Update Our K8s nodes to use IMDSv2

[ben851]

Description

As an operator of GC Notify I want our K8s nodes to run on IMDSv2 to ensure that the system is free of tech debt while also increasing security and reliability.

WHY are we building?

AWS will be deprecating IMDSv1 mid 2024, and will force us to move to IMDSv2. It would be best to do this before then to ensure there are no issues in migration.

This will increase security and has been recommended to us by the AWS TAM for the last two years or so.

WHAT are we building?

Creating EC2 launch template with IMDSv2 enabled in Terraform, and reference that in the EKS cluster (Pat has been working on this) Modifying the log pipelines in fluent bit to use IMDSv2 (Will need to be coordinated with release of the above) Modifying Karpenter to either use IMDSv2 or the launch template from terraform (Will also need to be coordinated with above)

VALUE created by our solution

Maintenance, Security, reliability, tech debt reduction.

Acceptance Criteria

• [ ] K8s is running on IMDSv2
• [ ] Karpenter is using IMDSv2
• [ ] Fluent Bit pipelines have been updated to IMDSv2

QA Steps

• [ ] Smoke tests pass with both spot and on demand instance
• [ ] Logs are still logging
• [ ] Performance test in staging

[jimleroyer]

Closing this one in favor of duplicate #246