Support EKS upgrade policy

Author: phuhung273

config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml

@@ -3136,6 +3136,17 @@ spec:
                 - iam-authenticator
                 - aws-cli
                 type: string
+              upgradePolicy:
+                description: |-
+                  The support policy to use for the cluster.
+                  Extended support indicates that the cluster will not be automatically upgraded
+                  when it leaves the standard support period, and will enter extended support.
+                  Clusters in extended support have higher costs.
+                  The default value is extended. Use standard to disable extended support.
+                enum:
+                - extended
+                - standard
+                type: string
               version:
                 description: |-
                   Version defines the desired Kubernetes version. If no version number

controlplane/eks/api/v1beta1/conversion.go

@@ -46,6 +46,7 @@ func (r *AWSManagedControlPlane) ConvertTo(dstRaw conversion.Hub) error {
 	dst.Spec.RolePermissionsBoundary = restored.Spec.RolePermissionsBoundary
 	dst.Status.Version = restored.Status.Version
 	dst.Spec.BootstrapSelfManagedAddons = restored.Spec.BootstrapSelfManagedAddons
+	dst.Spec.UpgradePolicy = restored.Spec.UpgradePolicy
 	return nil
 }
 

controlplane/eks/api/v1beta1/zz_generated.conversion.go

@@ -209,6 +209,15 @@ type AWSManagedControlPlaneSpec struct { //nolint: maligned
 
 	// KubeProxy defines managed attributes of the kube-proxy daemonset
 	KubeProxy KubeProxy `json:"kubeProxy,omitempty"`
+
+	// The support policy to use for the cluster.
+	// Extended support indicates that the cluster will not be automatically upgraded
+	// when it leaves the standard support period, and will enter extended support.
+	// Clusters in extended support have higher costs.
+	// The default value is extended. Use standard to disable extended support.
+	// +kubebuilder:validation:Enum=extended;standard
+	// +optional
+	UpgradePolicy *UpgradePolicy `json:"upgradePolicy,omitempty"`
 }
 
 // KubeProxy specifies how the kube-proxy daemonset is managed.

controlplane/eks/api/v1beta2/awsmanagedcontrolplane_types.go

@@ -212,6 +212,24 @@ type AddonIssue struct {
 	ResourceIDs []string `json:"resourceIds,omitempty"`
 }
 
+// UpgradePolicy defines the support policy to use for the cluster.
+type UpgradePolicy string
+
+var (
+	// UpgradePolicyExtended indicates that the cluster will not be automatically upgraded
+	// when it leaves the standard support period, and will enter extended support.
+	// Clusters in extended support have higher costs.
+	UpgradePolicyExtended = UpgradePolicy("extended")
+
+	// UpgradePolicyStandard indicates that the cluster will be automatically upgraded
+	// when it leaves the standard support period.
+	UpgradePolicyStandard = UpgradePolicy("standard")
+)
+
+func (e UpgradePolicy) String() string {
+	return string(e)
+}
+
 const (
 	// SecurityGroupCluster is the security group for communication between EKS
 	// control plane and managed node groups.

controlplane/eks/api/v1beta2/types.go

@@ -20,6 +20,7 @@ import (
 	"context"
 	"fmt"
 	"net"
+	"strings"
 	"time"
 
 	"github.com/aws/aws-sdk-go/aws"
@@ -463,6 +464,15 @@ func (s *Service) createCluster(eksClusterName string) (*eks.Cluster, error) {
 		v := versionToEKS(specVersion)
 		eksVersion = &v
 	}
+
+	var upgradePolicy *eks.UpgradePolicyRequest
+
+	if s.scope.ControlPlane.Spec.UpgradePolicy != nil {
+		upgradePolicy = &eks.UpgradePolicyRequest{
+			SupportType: aws.String(s.scope.ControlPlane.Spec.UpgradePolicy.String()),
+		}
+	}
+
 	input := &eks.CreateClusterInput{
 		Name:                    aws.String(eksClusterName),
 		Version:                 eksVersion,
@@ -472,6 +482,7 @@ func (s *Service) createCluster(eksClusterName string) (*eks.Cluster, error) {
 		RoleArn:                 role.Arn,
 		Tags:                    tags,
 		KubernetesNetworkConfig: netConfig,
+		UpgradePolicy:           upgradePolicy,
 	}
 	// Only set BootstrapSelfManagedAddons if it's explicitly set to false in the spec
 	// Default is true, so we don't need to set it in that case
@@ -535,6 +546,12 @@ func (s *Service) reconcileClusterConfig(cluster *eks.Cluster) error {
 		input.ResourcesVpcConfig = updateVpcConfig
 	}
 
+	updateUpgradePolicy := s.reconcileUpgradePolicy(cluster.UpgradePolicy)
+	if updateUpgradePolicy != nil {
+		needsUpdate = true
+		input.UpgradePolicy = updateUpgradePolicy
+	}
+
 	if needsUpdate {
 		if err := input.Validate(); err != nil {
 			return errors.Wrap(err, "created invalid UpdateClusterConfigInput")
@@ -725,6 +742,31 @@ func (s *Service) reconcileClusterVersion(cluster *eks.Cluster) error {
 	return nil
 }
 
+func (s *Service) reconcileUpgradePolicy(upgradePolicy *eks.UpgradePolicyResponse) *eks.UpgradePolicyRequest {
+	s.Info("reconciling upgrade policy")
+
+	clusterUpgradePolicy := upgradePolicy.SupportType
+
+	if s.scope.ControlPlane.Spec.UpgradePolicy == nil {
+		s.Debug("upgrade policy not given, no action")
+		return nil
+	}
+
+	if clusterUpgradePolicy == nil {
+		s.Debug("cannot get cluster upgrade policy, no action")
+		return nil
+	}
+
+	if strings.ToLower(*clusterUpgradePolicy) == s.scope.ControlPlane.Spec.UpgradePolicy.String() {
+		s.Debug("upgrade policy unchanged, no action")
+		return nil
+	}
+
+	return &eks.UpgradePolicyRequest{
+		SupportType: convertUpgradePolicy(*s.scope.ControlPlane.Spec.UpgradePolicy),
+	}
+}
+
 func (s *Service) describeEKSCluster(eksClusterName string) (*eks.Cluster, error) {
 	input := &eks.DescribeClusterInput{
 		Name: aws.String(eksClusterName),
@@ -854,3 +896,10 @@ func getKeyArn(encryptionConfig *eks.EncryptionConfig) string {
 	}
 	return ""
 }
+
+func convertUpgradePolicy(input ekscontrolplanev1.UpgradePolicy) *string {
+	if input == ekscontrolplanev1.UpgradePolicyStandard {
+		return aws.String(eks.SupportTypeStandard)
+	}
+	return aws.String(eks.SupportTypeExtended)
+}

controlplane/eks/api/v1beta2/zz_generated.deepcopy.go

@@ -524,6 +524,7 @@ func TestCreateCluster(t *testing.T) {
 						RoleName:                   tc.role,
 						NetworkSpec:                infrav1.NetworkSpec{Subnets: tc.subnets},
 						BootstrapSelfManagedAddons: false,
+						UpgradePolicy:              &ekscontrolplanev1.UpgradePolicyStandard,
 					},
 				},
 			})
@@ -546,6 +547,9 @@ func TestCreateCluster(t *testing.T) {
 					Tags:                       tc.tags,
 					Version:                    version,
 					BootstrapSelfManagedAddons: aws.Bool(false),
+					UpgradePolicy: &eks.UpgradePolicyRequest{
+						SupportType: aws.String(eks.SupportTypeStandard),
+					},
 				}).Return(&eks.CreateClusterOutput{}, nil)
 			}
 			s := NewService(scope)
@@ -675,6 +679,87 @@ func TestReconcileEKSEncryptionConfig(t *testing.T) {
 	}
 }
 
+func TestReconcileUpgradePolicy(t *testing.T) {
+	clusterName := "default.cluster"
+	tests := []struct {
+		name             string
+		oldUpgradePolicy *string
+		newUpgradePolicy *ekscontrolplanev1.UpgradePolicy
+		expect           *eks.UpgradePolicyRequest
+		expectError      bool
+	}{
+		{
+			name:             "no update necessary - no upgrade policy specified",
+			oldUpgradePolicy: aws.String(eks.SupportTypeStandard),
+			expect:           nil,
+			expectError:      false,
+		},
+		{
+			name:             "no update necessary - cannot get cluster upgrade policy",
+			newUpgradePolicy: &ekscontrolplanev1.UpgradePolicyStandard,
+			expect:           nil,
+			expectError:      false,
+		},
+		{
+			name:             "no update necessary - upgrade policy unchanged",
+			oldUpgradePolicy: aws.String(eks.SupportTypeStandard),
+			newUpgradePolicy: &ekscontrolplanev1.UpgradePolicyStandard,
+			expect:           nil,
+			expectError:      false,
+		},
+		{
+			name:             "needs update",
+			oldUpgradePolicy: aws.String(eks.SupportTypeStandard),
+			newUpgradePolicy: &ekscontrolplanev1.UpgradePolicyExtended,
+			expect: &eks.UpgradePolicyRequest{
+				SupportType: aws.String(eks.SupportTypeExtended),
+			},
+			expectError: false,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			g := NewWithT(t)
+
+			mockControl := gomock.NewController(t)
+			defer mockControl.Finish()
+
+			scheme := runtime.NewScheme()
+			_ = infrav1.AddToScheme(scheme)
+			_ = ekscontrolplanev1.AddToScheme(scheme)
+			client := fake.NewClientBuilder().WithScheme(scheme).Build()
+			scope, err := scope.NewManagedControlPlaneScope(scope.ManagedControlPlaneScopeParams{
+				Client: client,
+				Cluster: &clusterv1.Cluster{
+					ObjectMeta: metav1.ObjectMeta{
+						Namespace: "ns",
+						Name:      clusterName,
+					},
+				},
+				ControlPlane: &ekscontrolplanev1.AWSManagedControlPlane{
+					Spec: ekscontrolplanev1.AWSManagedControlPlaneSpec{
+						Version:       aws.String("1.16"),
+						UpgradePolicy: tc.newUpgradePolicy,
+					},
+				},
+			})
+			g.Expect(err).To(BeNil())
+
+			s := NewService(scope)
+
+			upgradePolicyRequest := s.reconcileUpgradePolicy(&eks.UpgradePolicyResponse{
+				SupportType: tc.oldUpgradePolicy,
+			})
+			if tc.expectError {
+				g.Expect(err).To(HaveOccurred())
+				return
+			}
+			g.Expect(upgradePolicyRequest).To(Equal(tc.expect))
+		})
+	}
+}
+
 func TestCreateIPv6Cluster(t *testing.T) {
 	g := NewWithT(t)