VPC CNI creation does not respect the proxy config or HTTP_PROXY environment variable #1191

Open
miadabrin opened this issue Jun 10, 2024 · 2 comments
Labels
impact/usability: Something that impacts users' ability to use the product easily and intuitively
kind/bug: Some behavior is incorrect or out of spec

Comments


miadabrin commented Jun 10, 2024

What happened?

When creating a cluster with the public endpoint disabled and using the proxy variable (and the HTTP_PROXY environment variable) to use a private proxy to access the cluster, the kubectl apply -f command for creating the VPC CNI fails. Here is the error message:

warning: configured Kubernetes cluster is unreachable: unable to load schema information from the API server: Get "https://*****.sk1.ca-central-1.eks.amazonaws.com/openapi/v2?timeout=32s": dial tcp ******:443: i/o timeout
error: configured Kubernetes cluster is unreachable. If the cluster was deleted, you can remove this resource from Pulumi state by rerunning the operation with the PULUMI_K8S_DELETE_UNREACHABLE environment variable set to "true"
error: error validating "/var/folders/m7/5pc_qrhx72g_grd3md7hzftc0000gn/T/tmp-747385hRwjppawMzD.tmp": error validating data: failed to download openapi: Get "https://*****.sk1.ca-central-1.eks.amazonaws.com/openapi/v2?timeout=32s": dial tcp *****:443: i/o timeout; if you choose to ignore these errors, turn validation off with --validate=false

error: Command failed: kubectl apply -f /var/folders/m7/5pc_qrhx72g_grd3md7hzftc0000gn/T/tmp-747385hRwjppawMzD.tmp
error: error validating "/var/folders/m7/5pc_qrhx72g_grd3md7hzftc0000gn/T/tmp-747385hRwjppawMzD.tmp": error validating data: failed to download openapi: Get "https://9FBFDD077550C4CA53ECF87BF123DDB0.sk1.ca-central-1.eks.amazonaws.com/openapi/v2?timeout=32s": dial tcp *****:443: i/o timeout; if you choose to ignore these errors, turn validation off with --validate=false

After reading the code, the issue seems to be because

const manifest = applyVpcCniYaml(<VpcCniInputs>inputs);

env: { ...process.env, KUBECONFIG: tmpKubeconfig.name },

does not pass the correct environment variables (or the ability to do customizations/overrides on the kubeconfig).

Example

const cluster = new eks.Cluster(clusterName, {
		name: clusterName,
		authenticationMode:,
		privateSubnetIds: config.requireObject("eks-private-subnet-ids"),
		publicSubnetIds: config.requireObject("eks-public-subnet-ids"),
		endpointPublicAccess: config.getBoolean("eks-endpoint-public-access"),
		endpointPrivateAccess: true,
		skipDefaultNodeGroup: true,
		createOidcProvider: true,
		version: "1.26",
		vpcId: getEksVpcId(),
		proxy: config.get("eks-proxy"),
		roleMappings: [
			****
		],
		userMappings: config.requireObject("eks-iam-user-mappings"),
		enabledClusterLogTypes: config.requireObject("enabled-cluster-log-types"),
	}, {
		
	});

Output of pulumi about

pulumi about
CLI          
Version      3.119.0
Go Version   go1.22.4
Go Compiler  gc

Plugins
KIND      NAME        VERSION
resource  aws         6.39.0
resource  eks         2.6.0
resource  kubernetes  4.13.1
resource  kubernetes  3.21.4
language  nodejs      unknown

Host     
OS       darwin
Version  14.2.1
Arch     x86_64

This project is written in nodejs: executable='/Users/miadabrin/.nvm/versions/node/v20.10.0/bin/node' version='v20.10.0'

Current Stack: *****

TYPE                                                 URN
*****


Found no pending operations associated with fellowapp/staging

Backend        
Name           pulumi.com
URL            https://app.pulumi.com/miadabrin
User           miadabrin
Organizations  miadabrin, fellowapp
Token type     personal

Dependencies:
NAME                              VERSION
@pulumi/pulumi                    3.119.0
prettier                          2.6.1
lodash                            4.17.21
@types/node                       17.0.23
@typescript-eslint/eslint-plugin  4.33.0
eslint-config-prettier            8.5.0
@pulumi/eks                       v2.6.0
@pulumi/kubernetes                v3.21.4
typescript                        4.6.3
eslint                            7.32.0
ts-dedent                         2.2.0
@pulumi/aws                       6.39.0
@types/lodash                     4.14.182
@typescript-eslint/parser         4.33.0

Pulumi locates its logs in /var/folders/m7/5pc_qrhx72g_grd3md7hzftc0000gn/T/ by default

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
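
The gap described in this issue, as an added example that is not part of the original post and not pulumi-eks code: two ways a wrapper around `kubectl apply` can carry a proxy setting to a private API endpoint. The helper names and host names are hypothetical; the example assumes the `proxy-url` cluster field that kubectl reads from a kubeconfig and the fact that Go-based clients select `HTTPS_PROXY` for `https://` requests.

```typescript
// Added example: hypothetical helpers, not code from pulumi-eks.
type Env = Record<string, string | undefined>;
interface Kubeconfig {
    clusters: { name: string; cluster: { server: string; "proxy-url"?: string } }[];
    [key: string]: unknown;
}

// Environment for a spawned kubectl. The EKS API server URL is https://, and
// Go-based clients such as kubectl pick the proxy variable by request scheme,
// so HTTPS_PROXY has to be set; HTTP_PROXY alone does not cover that request.
function buildKubectlEnv(base: Env, kubeconfigPath: string, proxy?: string): Env {
    const env: Env = { ...base, KUBECONFIG: kubeconfigPath };
    if (proxy) {
        // The explicit cluster `proxy` option overrides inherited values.
        for (const name of ["HTTPS_PROXY", "https_proxy", "HTTP_PROXY", "http_proxy"]) {
            env[name] = proxy;
        }
    }
    return env;
}

// Environment-independent alternative: record the proxy on every cluster entry
// as `proxy-url`, a kubeconfig field that kubectl (client-go) honours.
function withProxyUrl(kubeconfig: Kubeconfig, proxy?: string): Kubeconfig {
    if (!proxy) {
        return kubeconfig;
    }
    const url: string = proxy;
    return {
        ...kubeconfig,
        clusters: kubeconfig.clusters.map((c) => ({
            ...c,
            cluster: { ...c.cluster, "proxy-url": url },
        })),
    };
}

// Proxy URLs may embed credentials; mask the userinfo part before logging.
function redactProxy(proxy: string): string {
    return proxy.replace(/\/\/[^\/@]*@/, "//REDACTED@");
}

// Constructed sample input (placeholder host names, not from the issue).
const sampleKubeconfig: Kubeconfig = {
    apiVersion: "v1",
    clusters: [{ name: "private", cluster: { server: "https://eks.example.internal" } }],
};
const sampleEnv = buildKubectlEnv({ PATH: "/usr/bin" }, "/tmp/kubeconfig", "http://user:pw@proxy.example.internal:3128");
```
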

miadabrin added the kind/bug (Some behavior is incorrect or out of spec) and needs-triage (Needs attention from the triage team) labels Jun 10, 2024
miadabrin changed the title from "VPC CNI creation does not respect the HTTP_PROXY environment variable" to "VPC CNI creation does not respect the proxy config or HTTP_PROXY environment variable" Jun 10, 2024
rquitales added the impact/usability (Something that impacts users' ability to use the product easily and intuitively) label and removed the needs-triage (Needs attention from the triage team) label Jun 13, 2024
@rquitales
Contributor

Thanks for reporting this issue. We're looking into migrating the way we handle management of the VPC CNI addon (tracked by #1132). This should also resolve the issues faced here.

@flostadler
Contributor

The VPC CNI will be managed with EKS addons starting in pulumi-eks v3. This means cluster connectivity will no longer be needed for that.
