
 
 					instance = &infrav1.Instance{
 						ID: "myMachine",
+						InstanceMetadataOptions: &infrav1.InstanceMetadataOptions{
+							HTTPEndpoint:            infrav1.InstanceMetadataEndpointStateEnabled,
+							HTTPPutResponseHopLimit: 1,
+							HTTPTokens:              infrav1.HTTPTokensStateOptional,
+							InstanceMetadataTags:    infrav1.InstanceMetadataEndpointStateDisabled,
+						},
 					}
 
 					ms.Machine.Status.NodeRef = &corev1.ObjectReference{
@@ -1497,6 +1563,12 @@ func TestAWSMachineReconciler(t *testing.T) {
 
 					instance = &infrav1.Instance{
 						ID: "myMachine",
+						InstanceMetadataOptions: &infrav1.InstanceMetadataOptions{
+							HTTPEndpoint:            infrav1.InstanceMetadataEndpointStateEnabled,
+							HTTPPutResponseHopLimit: 1,
+							HTTPTokens:              infrav1.HTTPTokensStateOptional,
+							InstanceMetadataTags:    infrav1.InstanceMetadataEndpointStateDisabled,
+						},
 					}
 					ec2Svc.EXPECT().GetRunningInstanceByTags(gomock.Any()).Return(instance, nil).AnyTimes()
 				}
@@ -1606,6 +1678,12 @@ func TestAWSMachineReconciler(t *testing.T) {
 					instance = &infrav1.Instance{
 						ID:    "myMachine",
 						State: infrav1.InstanceStatePending,
+						InstanceMetadataOptions: &infrav1.InstanceMetadataOptions{
+							HTTPEndpoint:            infrav1.InstanceMetadataEndpointStateEnabled,
+							HTTPPutResponseHopLimit: 1,
+							HTTPTokens:              infrav1.HTTPTokensStateOptional,
+							InstanceMetadataTags:    infrav1.InstanceMetadataEndpointStateDisabled,
+						},
 					}
 					fakeS3URL := "s3://foo"
 

pkg/cloud/services/ec2/instances.go

@@ -1122,24 +1122,6 @@ func (s *Service) checkRootVolume(rootVolume *infrav1.Volume, imageID string) (*
 	return rootDeviceName, nil
 }
 
-// ModifyInstanceMetadataOptions modifies the metadata options of the given EC2 instance.
-func (s *Service) ModifyInstanceMetadataOptions(instanceID string, options *infrav1.InstanceMetadataOptions) error {
-	input := &ec2.ModifyInstanceMetadataOptionsInput{
-		HttpEndpoint:            types.InstanceMetadataEndpointState(string(options.HTTPEndpoint)),
-		HttpPutResponseHopLimit: utils.ToInt32Pointer(&options.HTTPPutResponseHopLimit),
-		HttpTokens:              types.HttpTokensState(string(options.HTTPTokens)),
-		InstanceMetadataTags:    types.InstanceMetadataTagsState(string(options.InstanceMetadataTags)),
-		InstanceId:              aws.String(instanceID),
-	}
-
-	s.scope.Info("Updating instance metadata options", "instance id", instanceID, "options", input)
-	if _, err := s.EC2Client.ModifyInstanceMetadataOptions(context.TODO(), input); err != nil {
-		return err
-	}
-
-	return nil
-}
-
 // GetDHCPOptionSetDomainName returns the domain DNS name for the VPC from the DHCP Options.
 func (s *Service) GetDHCPOptionSetDomainName(ec2client common.EC2API, vpcID *string) *string {
 	log := s.scope.GetLogger()

pkg/cloud/services/interfaces.go

@@ -73,7 +73,6 @@ type EC2Interface interface {
 	GetInstanceSecurityGroups(instanceID string) (map[string][]string, error)
 	UpdateInstanceSecurityGroups(id string, securityGroups []string) error
 	UpdateResourceTags(resourceID *string, create, remove map[string]string) error
-	ModifyInstanceMetadataOptions(instanceID string, options *infrav1.InstanceMetadataOptions) error
 
 	TerminateInstanceAndWait(instanceID string) error
 	DetachSecurityGroupsFromNetworkInterface(groups []string, interfaceID string) error