Enable creating IPV6 clusters with pod identities in addition to IRSA

[simonmarty]

• Fix typo on "associations"
• Add VS Code folder to gitignore
• Enable creating IPV6 clusters with pod identities

Description

Currently, creating an IPV6 cluster fails validation if withOIDC is not set to true. Since the advent of EKS pod identities, OIDC is no longer necessary as long as the pod identity agent is added, and the VPC CNI addon is configured with a pod identity association. Updated the validation logic to allow either pod identities or IRSA for IPV6 clusters.

Unrelated: caught two typos and added the VS Code folder to the gitignore since that's my IDE of choice (and a pretty common one at that).

Checklist

• Added tests that cover your change (if possible)
• Added/modified documentation as required (such as the README.md, or the userdocs directory)
• Manually tested
• Made sure the title of the PR is a good description that can go into the release notes
• (Core team) Added labels for change area (e.g. area/nodegroup) and kind (e.g. kind/improvement)

BONUS POINTS checklist: complete for good vibes and maybe prizes?! 🤯

• Backfilled missing tests for code in same general area 🎉
• Refactored something and made the world a better place 🌟

[github-actions]

Hello simonmarty 👋 Thank you for opening a Pull Request in eksctl project. The team will review the Pull Request and aim to respond within 1-10 business days. Meanwhile, please read about the Contribution and Code of Conduct guidelines here. You can find out more information about eksctl on our website

[cheeseandcereal]

I'm a little confused by this check. So if the pod identity addon does exist, then we check for OIDC, but if it doesn't, then we check for pod identity settings on the addon itself? Am I reading that correctly? If so, I'm not really sure I understand. Shouldn't it be if there is no pod identity addon, then OIDC needs to be enabled, otherwise either OIDC OR pod identity can be used?

[simonmarty]

The first if block

if len(c.addonContainsManagedAddons([]string{PodIdentityAgentAddon})) != 0 && (c.IAM == nil || c.IAM != nil && IsDisabled(c.IAM.WithOIDC)) {

Checks that there is at least one way to provide credentials to the VPC CNI addon. If there is not at least one provider (either Pod identity Agent or IRSA), then we exit early.

The second block

if len(c.addonContainsManagedAddons([]string{PodIdentityAgentAddon})) == 0 && !c.AddonsConfig.AutoApplyPodIdentityAssociations {

Performs extra validations needed if we are using pod identities (namely, that the VPC CNI addon has a pod identity configured in one way or another).

I can add comments to clarify this, if you think of a better way to organize these conditions lmk.

[cheeseandcereal]

Ah ok, that makes sense too. Yeah I was thinking in my head like 'do the oidc check' then [if still needed] 'do the pod identity check' might make it more clear what's going on, rather than adding a condition to the earlier one just to short-circuit.

Either way, comments would be helpful :)

[cheeseandcereal]

Ah ok, that makes sense too. Yeah I was thinking in my head like 'do the oidc check' then [if still needed] 'do the pod identity check' might make it more clear what's going on, rather than adding a condition to the earlier one just to short-circuit.

Either way, comments would be helpful :)

[cheeseandcereal]

Thanks for the contribution!