
Allow configurable backend modes for aws-iam-authenticator #9500

Merged
merged 1 commit into from
Aug 7, 2020

Conversation

WarpRat
Contributor

@WarpRat WarpRat commented Jul 5, 2020

This is a small configuration change to allow configuring a custom list of backend modes for aws-iam-authenticator (#9468). The available options are MountedFile, EKSConfigMap, or CRD. Any number of these can be selected in order of preference in a comma-separated list. The default is still MountedFile.

@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 5, 2020
@k8s-ci-robot
Contributor

Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA.

It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. label Jul 5, 2020
@k8s-ci-robot
Contributor

Welcome @WarpRat!

It looks like this is your first PR to kubernetes/kops 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/kops has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot
Contributor

Hi @WarpRat. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Jul 5, 2020
@WarpRat
Contributor Author

WarpRat commented Jul 5, 2020

I signed it

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. and removed cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels Jul 5, 2020
@rifelpet
Member

rifelpet commented Jul 5, 2020

/ok-to-test

you'll need to run make apimachinery crds too

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jul 5, 2020
@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Jul 5, 2020
@WarpRat WarpRat marked this pull request as ready for review July 5, 2020 23:15
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 5, 2020
@hakman
Member

hakman commented Jul 8, 2020

@fred-vogt could you take a look at this? Thanks!

@fred-vogt

@hakman, @WarpRat - will do.

@fred-vogt

fred-vogt commented Jul 8, 2020

@WarpRat, @hakman - had to update my KOPS custom build instructions to work for a Mac.

Good news - got builds / uploads working from my Mac

Test plan:

  • default - should result in previous behavior (MountedFile)
  • custom - try some combos of CRD,EKSConfigMap,MountedFile

@hakman
Member

hakman commented Jul 8, 2020

No worries. Thanks! :)

@fred-vogt

fred-vogt commented Jul 8, 2020

@WarpRat, @hakman - I did the first test - it doesn't work.

Looks like aws-iam-authenticator isn't working in v1.19.0-alpha.1 - unrelated to this PR.

kubectl:

error: You must be logged in to the server (Unauthorized)
$ aws-iam-authenticator token -i <cluster-name>  # works

kube-api-server:

Unable to authenticate the request due to an error: [
  invalid bearer token, 
  Post https://127.0.0.1:21362/authenticate?timeout=30s: 
    x509: cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs
]

backend-mode is being passed

...
  containers:
  - args:
    - server
    - --config=/etc/aws-iam-authenticator/config.yaml
    - --state-dir=/var/aws-iam-authenticator
    - --kubeconfig-pregenerated=true
    - --backend-mode=MountedFile
...

@rifelpet
Member

rifelpet commented Jul 8, 2020

I think there are a couple changes we should make here:

  1. The image should be upgraded to 0.5.1. --backend-mode was introduced in 0.5.0 and this manifest is still on 0.4.0. We can probably just pull the changes from Update AWS IAM Authenticator to 0.5.0 #8423 and Switch AWS IAM Authenticator to use non-scratch image #8555 back in as well as bump to 0.5.1 (they were reverted in Revert AWS IAM Authenticator upgrade to 0.5.0 on master #8670), but it's worth double checking the recommended manifest in 0.5.1 to pick up any other changes.
  2. Since we allow a configurable image, it's possible for someone to pin it to a <0.5.0 version in which case upgrading to this version of kops will add the --backend-mode flag which will cause their setup to break. I think we can avoid that by having the default behavior be no --backend-mode argument rather than --backend-mode=MountedFile

The cert issue might be related to @johngmyers's recent cert issuance refactoring. I wish we had automated test coverage for this feature but the prerequisite AWS setup is nontrivial for our prow jobs. It's probably worth upgrading to 0.5.1 first before we continue with any cert troubleshooting though.

@rdrgmnzs
Contributor

rdrgmnzs commented Jul 9, 2020

+1 what @rifelpet said, if someone has the --backend-mode flag set with a version of the authenticator < 0.5.0 it'll just cause the authentication to fail with unknown flag: --backend-mode

@WarpRat WarpRat requested a review from rifelpet July 29, 2020 07:12
@WarpRat
Contributor Author

WarpRat commented Jul 30, 2020

Thanks for pointing me in the right direction on those tests @rifelpet

I also noticed that we were going to hit this issue with the cluster-id if a user didn't have a mounted file as one of the backend options, since normally the user defines that in config.yaml:

data:
  config.yaml: |
    # a unique-per-cluster identifier to prevent replay attacks
    # (good choices are a random token or a domain name that will be unique to your cluster)
    clusterID: my-dev-cluster.example.com

I added the same conditional around mounting that config file to remove the config cli flag and set the cluster-id to the master's public API DNS address.

@@ -37,9 +37,16 @@ spec:
image: {{ or .Authentication.Aws.Image "602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-iam-authenticator:v0.4.0" }}
args:
- server
{{- if or (not .Authentication.Aws.BackendMode) (contains "MountedFile" .Authentication.Aws.BackendMode) }}
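Review bot: the context line in this hunk still defaults the image to aws-iam-authenticator:v0.4.0, while the thread notes that --backend-mode only exists from 0.5.0. The `not .Authentication.Aws.BackendMode` guard keeps the default flag-free, but any user who sets BackendMode against this default image will have the authenticator fail on the unknown flag. Either bump the default image in this manifest alongside the new condition, or leave this 1.10+ template untouched and apply the change only to the manifest that carries the 0.5.1 image.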
Member

We have two versions of the addon manifest (two template files): one for k8s 1.10+ and one for k8s 1.12+. Given that we only updated the 1.12+ manifest to authenticator 0.5.1: eae3fd8#diff-49ab9104184d27772708fb0ecd00e0aa we don't need to add BackendMode functionality to the 1.10+ manifest, so we can probably remove all the changes to this file.
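The rendering behaviour discussed in this thread (no --backend-mode flag when the field is unset, otherwise the preference-ordered list, with the config-file mount keyed on MountedFile being present), as an added Go example that is not kops code: argsTemplate is a constructed, reduced stand-in for the addon manifest, and ValidateBackendMode/RenderArgs are hypothetical helpers, not kops functions.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// Modes the PR description allows in the comma-separated, preference-ordered list.
var allowedModes = map[string]bool{"MountedFile": true, "EKSConfigMap": true, "CRD": true}
// ValidateBackendMode rejects unknown entries. An empty value is valid and means
// "emit no --backend-mode flag", so images pinned below 0.5.0 keep working.
func ValidateBackendMode(mode string) error {
	if mode == "" {
		return nil
	}
	for _, m := range strings.Split(mode, ",") {
		if !allowedModes[m] {
			return fmt.Errorf("unknown backend mode %q", m)
		}
	}
	return nil
}
// argsTemplate is a constructed stand-in for the kops manifest (hypothetical, not the real
// template); "contains" takes its arguments in the same order as in the PR hunk: substring first.
const argsTemplate = `- server
{{- if .BackendMode }}
- --backend-mode={{ .BackendMode }}
{{- end }}
{{- if or (not .BackendMode) (contains "MountedFile" .BackendMode) }}
- --config=/etc/aws-iam-authenticator/config.yaml
{{- else }}
- --cluster-id={{ .ClusterID }}
{{- end }}
`

// RenderArgs validates BackendMode, then renders the authenticator container args.
func RenderArgs(backendMode, clusterID string) (string, error) {
	if err := ValidateBackendMode(backendMode); err != nil {
		return "", err
	}
	funcs := template.FuncMap{"contains": func(sub, s string) bool { return strings.Contains(s, sub) }}
	t := template.Must(template.New("args").Funcs(funcs).Parse(argsTemplate))
	var buf bytes.Buffer
	if err := t.Execute(&buf, map[string]string{"BackendMode": backendMode, "ClusterID": clusterID}); err != nil {
		return "", err
	}
	return buf.String(), nil
}
```

Rendering with an empty BackendMode yields only `- server` and the config mount, which is the flag-free default the reviewers asked for; a list without MountedFile switches to the cluster-id argument instead.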

@k8s-ci-robot k8s-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. area/provider/aws Issues or PRs related to aws provider and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Aug 6, 2020
@WarpRat WarpRat force-pushed the 9468 branch 2 times, most recently from 16e2cdf to bdf6014 Compare August 6, 2020 07:46
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Aug 6, 2020
Member

@rifelpet rifelpet left a comment


Looks good overall, a few documentation nits and you'll need to rerun ./hack/updated-expected.sh since some of the outputs changed due to the recent 1.19 alpha release.

/assign @rdrgmnzs
in case you have any additional feedback.

@rdrgmnzs
Contributor

rdrgmnzs commented Aug 6, 2020

Just reviewed, I think you guys covered everything. LGTM for landing once the expected test results are fixed.

@WarpRat
Contributor Author

WarpRat commented Aug 7, 2020

/retest

@rifelpet
Member

rifelpet commented Aug 7, 2020

/lgtm
/approve

thanks for sticking with it! looking forward to using these new fields

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 7, 2020
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rifelpet, WarpRat

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 7, 2020
@rifelpet
Member

rifelpet commented Aug 7, 2020

/test pull-kops-e2e-cni-kuberouter

@k8s-ci-robot k8s-ci-robot merged commit b940224 into kubernetes:master Aug 7, 2020
@k8s-ci-robot k8s-ci-robot added this to the v1.19 milestone Aug 7, 2020