Add support for custom Bottlerocket AMIs for MNG #8418

Merged
merged 1 commit into from
Jun 17, 2025

Conversation

koooosh
Contributor

@koooosh koooosh commented Jun 12, 2025

Issue

Close: #8419

Description

Currently, when creating MNGs using a custom Bottlerocket AMI with eksctl, we get the error:

Error: could not create cluster provider from options: cannot set amiFamily to Bottlerocket when using a custom AMI for managed nodes, only AmazonLinux2023, AmazonLinux2, UbuntuPro2404, Ubuntu2404, UbuntuPro2204, Ubuntu2204, Ubuntu2004, Ubuntu1804 are supported

This PR adds support for custom Bottlerocket AMIs for MNG.

Also, it improves tests in managed_bottlerocket_test.go so they verify specific settings rather than entire strings 😁

Testing

  • make test
  • Manual test:
  1. Locally built eksctl
  2. Manifest with an MNG using a custom Bottlerocket AMI:

```yaml
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig

metadata:
  name: br-custom-ami-cluster
  region: us-west-2
  version: '1.31'

managedNodeGroups:
  - name: br-custom-ami-mng
    instanceType: m5.large
    desiredCapacity: 1
    ami: ami-02516a800443b52d6   # aws ssm get-parameters --names "/aws/service/bottlerocket/aws-k8s-1.31/x86_64/1.40.0/image_id" --region us-west-2
    amiFamily: Bottlerocket
    disableIMDSv1: true
    iam:
      attachPolicyARNs:
        - arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
        - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
        - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
    bottlerocket:
      settings:
        motd: "Hello from eksctl!"
```

  3. ./eksctl create cluster -f <MANIFEST> successfully creates cluster and MNG with custom AMI

Checklist

  • Added tests that cover your change (if possible)
  • Added/modified documentation as required (such as the README.md, or the userdocs directory)
  • Manually tested
  • Made sure the title of the PR is a good description that can go into the release notes
  • (Core team) Added labels for change area (e.g. area/nodegroup) and kind (e.g. kind/improvement)

BONUS POINTS checklist: complete for good vibes and maybe prizes?! 🤯

  • Backfilled missing tests for code in same general area 🎉
  • Refactored something and made the world a better place 🌟

if userData == "" {
return "", errors.New("generated unexpected empty TOML user-data from input")
// Generate TOML for launch in this NodeGroup.
data, err := bottlerocketSettingsTOML(b.clusterConfig, b.ng.NodeGroupBase, settings)
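Review bot: the `err` returned by `bottlerocketSettingsTOML` on the last line shown is not checked within the visible lines; make sure an `if err != nil { return "", err }` immediately follows the call, otherwise a failure to render the cluster settings would only surface indirectly through the `userData == ""` guard above instead of reporting the underlying TOML error.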
Contributor Author

bottlerocketSettingsTOML, similar to ProtectTOMLKeys a few lines above, comes from bottlerocket.go and is used to set the Kubernetes cluster settings, which is necessary for the nodes to join the cluster.

Without this function, I was seeing the following error in the kubelet logs:

err="failed to construct kubelet dependencies: unable to loadclient CA file /etc/kubernetes/pki/ca.crt: error creating pool from /etc/kubernetes/pki/ca.crt: data does not contain any valid RSA or ECDSA certificates"

Contributor Author

This test passing verifies that these settings cannot be manually set through userdata, only injected.

Comment on lines +128 to +129
Expect(tree.HasPath([]string{"settings", "kubernetes", "node-labels"})).To(BeFalse())
Expect(tree.HasPath([]string{"settings", "kubernetes", "node-taints"})).To(BeFalse())
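Review bot: these two assertions only prove absence, so they would also pass vacuously on an empty or wrongly selected tree; pair them with one positive `HasPath` assertion on a key eksctl does inject into the same tree, which confirms the tree under test is the generated user data and that the node-labels/node-taints paths are missing by design rather than by accident.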
Contributor Author

These settings actually exist, but should not be set through userdata: https://bottlerocket.dev/en/os/1.39.x/api/settings/kubernetes/#node-labels
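The protect-and-inject rule the comments above describe (reserved `settings.kubernetes` keys may not come from user-supplied settings; the cluster settings a node needs to join are injected), written out as an added Go example that is not eksctl's own code. `Tree`, `HasPath`, `child`, `BuildSettings` and `reservedKeys` are this example's constructions; the assumption that the injected cluster settings are `cluster-name`, `api-server` and `cluster-certificate` comes from Bottlerocket's `settings.kubernetes` documentation, not from this PR, and rejecting the user tree with an error is this example's choice, whereas the PR's test only asserts the keys are absent from the generated user data.

```go
package main

import "fmt"

// Tree is a nested TOML-style table: branches are Tree, leaves are strings.
type Tree map[string]any

// Keys under settings.kubernetes that eksctl injects itself, so user-supplied bottlerocket.settings
// must not set them. Assumption: the three cluster keys are what eksctl injects; node-labels and
// node-taints are the two the PR's test asserts are absent from user data.
var reservedKeys = []string{"cluster-name", "api-server", "cluster-certificate", "node-labels", "node-taints"}
// HasPath reports whether the key path exists, like the tree.HasPath check in the test.
func (t Tree) HasPath(path []string) bool {
	var cur any = t
	for _, k := range path {
		m, ok := cur.(Tree)
		if !ok {
			return false
		}
		if cur, ok = m[k]; !ok {
			return false
		}
	}
	return true
}

// child returns the sub-table at key k, creating it if absent.
func child(t Tree, k string) Tree {
	if sub, ok := t[k].(Tree); ok {
		return sub
	}
	sub := Tree{}
	t[k] = sub
	return sub
}

// BuildSettings rejects reserved keys in the user tree, then injects the cluster settings a node
// needs to join; an empty CA is refused because kubelet could not build its client CA pool from it.
func BuildSettings(user Tree, clusterName, endpoint, caB64 string) (Tree, error) {
	for _, k := range reservedKeys {
		if user.HasPath([]string{"settings", "kubernetes", k}) {
			return nil, fmt.Errorf("settings.kubernetes.%s is managed by eksctl and cannot be set by the user", k)
		}
	}
	if caB64 == "" {
		return nil, fmt.Errorf("cluster-certificate must not be empty")
	}
	k8s := child(child(user, "settings"), "kubernetes")
	k8s["cluster-name"], k8s["api-server"], k8s["cluster-certificate"] = clusterName, endpoint, caB64
	return user, nil
}
```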

@koooosh koooosh marked this pull request as ready for review June 12, 2025 03:04
@cartermckinnon cartermckinnon left a comment

lgtm!

Member

@naclonts naclonts left a comment

Thanks for the contribution! 🚀

@naclonts naclonts merged commit 88a1dc5 into eksctl-io:main Jun 17, 2025
9 of 20 checks passed
Successfully merging this pull request may close these issues.

[Feature] Support custom Bottlerocket AMIs for Managed Nodes
3 participants