Support EKS upgrade policy

Author: phuhung273

config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml

@@ -2982,6 +2982,16 @@ spec:
                 - iam-authenticator
                 - aws-cli
                 type: string
+              upgradePolicy:
+                description: |-
+                  The support policy to use for the cluster.
+                  Extended support allows you to remain on specific Kubernetes versions for longer.
+                  Clusters in extended support have higher costs.
+                  The default value is EXTENDED. Use STANDARD to disable extended support.
+                enum:
+                - EXTENDED
+                - STANDARD
+                type: string
               version:
                 description: |-
                   Version defines the desired Kubernetes version. If no version number

controlplane/eks/api/v1beta1/conversion.go

@@ -46,6 +46,7 @@ func (r *AWSManagedControlPlane) ConvertTo(dstRaw conversion.Hub) error {
 	dst.Spec.RolePermissionsBoundary = restored.Spec.RolePermissionsBoundary
 	dst.Status.Version = restored.Status.Version
 	dst.Spec.BootstrapSelfManagedAddons = restored.Spec.BootstrapSelfManagedAddons
+	dst.Spec.UpgradePolicy = restored.Spec.UpgradePolicy
 	return nil
 }
 

controlplane/eks/api/v1beta1/zz_generated.conversion.go

@@ -209,6 +209,14 @@ type AWSManagedControlPlaneSpec struct { //nolint: maligned
 
 	// KubeProxy defines managed attributes of the kube-proxy daemonset
 	KubeProxy KubeProxy `json:"kubeProxy,omitempty"`
+
+	// The support policy to use for the cluster.
+	// Extended support allows you to remain on specific Kubernetes versions for longer.
+	// Clusters in extended support have higher costs.
+	// The default value is EXTENDED. Use STANDARD to disable extended support.
+	// +kubebuilder:validation:Enum=EXTENDED;STANDARD
+	// +optional
+	UpgradePolicy *string `json:"upgradePolicy,omitempty"`
 }
 
 // KubeProxy specifies how the kube-proxy daemonset is managed.

controlplane/eks/api/v1beta2/awsmanagedcontrolplane_types.go

@@ -139,6 +139,10 @@ func (s *Service) reconcileCluster(ctx context.Context) error {
 		return errors.Wrap(err, "failed reconciling OIDC provider for cluster")
 	}
 
+	if err := s.reconcileClusterUpgradePolicy(cluster); err != nil {
+		return errors.Wrap(err, "failed reconciling cluster version")
+	}
+
 	return nil
 }
 
@@ -463,6 +467,15 @@ func (s *Service) createCluster(eksClusterName string) (*eks.Cluster, error) {
 		v := versionToEKS(specVersion)
 		eksVersion = &v
 	}
+
+	var upgradePolicy *eks.UpgradePolicyRequest
+
+	if s.scope.ControlPlane.Spec.UpgradePolicy != nil {
+		upgradePolicy = &eks.UpgradePolicyRequest{
+			SupportType: s.scope.ControlPlane.Spec.UpgradePolicy,
+		}
+	}
+
 	input := &eks.CreateClusterInput{
 		Name:                    aws.String(eksClusterName),
 		Version:                 eksVersion,
@@ -472,6 +485,7 @@ func (s *Service) createCluster(eksClusterName string) (*eks.Cluster, error) {
 		RoleArn:                 role.Arn,
 		Tags:                    tags,
 		KubernetesNetworkConfig: netConfig,
+		UpgradePolicy:           upgradePolicy,
 	}
 	// Only set BootstrapSelfManagedAddons if it's explicitly set to false in the spec
 	// Default is true, so we don't need to set it in that case
@@ -725,6 +739,63 @@ func (s *Service) reconcileClusterVersion(cluster *eks.Cluster) error {
 	return nil
 }
 
+func (s *Service) reconcileClusterUpgradePolicy(cluster *eks.Cluster) error {
+	s.Info("reconciling upgrade policy")
+
+	clusterUpgradePolicy := cluster.UpgradePolicy.SupportType
+
+	if s.scope.ControlPlane.Spec.UpgradePolicy == nil {
+		s.Debug("upgrade policy not given, no action")
+		return nil
+	}
+
+	if clusterUpgradePolicy == nil {
+		s.Debug("cannot get cluster upgrade policy, no action")
+		return nil
+	}
+
+	if *clusterUpgradePolicy == *s.scope.ControlPlane.Spec.UpgradePolicy {
+		s.Debug("upgrade policy unchanged, no action")
+		return nil
+	}
+
+	input := &eks.UpdateClusterConfigInput{
+		Name: aws.String(s.scope.KubernetesClusterName()),
+		UpgradePolicy: &eks.UpgradePolicyRequest{
+			SupportType: s.scope.ControlPlane.Spec.UpgradePolicy,
+		},
+	}
+
+	if err := wait.WaitForWithRetryable(wait.NewBackoff(), func() (bool, error) {
+		if _, err := s.EKSClient.UpdateClusterConfig(input); err != nil {
+			if aerr, ok := err.(awserr.Error); ok {
+				return false, aerr
+			}
+			return false, err
+		}
+
+		// Wait until status transitions to UPDATING because there's a short
+		// window after UpdateClusterConfig returns where the cluster
+		// status is ACTIVE and the update would be tried again
+		if err := s.EKSClient.WaitUntilClusterUpdating(
+			&eks.DescribeClusterInput{Name: aws.String(s.scope.KubernetesClusterName())},
+			request.WithWaiterLogger(&awslog{s.GetLogger()}),
+		); err != nil {
+			return false, err
+		}
+
+		conditions.MarkTrue(s.scope.ControlPlane, ekscontrolplanev1.EKSControlPlaneUpdatingCondition)
+		record.Eventf(s.scope.ControlPlane, "InitiatedUpdateEKSControlPlane", "Initiated update of EKS control plane %s to upgrade policy %s", s.scope.KubernetesClusterName(), s.scope.ControlPlane.Spec.UpgradePolicy)
+
+		return true, nil
+	}); err != nil {
+		record.Warnf(s.scope.ControlPlane, "FailedUpdateEKSControlPlane", "failed to update the EKS control plane: %v", err)
+		return errors.Wrapf(err, "failed to update EKS cluster")
+	}
+
+	return nil
+}
+
 func (s *Service) describeEKSCluster(eksClusterName string) (*eks.Cluster, error) {
 	input := &eks.DescribeClusterInput{
 		Name: aws.String(eksClusterName),

controlplane/eks/api/v1beta2/zz_generated.deepcopy.go

@@ -524,6 +524,7 @@ func TestCreateCluster(t *testing.T) {
 						RoleName:                   tc.role,
 						NetworkSpec:                infrav1.NetworkSpec{Subnets: tc.subnets},
 						BootstrapSelfManagedAddons: false,
+						UpgradePolicy:              aws.String(eks.SupportTypeStandard),
 					},
 				},
 			})
@@ -546,6 +547,9 @@ func TestCreateCluster(t *testing.T) {
 					Tags:                       tc.tags,
 					Version:                    version,
 					BootstrapSelfManagedAddons: aws.Bool(false),
+					UpgradePolicy: &eks.UpgradePolicyRequest{
+						SupportType: aws.String(eks.SupportTypeStandard),
+					},
 				}).Return(&eks.CreateClusterOutput{}, nil)
 			}
 			s := NewService(scope)
@@ -675,6 +679,107 @@ func TestReconcileEKSEncryptionConfig(t *testing.T) {
 	}
 }
 
+func TestReconcileEKSUpgradePolicy(t *testing.T) {
+	clusterName := "default.cluster"
+	tests := []struct {
+		name             string
+		oldUpgradePolicy *string
+		newUpgradePolicy *string
+		expect           func(m *mock_eksiface.MockEKSAPIMockRecorder)
+		expectError      bool
+	}{
+		{
+			name:             "no update necessary - no upgrade policy specified",
+			oldUpgradePolicy: aws.String(eks.SupportTypeStandard),
+			expect:           func(m *mock_eksiface.MockEKSAPIMockRecorder) {},
+			expectError:      false,
+		},
+		{
+			name:             "no update necessary - cannot get cluster upgrade policy",
+			newUpgradePolicy: aws.String(eks.SupportTypeStandard),
+			expect:           func(m *mock_eksiface.MockEKSAPIMockRecorder) {},
+			expectError:      false,
+		},
+		{
+			name:             "no update necessary - upgrade policy unchanged",
+			oldUpgradePolicy: aws.String(eks.SupportTypeStandard),
+			newUpgradePolicy: aws.String(eks.SupportTypeStandard),
+			expect:           func(m *mock_eksiface.MockEKSAPIMockRecorder) {},
+			expectError:      false,
+		},
+		{
+			name:             "needs update",
+			oldUpgradePolicy: aws.String(eks.SupportTypeStandard),
+			newUpgradePolicy: aws.String(eks.SupportTypeExtended),
+			expect: func(m *mock_eksiface.MockEKSAPIMockRecorder) {
+				m.WaitUntilClusterUpdating(
+					gomock.AssignableToTypeOf(&eks.DescribeClusterInput{}), gomock.Any(),
+				).Return(nil)
+				m.UpdateClusterConfig(gomock.AssignableToTypeOf(&eks.UpdateClusterConfigInput{})).Return(&eks.UpdateClusterConfigOutput{}, nil)
+			},
+			expectError: false,
+		},
+		{
+			name:             "api error",
+			oldUpgradePolicy: aws.String(eks.SupportTypeExtended),
+			newUpgradePolicy: aws.String(eks.SupportTypeStandard),
+			expect: func(m *mock_eksiface.MockEKSAPIMockRecorder) {
+				m.
+					UpdateClusterConfig(gomock.AssignableToTypeOf(&eks.UpdateClusterConfigInput{})).
+					Return(&eks.UpdateClusterConfigOutput{}, errors.New(""))
+			},
+			expectError: true,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			g := NewWithT(t)
+
+			mockControl := gomock.NewController(t)
+			defer mockControl.Finish()
+
+			eksMock := mock_eksiface.NewMockEKSAPI(mockControl)
+
+			scheme := runtime.NewScheme()
+			_ = infrav1.AddToScheme(scheme)
+			_ = ekscontrolplanev1.AddToScheme(scheme)
+			client := fake.NewClientBuilder().WithScheme(scheme).Build()
+			scope, err := scope.NewManagedControlPlaneScope(scope.ManagedControlPlaneScopeParams{
+				Client: client,
+				Cluster: &clusterv1.Cluster{
+					ObjectMeta: metav1.ObjectMeta{
+						Namespace: "ns",
+						Name:      clusterName,
+					},
+				},
+				ControlPlane: &ekscontrolplanev1.AWSManagedControlPlane{
+					Spec: ekscontrolplanev1.AWSManagedControlPlaneSpec{
+						Version:       aws.String("1.16"),
+						UpgradePolicy: tc.newUpgradePolicy,
+					},
+				},
+			})
+			g.Expect(err).To(BeNil())
+
+			tc.expect(eksMock.EXPECT())
+			s := NewService(scope)
+			s.EKSClient = eksMock
+
+			err = s.reconcileClusterUpgradePolicy(&eks.Cluster{
+				UpgradePolicy: &eks.UpgradePolicyResponse{
+					SupportType: tc.oldUpgradePolicy,
+				},
+			})
+			if tc.expectError {
+				g.Expect(err).To(HaveOccurred())
+				return
+			}
+			g.Expect(err).To(BeNil())
+		})
+	}
+}
+
 func TestCreateIPv6Cluster(t *testing.T) {
 	g := NewWithT(t)