Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add or change OIDC setting after a cluster is created #676

Closed
elylee opened this issue Nov 19, 2021 · 1 comment
Closed

Add or change OIDC setting after a cluster is created #676

elylee opened this issue Nov 19, 2021 · 1 comment
Assignees
@mitalipaygude

Comments

@elylee
Copy link

elylee commented Nov 19, 2021

What would you like to be added:
Add or change OIDC setting after a cluster is created

Why is this needed:
"My organization may change our OIDC provider in near future. I don't want having to recreate my EKS-A cluster just to change the OIDC setting".
@smarsh-tim
Copy link

smarsh-tim commented Dec 29, 2021
edited
Loading

I found two work-arounds for this.

First option - Correct the EKS deployment to include OIDC

  1. Scale down the eksa-controller-manager Deployment (this allows for editing the "immutable" field)
  2. Login to the cluster and manually edit the Cluster spec to include the identityProviderRefs section 
    apiVersion: anywhere.eks.amazonaws.com/v1alpha1
kind: Cluster
metadata:
  creationTimestamp: null
  name: <cluster_name>
spec:
  ...
  identityProviderRefs:
  - kind: OIDCConfig
    name: "<name>"
...
status: {}
  3. Manually create a new resource in your Kubernetes cluster for OIDC 
    ---
apiVersion: anywhere.eks.amazonaws.com/v1alpha1
kind: OIDCConfig
metadata:
  annotations:
    anywhere.eks.amazonaws.com/control-plane: "true"
    anywhere.eks.amazonaws.com/etcd: "true"
  creationTimestamp: null
  name: "<name>"
spec:
...
  4. Make a change to your Control Plane machine config - such that the eksctl upgrade command will recreate those nodes 
    ---
apiVersion: anywhere.eks.amazonaws.com/v1alpha1
kind: VSphereMachineConfig
metadata:
  annotations:
    anywhere.eks.amazonaws.com/control-plane: "true"
  creationTimestamp: null
  name: "<name>"
spec:
  memory: 7196 #8192 (original value)
  5. Execute the upgrade command
  6. Scale back up eksa-controller-manager Deployment if needed

Second option - manually correct the kube-apiserver pod one each control plane node
(this isn't preferable, as these settings will be lost in future upgrades"

  1. SSH to each control plane node
  2. Edit this file: /etc/kubernetes/manifests/kube-apiserver.yaml
  3. Restart kubelet to apply the changes: 'systemctl restart kubelet'

I think the eksctl anywhere cli tooling / bootstrap process should be able to apply those changes. But it says that identityProviderRefs is an immutable field for the Cluster resource - which it isn't and doesn't seem to need to be.

@jaxesn jaxesn added this to the next+1 milestone Jan 26, 2022
@jaxesn jaxesn modified the milestones: next+1, next Feb 1, 2022
This was referenced Feb 23, 2022
Closed
Merged
@mitalipaygude mitalipaygude mentioned this issue Mar 17, 2022
Merged
@jaxesn jaxesn removed this from the next milestone May 13, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mitalipaygude mitalipaygude

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@jaxesn @elylee @mitalipaygude @smarsh-tim