edgelesssys / constellation

Constellation is the first Confidential Kubernetes. Constellation shields entire Kubernetes clusters from the (cloud) infrastructure using confidential computing.
GNU Affero General Public License v3.0
929 stars, 48 forks

terraform: Allow nodes to join the cluster when using a jump host by removing the `constellation-uid` tag #3064

Closed 3u13r closed 3 months ago

3u13r commented 3 months ago

Context

May 03 12:39:20 fedora bootstrapper[3378]: {"time":"2024-05-03T12:39:20.374587495Z","level":"ERROR","source":{"function":"github.com/edgelesssys/constellation/v2/bootstrapper/internal/joinclient.(*JoinClient).getControlPlaneIPs","file":"bootstrapper/internal/joinclient/joinclient.go","line":357},"msg":"Failed to list instances from metadata API","bootstrapper":{"join-client":{"error":"retrieving tag for instance i-03976588af8c28747: tag \"constellation-role\" not found"}}}

Proposed change(s)

Note that the jump host is only ever applied when using a load balancer and the debug mode.


netlify[bot] commented 3 months ago

Deploy Preview for constellation-docs canceled.

Latest commit: 0fee1a27183f7be0e4d6ef22613f78319bbb06ac
Latest deploy log: https://app.netlify.com/sites/constellation-docs/deploys/6637683b04b5650008ca7dff
daniel-weisse commented 3 months ago

Wouldn't it make more sense to simply skip over the instance when the tag can't be parsed? Otherwise all instances in the VPC must have the "constellation-role" tag set.

3u13r commented 3 months ago

Otherwise all instances in the VPC must have the "constellation-role" tag set.

This is not true (at least for AWS). All instances which have the same constellation-uid tag set must also have a constellation-role which makes sense. Therefore removing the constellation-uid tag from the jump host.

This also restores the behavior before the change: https://github.com/edgelesssys/constellation/pull/3033
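The exchange above hinges on how the join client selects instances: it does not inspect every instance in the VPC, only those carrying the cluster's constellation-uid tag, and then requires constellation-role on each of them. The following Go program is an added illustration of that lookup, not code from the Constellation repository or the bootstrapper's actual metadata client. The Instance type, the cluster() sample data, the uid value "abc123", the instance IDs and the role value "control-plane" are all constructed assumptions; only the two tag names and the error text come from the thread. The strict flag models both the reported failure and daniel-weisse's proposed alternative of skipping instances whose role tag cannot be read, so the three cases (tagged jump host, untagged jump host, skip-on-missing) can be compared side by side.

```go
package main

import (
	"errors"
	"fmt"
)

// Instance is a constructed stand-in for an EC2 instance (ID, private IP, tags).
// It is not the AWS SDK type the real bootstrapper works with.
type Instance struct {
	ID   string
	IP   string
	Tags map[string]string
}

// Tag names as quoted in the PR discussion.
const (
	tagUID  = "constellation-uid"
	tagRole = "constellation-role"
)

// ErrRoleTagMissing mirrors the error text in the Context log line.
var ErrRoleTagMissing = errors.New("tag \"constellation-role\" not found")

// ControlPlaneIPs models the lookup described in the thread: keep only instances
// whose constellation-uid tag matches this cluster, then read constellation-role
// on each of them. With strict=true an instance that carries the uid tag but no
// role tag aborts the lookup (the failure shown in Context); with strict=false
// such an instance is skipped (the alternative raised in review).
func ControlPlaneIPs(instances []Instance, uid string, strict bool) ([]string, error) {
	var ips []string
	for _, inst := range instances {
		if inst.Tags[tagUID] != uid {
			// Not part of this cluster. Other VMs in the VPC never need a role tag.
			continue
		}
		role, ok := inst.Tags[tagRole]
		if !ok {
			if strict {
				return nil, fmt.Errorf("retrieving tag for instance %s: %w", inst.ID, ErrRoleTagMissing)
			}
			continue
		}
		// Assumed role value for control-plane nodes (hypothetical, not taken from the page).
		if role == "control-plane" {
			ips = append(ips, inst.IP)
		}
	}
	return ips, nil
}

// cluster returns constructed sample data: one control plane, one worker, an
// unrelated VM in the same VPC, and a jump host. jumpHostTagged selects whether
// the jump host still carries the uid tag (before this PR) or not (after it).
func cluster(jumpHostTagged bool) []Instance {
	jump := Instance{ID: "i-jumphost", IP: "10.0.0.250", Tags: map[string]string{"Name": "jump-host"}}
	if jumpHostTagged {
		jump.Tags[tagUID] = "abc123" // uid tag but no role tag: the state that broke joining
	}
	return []Instance{
		{ID: "i-cp0", IP: "10.0.0.10", Tags: map[string]string{tagUID: "abc123", tagRole: "control-plane"}},
		{ID: "i-worker0", IP: "10.0.0.20", Tags: map[string]string{tagUID: "abc123", tagRole: "worker"}},
		{ID: "i-other", IP: "10.0.0.99", Tags: map[string]string{"Name": "unrelated-vm"}},
		jump,
	}
}

func main() {
	// Before the PR: the jump host matches the uid filter but has no role tag.
	_, err := ControlPlaneIPs(cluster(true), "abc123", true)
	fmt.Println("tagged jump host, strict:", err)

	// After the PR: the uid tag is gone from the jump host, so it is never inspected.
	ips, err := ControlPlaneIPs(cluster(false), "abc123", true)
	fmt.Println("untagged jump host, strict:", ips, err)

	// The alternative from review: keep the tag but skip instances without a role.
	ips, err = ControlPlaneIPs(cluster(true), "abc123", false)
	fmt.Println("tagged jump host, skip:", ips, err)
}
```

The unrelated VM is present in every run and never causes an error, which is the point made in the reply: only instances that share the cluster's uid tag must also carry a role tag. Both fixes make the lookup succeed; the PR chooses the one that keeps the role tag mandatory for everything the uid filter returns.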