Validate credential provider during install

aws · Jan 27, 2025 · 824b8c8 · 824b8c8
1 parent 3a1e65a
commit 824b8c8
Showing 4 changed files with 43 additions and 1 deletion.
diff --git a/cmd/nodeadm/install/install.go b/cmd/nodeadm/install/install.go
@@ -82,6 +82,9 @@ func (c *command) Run(log *zap.Logger, opts *cli.GlobalOptions) error {
 	if err != nil {
 		return err
 	}
+	if err = creds.ValidateCredentialProvider(credentialProvider); err != nil {
+		return err
+	}
 
 	// Default containerd source to distro
 	if c.containerdSource == "" {

diff --git a/internal/creds/validation.go b/internal/creds/validation.go
@@ -1,11 +1,15 @@
 package creds
 
 import (
+	"fmt"
+	"strings"
+
 	"github.com/aws/aws-sdk-go-v2/aws"
 
 	"github.com/aws/eks-hybrid/internal/api"
 	"github.com/aws/eks-hybrid/internal/iamrolesanywhere"
 	"github.com/aws/eks-hybrid/internal/ssm"
+	"github.com/aws/eks-hybrid/internal/system"
 	"github.com/aws/eks-hybrid/internal/validation"
 )
 
@@ -23,3 +27,29 @@ func Validations(config aws.Config, node *api.NodeConfig) []validation.Validatio
 
 	return nil
 }
+
+func ValidateCredentialProvider(provider CredentialProvider) error {
+	if provider == IamRolesAnywhereCredentialProvider {
+		osName, osVersion := system.GetOsNameWithVersion()
+		majorOsVersion, err := getMajorVersion(osVersion)
+		if err != nil {
+			return err
+		}
+
+		// Both RHEL8 and Ubuntu 20 have older version of glibc which iam roles anywhere credential helper doesn't work with
+		// Until we have a fix for that, we will validate and avoid these os version combinations
+		// https://github.com/aws/rolesanywhere-credential-helper/issues/90
+		if (osName == system.RhelOsName && majorOsVersion == "8") || (osName == system.UbuntuOsName && majorOsVersion == "20") {
+			return fmt.Errorf("iam-ra credential provider is not supported on %s %s based operating systems. Please use ssm credential provider", osName, osVersion)
+		}
+	}
+	return nil
+}
+
+func getMajorVersion(version string) (string, error) {
+	parts := strings.Split(version, ".")
+	if len(parts) > 0 {
+		return parts[0], nil
+	}
+	return "", fmt.Errorf("failed to parse input version: %s", version)
+}
diff --git a/internal/system/os.go b/internal/system/os.go
@@ -16,6 +16,12 @@ func GetOsName() string {
 	return cfg.Section("").Key("ID").String()
 }
 
+// GetOsNameWithVersion returns the os name and version on /etc/os-release file
+func GetOsNameWithVersion() (string, string) {
+	cfg, _ := ini.Load("/etc/os-release")
+	return cfg.Section("").Key("ID").String(), cfg.Section("").Key("VERSION_ID").String()
+}
+
 func GetVersionCodeName() string {
 	cfg, _ := ini.Load("/etc/os-release")
 	return cfg.Section("").Key("VERSION_CODENAME").String()

diff --git a/test/e2e/os/rhel.go b/test/e2e/os/rhel.go
@@ -202,5 +202,8 @@ func findLatestImage(ctx context.Context, client *ec2.Client, amiPrefix, arch st
 }
 
 func paginationDone(in *ec2.DescribeImagesInput, out *ec2.DescribeImagesOutput) bool {
-	return (in.NextToken != nil && in.NextToken == out.NextToken) || len(out.Images) == 0
+	// When filters are used, they are applied on the client side per page
+	// This function helps go through all the pages to make sure if filtered
+	// result shows up in any one of the pages
+	return out.NextToken == nil || (in.NextToken != nil && in.NextToken == out.NextToken)
 }