Enforce authenticationMode:CONFIG_MAP on Outposts (#7699)

TiberiuGC · web-flow · commit 66d1a5efde1e · 2024-04-04T17:20:55.000Z
Make authenticationMode:CONFIG_MAP default on Outposts
diff --git a/pkg/apis/eksctl.io/v1alpha5/defaults.go b/pkg/apis/eksctl.io/v1alpha5/defaults.go
@@ -56,10 +56,10 @@ func SetClusterConfigDefaults(cfg *ClusterConfig) {
 
 	if cfg.AccessConfig == nil {
 		cfg.AccessConfig = &AccessConfig{
-			AuthenticationMode: ekstypes.AuthenticationModeApiAndConfigMap,
+			AuthenticationMode: getDefaultAuthenticationMode(cfg.IsControlPlaneOnOutposts()),
 		}
 	} else if cfg.AccessConfig.AuthenticationMode == "" {
-		cfg.AccessConfig.AuthenticationMode = ekstypes.AuthenticationModeApiAndConfigMap
+		cfg.AccessConfig.AuthenticationMode = getDefaultAuthenticationMode(cfg.IsControlPlaneOnOutposts())
 	}
 
 	if cfg.PrivateCluster == nil {
@@ -244,6 +244,13 @@ func getDefaultVolumeType(nodeGroupOnOutposts bool) string {
 	return DefaultNodeVolumeType
 }
 
+func getDefaultAuthenticationMode(nodeGroupOnOutposts bool) ekstypes.AuthenticationMode {
+	if nodeGroupOnOutposts {
+		return ekstypes.AuthenticationModeConfigMap
+	}
+	return ekstypes.AuthenticationModeApiAndConfigMap
+}
+
 func setContainerRuntimeDefault(ng *NodeGroup, clusterVersion string) {
 	if ng.ContainerRuntime != nil {
 		return
diff --git a/pkg/apis/eksctl.io/v1alpha5/defaults_test.go b/pkg/apis/eksctl.io/v1alpha5/defaults_test.go
@@ -4,6 +4,8 @@ import (
 	"github.com/aws/aws-sdk-go-v2/aws"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
+
+	ekstypes "github.com/aws/aws-sdk-go-v2/service/eks/types"
 )
 
 var _ = Describe("ClusterConfig validation", func() {
@@ -338,6 +340,29 @@ var _ = Describe("ClusterConfig validation", func() {
 
 	})
 
+	Context("Authentication Mode", func() {
+		var (
+			cfg *ClusterConfig
+		)
+
+		BeforeEach(func() {
+			cfg = NewClusterConfig()
+		})
+
+		It("should be set to API_AND_CONFIG_MAP by default", func() {
+			SetClusterConfigDefaults(cfg)
+			Expect(cfg.AccessConfig.AuthenticationMode).To(Equal(ekstypes.AuthenticationModeApiAndConfigMap))
+		})
+
+		It("should be set to CONFIG_MAP when control plane is on outposts", func() {
+			cfg.Outpost = &Outpost{
+				ControlPlaneOutpostARN: "arn:aws:outposts:us-west-2:1234:outpost/op-1234",
+			}
+			SetClusterConfigDefaults(cfg)
+			Expect(cfg.AccessConfig.AuthenticationMode).To(Equal(ekstypes.AuthenticationModeConfigMap))
+		})
+	})
+
 	Describe("ClusterConfig", func() {
 		var cfg *ClusterConfig
 
diff --git a/pkg/apis/eksctl.io/v1alpha5/outposts_validation_test.go b/pkg/apis/eksctl.io/v1alpha5/outposts_validation_test.go
@@ -6,6 +6,9 @@ import (
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 
+	"github.com/aws/aws-sdk-go-v2/aws"
+	ekstypes "github.com/aws/aws-sdk-go-v2/service/eks/types"
+
 	api "github.com/weaveworks/eksctl/pkg/apis/eksctl.io/v1alpha5"
 )
 
@@ -22,10 +25,29 @@ var _ = Describe("Outposts validation", func() {
 		clusterConfig.Outpost = &api.Outpost{
 			ControlPlaneOutpostARN: "arn:aws:outposts:us-west-2:1234:outpost/op-1234",
 		}
+		api.SetClusterConfigDefaults(clusterConfig)
 		oe.updateDefaultConfig(clusterConfig)
 		err := api.ValidateClusterConfig(clusterConfig)
 		Expect(err).To(MatchError(ContainSubstring(oe.expectedErr)))
 	},
+		Entry("Authentication Mode - API", outpostsEntry{
+			updateDefaultConfig: func(c *api.ClusterConfig) {
+				c.AccessConfig.AuthenticationMode = ekstypes.AuthenticationModeApi
+			},
+			expectedErr: fmt.Sprintf("accessConfig.AuthenticationMode must be set to %s on Outposts", ekstypes.AuthenticationModeConfigMap),
+		}),
+		Entry("Authentication mode - API_AND_CONFIG_MAP", outpostsEntry{
+			updateDefaultConfig: func(c *api.ClusterConfig) {
+				c.AccessConfig.AuthenticationMode = ekstypes.AuthenticationModeApiAndConfigMap
+			},
+			expectedErr: fmt.Sprintf("accessConfig.AuthenticationMode must be set to %s on Outposts", ekstypes.AuthenticationModeConfigMap),
+		}),
+		Entry("BootstrapClusterCreatorAdminPermissions - false", outpostsEntry{
+			updateDefaultConfig: func(c *api.ClusterConfig) {
+				c.AccessConfig.BootstrapClusterCreatorAdminPermissions = aws.Bool(false)
+			},
+			expectedErr: "accessConfig.BootstrapClusterCreatorAdminPermissions can't be set to false on Outposts",
+		}),
 		Entry("Addons", outpostsEntry{
 			updateDefaultConfig: func(c *api.ClusterConfig) {
 				c.Addons = []*api.Addon{
diff --git a/pkg/apis/eksctl.io/v1alpha5/validation.go b/pkg/apis/eksctl.io/v1alpha5/validation.go
@@ -162,6 +162,12 @@ func ValidateClusterConfig(cfg *ClusterConfig) error {
 			return err
 		}
 
+		if cfg.AccessConfig.AuthenticationMode != ekstypes.AuthenticationModeConfigMap {
+			return fmt.Errorf("accessConfig.AuthenticationMode must be set to %s on Outposts", ekstypes.AuthenticationModeConfigMap)
+		}
+		if IsDisabled(cfg.AccessConfig.BootstrapClusterCreatorAdminPermissions) {
+			return fmt.Errorf("accessConfig.BootstrapClusterCreatorAdminPermissions can't be set to false on Outposts")
+		}
 		if cfg.IPv6Enabled() {
 			return errors.New("IPv6 is not supported on Outposts")
 		}

Original file line number	Diff line number	Diff line change
`@@ -162,6 +162,12 @@ func ValidateClusterConfig(cfg *ClusterConfig) error {`
`162`	`162`	`return err`
`163`	`163`	`}`
`164`	`164`
	`165`	`+ if cfg.AccessConfig.AuthenticationMode != ekstypes.AuthenticationModeConfigMap {`
	`166`	`+ return fmt.Errorf("accessConfig.AuthenticationMode must be set to %s on Outposts", ekstypes.AuthenticationModeConfigMap)`
	`167`	`+ }`
	`168`	`+ if IsDisabled(cfg.AccessConfig.BootstrapClusterCreatorAdminPermissions) {`
	`169`	`+ return fmt.Errorf("accessConfig.BootstrapClusterCreatorAdminPermissions can't be set to false on Outposts")`
	`170`	`+ }`
`165`	`171`	`if cfg.IPv6Enabled() {`
`166`	`172`	`return errors.New("IPv6 is not supported on Outposts")`
`167`	`173`	`}`