Merge pull request #29 from zama-ai/ghislain/fix/mpc-node-pool

fix(mpc-party): remove node taint configuration

Author: maxnovawind

examples/mpc-party/main.tf

@@ -61,7 +61,6 @@ module "mpc_party" {
   nodegroup_enable_remote_access = var.nodegroup_enable_remote_access
   nodegroup_ec2_ssh_key          = var.nodegroup_ec2_ssh_key
   nodegroup_labels               = var.nodegroup_labels
-  nodegroup_taints               = var.nodegroup_taints
 
   kms_image_attestation_sha                = var.kms_image_attestation_sha
   kms_deletion_window_in_days              = var.kms_deletion_window_in_days

examples/mpc-party/terraform.tfvars.example

@@ -56,7 +56,6 @@ nodegroup_ami_release_version = "1.32.3-20250620"
 nodegroup_labels = {
   "nodepool" = "kms"
 }
-nodegroup_taints                        = {}
 nodegroup_additional_security_group_ids = ["sg-04e41735e6bdc6007"]
 nodegroup_enable_nitro_enclaves         = true
 nodegroup_enable_ssm_managed_instance   = true

examples/mpc-party/variables.tf

@@ -230,22 +230,6 @@ variable "nitro_enclaves_override_memory_mib" {
   default     = null
 }
 
-variable "nodegroup_taints" {
-  description = "Taints for the nodegroup"
-  type = map(object({
-    key    = string
-    value  = string
-    effect = string
-  }))
-  default = {
-    dedicated = {
-      key    = "kms_dedicated"
-      value  = "true"
-      effect = "NO_SCHEDULE"
-    }
-  }
-}
-
 variable "nodegroup_additional_security_group_ids" {
   description = "List of additional security group IDs to associate with the node group"
   type        = list(string)

modules/mpc-party/README.md

@@ -166,14 +166,6 @@ module "mpc_party" {
     "environment" = "production"
   }
   
-  nodegroup_taints = {
-    "mpc-dedicated" = {
-      key    = "mpc.io/dedicated"
-      value  = "true"
-      effect = "NO_SCHEDULE"
-    }
-  }
-
   # Nitro Enclaves Configuration
   nodegroup_enable_nitro_enclaves = true
   kms_enabled_nitro_enclaves      = true
@@ -386,7 +378,6 @@ The module can optionally create:
 | <a name="input_nodegroup_nitro_enclaves_image_repo"></a> [nodegroup\_nitro\_enclaves\_image\_repo](#input\_nodegroup\_nitro\_enclaves\_image\_repo) | Image repository for Nitro Enclaves | `string` | `"public.ecr.aws/aws-nitro-enclaves/aws-nitro-enclaves-k8s-device-plugin"` | no |
 | <a name="input_nodegroup_nitro_enclaves_image_tag"></a> [nodegroup\_nitro\_enclaves\_image\_tag](#input\_nodegroup\_nitro\_enclaves\_image\_tag) | Image tag for Nitro Enclaves | `string` | `"v0.3"` | no |
 | <a name="input_nodegroup_source_security_group_ids"></a> [nodegroup\_source\_security\_group\_ids](#input\_nodegroup\_source\_security\_group\_ids) | List of security group IDs allowed for remote access | `list(string)` | `[]` | no |
-| <a name="input_nodegroup_taints"></a> [nodegroup\_taints](#input\_nodegroup\_taints) | Map of Kubernetes taints to apply to the node group | <pre>map(object({<br/>    key    = string<br/>    value  = string<br/>    effect = string<br/>  }))</pre> | `{}` | no |
 | <a name="input_nodegroup_use_custom_launch_template"></a> [nodegroup\_use\_custom\_launch\_template](#input\_nodegroup\_use\_custom\_launch\_template) | Whether to use a custom launch template | `bool` | `true` | no |
 | <a name="input_nodegroup_use_latest_ami_release_version"></a> [nodegroup\_use\_latest\_ami\_release\_version](#input\_nodegroup\_use\_latest\_ami\_release\_version) | Whether to use the latest AMI release version | `bool` | `false` | no |
 | <a name="input_party_name"></a> [party\_name](#input\_party\_name) | The name of the MPC party (used for resource naming and tagging) | `string` | n/a | yes |
@@ -443,6 +434,7 @@ The module can optionally create:
 | <a name="output_irsa_summary"></a> [irsa\_summary](#output\_irsa\_summary) | Summary of the IRSA role for MPC party |
 | <a name="output_k8s_configmap_summary"></a> [k8s\_configmap\_summary](#output\_k8s\_configmap\_summary) | Summary of the Kubernetes ConfigMap for MPC party |
 | <a name="output_k8s_service_account_summary"></a> [k8s\_service\_account\_summary](#output\_k8s\_service\_account\_summary) | Summary of the Kubernetes service account for MPC party |
+| <a name="output_node_group_tolerations"></a> [node\_group\_tolerations](#output\_node\_group\_tolerations) | Kubernetes tolerations derived from EKS node group taints |
 | <a name="output_party_name"></a> [party\_name](#output\_party\_name) | Name of the MPC party |
 | <a name="output_rds_summary"></a> [rds\_summary](#output\_rds\_summary) | Aggregated RDS database information |
 | <a name="output_vault_bucket_storage_summary"></a> [vault\_bucket\_storage\_summary](#output\_vault\_bucket\_storage\_summary) | Summary of the vault buckets public and private storage |

modules/mpc-party/main.tf

@@ -50,6 +50,16 @@ locals {
   node_group_nitro_enclaves_memory_mib = var.nitro_enclaves_override_memory_mib != null ? var.nitro_enclaves_override_memory_mib : floor(data.aws_ec2_instance_type.this[0].memory_size * 0.75)
   private_bucket_name                  = "${var.bucket_prefix}-private-${random_id.mpc_party_suffix.hex}"
   public_bucket_name                   = "${var.bucket_prefix}-public-${random_id.mpc_party_suffix.hex}"
+
+  # Transform EKS node group taints into Kubernetes tolerations
+  node_group_tolerations = var.create_nodegroup ? [
+    for taint_key, taint_config in module.eks_managed_node_group[0].node_group_taints : {
+      key      = taint_config.key
+      operator = "Equal"
+      value    = taint_config.value
+      effect   = taint_config.effect == "NO_SCHEDULE" ? "NoSchedule" : taint_config.effect == "NO_EXECUTE" ? "NoExecute" : "PreferNoSchedule"
+    }
+  ] : []
 }
 
 # Create Kubernetes namespace (optional)
@@ -447,18 +457,18 @@ module "eks_managed_node_group" {
     source_security_group_ids = var.nodegroup_source_security_group_ids
   } : null
 
-  # Labels and Taints
+  # Labels
   labels = merge(var.nodegroup_labels, local.node_group_nitro_enclaves_enabled ? {
     "node.kubernetes.io/enclave-enabled" = "true"
   } : {})
 
-  taints = merge(var.nodegroup_taints, local.node_group_nitro_enclaves_enabled ? {
+  taints = local.node_group_nitro_enclaves_enabled ? {
     "aws-nitro-enclaves" = {
       key    = "node.kubernetes.io/enclave-enabled"
       value  = "true"
       effect = "NO_SCHEDULE"
     }
-  } : {})
+  } : {}
 
   # Tags
   tags = var.tags
@@ -559,13 +569,15 @@ resource "kubernetes_daemon_set_v1" "aws_nitro_enclaves_device_plugin" {
           host_path { path = "/sys" }
         }
 
-        toleration {
-          key      = "node.kubernetes.io/enclave-enabled"
-          operator = "Equal"
-          value    = "true"
-          effect   = "NoSchedule"
+        dynamic "toleration" {
+          for_each = local.node_group_tolerations
+          content {
+            key      = toleration.value.key
+            operator = toleration.value.operator
+            value    = toleration.value.value
+            effect   = toleration.value.effect
+          }
         }
-
       }
     }
   }

modules/mpc-party/outputs.tf

@@ -88,4 +88,10 @@ output "rds_summary" {
     password = null
     enabled  = false
   }
+}
+
+# Node Group Tolerations
+output "node_group_tolerations" {
+  description = "Kubernetes tolerations derived from EKS node group taints"
+  value       = local.node_group_tolerations
 }

modules/mpc-party/variables.tf

@@ -257,23 +257,13 @@ variable "nodegroup_additional_security_group_ids" {
   default     = []
 }
 
-# Labels and Taints
+# Labels
 variable "nodegroup_labels" {
   type        = map(string)
   description = "Key-value map of Kubernetes labels applied to the node group"
   default     = {}
 }
 
-variable "nodegroup_taints" {
-  type = map(object({
-    key    = string
-    value  = string
-    effect = string
-  }))
-  description = "Map of Kubernetes taints to apply to the node group"
-  default     = {}
-}
-
 # Nitro Enclaves Configuration
 variable "nitro_enclaves_override_cpu_count" {
   type        = number