

@melnikalex melnikalex commented Sep 14, 2022

Issue #, if available:

N/A

Description of changes:

Adding the ability to customize the server-side aws-iam-authenticator image as well as an example yaml for the deployment. There were a few issues encountered with the toolchain, so I addressed those as well.

Testing:

Deployed kit changes:

make codegen && make apply

Created cluster and validated backend modes were updated (notice MountedFile and EKSConfigMap mappers)

k logs alex-test-2-authenticator-fp98p
time="2022-09-14T17:05:19Z" level=info msg="starting mapper \"MountedFile\""
time="2022-09-14T17:05:19Z" level=info msg="starting mapper \"EKSConfigMap\""
time="2022-09-14T17:05:19Z" level=info msg="mapping IAM role" groups="[system:bootstrappers system:nodes]" role="arn:aws:iam::593790058435:role/KitDPRole-alex-test-2" username="system:node:{{EC2PrivateDNSName}}"
time="2022-09-14T17:05:19Z" level=info msg="mapping IAM Account" accountID=<REDACTED>
time="2022-09-14T17:05:19Z" level=info msg="loaded existing keypair" certPath=/var/aws-iam-authenticator/state/cert.pem keyPath=/var/aws-iam-authenticator/state/key.pem
time="2022-09-14T17:05:19Z" level=info msg="loaded existing keypair" certPath=/var/aws-iam-authenticator/state/cert.pem keyPath=/var/aws-iam-authenticator/state/key.pem
time="2022-09-14T17:05:19Z" level=info msg="writing webhook kubeconfig file" kubeconfigPath=/var/aws-iam-authenticator/kubeconfig/kubeconfig.yaml
time="2022-09-14T17:05:19Z" level=info msg="listening on [::]:21362"
time="2022-09-14T17:05:19Z" level=info msg="reconfigure your apiserver with `--authentication-token-webhook-config-file=/var/aws-iam-authenticator/kubeconfig/kubeconfig.yaml` to enable (assuming default hostPath mounts)"
time="2022-09-14T17:05:19Z" level=info msg="Starting the h.ec2Provider.startEc2DescribeBatchProcessing "

Created the aws-auth configmap in the guest cluster and validated access changes.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

func IsNetIOTimeOut(err error) bool {
netErr := net.Error(nil)
return errors.As(err, &netErr) && netErr.Temporary() && netErr.Timeout()
return errors.As(err, &netErr) && netErr.Timeout()
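Review bot: dropping `netErr.Temporary()` from `IsNetIOTimeOut` is the correct response to SA1019, and for standard-library errors the result is unchanged, because every `net.Error` the stdlib produces with `Timeout() == true` (a `*net.OpError` wrapping a deadline error, `os.ErrDeadlineExceeded`, `context.DeadlineExceeded`) also reports `Temporary() == true`. The only behavioural difference is for third-party error types that implement `Timeout()` without `Temporary()`, which are now counted as timeouts; that matches the linter's rationale that "temporary" mostly meant "timeout" anyway. A small table-driven test covering a `%w`-wrapped `*net.OpError` timeout, a non-timeout `*net.OpError`, `context.DeadlineExceeded` and a plain `errors.New` would pin this down, since nothing in the hunk exercises the `errors.As` chain walk. Minor: `netErr := net.Error(nil)` reads more naturally as `var netErr net.Error`.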
Contributor Author

I got this error with the newest version of the go linter:

pkg/errors/errors.go:46:36: SA1019: netErr.Temporary has been deprecated since Go 1.18 because it shouldn't be used: Temporary errors are not well-defined. Most "temporary" errors are timeouts, and the few exceptions are surprising. Do not use this method. (staticcheck)
        return errors.As(err, &netErr) && netErr.Temporary() && netErr.Timeout()
                                          ^
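To make the lint fix concrete, here is an added Go example (not code from the kit repository) that re-implements `IsNetIOTimeOut` exactly as the patched line has it and runs it over a set of constructed errors: a `%w`-wrapped `*net.OpError` timeout, a non-timeout dial failure, the standard-library deadline errors, and a hand-written `net.Error` whose `Timeout()` is true but `Temporary()` is false. The type `timeoutErr` and the functions `SampleErrors` and `Classify` are assumptions introduced for this demonstration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"os"
)

// IsNetIOTimeOut is the helper as it reads after the patch: a timeout is
// detected through net.Error.Timeout() only, without the deprecated
// Temporary() method that staticcheck SA1019 flags.
func IsNetIOTimeOut(err error) bool {
	netErr := net.Error(nil)
	return errors.As(err, &netErr) && netErr.Timeout()
}

// timeoutErr is a constructed net.Error (not a real library type) that
// reports Timeout() but not Temporary(): the pre-patch
// `Temporary() && Timeout()` check would have rejected it.
type timeoutErr struct{}

func (timeoutErr) Error() string   { return "constructed i/o timeout" }
func (timeoutErr) Timeout() bool   { return true }
func (timeoutErr) Temporary() bool { return false }

// SampleErrors builds a labelled set of constructed errors covering the
// cases a caller of IsNetIOTimeOut is likely to see.
func SampleErrors() map[string]error {
	return map[string]error{
		// a dial timeout wrapped with %w, as it reaches most callers
		"wrapped OpError timeout": fmt.Errorf("dial: %w",
			&net.OpError{Op: "dial", Net: "tcp", Err: timeoutErr{}}),
		// a dial failure that is not a timeout
		"OpError refused": &net.OpError{Op: "dial", Net: "tcp",
			Err: errors.New("connection refused")},
		// stdlib deadline errors implement net.Error with Timeout() == true
		"context deadline": fmt.Errorf("request: %w", context.DeadlineExceeded),
		"os deadline":      os.ErrDeadlineExceeded,
		// errors that carry no net.Error anywhere in their chain
		"plain error": errors.New("unexpected EOF"),
		"nil":         nil,
	}
}

// Classify runs IsNetIOTimeOut over SampleErrors and returns the verdicts.
func Classify() map[string]bool {
	out := make(map[string]bool)
	for name, err := range SampleErrors() {
		out[name] = IsNetIOTimeOut(err)
	}
	return out
}

func main() {
	for name, isTimeout := range Classify() {
		fmt.Printf("%-26s timeout=%v\n", name, isTimeout)
	}
}
```

The `errors.As` target is a pointer to the `net.Error` interface, so the helper sees a timeout even when it is buried several `%w` wraps deep; the plain `errors.New` value and the non-timeout `*net.OpError` are rejected, and `nil` is handled without a nil-interface panic.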

# * export GUEST_CLUSTER_NAME="foobar"
# * envsubst < auth-stage2.yaml | kubectl --kubeconfig $KUBECONFIG apply -f -

apiVersion: kit.k8s.sh/v1alpha1
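Review bot: the usage header still names `auth-stage2.yaml`, while the author's reply below says the file is being renamed back to `custom-authenticator.yaml`, so the comment will be stale as soon as that rename lands; update the `envsubst < ...` line to the final filename. Also, `envsubst` with no SHELL-FORMAT argument rewrites every `$NAME` it finds in the file, not only `GUEST_CLUSTER_NAME`, so any literal dollar sign elsewhere in the spec would be silently blanked; `envsubst '$GUEST_CLUSTER_NAME' < custom-authenticator.yaml` restricts substitution to that one variable, and `--kubeconfig "$KUBECONFIG"` avoids word splitting on paths with spaces.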
Contributor

We have tested this example spec right?

Contributor Author

Yes. Forgot to rename auth-stage2.yaml back to custom-authenticator.yaml after though. I'll update it.

prateekgogia previously approved these changes Sep 14, 2022

@prateekgogia prateekgogia left a comment

LGTM!

@hakuna-matatah

Nice job Alex!

name: $GUEST_CLUSTER_NAME
spec:
master:
apiServer:
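Review bot: the `apiServer` block is where the webhook token file flag lives, and the thread on this hunk shows it is not obvious which of the authenticator's kubeconfig flags that path corresponds to; add an inline yaml comment stating that `--authentication-token-webhook-config-file` must point at the file the authenticator writes via `--generate-kubeconfig`, which the deployment log in the description shows as `/var/aws-iam-authenticator/kubeconfig/kubeconfig.yaml` (the authenticator even prints the exact apiserver flag to set). Spelling out that `--kubeconfig` is the other direction (authenticator to kube-apiserver) and `--kubeconfig-pregenerated` only suppresses regeneration would close the question raised below.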
@hakuna-matatah hakuna-matatah Sep 14, 2022

I don't think this apiserver is leveraging this custom authenticator iiuc, right?
The default token file flag points to a different location here than what is described in line 24, unless I'm missing something here.

@melnikalex melnikalex Sep 14, 2022

No, it's just very confusing. There are 3 kubeconfig-ish flags for the authenticator:

  • --kubeconfig -> this is configuring one-direction communication from authenticator to kube-apiserver
  • --generate-kubeconfig -> this is configuring communication from kube-apiserver to authenticator (this is the token file passed here).
  • --kubeconfig-pregenerated -> a boolean flag if we don't want the --kubeconfig flag to generate a new kubeconfig.

I'll add a comment elaborating on this in the yaml.

@prateekgogia prateekgogia merged commit 85f1cb1 into awslabs:main Sep 14, 2022