docs: Update documentation for 1.24 changes to containerd, ensure examples are functioning as intended (#2463)

Resolves undefined
Bryant Biggs
2023-02-09 13:03:01 -05:00
committed by GitHub
parent aaea28dfa0
commit 07653b6249
8 changed files with 26 additions and 128 deletions


@@ -12,34 +12,6 @@ Configuration in this directory creates an AWS EKS cluster with various EKS Mana
See the [AWS documentation](https://docs.aws.amazon.com/eks/latest/userguide/managed-node-groups.html) for further details.
## Container Runtime & User Data
When using the default AMI provided by the EKS Managed Node Group service (i.e. - not specifying a value for `ami_id`), users should be aware of the limitations of configuring the node bootstrap process via user data. Due to not having direct access to the bootstrap.sh script invocation and therefore its configuration flags (this is provided by the EKS Managed Node Group service in the node user data), a workaround for ensuring the appropriate configuration settings is shown below. The following example shows how to inject configuration variables ahead of the merged user data provided by the EKS Managed Node Group service as well as how to enable the containerd runtime using this approach. More details can be found [here](https://github.com/awslabs/amazon-eks-ami/issues/844).
```hcl
...
# Demo of containerd usage when not specifying a custom AMI ID
# (merged into user data before EKS MNG provided user data)
containerd = {
name = "containerd"
# See issue https://github.com/awslabs/amazon-eks-ami/issues/844
pre_bootstrap_user_data = <<-EOT
#!/bin/bash
set -ex
cat <<-EOF > /etc/profile.d/bootstrap.sh
export CONTAINER_RUNTIME="containerd"
export USE_MAX_PODS=false
export KUBELET_EXTRA_ARGS="--max-pods=110"
EOF
# Source extra environment variables in bootstrap script
sed -i '/^set -o errexit/a\\nsource /etc/profile.d/bootstrap.sh' /etc/eks/bootstrap.sh
sed -i 's/KUBELET_EXTRA_ARGS=$2/KUBELET_EXTRA_ARGS="$2 $KUBELET_EXTRA_ARGS"/' /etc/eks/bootstrap.sh
EOT
}
...
```
## Usage
To run this example you need to execute:
@@ -71,7 +43,7 @@ Note that this example may create resources which cost money. Run `terraform des
| Name | Source | Version |
|------|--------|---------|
| <a name="module_ebs_kms_key"></a> [ebs\_kms\_key](#module\_ebs\_kms\_key) | terraform-aws-modules/kms/aws | ~> 1.1 |
| <a name="module_ebs_kms_key"></a> [ebs\_kms\_key](#module\_ebs\_kms\_key) | terraform-aws-modules/kms/aws | ~> 1.5 |
| <a name="module_eks"></a> [eks](#module\_eks) | ../.. | n/a |
| <a name="module_key_pair"></a> [key\_pair](#module\_key\_pair) | terraform-aws-modules/key-pair/aws | ~> 2.0 |
| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3.0 |


@@ -181,25 +181,6 @@ module "eks" {
instance_types = ["t4g.medium"]
}
# Demo of containerd usage when not specifying a custom AMI ID
# (merged into user data before EKS MNG provided user data)
containerd = {
name = "containerd"
# See issue https://github.com/awslabs/amazon-eks-ami/issues/844
pre_bootstrap_user_data = <<-EOT
#!/bin/bash
set -ex
cat <<-EOF > /etc/profile.d/bootstrap.sh
export CONTAINER_RUNTIME="containerd"
export USE_MAX_PODS=false
export KUBELET_EXTRA_ARGS="--max-pods=110"
EOF
# Source extra environment variables in bootstrap script
sed -i '/^set -o errexit/a\\nsource /etc/profile.d/bootstrap.sh' /etc/eks/bootstrap.sh
EOT
}
# Complete
complete = {
name = "complete-eks-mng"
@@ -213,11 +194,9 @@ module "eks" {
ami_id = data.aws_ami.eks_default.image_id
enable_bootstrap_user_data = true
bootstrap_extra_args = "--container-runtime containerd --kubelet-extra-args '--max-pods=20'"
pre_bootstrap_user_data = <<-EOT
export CONTAINER_RUNTIME="containerd"
export USE_MAX_PODS=false
export FOO=bar
EOT
post_bootstrap_user_data = <<-EOT
@@ -259,7 +238,7 @@ module "eks" {
iops = 3000
throughput = 150
encrypted = true
kms_key_id = module.ebs_kms_key.key_id
kms_key_id = module.ebs_kms_key.key_arn
delete_on_termination = true
}
}
@@ -315,6 +294,7 @@ module "vpc" {
public_subnet_ipv6_prefixes = [0, 1, 2]
private_subnet_ipv6_prefixes = [3, 4, 5]
intra_subnet_ipv6_prefixes = [6, 7, 8]
enable_nat_gateway = true
single_nat_gateway = true
@@ -355,7 +335,7 @@ module "vpc_cni_irsa" {
module "ebs_kms_key" {
source = "terraform-aws-modules/kms/aws"
version = "~> 1.1"
version = "~> 1.5"
description = "Customer managed key to encrypt EKS managed node group volumes"
@@ -363,7 +343,8 @@ module "ebs_kms_key" {
key_administrators = [
data.aws_caller_identity.current.arn
]
key_service_users = [
key_service_roles_for_autoscaling = [
# required for the ASG to manage encrypted volumes for nodes
"arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling",
# required for the cluster / persistentvolume-controller to create encrypted PVCs