IAM authenticator only on workload support

[pokearu]

Issue #2814

Description of changes:
Changes enable setting up aws-iam-authenticator on a workload cluster when its not configured on the management cluster.
We now prepend cluster name to the aws-iam-authenticator-ca that is needed on the bootstrap/management cluster before adding it on a workload cluster.

Testing:

eksctl-anywhere create cluster -f br-cluster-workload.yaml --kubeconfig ./br/br-eks-a-cluster.kubeconfig

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

[codecov]

Codecov Report

Merging #3594 (bc39337) into main (96af489) will increase coverage by 0.43%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##             main    #3594      +/-   ##
==========================================
+ Coverage   65.61%   66.05%   +0.43%     
==========================================
  Files         358      359       +1     
  Lines       29118    29278     +160     
==========================================
+ Hits        19107    19340     +233     
+ Misses       8698     8627      -71     
+ Partials     1313     1311       -2     

Impacted Files	Coverage Δ
pkg/clusterapi/identity.go	100.00% <ø> (ø)
pkg/awsiamauth/awsiamauth.go	67.67% <100.00%> (+0.32%)	⬆️
pkg/clustermanager/cluster_manager.go	63.21% <100.00%> (+0.52%)	⬆️
pkg/workflows/create.go	64.55% <100.00%> (+3.46%)	⬆️
pkg/providers/tinkerbell/create.go	52.05% <0.00%> (-0.77%)	⬇️
pkg/providers/vsphere/validator.go	76.37% <0.00%> (-0.59%)	⬇️
pkg/providers/tinkerbell/validate.go	79.50% <0.00%> (-0.50%)	⬇️
pkg/task/task.go	88.05% <0.00%> (ø)
pkg/yamlutil/apiobject.go	100.00% <0.00%> (ø)
pkg/providers/tinkerbell/hardware/machine.go	75.00% <0.00%> (ø)
... and 16 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[ptrivedi]

are you able to cover these via a test?

[ptrivedi]

/approve

[abhinavmpandey08]

looks good!
small question: with this change, will all the clusters have a separate set of certs?
Also, how will that affect IAM auth on already existing clusters where all the workloads are using the same certs.

[abhinavmpandey08]

This is being called here as well as on line 141 below. Can you move this before if commandContext.BootstrapCluster != nil { check on line 101 and remove it on line 141?

[pokearu]

Actually I think that might not work? The call on line 141 actually uses the newly created KinD bootstrap cluster, and that reference is only available on 120. That is why I had to repeat the calls.

[pokearu]

looks good! small question: with this change, will all the clusters have a separate set of certs? Also, how will that affect IAM auth on already existing clusters where all the workloads are using the same certs.

So basically the secret was only used when writing the cert files, so technically even though we referenced the same secret before, each cluster had separate files on their CP nodes host.
Now if a user upgrades a cluster with the old IAM, the KCP would get updated to reference the new secrets and roll the nodes. The new node would have an iam-auth that reads from the new certs.

[ptrivedi]

/lgtm

[abhinavmpandey08]

/approve
/lgtm
/woof
/meow

[eks-distro-bot]

@abhinavmpandey08:

In response to this:

/approve
/lgtm
/woof
/meow

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[eks-distro-bot]

@abhinavmpandey08:

In response to this:

/approve
/lgtm
/woof
/meow

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[eks-distro-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: abhinavmpandey08, ptrivedi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [abhinavmpandey08,ptrivedi]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[pokearu]

/override eks-anywhere-e2e-presubmit
/override eks-anywhere-mocks-presubmits

[eks-distro-bot]

@pokearu: Overrode contexts on behalf of pokearu: eks-anywhere-e2e-presubmit, eks-anywhere-mocks-presubmits

In response to this:

/override eks-anywhere-e2e-presubmit
/override eks-anywhere-mocks-presubmits

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.