Remove dependency on STS v1 by removing the need to use aws-iam-authe…

…nticator for token generation (eksctl-io#5016)

* Removing STS

* Deleted the wrapper as it is no longer needed

* Created an Interface for the Presign function

* Extracted the generator and wrote a proper interface and mocks for the presign call

* Postfilled a unit test

* Added custom endpoint resolution

* Put back the endpoint mapping malaka

* Extract header function

* Adjusted to review and removed whitelisted header

.golangci.yml

@@ -1,5 +1,7 @@
 # options for analysis running
 run:
+  go: '1.18'
+
   # default concurrency is a available CPU number
   concurrency: 4
 

pkg/apis/eksctl.io/v1alpha5/types.go

@@ -2,31 +2,31 @@ package v1alpha5
 
 import (
 	"bytes"
+	"context"
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"strings"
 	"time"
 
-	"github.com/weaveworks/eksctl/pkg/awsapi"
-
-	"github.com/aws/aws-sdk-go/service/cloudwatchlogs/cloudwatchlogsiface"
-
+	v4 "github.com/aws/aws-sdk-go-v2/aws/signer/v4"
+	stsv2 "github.com/aws/aws-sdk-go-v2/service/sts"
 	"github.com/aws/aws-sdk-go/aws/client"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/autoscaling/autoscalingiface"
 	"github.com/aws/aws-sdk-go/service/cloudformation/cloudformationiface"
 	"github.com/aws/aws-sdk-go/service/cloudtrail/cloudtrailiface"
+	"github.com/aws/aws-sdk-go/service/cloudwatchlogs/cloudwatchlogsiface"
 	"github.com/aws/aws-sdk-go/service/ec2/ec2iface"
 	"github.com/aws/aws-sdk-go/service/eks"
 	"github.com/aws/aws-sdk-go/service/eks/eksiface"
 	"github.com/aws/aws-sdk-go/service/iam/iamiface"
-	"github.com/aws/aws-sdk-go/service/sts/stsiface"
 	"github.com/pkg/errors"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 
+	"github.com/weaveworks/eksctl/pkg/awsapi"
 	"github.com/weaveworks/eksctl/pkg/utils/taints"
 )
 
@@ -653,7 +653,6 @@ type ClusterProvider interface {
 	ASG() autoscalingiface.AutoScalingAPI
 	EKS() eksiface.EKSAPI
 	EC2() ec2iface.EC2API
-	STS() stsiface.STSAPI
 	SSM() awsapi.SSM
 	IAM() iamiface.IAMAPI
 	CloudTrail() cloudtrailiface.CloudTrailAPI
@@ -664,9 +663,18 @@ type ClusterProvider interface {
 	ConfigProvider() client.ConfigProvider
 	Session() *session.Session
 
-	STSV2() awsapi.STS
 	ELB() awsapi.ELB
 	ELBV2() awsapi.ELBV2
+	STSV2() awsapi.STS
+	STSV2Presign() STSPresigner
+}
+
+// STSPresigner defines the method to pre-sign GetCallerIdentity requests to add a proper header required by EKS for
+// authentication from the outside.
+//go:generate go run github.com/maxbrunsfeld/counterfeiter/v6 -generate
+//counterfeiter:generate -o fakes/fake_sts_presigner.go . STSPresigner
+type STSPresigner interface {
+	PresignGetCallerIdentity(ctx context.Context, params *stsv2.GetCallerIdentityInput, optFns ...func(*stsv2.PresignOptions)) (*v4.PresignedHTTPRequest, error)
 }
 
 // ProviderConfig holds global parameters for all interactions with AWS APIs

pkg/connector/connector.go

@@ -45,6 +45,7 @@ type EKSConnector struct {
 type provider interface {
 	EKS() eksiface.EKSAPI
 	STSV2() awsapi.STS
+	STSV2Presign() api.STSPresigner
 	IAM() iamiface.IAMAPI
 	Region() string
 }

pkg/credentials/filecache.go

@@ -2,17 +2,16 @@ package credentials
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"os"
 	"path/filepath"
 	"sync"
 	"time"
 
-	"github.com/spf13/afero"
-
 	"github.com/aws/aws-sdk-go/aws/credentials"
 	"github.com/kris-nova/logger"
-	"github.com/pkg/errors"
+	"github.com/spf13/afero"
 	"gopkg.in/yaml.v2"
 )
 

pkg/credentials/filecache_v2.go

@@ -5,13 +5,10 @@ import (
 	"fmt"
 	"sync"
 
-	"github.com/spf13/afero"
-
-	"github.com/kris-nova/logger"
-
-	"github.com/aws/aws-sdk-go/aws/credentials"
-
 	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go/aws/credentials"
+	"github.com/kris-nova/logger"
+	"github.com/spf13/afero"
 )
 
 // FileCacheV2 is a file-based credentials cache for AWS credentials that can expire,

pkg/credentials/filecache_v2_test.go

@@ -6,22 +6,16 @@ import (
 	"path"
 	"time"
 
-	"github.com/pkg/errors"
-
-	awscredentials "github.com/aws/aws-sdk-go/aws/credentials"
-	"gopkg.in/yaml.v2"
-
-	"github.com/weaveworks/eksctl/pkg/credentials"
-
-	. "github.com/onsi/gomega"
-
 	"github.com/aws/aws-sdk-go-v2/aws"
-
+	awscredentials "github.com/aws/aws-sdk-go/aws/credentials"
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/ginkgo/extensions/table"
-
+	. "github.com/onsi/gomega"
+	"github.com/pkg/errors"
 	"github.com/spf13/afero"
+	"gopkg.in/yaml.v2"
 
+	"github.com/weaveworks/eksctl/pkg/credentials"
 	"github.com/weaveworks/eksctl/pkg/credentials/fakes"
 )
 

pkg/eks/api.go

@@ -7,15 +7,7 @@ import (
 	"os"
 	"time"
 
-	"github.com/gofrs/flock"
-	"github.com/spf13/afero"
-
-	"github.com/aws/aws-sdk-go/service/cloudwatchlogs"
-
-	"github.com/aws/aws-sdk-go/service/cloudwatchlogs/cloudwatchlogsiface"
-
 	stsv2 "github.com/aws/aws-sdk-go-v2/service/sts"
-
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/client"
 	"github.com/aws/aws-sdk-go/aws/credentials"
@@ -29,16 +21,18 @@ import (
 	"github.com/aws/aws-sdk-go/service/cloudformation/cloudformationiface"
 	"github.com/aws/aws-sdk-go/service/cloudtrail"
 	"github.com/aws/aws-sdk-go/service/cloudtrail/cloudtrailiface"
+	"github.com/aws/aws-sdk-go/service/cloudwatchlogs"
+	"github.com/aws/aws-sdk-go/service/cloudwatchlogs/cloudwatchlogsiface"
 	"github.com/aws/aws-sdk-go/service/ec2"
 	"github.com/aws/aws-sdk-go/service/ec2/ec2iface"
 	awseks "github.com/aws/aws-sdk-go/service/eks"
 	"github.com/aws/aws-sdk-go/service/eks/eksiface"
 	"github.com/aws/aws-sdk-go/service/iam"
 	"github.com/aws/aws-sdk-go/service/iam/iamiface"
-	"github.com/aws/aws-sdk-go/service/sts"
-	"github.com/aws/aws-sdk-go/service/sts/stsiface"
+	"github.com/gofrs/flock"
 	"github.com/kris-nova/logger"
 	"github.com/pkg/errors"
+	"github.com/spf13/afero"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/client-go/kubernetes/scheme"
 	"sigs.k8s.io/yaml"
@@ -80,7 +74,6 @@ type ProviderServices struct {
 	asg  autoscalingiface.AutoScalingAPI
 	eks  eksiface.EKSAPI
 	ec2  ec2iface.EC2API
-	sts  stsiface.STSAPI
 	iam  iamiface.IAMAPI
 
 	cloudtrail     cloudtrailiface.CloudTrailAPI
@@ -111,9 +104,6 @@ func (p ProviderServices) EKS() eksiface.EKSAPI { return p.eks }
 // EC2 returns a representation of the EC2 API
 func (p ProviderServices) EC2() ec2iface.EC2API { return p.ec2 }
 
-// STS returns a representation of the STS API
-func (p ProviderServices) STS() stsiface.STSAPI { return p.sts }
-
 // IAM returns a representation of the IAM API
 func (p ProviderServices) IAM() iamiface.IAMAPI { return p.iam }
 
@@ -193,15 +183,6 @@ func New(spec *api.ProviderConfig, clusterSpec *api.ClusterConfig) (*ClusterProv
 	provider.cfn = cloudformation.New(s)
 	provider.eks = awseks.New(s)
 	provider.ec2 = ec2.New(s)
-	provider.sts = sts.New(s,
-		// STS retrier has to be disabled, as it's not very helpful
-		// (see https://github.com/weaveworks/eksctl/issues/705)
-		request.WithRetryer(s.Config.Copy(),
-			&client.DefaultRetryer{
-				NumMaxRetries: 1,
-			},
-		),
-	)
 	provider.iam = iam.New(s)
 	provider.cloudtrail = cloudtrail.New(s)
 	provider.cloudwatchlogs = cloudwatchlogs.New(s)
@@ -210,6 +191,7 @@ func New(spec *api.ProviderConfig, clusterSpec *api.ClusterConfig) (*ClusterProv
 	if err != nil {
 		return nil, err
 	}
+
 	provider.ServicesV2 = &ServicesV2{
 		config: cfg,
 	}
@@ -230,12 +212,6 @@ func New(spec *api.ProviderConfig, clusterSpec *api.ClusterConfig) (*ClusterProv
 	if endpoint, ok := os.LookupEnv("AWS_EC2_ENDPOINT"); ok {
 		logger.Debug("Setting EC2 endpoint to %s", endpoint)
 		provider.ec2 = ec2.New(s, s.Config.Copy().WithEndpoint(endpoint))
-
-	}
-
-	if endpoint, ok := os.LookupEnv("AWS_STS_ENDPOINT"); ok {
-		logger.Debug("Setting STS endpoint to %s", endpoint)
-		provider.sts = sts.New(s, s.Config.Copy().WithEndpoint(endpoint))
 	}
 	if endpoint, ok := os.LookupEnv("AWS_IAM_ENDPOINT"); ok {
 		logger.Debug("Setting IAM endpoint to %s", endpoint)

pkg/eks/apiv2.go

@@ -6,11 +6,10 @@ import (
 	"os"
 	"time"
 
-	"github.com/gofrs/flock"
-	"github.com/spf13/afero"
-
-	"github.com/weaveworks/eksctl/pkg/credentials"
-
+	"github.com/aws/aws-sdk-go-v2/aws"
+	middlewarev2 "github.com/aws/aws-sdk-go-v2/aws/middleware"
+	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/credentials/stscreds"
 	"github.com/aws/aws-sdk-go-v2/service/cloudformation"
 	"github.com/aws/aws-sdk-go-v2/service/cloudtrail"
 	"github.com/aws/aws-sdk-go-v2/service/ec2"
@@ -19,16 +18,13 @@ import (
 	"github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2"
 	"github.com/aws/aws-sdk-go-v2/service/iam"
 	"github.com/aws/aws-sdk-go-v2/service/sts"
-
-	"github.com/aws/aws-sdk-go-v2/aws"
-	middlewarev2 "github.com/aws/aws-sdk-go-v2/aws/middleware"
-	"github.com/aws/aws-sdk-go-v2/config"
-	"github.com/aws/aws-sdk-go-v2/credentials/stscreds"
 	"github.com/aws/smithy-go/middleware"
-
+	"github.com/gofrs/flock"
 	"github.com/kris-nova/logger"
+	"github.com/spf13/afero"
 
 	api "github.com/weaveworks/eksctl/pkg/apis/eksctl.io/v1alpha5"
+	"github.com/weaveworks/eksctl/pkg/credentials"
 	"github.com/weaveworks/eksctl/pkg/version"
 )