No GovCloud region ARNs present in worker nodes Yaml #6

Open
kakarotbyte opened this issue Jun 7, 2021 · 1 comment
kakarotbyte commented Jun 7, 2021

  1. There are no Gov cloud regions mentioned.

```yaml
LayerArn:
  ap-northeast-1:
    kubectl: "arn:aws:lambda:ap-northeast-1:903779448426:layer:eks-kubectl-layer:30"
  ap-northeast-2:
    kubectl: "arn:aws:lambda:ap-northeast-2:903779448426:layer:eks-kubectl-layer:2"
  ap-southeast-1:
    kubectl: "arn:aws:lambda:ap-southeast-1:903779448426:layer:eks-kubectl-layer:2"
  ap-southeast-2:
    kubectl: "arn:aws:lambda:ap-southeast-2:903779448426:layer:eks-kubectl-layer:2"
  ca-central-1:
    kubectl: "arn:aws:lambda:ca-central-1:903779448426:layer:eks-kubectl-layer:1"
  us-east-1:
    kubectl: "arn:aws:lambda:us-east-1:903779448426:layer:eks-kubectl-layer:2"
  us-west-1:
    kubectl: "arn:aws:lambda:us-west-1:903779448426:layer:eks-kubectl-layer:1"
  us-west-2:
    kubectl: "arn:aws:lambda:us-west-2:903779448426:layer:eks-kubectl-layer:2"
  us-east-2:
    kubectl: "arn:aws:lambda:us-east-2:903779448426:layer:eks-kubectl-layer:3"
  eu-central-1:
    kubectl: "arn:aws:lambda:eu-central-1:903779448426:layer:eks-kubectl-layer:2"
  eu-west-1:
    kubectl: "arn:aws:lambda:eu-west-1:903779448426:layer:eks-kubectl-layer:2"
  eu-north-1:
    kubectl: "arn:aws:lambda:eu-north-1:903779448426:layer:eks-kubectl-layer:1"
  sa-east-1:
    kubectl: "arn:aws:lambda:sa-east-1:903779448426:layer:eks-kubectl-layer:1"
  cn-north-1:
    kubectl: "arn:aws-cn:lambda:cn-north-1:937788672844:layer:eks-kubectl-layer:2"
  cn-northwest-1:
    kubectl: "arn:aws-cn:lambda:cn-northwest-1:937788672844:layer:eks-kubectl-layer:2"
```

  2. Also see an error with the SAM:

    Transform AWS::Serverless-2016-10-31 failed with: Invalid Serverless Application Specification document. Number of errors found: 1. Resource with id [ConfigMapUpdate] is invalid. User: arn:aws-us-gov:iam::xxxxxxxxxx:user/<Redacted> is not authorized to perform: serverlessrepo:CreateCloudFormationTemplate on resource: arn:aws:serverlessrepo:us-east-1:903779448426:applications/eks-auth-update-hook. Rollback requested by user.

This can be because of the following reason:
AWS Serverless Application Repository - How AWS Serverless Application Repository Differs for AWS GovCloud (US) - https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-sar.html#govcloud-sar-diffs

> Applications that are publicly shared in other AWS Regions are not automatically available in AWS GovCloud (US) Regions. To make applications available in AWS GovCloud (US) Regions, you must publish and share them independently of other AWS Regions.

```yaml
Type: AWS::Serverless::Application
Properties:
  Location:
    # serverless app from all regions should be able to import this ApplicationId from 'us-east-1' across accounts.
    ApplicationId: arn:aws:serverlessrepo:us-east-1:903779448426:applications/eks-auth-update-hook
    SemanticVersion: 1.0.0
  Parameters:
    ClusterName:
      Fn::ImportValue:
        !Sub "${InfraStackName}-EksCluster"
    LambdaRoleArn:
      Fn::ImportValue:
        !Sub "${InfraStackName}-EksAdminRoleForLambdaArn"
    LambdaLayerKubectlArn: !FindInMap
      - LayerArn
      - !Ref "AWS::Region"
      - kubectl
    NodeInstanceRoleArn: !GetAtt NodeInstanceRole.Arn
    FunctionName: !Sub "eks-auth-update-hook-${AWS::StackName}"
```
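
Both problems reported above come down to ARNs whose partition (`aws`, `aws-cn`, `aws-us-gov`) does not match the region the stack is deployed in. The following pre-deployment check is an added example, not part of the original issue or the project's code; `preflight` and `partition_of` are hypothetical helper names, and the sample mapping is a constructed subset of the entries quoted in the issue.

```python
import re

# Constructed sample: two entries copied from the LayerArn mapping in the issue.
LAYER_ARNS = {
    "us-east-1": "arn:aws:lambda:us-east-1:903779448426:layer:eks-kubectl-layer:2",
    "cn-north-1": "arn:aws-cn:lambda:cn-north-1:937788672844:layer:eks-kubectl-layer:2",
}
# ApplicationId from the AWS::Serverless::Application resource in the issue.
SAR_APP_ID = "arn:aws:serverlessrepo:us-east-1:903779448426:applications/eks-auth-update-hook"

ARN_RE = re.compile(r"^arn:(?P<partition>[^:]+):[^:]+:(?P<region>[^:]*):")


def partition_of(region):
    """Map a region name to the partition its ARNs must carry."""
    if region.startswith("us-gov-"):
        return "aws-us-gov"
    if region.startswith("cn-"):
        return "aws-cn"
    return "aws"


def preflight(deploy_region, layer_arns, app_id):
    """Hypothetical helper: list reasons the stack cannot deploy in deploy_region."""
    findings = []
    # Lint every mapping entry: key, ARN region and ARN partition must agree.
    for region, arn in layer_arns.items():
        m = ARN_RE.match(arn)
        if not m or m["region"] != region or m["partition"] != partition_of(region):
            findings.append(f"LayerArn[{region}] does not match its region/partition: {arn}")
    # !FindInMap on AWS::Region has nothing to resolve if the key is absent.
    if deploy_region not in layer_arns:
        findings.append(f"LayerArn has no entry for {deploy_region}")
    # A SAR application published in one partition is not visible from another.
    m = ARN_RE.match(app_id)
    want = partition_of(deploy_region)
    if not m:
        findings.append(f"ApplicationId is not an ARN: {app_id}")
    elif m["partition"] != want:
        findings.append(f"ApplicationId partition {m['partition']} != stack partition {want}")
    return findings


if __name__ == "__main__":
    for region in ("us-east-1", "us-gov-west-1"):
        print(region, preflight(region, LAYER_ARNS, SAR_APP_ID) or "ok")
```
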

@jungy-aws
Contributor

Hi @kakarotbyte, a simple fix for this issue is removing the ConfigMapUpdate custom resource from the CloudFormation. It is a purely optional step to make the aws-auth-cm.yaml update be done automatically. As mentioned in the blog post (below) and also illustrated in the UG below, you can manually update aws-auth-cm.yaml so that the worker node group can be added to the cluster w/o this SAR application.
https://docs.aws.amazon.com/eks/latest/userguide/launch-workers.html

...
Run the CloudFormation for worker node group creation (open5gs-worker.yaml)
...
Optional: If worker node groups don’t get joined to the EKS cluster, then manually update aws-auth-cm.yaml ConfigMap so that the EKS cluster control plane can register the worker nodes. (This step is usually not required if a step of Bastion Host Configuration-4 has been done properly.)
