Release v1.3.8: GitHub Container Registry Migration and Configuration Synchronization

.gitignore

@@ -57,5 +57,7 @@ recommended-sample-improvements.yaml
 
 # Test artifacts that shouldn't be committed
 sriov-device-plugin-hostpath.yaml
-charts/aws-multi-eni-controller/values.yaml
-aws-multi-eni-controller
+
+charts/aws-multi-eni-controller/values.yaml.backup
+deploy/deployment.yaml.backup
+deploy/eni-manager-daemonset.yaml.backup

README.md

@@ -76,6 +76,7 @@ Before deploying the AWS Multi-ENI Controller, ensure you have:
 - kubectl configured to access your cluster
 - Helm 3.0+ (for Helm installation)
 - IAM permissions for EC2 ENI operations
+- **Amazon Linux 2023 Support**: The controller includes full IMDSv2 support for AL2023 nodes
 
 ### Required IAM Permissions
 
@@ -104,6 +105,18 @@ The controller requires the following IAM permissions:
 }
 ```
 
+### IMDSv2 Support
+
+The AWS Multi-ENI Controller includes comprehensive support for **Instance Metadata Service Version 2 (IMDSv2)**, ensuring compatibility with both Amazon Linux 2 and Amazon Linux 2023 nodes:
+
+- **Amazon Linux 2023**: Full support for nodes with `HttpTokens: required` (IMDSv2 enforcement)
+- **Amazon Linux 2**: Backward compatibility with both `HttpTokens: optional` and `HttpTokens: required`
+- **Automatic Hop Limit Configuration**: Automatically configures EC2 instance metadata hop limit for containerized environments
+- **Strict IMDSv2 Enforcement**: Configurable IMDSv1 fallback prevention for enhanced security
+- **Timeout & Retry**: Optimized timeout and retry settings for reliable credential retrieval
+
+For detailed information about IMDSv2 implementation and automatic configuration, see [IMDSv2 Support Documentation](docs/imdsv2-support.md).
+
 ## Installation
 
 ### Option 1: Install with Helm (Recommended)

charts/aws-multi-eni-controller/Chart.yaml

@@ -2,8 +2,8 @@ apiVersion: v2
 name: aws-multi-eni-controller
 description: A Helm chart for AWS Multi-ENI Controller
 type: application
-version: "1.3.5"
-appVersion: "v1.3.5"
+version: "1.3.8"
+appVersion: "v1.3.8"
 home: https://github.com/johnlam90/aws-multi-eni-controller
 sources:
   - https://github.com/johnlam90/aws-multi-eni-controller
@@ -20,12 +20,13 @@ keywords:
 annotations:
   artifacthub.io/license: Apache-2.0
   artifacthub.io/changes: |
-    - Update version to v1.3.5
-    - Fix ENI Manager incorrectly generating SR-IOV config for regular ENI configurations
-    - Implement proper PCI address mapping for SR-IOV configurations
-    - Prioritize PCI address matching over device index for SR-IOV interfaces
-    - Add comprehensive test coverage for interface-to-NodeENI mapping
-    - Resolve PCI address mismatches in SR-IOV device plugin configuration
-    - Improve separation between regular ENI and SR-IOV functionality
-    - Add detailed logging for interface mapping decisions
-    - Fix issue where regular ENI configs triggered unnecessary SR-IOV operations
+    - Update version to v1.3.7 with comprehensive test suite
+    - Fix ens8 interface device index calculation (ens_number - 5 formula)
+    - Implement robust hybrid device index calculation (sysfs + fallback)
+    - Add comprehensive unit tests for device index calculation logic
+    - Support scalability testing for 10+ ENI interfaces per node
+    - Add cross-platform compatibility for Amazon Linux 2 vs 2023
+    - Implement concurrent device index lookup performance testing
+    - Add error handling and graceful degradation for sysfs failures
+    - Include NodeENI integration testing and regression prevention
+    - Performance benchmarks: 2.6M+ operations/second for device index calculation

charts/aws-multi-eni-controller/templates/controller-deployment.yaml

@@ -37,6 +37,34 @@ spec:
           value: "eni-controller"
         - name: AWS_REGION
           value: "{{ .Values.awsRegion }}"
+        # AWS SDK configuration for strict IMDSv2 enforcement
+        # These settings ensure IMDSv2-only operation for enhanced security
+        - name: AWS_EC2_METADATA_DISABLED
+          value: "false"
+        - name: AWS_EC2_METADATA_V1_DISABLED
+          value: "true"
+        - name: AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE
+          value: "IPv4"
+        - name: AWS_EC2_METADATA_SERVICE_ENDPOINT
+          value: "http://169.254.169.254"
+        # Increased timeout and retry configuration for reliable IMDS calls
+        - name: AWS_METADATA_SERVICE_TIMEOUT
+          value: "30"
+        - name: AWS_METADATA_SERVICE_NUM_ATTEMPTS
+          value: "5"
+        # IMDS hop limit auto-configuration
+        - name: IMDS_AUTO_CONFIGURE_HOP_LIMIT
+          value: "{{ .Values.imds.autoConfigureHopLimit }}"
+        - name: IMDS_HOP_LIMIT
+          value: "{{ .Values.imds.hopLimit }}"
+        # Enable aggressive IMDS configuration for node replacement scenarios
+        - name: IMDS_AGGRESSIVE_CONFIGURATION
+          value: "{{ .Values.imds.aggressiveConfiguration }}"
+        # Node name for Kubernetes context
+        - name: NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
         - name: LOG_LEVEL
           value: "{{ .Values.logLevel }}"
         - name: MAX_CONCURRENT_ENI_CLEANUP

charts/aws-multi-eni-controller/templates/manager-daemonset.yaml

@@ -29,11 +29,18 @@ spec:
       {{- if .Values.eniManager.dpdk.enabled }}
       initContainers:
       - name: dpdk-setup
-        image: alpine:3.19
+        image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
         command: ["/bin/sh", "-c"]
         args:
         - |
           echo "Setting up DPDK environment..."
+
+          # Detect AMI type for better debugging
+          if nsenter -t 1 -m -u -i -n -p -- test -f /etc/os-release; then
+            echo "Host OS information:"
+            nsenter -t 1 -m -u -i -n -p -- cat /etc/os-release | head -5
+          fi
+
           # Install required packages
           apk --no-cache add kmod pciutils python3 build-base linux-headers git
 
@@ -99,9 +106,16 @@ spec:
           # Enable unsafe NOIOMMU mode
           nsenter -t 1 -m -u -i -n -p -- sh -c 'echo 1 > /sys/module/vfio/parameters/enable_unsafe_noiommu_mode' || echo "Failed to enable unsafe NOIOMMU mode"
 
-          # Copy DPDK binding script to host
+          # Debug: Show available DPDK files
+          echo "Available DPDK files in container:"
+          echo "From Docker image (/opt/dpdk):"
+          ls -la /opt/dpdk/ || echo "No /opt/dpdk directory"
+          echo "From ConfigMap (/opt/dpdk-configmap):"
+          ls -la /opt/dpdk-configmap/ || echo "No /opt/dpdk-configmap directory"
+
+          # Copy DPDK binding script to host (from ConfigMap)
           mkdir -p /host/usr/bin
-          cp -f /opt/dpdk/dpdk-devbind.py /host/usr/bin/
+          cp -f /opt/dpdk-configmap/dpdk-devbind.py /host/usr/bin/
           chmod 755 /host/usr/bin/dpdk-devbind.py
 
           # Create module load configuration for persistence across reboots
@@ -121,11 +135,17 @@ spec:
           else
             echo "Write Combining is not enabled, attempting to patch vfio-pci"
 
-            # Use the pre-packaged patch script
-            cd /opt/dpdk/scripts
-
-            # Run the patch script to enable Write Combining
-            nsenter -t 1 -m -u -i -n -p -- /opt/dpdk/scripts/get-vfio-with-wc.sh || echo "Failed to patch vfio-pci for Write Combining"
+            # Check if the DPDK scripts directory exists (from Docker image)
+            if [ -d "/opt/dpdk/scripts" ] && [ -f "/opt/dpdk/scripts/get-vfio-with-wc.sh" ]; then
+              echo "Using DPDK scripts from Docker image"
+              cd /opt/dpdk/scripts
+              # Run the patch script to enable Write Combining
+              nsenter -t 1 -m -u -i -n -p -- /opt/dpdk/scripts/get-vfio-with-wc.sh || echo "Failed to patch vfio-pci for Write Combining"
+            else
+              echo "DPDK scripts not found in expected location, skipping Write Combining patch"
+              echo "This is expected on Amazon Linux 2023 and other newer distributions"
+              echo "DPDK will still function without Write Combining optimization"
+            fi
           fi
 
           # Final verification of DPDK environment
@@ -163,7 +183,7 @@ spec:
         - name: host-root
           mountPath: /host
         - name: dpdk-tools
-          mountPath: /opt/dpdk
+          mountPath: /opt/dpdk-configmap
         - name: host-modules
           mountPath: /lib/modules
           readOnly: true
@@ -181,6 +201,29 @@ spec:
           value: "eni-manager"
         - name: AWS_REGION
           value: "{{ .Values.awsRegion }}"
+        # AWS SDK configuration for strict IMDSv2 enforcement
+        # These settings ensure IMDSv2-only operation for enhanced security
+        - name: AWS_EC2_METADATA_DISABLED
+          value: "false"
+        - name: AWS_EC2_METADATA_V1_DISABLED
+          value: "true"
+        - name: AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE
+          value: "IPv4"
+        - name: AWS_EC2_METADATA_SERVICE_ENDPOINT
+          value: "http://169.254.169.254"
+        # Increased timeout and retry configuration for reliable IMDS calls
+        - name: AWS_METADATA_SERVICE_TIMEOUT
+          value: "30"
+        - name: AWS_METADATA_SERVICE_NUM_ATTEMPTS
+          value: "5"
+        # IMDS hop limit auto-configuration
+        - name: IMDS_AUTO_CONFIGURE_HOP_LIMIT
+          value: "{{ .Values.imds.autoConfigureHopLimit }}"
+        - name: IMDS_HOP_LIMIT
+          value: "{{ .Values.imds.hopLimit }}"
+        # Enable aggressive IMDS configuration for node replacement scenarios
+        - name: IMDS_AGGRESSIVE_CONFIGURATION
+          value: "{{ .Values.imds.aggressiveConfiguration }}"
         - name: LOG_LEVEL
           value: "{{ .Values.logLevel }}"
         - name: DEFAULT_MTU
@@ -231,7 +274,7 @@ spec:
           mountPath: /host/run
         {{- if .Values.eniManager.dpdk.enabled }}
         - name: dpdk-tools
-          mountPath: /opt/dpdk
+          mountPath: /opt/dpdk-configmap
         - name: sriov-dp-config
           mountPath: /etc/pcidp
         {{- end }}

charts/aws-multi-eni-controller/values.yaml

@@ -5,7 +5,7 @@
 # Image configuration
 image:
   repository: ghcr.io/johnlam90/aws-multi-eni-controller
-  tag: v1.3.5
+  tag: v1.3.8
   pullPolicy: Always
 
 # Namespace to deploy the controller
@@ -14,6 +14,24 @@ namespace: eni-controller-system
 # AWS Region configuration
 awsRegion: us-east-1
 
+# IMDS (Instance Metadata Service) configuration
+imds:
+  # Enable automatic configuration of IMDS hop limit for container compatibility
+  autoConfigureHopLimit: true
+  # Desired hop limit value (2 is recommended for containerized environments)
+  hopLimit: 2
+  # Enable aggressive IMDS configuration for node replacement scenarios
+  # This allows VPC-wide IMDS configuration as a last resort
+  aggressiveConfiguration: true
+
+# Cloud-native authentication configuration
+# This enables automatic node replacement recovery without manual intervention
+cloudNativeAuth:
+  # Enable cloud-native authentication strategies
+  enabled: true
+  # Prefer IRSA (IAM Roles for Service Accounts) over IMDS
+  preferIRSA: true
+
 # Controller configuration
 controller:
   # Maximum number of concurrent ENI cleanup operations
@@ -36,7 +54,7 @@ eniManager:
   # Enable debug logging
   debug: true
   # Pattern to match ENI interfaces
-  eniPattern: "^(eth|ens|eni|en)[0-9]+"
+  eniPattern: "^(eth|ens|eni|en|enX)[0-9]+"
   # Interfaces to ignore
   ignoreInterfaces: "tunl0,gre0,gretap0,erspan0,ip_vti0,ip6_vti0,sit0,ip6tnl0,ip6gre0"
   # Use netlink for interface monitoring
@@ -90,6 +108,9 @@ serviceAccount:
   # If not set and create is true, a name is generated using the fullname template
   name: "eni-controller"
   # Annotations to add to the service account
+  # For IRSA (IAM Roles for Service Accounts), add the role ARN annotation:
+  # annotations:
+  #   eks.amazonaws.com/role-arn: arn:aws:iam::ACCOUNT-ID:role/AWSMultiENIControllerRole
   annotations: {}
 
 # RBAC configuration

deploy/deployment.yaml

@@ -173,20 +173,48 @@ spec:
       #   - "kubernetes"
       containers:
       - name: manager
-        image: johnlam90/aws-multi-eni-controller:v1.3.5
+        image: ghcr.io/johnlam90/aws-multi-eni-controller:v1.3.8
         env:
         - name: COMPONENT
           value: "eni-controller"
         # Users should set this to their preferred AWS region
         # This is a placeholder that should be customized
         - name: AWS_REGION
           value: "us-east-1"
+        # AWS SDK configuration for strict IMDSv2 enforcement
+        # These settings ensure IMDSv2-only operation for enhanced security
+        - name: AWS_EC2_METADATA_DISABLED
+          value: "false"
+        - name: AWS_EC2_METADATA_V1_DISABLED
+          value: "true"
+        - name: AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE
+          value: "IPv4"
+        - name: AWS_EC2_METADATA_SERVICE_ENDPOINT
+          value: "http://169.254.169.254"
+        # Increased timeout and retry configuration for reliable IMDS calls
+        - name: AWS_METADATA_SERVICE_TIMEOUT
+          value: "30"
+        - name: AWS_METADATA_SERVICE_NUM_ATTEMPTS
+          value: "5"
+        # IMDS hop limit auto-configuration
+        - name: IMDS_AUTO_CONFIGURE_HOP_LIMIT
+          value: "true"
+        - name: IMDS_HOP_LIMIT
+          value: "2"
+        # Enable aggressive IMDS configuration for node replacement scenarios
+        - name: IMDS_AGGRESSIVE_CONFIGURATION
+          value: "true"
         # Maximum number of concurrent ENI cleanup operations
         - name: MAX_CONCURRENT_ENI_CLEANUP
           value: "3"
         # Maximum number of concurrent reconciles
         - name: MAX_CONCURRENT_RECONCILES
-          value: "1"
+          value: "5"
+        # Node name for Kubernetes context
+        - name: NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
         # Let Kubernetes handle service discovery automatically
         # - name: KUBERNETES_SERVICE_HOST
         #   value: "172.20.0.1"
@@ -197,8 +225,8 @@ spec:
         - --enable-leader-election
         resources:
           limits:
-            cpu: 100m
-            memory: 128Mi
+            cpu: 500m
+            memory: 512Mi
           requests:
             cpu: 100m
             memory: 128Mi