fix: use aws eks get-token for kubectl auth

[schollii]

PR o'clock

Description

Fixes #957

Use aws eks get-token instead of aws iam authenticator

Checklist

• [n/a ] README.md has been updated after any changes to variables and outputs. See https://github.com/terraform-aws-modules/terraform-aws-eks/#doc-generation

[lisfo4ka]

Could you clarify, please, why is it required?

[daroga0002]

probably because:

> coalescelist([""], ["c", "d"])
[
  "",
]
>  

from line

terraform-aws-eks/locals.tf

Line 179 in 7785562

aws_authenticator_command_args = coalescelist(var.kubeconfig_aws_authenticator_command_args, local.default_kubeconfig_aws_auth_args)

[schollii]

actually coalesce works with both "" and null, BUT it is almost always preferable to use null than empty string to indicate "no value set".

[daroga0002]

actually coalesce works with both "" and null

yes but it will give different results (from terraform console):

> coalescelist([""], ["c", "d"])
[
  "",
]
> coalescelist([], ["c", "d"])
[
  "c",
  "d",
]

[daroga0002]

ahh, but here is just normal string

[schollii]

yes the function being discussed is coalesce not coalescelist

[lisfo4ka]

would you update kubeconfig_aws_authenticator_command default value as well?

[schollii]

Fixed

[lisfo4ka]

@antonbabenko @daroga0002 @schollii hi folks)
From my side, this change looks really good and useful. I suppose it shouldn't trigger more changes as kubeconfig file recreation which shouldn't be critical since terraform folder isn't the place to store it.

@schollii could you post terraform plan output, please. And if everyone is fine with it, let's merge this MR.

[schollii]

@schollii could you post terraform plan output, please...

@lisfo4ka, in what folder should I run this?

[lisfo4ka]

@lisfo4ka, in what folder should I run this?

I assume it can be any, e.g. examples/launch_templates

[antonbabenko]

Suggested change

	default = null
	default = "aws"

And remove coalesce() where this variable is used. Right?

[daroga0002]

@schollii do you will be able to change it and then I will make testing

[schollii]

@lisfo4ka ok will report back asap

[timblaktu]

Changes look good to me. This will be a big improvement. All external examples of first steps configuring kubectl to auth/connect to an EKS cluster use the aws eks update-kubeconfig approach, which uses the get-token approach, so aligning this Terraform module will prevent new users from being confused why they're so different (and prevent them from having to install aws-iam-authenticator.)

[bryantbiggs]

I think we should include this in a breaking change and drop all support for the legacy iam-authenticator approach - thoughts @daroga0002 ?

[daroga0002]

I tried to search what are benefits of using aws-iam-authenticator and I dont see any, maybe somebody from community will be able to put some arguments here.

From my side I think we can:

1. drop totally support for aws-iam-authenticator and remove any customization in our code
2. provide in outputs (I believ most or all are arleady done) values which can be used to build any form of Kube config (so thne if somebody will have own requirements can pass a template and fill them by outputs)

[schollii]

It's a good idea but I think it's taking this ticket beyond original scope, a separate ticket would be better so we can close this asap.

[Yasumoto]

Getting this over the finish line would be rad. When I was first getting started, trying to find this extra tool (and figure out if aws-iam-authenticator was actively recommended) was a bit of a road bump.

[daroga0002]

It's a good idea but I think it's taking this ticket beyond original scope, a separate ticket would be better so we can close this asap.

@schollii can you adjust comments #1590 (comment) and then we will merge it to v17.* version

Work about redesign we will cover in other PR for v18* milestone

[schollii]

@daroga0002 not sure what you mean, clicking that link in your post just gets me to the top of the PR

[daroga0002]

open comments from antonbabenko

[antonbabenko]

@daroga0002 I think we should have this one merged (after outstanding code changes got merged) and release a minor release in v17.

I am not knowledgeable enough to suggest dropping part of the functionality since it already works. I think we can reevaluate it as a part of the breaking changes we are going to have in v18 but not in this PR.

[daroga0002]

I am not knowledgeable enough to suggest dropping part of the functionality since it already works. I think we can reevaluate it as a part of the breaking changes we are going to have in v18 but not in this PR.

Yes this is what I am suggesting, now we simply extend to allow feature in v17 and in v18 we will drop legacy approach (as that will be bigger breaking change release so migration will be not so fast probably).

I will duplicate this PR and make fixes on my branch, test and open PR as I cannot edit this.

[lisfo4ka]

Folks, I'd really like to deliver this change to the v17, so I've created a new PR with proper testing. Please, take a look at #1699

[github-actions]

This PR has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this PR will be closed in 10 days

[github-actions]

This PR was automatically closed because of stale in 10 days

[antonbabenko]

This issue has been resolved in version 18.0.0 🎉

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.