feat: support setting EKS AuthenticationMode

Author: joshfrench

Dockerfile

@@ -41,11 +41,10 @@ COPY ./ ./
 ARG package=.
 ARG ARCH
 ARG LDFLAGS
-ARG GCFLAGS
 RUN --mount=type=cache,target=/root/.cache/go-build \
     --mount=type=cache,target=/go/pkg/mod \
     --mount=type=cache,target=/root/.local/share/golang \
-    CGO_ENABLED=0 GOOS=linux GOARCH=${ARCH} go build -gcflags "${GCFLAGS}" -ldflags "${LDFLAGS} -extldflags '-static'"  -o manager ${package}
+    CGO_ENABLED=0 GOOS=linux GOARCH=${ARCH} go build -ldflags "${LDFLAGS} -extldflags '-static'"  -o manager ${package}
 ENTRYPOINT [ "/start.sh", "/workspace/manager" ]
 
 # Copy the controller-manager into a thin image

Makefile

@@ -137,9 +137,6 @@ RBAC_ROOT ?= $(MANIFEST_ROOT)/rbac
 # Allow overriding the imagePullPolicy
 PULL_POLICY ?= Always
 
-# Allow overriding the GCFLAGS
-GCFLAGS ?=
-
 # Set build time variables including version details
 LDFLAGS := $(shell source ./hack/version.sh; version::ldflags)
 
@@ -390,12 +387,12 @@ binaries: managers clusterawsadm ## Builds and installs all binaries
 
 .PHONY: clusterawsadm
 clusterawsadm: ## Build clusterawsadm binary
-	go build -gcflags "$(GCFLAGS)" -ldflags "$(LDFLAGS)" -o $(BIN_DIR)/clusterawsadm ./cmd/clusterawsadm
+	go build -ldflags "$(LDFLAGS)" -o $(BIN_DIR)/clusterawsadm ./cmd/clusterawsadm
 
 
 .PHONY: docker-build
 docker-build: docker-pull-prerequisites ## Build the docker image for controller-manager
-	docker build --build-arg ARCH=$(ARCH) --build-arg builder_image=$(GO_CONTAINER_IMAGE) --build-arg GCFLAGS="$(GCFLAGS)" --build-arg LDFLAGS="$(LDFLAGS)" . -t $(CORE_CONTROLLER_IMG)-$(ARCH):$(TAG)
+	docker build --build-arg ARCH=$(ARCH) --build-arg builder_image=$(GO_CONTAINER_IMAGE) --build-arg LDFLAGS="$(LDFLAGS)" . -t $(CORE_CONTROLLER_IMG)-$(ARCH):$(TAG)
 
 .PHONY: docker-build-all ## Build all the architecture docker images
 docker-build-all: $(addprefix docker-build-,$(ALL_ARCH))
@@ -414,7 +411,7 @@ managers: ## Alias for manager-aws-infrastructure
 
 .PHONY: manager-aws-infrastructure
 manager-aws-infrastructure: ## Build manager binary
-	CGO_ENABLED=0 GOARCH=${ARCH} go build -gcflags "${GCFLAGS}" -ldflags "${LDFLAGS} -extldflags '-static'" -o $(BIN_DIR)/manager .
+	CGO_ENABLED=0 GOARCH=${ARCH} go build -ldflags "${LDFLAGS} -extldflags '-static'" -o $(BIN_DIR)/manager .
 
 ##@ test:
 

config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml

@@ -67,21 +67,6 @@ spec:
             description: AWSManagedControlPlaneSpec defines the desired state of an
               Amazon EKS Cluster.
             properties:
-              accessConfig:
-                description: AccessConfig specifies the access configuration information
-                  for the cluster
-                properties:
-                  authenticationMode:
-                    default: CONFIG_MAP
-                    description: |-
-                      AuthenticationMode specifies the desired authentication mode for the cluster
-                      Defaults to CONFIG_MAP
-                    enum:
-                    - CONFIG_MAP
-                    - API
-                    - API_AND_CONFIG_MAP
-                    type: string
-                type: object
               additionalTags:
                 additionalProperties:
                   type: string
@@ -2265,15 +2250,22 @@ spec:
                   for the cluster
                 properties:
                   authenticationMode:
-                    default: CONFIG_MAP
+                    default: config_map
                     description: |-
                       AuthenticationMode specifies the desired authentication mode for the cluster
-                      Defaults to CONFIG_MAP
+                      Defaults to config_map
                     enum:
-                    - CONFIG_MAP
-                    - API
-                    - API_AND_CONFIG_MAP
+                    - config_map
+                    - api
+                    - api_and_config_map
                     type: string
+                  bootstrapClusterCreatorAdminPermissions:
+                    default: true
+                    description: |-
+                      BootstrapClusterCreatorAdminPermissions grants cluster admin permissions
+                      to the IAM identity creating the cluster. Only applied during creation,
+                      ignored when updating existing clusters. Defaults to true.
+                    type: boolean
                 type: object
               additionalTags:
                 additionalProperties:
@@ -3083,7 +3075,7 @@ spec:
                 type: object
               oidcIdentityProviderConfig:
                 description: |-
-                  OIDCIdentityProviderConfig is used to specify the oidc provider config
+                  IdentityProviderconfig is used to specify the oidc provider config
                   to be attached with this eks cluster
                 properties:
                   clientId:

config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanetemplates.yaml

@@ -53,6 +53,28 @@ spec:
                     description: AWSManagedControlPlaneSpec defines the desired state
                       of an Amazon EKS Cluster.
                     properties:
+                      accessConfig:
+                        description: AccessConfig specifies the access configuration
+                          information for the cluster
+                        properties:
+                          authenticationMode:
+                            default: config_map
+                            description: |-
+                              AuthenticationMode specifies the desired authentication mode for the cluster
+                              Defaults to config_map
+                            enum:
+                            - config_map
+                            - api
+                            - api_and_config_map
+                            type: string
+                          bootstrapClusterCreatorAdminPermissions:
+                            default: true
+                            description: |-
+                              BootstrapClusterCreatorAdminPermissions grants cluster admin permissions
+                              to the IAM identity creating the cluster. Only applied during creation,
+                              ignored when updating existing clusters. Defaults to true.
+                            type: boolean
+                        type: object
                       additionalTags:
                         additionalProperties:
                           type: string

controlplane/eks/api/v1beta1/awsmanagedcontrolplane_types.go

@@ -165,10 +165,6 @@ type AWSManagedControlPlaneSpec struct { //nolint: maligned
 	// +optional
 	OIDCIdentityProviderConfig *OIDCIdentityProviderConfig `json:"oidcIdentityProviderConfig,omitempty"`
 
-	// AccessConfig specifies the access configuration information for the cluster
-	// +optional
-	AccessConfig *AccessConfig `json:"accessConfig,omitempty"`
-
 	// DisableVPCCNI indicates that the Amazon VPC CNI should be disabled. With EKS clusters the
 	// Amazon VPC CNI is automatically installed into the cluster. For clusters where you want
 	// to use an alternate CNI this option provides a way to specify that the Amazon VPC CNI
@@ -216,15 +212,6 @@ type EndpointAccess struct {
 	Private *bool `json:"private,omitempty"`
 }
 
-// AccessConfig represents the access configuration information for the cluster
-type AccessConfig struct {
-	// AuthenticationMode specifies the desired authentication mode for the cluster
-	// Defaults to CONFIG_MAP
-	// +kubebuilder:default=CONFIG_MAP
-	// +kubebuilder:validation:Enum=CONFIG_MAP;API;API_AND_CONFIG_MAP
-	AuthenticationMode EKSAuthenticationMode `json:"authenticationMode,omitempty"`
-}
-
 // EncryptionConfig specifies the encryption configuration for the EKS clsuter.
 type EncryptionConfig struct {
 	// Provider specifies the ARN or alias of the CMK (in AWS KMS)

controlplane/eks/api/v1beta1/conversion.go

@@ -117,6 +117,7 @@ func (r *AWSManagedControlPlane) ConvertTo(dstRaw conversion.Hub) error {
 
 	dst.Spec.Partition = restored.Spec.Partition
 	dst.Spec.RestrictPrivateSubnets = restored.Spec.RestrictPrivateSubnets
+	dst.Spec.AccessConfig = restored.Spec.AccessConfig
 	dst.Spec.RolePath = restored.Spec.RolePath
 	dst.Spec.RolePermissionsBoundary = restored.Spec.RolePermissionsBoundary
 	dst.Status.Version = restored.Status.Version

controlplane/eks/api/v1beta1/types.go

@@ -79,21 +79,6 @@ var (
 	EKSTokenMethodAWSCli = EKSTokenMethod("aws-cli")
 )
 
-// EKSAuthenticationMode defines the authentication mode for the cluster
-type EKSAuthenticationMode string
-
-var (
-	// EKSAuthenticationModeConfigMap indicates that only `aws-auth` ConfigMap will be used for authentication
-	EKSAuthenticationModeConfigMap = EKSAuthenticationMode("CONFIG_MAP")
-
-	// EKSAuthenticationModeAPI indicates that only AWS Access Entries will be used for authentication
-	EKSAuthenticationModeAPI = EKSAuthenticationMode("API")
-
-	// EKSAuthenticationModeAPIAndConfigMap indicates that both `aws-auth` ConfigMap and AWS Access Entries will
-	// be used for authentication
-	EKSAuthenticationModeAPIAndConfigMap = EKSAuthenticationMode("API_AND_CONFIG_MAP")
-)
-
 var (
 	// DefaultEKSControlPlaneRole is the name of the default IAM role to use for the EKS control plane
 	// if no other role is supplied in the spec and if iam role creation is not enabled. The default