feat: support setting EKS AuthenticationMode

Author: adammw

config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml

@@ -2102,6 +2102,21 @@ spec:
             description: AWSManagedControlPlaneSpec defines the desired state of an
               Amazon EKS Cluster.
             properties:
+              accessConfig:
+                description: AccessConfig specifies the access configuration information
+                  for the cluster
+                properties:
+                  authenticationMode:
+                    default: CONFIG_MAP
+                    description: |-
+                      AuthenticationMode specifies the desired authentication mode for the cluster
+                      Defaults to CONFIG_MAP
+                    enum:
+                    - CONFIG_MAP
+                    - API
+                    - API_AND_CONFIG_MAP
+                    type: string
+                type: object
               additionalTags:
                 additionalProperties:
                   type: string
@@ -2825,7 +2840,7 @@ spec:
                 type: object
               oidcIdentityProviderConfig:
                 description: |-
-                  IdentityProviderconfig is used to specify the oidc provider config
+                  OIDCIdentityProviderConfig is used to specify the oidc provider config
                   to be attached with this eks cluster
                 properties:
                   clientId:

controlplane/eks/api/v1beta1/zz_generated.conversion.go

@@ -164,11 +164,15 @@ type AWSManagedControlPlaneSpec struct { //nolint: maligned
 	// +optional
 	Addons *[]Addon `json:"addons,omitempty"`
 
-	// IdentityProviderconfig is used to specify the oidc provider config
+	// OIDCIdentityProviderConfig is used to specify the oidc provider config
 	// to be attached with this eks cluster
 	// +optional
 	OIDCIdentityProviderConfig *OIDCIdentityProviderConfig `json:"oidcIdentityProviderConfig,omitempty"`
 
+	// AccessConfig specifies the access configuration information for the cluster
+	// +optional
+	AccessConfig *AccessConfig `json:"accessConfig,omitempty"`
+
 	// VpcCni is used to set configuration options for the VPC CNI plugin
 	// +optional
 	VpcCni VpcCni `json:"vpcCni,omitempty"`
@@ -219,6 +223,15 @@ type EndpointAccess struct {
 	Private *bool `json:"private,omitempty"`
 }
 
+// AccessConfig represents the access configuration information for the cluster
+type AccessConfig struct {
+	// AuthenticationMode specifies the desired authentication mode for the cluster
+	// Defaults to CONFIG_MAP
+	// +kubebuilder:default=CONFIG_MAP
+	// +kubebuilder:validation:Enum=CONFIG_MAP;API;API_AND_CONFIG_MAP
+	AuthenticationMode EKSAuthenticationMode `json:"authenticationMode,omitempty"`
+}
+
 // EncryptionConfig specifies the encryption configuration for the EKS clsuter.
 type EncryptionConfig struct {
 	// Provider specifies the ARN or alias of the CMK (in AWS KMS)

controlplane/eks/api/v1beta2/awsmanagedcontrolplane_types.go

@@ -79,6 +79,21 @@ var (
 	EKSTokenMethodAWSCli = EKSTokenMethod("aws-cli")
 )
 
+// EKSAuthenticationMode defines the authentication mode for the cluster
+type EKSAuthenticationMode string
+
+var (
+	// EKSAuthenticationModeConfigMap indicates that only `aws-auth` ConfigMap will be used for authentication
+	EKSAuthenticationModeConfigMap = EKSAuthenticationMode("CONFIG_MAP")
+
+	// EKSAuthenticationModeApi indicates that only AWS Access Entries will be used for authentication
+	EKSAuthenticationModeApi = EKSAuthenticationMode("API")
+
+	// EKSAuthenticationModeApiAndConfigMap indicates that both `aws-auth` ConfigMap and AWS Access Entries will
+	// be used for authentication
+	EKSAuthenticationModeApiAndConfigMap = EKSAuthenticationMode("API_AND_CONFIG_MAP")
+)
+
 var (
 	// DefaultEKSControlPlaneRole is the name of the default IAM role to use for the EKS control plane
 	// if no other role is supplied in the spec and if iam role creation is not enabled. The default

controlplane/eks/api/v1beta2/types.go

@@ -121,6 +121,10 @@ func (s *Service) reconcileCluster(ctx context.Context) error {
 		return errors.Wrap(err, "failed reconciling cluster config")
 	}
 
+	if err := s.reconcileAccessConfig(cluster.AccessConfig); err != nil {
+		return errors.Wrap(err, "failed reconciling access config")
+	}
+
 	if err := s.reconcileLogging(cluster.Logging); err != nil {
 		return errors.Wrap(err, "failed reconciling logging")
 	}
@@ -375,6 +379,13 @@ func (s *Service) createCluster(eksClusterName string) (*eks.Cluster, error) {
 		return nil, errors.Wrap(err, "couldn't create vpc config for cluster")
 	}
 
+	var accessConfig *eks.CreateAccessConfigRequest
+	if s.scope.ControlPlane.Spec.AccessConfig != nil && s.scope.ControlPlane.Spec.AccessConfig.AuthenticationMode != "" {
+		accessConfig = &eks.CreateAccessConfigRequest{
+			AuthenticationMode: aws.String(string(s.scope.ControlPlane.Spec.AccessConfig.AuthenticationMode)),
+		}
+	}
+
 	var netConfig *eks.KubernetesNetworkConfigRequest
 	if s.scope.VPC().IsIPv6Enabled() {
 		netConfig = &eks.KubernetesNetworkConfigRequest{
@@ -416,13 +427,18 @@ func (s *Service) createCluster(eksClusterName string) (*eks.Cluster, error) {
 		Name:                    aws.String(eksClusterName),
 		Version:                 eksVersion,
 		Logging:                 logging,
+		AccessConfig:            accessConfig,
 		EncryptionConfig:        encryptionConfigs,
 		ResourcesVpcConfig:      vpcConfig,
 		RoleArn:                 role.Arn,
 		Tags:                    tags,
 		KubernetesNetworkConfig: netConfig,
 	}
 
+	if err := input.Validate(); err != nil {
+		return nil, errors.Wrap(err, "created invalid CreateClusterInput")
+	}
+
 	var out *eks.CreateClusterOutput
 	if err := wait.WaitForWithRetryable(wait.NewBackoff(), func() (bool, error) {
 		if out, err = s.EKSClient.CreateCluster(input); err != nil {
@@ -501,6 +517,44 @@ func (s *Service) reconcileClusterConfig(cluster *eks.Cluster) error {
 	return nil
 }
 
+func (s *Service) reconcileAccessConfig(accessConfig *eks.AccessConfigResponse) error {
+	input := eks.UpdateClusterConfigInput{Name: aws.String(s.scope.KubernetesClusterName())}
+
+	if s.scope.ControlPlane.Spec.AccessConfig == nil || s.scope.ControlPlane.Spec.AccessConfig.AuthenticationMode == "" {
+		return nil
+	}
+
+	expectedAuthenticationMode := string(s.scope.ControlPlane.Spec.AccessConfig.AuthenticationMode)
+	if expectedAuthenticationMode != aws.StringValue(accessConfig.AuthenticationMode) {
+		input.AccessConfig = &eks.UpdateAccessConfigRequest{
+			AuthenticationMode: aws.String(expectedAuthenticationMode),
+		}
+	}
+
+	if input.AccessConfig != nil {
+		if err := input.Validate(); err != nil {
+			return errors.Wrap(err, "created invalid UpdateClusterConfigInput")
+		}
+
+		if err := wait.WaitForWithRetryable(wait.NewBackoff(), func() (bool, error) {
+			if _, err := s.EKSClient.UpdateClusterConfig(&input); err != nil {
+				if aerr, ok := err.(awserr.Error); ok {
+					return false, aerr
+				}
+				return false, err
+			}
+			conditions.MarkTrue(s.scope.ControlPlane, ekscontrolplanev1.EKSControlPlaneUpdatingCondition)
+			record.Eventf(s.scope.ControlPlane, "InitiatedUpdateEKSControlPlane", "Initiated auth config update for EKS control plane %s", s.scope.KubernetesClusterName())
+			return true, nil
+		}); err != nil {
+			record.Warnf(s.scope.ControlPlane, "FailedUpdateEKSControlPlane", "Failed to update EKS control plane auth config: %v", err)
+			return errors.Wrapf(err, "failed to update EKS cluster")
+		}
+	}
+
+	return nil
+}
+
 func (s *Service) reconcileLogging(logging *eks.Logging) error {
 	input := eks.UpdateClusterConfigInput{Name: aws.String(s.scope.KubernetesClusterName())}