Add e2e tests for access config bootstrap cluster admin permissions

Author: joshfrench

test/e2e/data/e2e_eks_conf.yaml

@@ -118,6 +118,8 @@ providers:
         targetName: "cluster-template-eks-control-plane-bare-eks.yaml"
       - sourcePath: "./eks/cluster-template-eks-auth-api-and-config-map.yaml"
         targetName: "cluster-template-eks-auth-api-and-config-map.yaml"
+      - sourcePath: "./eks/cluster-template-eks-auth-bootstrap-disabled.yaml"
+        targetName: "cluster-template-eks-auth-bootstrap-disabled.yaml"
       - sourcePath: "./infrastructure-aws/withclusterclass/kustomize_sources/eks-clusterclass/clusterclass-eks-e2e.yaml"
       - sourcePath: "./infrastructure-aws/withclusterclass/generated/cluster-template-eks-clusterclass.yaml"
 

test/e2e/data/eks/cluster-template-eks-auth-bootstrap-disabled.yaml

@@ -0,0 +1,37 @@
+---
+apiVersion: cluster.x-k8s.io/v1beta1
+kind: Cluster
+metadata:
+  name: "${CLUSTER_NAME}"
+spec:
+  clusterNetwork:
+    pods:
+      cidrBlocks: ["192.168.0.0/16"]
+  infrastructureRef:
+    kind: AWSManagedCluster
+    apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
+    name: "${CLUSTER_NAME}"
+  controlPlaneRef:
+    kind: AWSManagedControlPlane
+    apiVersion: controlplane.cluster.x-k8s.io/v1beta2
+    name: "${CLUSTER_NAME}-control-plane"
+---
+kind: AWSManagedCluster
+apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
+metadata:
+  name: "${CLUSTER_NAME}"
+spec: {}
+---
+kind: AWSManagedControlPlane
+apiVersion: controlplane.cluster.x-k8s.io/v1beta2
+metadata:
+  name: "${CLUSTER_NAME}-control-plane"
+spec:
+  region: "${AWS_REGION}"
+  sshKeyName: "${AWS_SSH_KEY_NAME}"
+  version: "${KUBERNETES_VERSION}"
+  accessConfig:
+    bootstrapClusterCreatorAdminPermissions: false
+  identityRef:
+    kind: AWSClusterStaticIdentity
+    name: e2e-account

test/e2e/suites/managed/eks_auth_test.go

@@ -77,6 +77,9 @@ var _ = ginkgo.Describe("[managed] [auth] EKS authentication mode tests", func()
 		ginkgo.By("verifying cluster has the correct authentication mode")
 		verifyClusterAuthenticationMode(ctx, eksClusterName, ekstypes.AuthenticationModeApiAndConfigMap, e2eCtx.BootstrapUserAWSSessionV2)
 
+		ginkgo.By("verifying cluster has default bootstrap permissions")
+		verifyClusterBootstrapPermissions(ctx, eksClusterName, true, e2eCtx.BootstrapUserAWSSessionV2)
+
 		ginkgo.By("attempting to downgrade from api_and_config_map to config_map should fail")
 		controlPlaneName := fmt.Sprintf("%s-control-plane", clusterName)
 		controlPlane := &ekscontrolplanev1.AWSManagedControlPlane{}
@@ -130,5 +133,56 @@ var _ = ginkgo.Describe("[managed] [auth] EKS authentication mode tests", func()
 			ArtifactFolder:       e2eCtx.Settings.ArtifactFolder,
 		}, e2eCtx.E2EConfig.GetIntervals("", "wait-delete-cluster")...)
 	})
-})
 
+	shared.ConditionalIt(runGeneralTests, "should create a cluster with bootstrapClusterCreatorAdminPermissions disabled", func() {
+		ginkgo.By("should have a valid test configuration")
+		Expect(e2eCtx.Environment.BootstrapClusterProxy).ToNot(BeNil(), "Invalid argument. BootstrapClusterProxy can't be nil")
+		Expect(e2eCtx.E2EConfig).ToNot(BeNil(), "Invalid argument. e2eConfig can't be nil when calling bootstrap spec")
+		Expect(e2eCtx.E2EConfig.Variables).To(HaveKey(shared.KubernetesVersion))
+
+		ctx = context.TODO()
+		namespace = shared.SetupSpecNamespace(ctx, "bootstrap", e2eCtx)
+		clusterName = fmt.Sprintf("bootstrap-%s", util.RandomString(6))
+		eksClusterName := getEKSClusterName(namespace.Name, clusterName)
+
+		ginkgo.By("should create an EKS control plane with bootstrapClusterCreatorAdminPermissions disabled")
+		ManagedClusterSpec(ctx, func() ManagedClusterSpecInput {
+			return ManagedClusterSpecInput{
+				E2EConfig:                e2eCtx.E2EConfig,
+				ConfigClusterFn:          defaultConfigCluster,
+				BootstrapClusterProxy:    e2eCtx.Environment.BootstrapClusterProxy,
+				AWSSession:               e2eCtx.BootstrapUserAWSSession,
+				AWSSessionV2:             e2eCtx.BootstrapUserAWSSessionV2,
+				Namespace:                namespace,
+				ClusterName:              clusterName,
+				Flavour:                  EKSAuthBootstrapDisabledFlavor,
+				ControlPlaneMachineCount: 1,
+				WorkerMachineCount:       0,
+			}
+		})
+
+		ginkgo.By("EKS cluster should be active")
+		verifyClusterActiveAndOwned(ctx, eksClusterName, e2eCtx.BootstrapUserAWSSessionV2)
+
+		ginkgo.By("verifying cluster has bootstrap permissions disabled")
+		verifyClusterBootstrapPermissions(ctx, eksClusterName, false, e2eCtx.BootstrapUserAWSSessionV2)
+
+		cluster := framework.GetClusterByName(ctx, framework.GetClusterByNameInput{
+			Getter:    e2eCtx.Environment.BootstrapClusterProxy.GetClient(),
+			Namespace: namespace.Name,
+			Name:      clusterName,
+		})
+		Expect(cluster).NotTo(BeNil(), "couldn't find CAPI cluster")
+
+		framework.DeleteCluster(ctx, framework.DeleteClusterInput{
+			Deleter: e2eCtx.Environment.BootstrapClusterProxy.GetClient(),
+			Cluster: cluster,
+		})
+		framework.WaitForClusterDeleted(ctx, framework.WaitForClusterDeletedInput{
+			ClusterProxy:         e2eCtx.Environment.BootstrapClusterProxy,
+			Cluster:              cluster,
+			ClusterctlConfigPath: e2eCtx.Environment.ClusterctlConfigPath,
+			ArtifactFolder:       e2eCtx.Settings.ArtifactFolder,
+		}, e2eCtx.E2EConfig.GetIntervals("", "wait-delete-cluster")...)
+	})
+})

test/e2e/suites/managed/helpers.go

@@ -51,6 +51,7 @@ const (
 	EKSControlPlaneOnlyLegacyFlavor                   = "eks-control-plane-only-legacy"
 	EKSClusterClassFlavor                             = "eks-clusterclass"
 	EKSAuthAPIAndConfigMapFlavor                      = "eks-auth-api-and-config-map"
+	EKSAuthBootstrapDisabledFlavor                    = "eks-auth-bootstrap-disabled"
 )
 
 const (
@@ -122,6 +123,22 @@ func verifyClusterAuthenticationMode(ctx context.Context, eksClusterName string,
 		fmt.Sprintf("expecting authentication mode to be %s, got %s", expectedAuthMode, cluster.AccessConfig.AuthenticationMode))
 }
 
+func verifyClusterBootstrapPermissions(ctx context.Context, eksClusterName string, expectedBootstrapPermissions bool, sess *aws.Config) {
+	var (
+		cluster *ekstypes.Cluster
+		err     error
+	)
+	Eventually(func() error {
+		cluster, err = getEKSCluster(ctx, eksClusterName, sess)
+		return err
+	}, clientRequestTimeout, clientRequestCheckInterval).Should(Succeed(), fmt.Sprintf("eventually failed trying to get EKS Cluster %q", eksClusterName))
+
+	Expect(cluster.AccessConfig).ToNot(BeNil(), "expecting AccessConfig to be set on the cluster")
+	Expect(cluster.AccessConfig.BootstrapClusterCreatorAdminPermissions).ToNot(BeNil(), "expecting BootstrapClusterCreatorAdminPermissions to be set")
+	Expect(*cluster.AccessConfig.BootstrapClusterCreatorAdminPermissions).To(Equal(expectedBootstrapPermissions),
+		fmt.Sprintf("expecting bootstrap cluster creator admin permissions to be %t, got %t", expectedBootstrapPermissions, *cluster.AccessConfig.BootstrapClusterCreatorAdminPermissions))
+}
+
 func getEKSClusterAddon(ctx context.Context, eksClusterName, addonName string, sess *aws.Config) (*ekstypes.Addon, error) {
 	eksClient := eks.NewFromConfig(*sess)