fix: worker security group handling when worker_create_security_group=false #1461
PR o'clock
Description
Currently, when you enable `create_launch_template=true` on the nodegroup, it switches from using the primary cluster security group to the worker security group, which can cause various problems.
The first workaround attempted was to use `cluster_primary_security_group_id` as `worker_security_group_id`, but that caused a variable cycle error.
The second workaround was to add the primary security group to `worker_additional_security_group_ids`; however, that causes the ALB ingress controller to fail in AWS, because the ingress controller cannot work when there are multiple SGs attached to the network interface.
The solution was to delete the unused worker security group; however, that causes a failure on launch template creation due to the empty security group id.
This PR cleans up the security groups for the launch template if there's an empty string in the list.
There was also a `cluster_private_access_sg_source` rule which was trying to add the worker security group when the worker security group didn't exist, which is fixed in this PR.

Checklist
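The following Terraform fragment is an added illustration of the two behaviours the description talks about; it is not the terraform-aws-eks module's code or the diff of this PR. It reuses the variable names the description mentions (`worker_create_security_group`, `worker_security_group_id`, `worker_additional_security_group_ids`, `cluster_private_access_sg_source`); the `cluster_security_group_id` and `vpc_id` inputs, the `workers` resource names and the `locals` are assumptions for the example. The first point is that `compact()` removes the `""` that appears in the security group list when no worker security group exists, so the launch template never receives an empty id; the second is that the private-access ingress rule is only created when a worker security group actually exists, which is decided from variables alone so that `count` stays known at plan time.

```hcl
# Added example (not the module's code). Shows how a worker security group
# that may or may not exist is wired into a launch template and into the
# cluster's private-access ingress rule without ever passing "" to AWS.

variable "worker_create_security_group" {
  description = "Whether this module creates the worker security group."
  type        = bool
  default     = true
}

variable "worker_security_group_id" {
  description = "Externally supplied worker SG id; empty when none is supplied."
  type        = string
  default     = ""
}

variable "worker_additional_security_group_ids" {
  description = "Extra SGs attached to the worker network interface."
  type        = list(string)
  default     = []
}

# Assumed inputs for the example.
variable "cluster_security_group_id" { type = string }
variable "vpc_id" { type = string }

resource "aws_security_group" "workers" {
  count       = var.worker_create_security_group ? 1 : 0
  name_prefix = "eks-workers-"
  vpc_id      = var.vpc_id
}

locals {
  # Either the SG created here or the caller's id; this is "" when
  # worker_create_security_group = false and no id was supplied.
  worker_security_group_id = var.worker_create_security_group ? aws_security_group.workers[0].id : var.worker_security_group_id

  # compact() drops empty strings, so an absent worker SG does not leave a
  # "" entry that makes launch template creation fail.
  launch_template_security_group_ids = compact(concat(
    [local.worker_security_group_id],
    var.worker_additional_security_group_ids,
  ))

  # Decided from variables only, so count does not depend on an
  # apply-time attribute such as the new SG's id.
  worker_security_group_exists = var.worker_create_security_group || var.worker_security_group_id != ""
}

# Only reference the worker SG as a rule source when one exists.
resource "aws_security_group_rule" "cluster_private_access_sg_source" {
  count                    = local.worker_security_group_exists ? 1 : 0
  type                     = "ingress"
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  security_group_id        = var.cluster_security_group_id
  source_security_group_id = local.worker_security_group_id
}

resource "aws_launch_template" "workers" {
  name_prefix = "eks-workers-"

  network_interfaces {
    # Never contains "", whatever the value of worker_create_security_group.
    security_groups = local.launch_template_security_group_ids
  }
}
```

Note that `compact()` only removes the empty entry; it does not change the situation described above where the ALB ingress controller fails when more than one security group is attached to the network interface. If you rely on that controller, check with `terraform plan` that `local.launch_template_security_group_ids` resolves to exactly one id (for instance the cluster's primary security group passed through `worker_additional_security_group_ids` with `worker_create_security_group = false`).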