From fd16a9a24d9384262ffe8b380c93623957c298ad Mon Sep 17 00:00:00 2001
From: Reed Schalo
Date: Wed, 19 Jun 2024 15:51:11 -0700
Subject: [PATCH] feat: Reduce hop token count (#6346)
---
 pkg/apis/crds/karpenter.k8s.aws_ec2nodeclasses.yaml | 4 ++--
 pkg/apis/v1beta1/ec2nodeclass.go | 4 ++--
 pkg/providers/instancetype/suite_test.go | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/pkg/apis/crds/karpenter.k8s.aws_ec2nodeclasses.yaml b/pkg/apis/crds/karpenter.k8s.aws_ec2nodeclasses.yaml
index aec3d01d61d4..f0e4d018cf08 100644
--- a/pkg/apis/crds/karpenter.k8s.aws_ec2nodeclasses.yaml
+++ b/pkg/apis/crds/karpenter.k8s.aws_ec2nodeclasses.yaml
@@ -245,7 +245,7 @@ spec:
 default:
 httpEndpoint: enabled
 httpProtocolIPv6: disabled
- httpPutResponseHopLimit: 2
+ httpPutResponseHopLimit: 1
 httpTokens: required
 description: |-
 MetadataOptions for the generated launch template of provisioned nodes.
@@ -262,7 +262,7 @@ spec:
 (https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node)
 for limiting exposure of Instance Metadata and User Data to pods.
 If omitted, defaults to httpEndpoint enabled, with httpProtocolIPv6
- disabled, with httpPutResponseLimit of 2, and with httpTokens
+ disabled, with httpPutResponseLimit of 1, and with httpTokens
 required.
 properties:
 httpEndpoint:
diff --git a/pkg/apis/v1beta1/ec2nodeclass.go b/pkg/apis/v1beta1/ec2nodeclass.go
index 66a2926b2ced..58b0b67acc34 100644
--- a/pkg/apis/v1beta1/ec2nodeclass.go
+++ b/pkg/apis/v1beta1/ec2nodeclass.go
@@ -108,9 +108,9 @@ type EC2NodeClassSpec struct {
 // (https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node)
 // for limiting exposure of Instance Metadata and User Data to pods.
 // If omitted, defaults to httpEndpoint enabled, with httpProtocolIPv6
- // disabled, with httpPutResponseLimit of 2, and with httpTokens
+ // disabled, with httpPutResponseLimit of 1, and with httpTokens
 // required.
- // +kubebuilder:default={"httpEndpoint":"enabled","httpProtocolIPv6":"disabled","httpPutResponseHopLimit":2,"httpTokens":"required"}
+ // +kubebuilder:default={"httpEndpoint":"enabled","httpProtocolIPv6":"disabled","httpPutResponseHopLimit":1,"httpTokens":"required"}
 // +optional
 MetadataOptions *MetadataOptions `json:"metadataOptions,omitempty"`
 // Context is a Reserved field in EC2 APIs
diff --git a/pkg/providers/instancetype/suite_test.go b/pkg/providers/instancetype/suite_test.go
index 3843909d641a..77b85b79dd8b 100644
--- a/pkg/providers/instancetype/suite_test.go
+++ b/pkg/providers/instancetype/suite_test.go
@@ -2175,7 +2175,7 @@ var _ = Describe("InstanceTypeProvider", func() {
 awsEnv.EC2API.CalledWithCreateLaunchTemplateInput.ForEach(func(ltInput *ec2.CreateLaunchTemplateInput) {
 Expect(*ltInput.LaunchTemplateData.MetadataOptions.HttpEndpoint).To(Equal(ec2.LaunchTemplateInstanceMetadataEndpointStateEnabled))
 Expect(*ltInput.LaunchTemplateData.MetadataOptions.HttpProtocolIpv6).To(Equal(ec2.LaunchTemplateInstanceMetadataProtocolIpv6Disabled))
- Expect(*ltInput.LaunchTemplateData.MetadataOptions.HttpPutResponseHopLimit).To(Equal(int64(2)))
+ Expect(*ltInput.LaunchTemplateData.MetadataOptions.HttpPutResponseHopLimit).To(Equal(int64(1)))
 Expect(*ltInput.LaunchTemplateData.MetadataOptions.HttpTokens).To(Equal(ec2.LaunchTemplateHttpTokensStateRequired))
 })
 })
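Review bot: The added doc line still calls the option `httpPutResponseLimit`, while the `+kubebuilder:default` marker two lines below and the CRD schema use `httpPutResponseHopLimit`; because the CRD description is generated from this comment, the generated hunk at `@@ -262` in karpenter.k8s.aws_ec2nodeclasses.yaml reproduces the same misnomer. Suggest `// disabled, with httpPutResponseHopLimit of 1, and with httpTokens` here and regenerating the CRD. The comment also gives no rationale for the stricter value; a line such as `// A hop limit of 1 keeps IMDS reachable only from the node's own network namespace, so pods with their own network namespace cannot reach it (see the linked best-practice page).` would record why the default changed. Presumably EC2NodeClasses that omit metadataOptions pick up the new default after the CRD upgrade and their launch templates change accordingly, which may surface as drift, so this deserves a release note. The enclosing EC2NodeClassSpec struct starts and ends outside the hunk.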