-
Bug
-
Resolution: Fixed
-
Minor
-
None
-
Master: Docker jenkins:2.176.2 running in Kubernetes, Workers: CentOS EC2 w/ Docker 18.09.6 and OpenJDK 8, EC2 plugin version: 1.43
-
-
ec-2.46
Issue
When configuring agent templates for the EC2 plugin, if you choose subnet(s) that have "Auto-assign public IPv4 address" enabled (on the AWS side), then agents will be launched with a public IPv4 address whether "Associate Public IP" is enabled in Jenkins or not. I am not sure if this is the intended behavior of the plugin, but I would like a way to be able to not assign a public IP, even if I've chosen a subnet with this setting enabled.
Observed/expected behavior
Given a subnet with "Auto-assign public IPv4 address" enabled in AWS but "Associate Public IP" disabled in Jenkins:
- Observed: Agent launches with public IP
- Expected: Agent launches without public IP
How to reproduce
In an agent template:
- Use a subnet that has "Auto-assign public IPv4 address" enabled in AWS
- Ensure "Associate Public IP" is unchecked
- Launch an agent using the template
- Check EC2 instance in the AWS console or other method
- Instance will have a public IPv4 address and public DNS
Workaround
This issue unsurprisingly does not occur when using a subnet that has "Auto-assign public IPv4 address" disabled. We are doing this as a workaround for now. The subnets I eventually wish to use happen to have this flag enabled (for other purposes), but for Jenkins I'd like to be able to use these subnets while not assigning public IPs to agents.
Possible fix
Based on some digging through the code, I believe the possible culprits are here for on-demand instances and here for spot instances, namely:
if (getAssociatePublicIp()) { net.setAssociatePublicIpAddress(true); net.setDeviceIndex(0); riRequest.withNetworkInterfaces(net); }
Here, if associatePublicIp is true, then true will be passed to the network interface. However, if associatePublicIp is false, then it is likely instead defaulting to whatever is set on the subnet. Given this, I would propose something like the following:
For "Associate Public IP", utilize a drop-down menu similar to the one in the AWS console itself, which has three options: Use subnet setting (default), Yes, and No. When "No" is selected, explicitly pass in false. Perhaps use an enum for this, similar to ConnectionStrategy.