Update the EFA integration test to create cluster that generates real metrics and tests new EFA metrics #622
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ribute using { ... }.
…t attribute using { ... }.
…t attribute using { ... }.
…ch Observability addon
This reverts commit 4fbf9a1.
…isable KMS key creation
- Create dedicated VPC (10.0.0.0/16) for EFA integration test - Add public subnets (10.0.1.0/24, 10.0.2.0/24) for control plane - Add private subnets (10.0.10.0/24, 10.0.11.0/24) for worker nodes - Configure NAT Gateway for outbound internet access from private subnets - Deploy EKS node group in private subnets for security - Add proper routing tables and security groups
- Change Kubernetes version from 1.33 to 1.31 (has GPU AMI support) - Use AL2_x86_64_GPU AMI type for EFA workloads - Fixes SSM parameter not found error for 1.33 GPU AMI
- Add null_resource validator to run Go tests after EKS deployment - Enable cluster_endpoint_public_access for kubectl and validator access - Validator runs up to 10 attempts with 60s intervals
- Replace node group IAM policy with proper Pod Identity associations - Create dedicated IAM role with CloudWatchAgentServerPolicy - Add Pod Identity associations for cloudwatch-agent and fluent-bit service accounts - Remove unnecessary AWSXRayDaemonWriteAccess policy - Follow AWS recommended approach for EKS addon permissions
movence
reviewed
Nov 21, 2025
terraform/eks/daemon/efa/main.tf
Outdated
| endpoint_public_access = true | ||
| enable_cluster_creator_admin_permissions = true | ||
| # CloudWatch logging - renamed from cluster_enabled_log_types | ||
| enabled_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"] |
Author
There was a problem hiding this comment.
not sure about enabled_log_types or endpoint_public_access, but enable_cluster_creator_admin_permissions is definitely required. i can try a run without enabled_log_types and endpoint_public_access.
Author
There was a problem hiding this comment.
endpoint_public_access is required:
null_resource.kubectl (local-exec): E1121 17:22:06.055143 2841 memcache.go:265] "Unhandled Error" err="couldn't get current server API group list: Get \"https://2e7eb4b9b85c98e6965f6b2f7f4f15aa.gr7.us-west-2.eks.amazonaws.com/api?timeout=32s\": dial tcp 10.0.1.142:443: i/o timeout"
Contributor
There was a problem hiding this comment.
Sure but I was referring to enabled_log_types
… remove unnecessary configs - Use var.k8s_version instead of hardcoded '1.31' - Use var.ami_type instead of hardcoded 'AL2_x86_64_GPU' to support AL2023_x86_64_NVIDIA - Remove endpoint_public_access and enabled_log_types as they are not required - Keep enable_cluster_creator_admin_permissions as it is required for cluster access
This reverts commit 7c75b77.
…o v5 - Add missing AWS provider configuration - Downgrade from AWS provider v6.22.0 to v5.x to avoid tag handling bug - Fixes panic: Value Conversion Error with unknown tag values
otherwise we get ``` null_resource.kubectl (local-exec): E1121 17:22:06.055143 2841 memcache.go:265] "Unhandled Error" err="couldn't get current server API group list: Get \"https://2E...15AA.gr7.us-west-2.eks.amazonaws.com/api?timeout=32s\": dial tcp 10.0.1.142:443: i/o timeout" ```
This reverts commit 494d32c.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Updates the EFA integration test to match the actual metrics being published to CloudWatch.
Previously we mocked the EFA sysfs files, but it didn't work because the mock was incomplete - missing the GID file needed for MAC address lookup and EC2 API calls.
Now, we create an EKS cluster that has EFA enabled and validate those metrics.
Testing
https://github.com/aws/amazon-cloudwatch-agent/actions/runs/19522425520/job/55954299359round 2 testing, incorporating @movence's comments: https://github.com/aws/amazon-cloudwatch-agent/actions/runs/19579639336/job/56074086384
Related
amazon-contributing/opentelemetry-collector-contrib#385
aws/amazon-cloudwatch-agent#1941