Enable enclave options in EC2 Launch Template (#8349)

Author: tarikdem

pkg/apis/eksctl.io/v1alpha5/assets/schema.json

@@ -1840,6 +1840,11 @@
           "description": "Enable EC2 detailed monitoring",
           "x-intellij-html-description": "Enable EC2 detailed monitoring"
         },
+        "enclaveEnabled": {
+          "type": "boolean",
+          "description": "determines if the EC2 instance will be Nitro enclave enabled",
+          "x-intellij-html-description": "determines if the EC2 instance will be Nitro enclave enabled"
+        },
         "iam": {
           "$ref": "#/definitions/NodeGroupIAM"
         },
@@ -2068,7 +2073,8 @@
         "kubeletExtraConfig",
         "containerRuntime",
         "maxInstanceLifetime",
-        "localZones"
+        "localZones",
+        "enclaveEnabled"
       ],
       "additionalProperties": false,
       "description": "holds configuration attributes that are specific to an unmanaged nodegroup",

pkg/apis/eksctl.io/v1alpha5/types.go

@@ -1332,6 +1332,10 @@ type NodeGroup struct {
 	// The cluster should have been created with all of the local zones specified in this field.
 	// +optional
 	LocalZones []string `json:"localZones,omitempty"`
+
+	// EnclaveEnabled determines if the EC2 instance will be Nitro enclave enabled
+	// +optional
+	EnclaveEnabled *bool `json:"enclaveEnabled,omitempty"`
 }
 
 // GetContainerRuntime returns the container runtime.

pkg/cfn/builder/fakes/fake_cfn_template.go

@@ -168,6 +168,9 @@ type LaunchTemplateData struct {
 	CreditSpecification *struct {
 		CPUCredits string
 	}
+	EnclaveOptions *struct {
+		Enabled *bool
+	}
 	MetadataOptions                  MetadataOptions
 	TagSpecifications                []TagSpecification
 	Placement                        Placement

pkg/cfn/builder/nodegroup.go

@@ -461,6 +461,12 @@ func newLaunchTemplateData(ctx context.Context, n *NodeGroupResourceSet) (*gfnec
 		TagSpecifications: makeTags(ng.NodeGroupBase, n.options.ClusterConfig.Metadata),
 	}
 
+	if ng.EnclaveEnabled != nil {
+		launchTemplateData.EnclaveOptions = &gfnec2.LaunchTemplate_EnclaveOptions{
+			Enabled: gfnt.NewBoolean(*ng.EnclaveEnabled),
+		}
+	}
+
 	if ng.CapacityReservation != nil {
 		valueOrNil := func(value *string) *gfnt.Value {
 			if value != nil {

pkg/cfn/builder/nodegroup_test.go

@@ -1354,6 +1354,17 @@ var _ = Describe("Unmanaged NodeGroup Template Builder", func() {
 					Expect(ngTemplate.Resources).NotTo(HaveKey("EgressInterClusterAPI"))
 				})
 			})
+
+			Context("ng.EnclaveEnabled is set", func() {
+				BeforeEach(func() {
+					ng.EnclaveEnabled = aws.Bool(true)
+				})
+
+				It("enables the value on the launch template", func() {
+					properties := ngTemplate.Resources["NodeGroupLaunchTemplate"].Properties
+					Expect(properties.LaunchTemplateData.EnclaveOptions.Enabled).To(Equal(aws.Bool(true)))
+				})
+			})
 		})
 	})