Migrate eks discovery to aws sdk v2

[creack]

Closes #49129

Removes all usage of sdk v1 for EKS.

[rosstimothy]

Is this intended to only ever be for retrieving AWS clients? If so should this be renamed to reflect that.

[tigrato]

I vote for the same

[rosstimothy]

#50561 was merged earlier today

[GavinFrazar]

might be worth mentioning #50809 as well, though I'm not sure it applies here - you can just call awsconfig.GetConfig, which is not cached, instead of using awsconfig.Cache.

[tigrato]

can you use maps.Clone/Copy now?

[tigrato]

I vote for the same

[tigrato]

If our goal is to expose on those two interfaces, why not referring them directly?
This is mostly internal packages and I don't see them being expanded in the future

[creack]

it is easier to have them split as one is implemented by sts.Client the other by eks.Client, used in different places.

[tigrato]

we need this merged otherwise we will introduce the same bug #50074 again

[GavinFrazar]

it's not going through cache in this case, since the ClientGetter is calling the uncached awsconfig.GetConfig free function:

func (*awsClientsGetter) getAWSConfig(ctx context.Context, region string, opts ...awsconfig.OptionsFn) (aws.Config, error) {
	cfg, err := awsconfig.GetConfig(ctx, region, opts...)
	return cfg, trace.Wrap(err)
}

I think the expiry time returned from GenAWSEKSToken should be taken from the underlying aws.Credentials expiry instead of the 14 minute const, but just skipping the cache works too

[tigrato]

if this is a private structure w/out any way of building it, does it make sense for the field to public?

[tigrato]

now that this package was converted to sdkv2, we can make unify

teleport/lib/integrations/awsoidc/eks_enroll_clusters.go

Lines 341 to 372 in d37da51

	func presignCallerIdentityURL(ctx context.Context, stsClient *sts.Client, clusterName string) (string, error) {
	presignClient := sts.NewPresignClient(stsClient)
	// This function adds required headers for accessing an EKS cluster to the presigned URL.
	// Header "x-k8s-aws-id" specifies EKS cluster name and header "X-Amz-Expires" is just required for compatibility reasons.
	addEKSHeaders := func(ctx context.Context, in middleware.BuildInput, next middleware.BuildHandler) (
	out middleware.BuildOutput, metadata middleware.Metadata, err error,
	) {
	req, ok := in.Request.(*smithyhttp.Request)
	if !ok {
	return out, metadata, fmt.Errorf("unknown transport type %T", req)
	}
	req.Header.Add(awsHeaderClusterName, clusterName)
	// 60 is put for compatibility reasons, in reality it is ignored and real expiration time is 15 minutes.
	req.Header.Add(awsHeaderExpires, "60")
	return next.HandleBuild(ctx, in)
	}
	presigned, err := presignClient.PresignGetCallerIdentity(ctx, &sts.GetCallerIdentityInput{}, func(options *sts.PresignOptions) {
	options.ClientOptions = append(options.ClientOptions,
	sts.WithAPIOptions(func(stack *middleware.Stack) error {
	return stack.Build.Add(middleware.BuildMiddlewareFunc("AddEKSHeaders", addEKSHeaders), 0)
	}))
	})
	if err != nil {
	return "", trace.Wrap(err, "failed to presign caller identity")
	}
	return presigned.URL, nil
	}

to use this function

[tigrato]

They are essentially doing the same thing

[creack]

maybe better in a separate PR as the integration one requires a full blown sts Client, which would be difficult to test. Added a TODO.

[tigrato]

IF we reserve FetchersClients for AWS, it should be more clear about it.
We should probably also split the cloud clients as well

[creack]

This is the idea indeed, EC2 and SSM have been split out from cloud clients already, this extracts out completely EKS and partially STS. I'll rename to be more explicit about AWS.

[GavinFrazar]

I recommend just making these into simple functions that take an aws.Config and return the relevant interface, and using the awsconfig.Provider along side them instead.

Then in tests you just set Config.AWSConfigProvider to &mocks.AWSConfigProvider{} to mock out the config loading

It's a little more tedious/ceremony because you end up doing this:

awsCfg, err := foo.getAWSConfig(...options...)
if err != nil {
 ...
}
barClt := foo.GetBarClient(awsCfg)

But the benefit is that you always test the options passed to getAWSConfig, and each client can be mocked separately as a trivial function rather than trying to fake config loading in each mock client provider.

I nitpick on this because the sdk v1 cloud clients code was structured like you've done so here and I've found that tests end up faking more than they should, e.g not checking the credentials source at all.

[creack]

I followed #48950 model 😅 we probably should align everything. Should it be done upfront here though, or in a separate PR?