Preflight upgrade validations for pod disruption budgets

cmd/eksctl-anywhere/cmd/createcluster.go

@@ -119,7 +119,8 @@ func (cc *createClusterOptions) createCluster(cmd *cobra.Command, _ []string) er
 		WithGitOpsFlux(clusterSpec.Cluster, clusterSpec.FluxConfig, cliConfig).
 		WithWriter().
 		WithEksdInstaller().
-		WithPackageInstaller(clusterSpec, cc.installPackages, cc.managementKubeconfig)
+		WithPackageInstaller(clusterSpec, cc.installPackages, cc.managementKubeconfig).
+		WithValidatorClients()
 
 	if cc.timeoutOptions.noTimeouts {
 		factory.WithNoTimeouts()
@@ -142,7 +143,7 @@ func (cc *createClusterOptions) createCluster(cmd *cobra.Command, _ []string) er
 	)
 
 	validationOpts := &validations.Opts{
-		Kubectl: deps.Kubectl,
+		Kubectl: deps.UnAuthKubectlClient,
 		Spec:    clusterSpec,
 		WorkloadCluster: &types.Cluster{
 			Name:           clusterSpec.Cluster.Name,

cmd/eksctl-anywhere/cmd/upgradecluster.go

@@ -23,6 +23,7 @@ type upgradeClusterOptions struct {
 	forceClean            bool
 	hardwareCSVPath       string
 	tinkerbellBootstrapIP string
+	skipValidations       []string
 }
 
 var uc = &upgradeClusterOptions{}
@@ -48,6 +49,7 @@ func init() {
 	applyTinkerbellHardwareFlag(upgradeClusterCmd.Flags(), &uc.hardwareCSVPath)
 	upgradeClusterCmd.Flags().StringVarP(&uc.wConfig, "w-config", "w", "", "Kubeconfig file to use when upgrading a workload cluster")
 	upgradeClusterCmd.Flags().BoolVar(&uc.forceClean, "force-cleanup", false, "Force deletion of previously created bootstrap cluster")
+	upgradeClusterCmd.Flags().StringArrayVar(&uc.skipValidations, "skip-validations", []string{}, "Bypass upgrade validations by name. Valid arguments you can pass are --skip-validations=pod-disruption")
 
 	if err := upgradeClusterCmd.MarkFlagRequired("filename"); err != nil {
 		log.Fatalf("Error marking flag as required: %v", err)
@@ -107,7 +109,8 @@ func (uc *upgradeClusterOptions) upgradeCluster(cmd *cobra.Command) error {
 		WithCAPIManager().
 		WithEksdUpgrader().
 		WithEksdInstaller().
-		WithKubectl()
+		WithKubectl().
+		WithValidatorClients()
 
 	if uc.timeoutOptions.noTimeouts {
 		factory.WithNoTimeouts()
@@ -144,13 +147,20 @@ func (uc *upgradeClusterOptions) upgradeCluster(cmd *cobra.Command) error {
 	}
 
 	validationOpts := &validations.Opts{
-		Kubectl:           deps.Kubectl,
+		Kubectl:           deps.UnAuthKubectlClient,
 		Spec:              clusterSpec,
 		WorkloadCluster:   workloadCluster,
 		ManagementCluster: managementCluster,
 		Provider:          deps.Provider,
 		CliConfig:         cliConfig,
 	}
+
+	if len(uc.skipValidations) != 0 {
+		validationOpts.SkippedValidations, err = upgradevalidations.ValidateSkippableUpgradeValidation(uc.skipValidations)
+		if err != nil {
+			return err
+		}
+	}
 	upgradeValidations := upgradevalidations.New(validationOpts)
 
 	err = upgradeCluster.Run(ctx, clusterSpec, managementCluster, workloadCluster, upgradeValidations, uc.forceClean)

cmd/eksctl-anywhere/cmd/validatecreatecluster.go

@@ -75,6 +75,8 @@ func (valOpt *validateOptions) validateCreateCluster(cmd *cobra.Command, _ []str
 		WithKubectl().
 		WithProvider(valOpt.fileName, clusterSpec.Cluster, false, valOpt.hardwareCSVPath, true, valOpt.tinkerbellBootstrapIP).
 		WithGitOpsFlux(clusterSpec.Cluster, clusterSpec.FluxConfig, cliConfig).
+		WithUnAuthKubeClient().
+		WithValidatorClients().
 		Build(ctx)
 	if err != nil {
 		cleanupDirectory(tmpPath)
@@ -83,7 +85,7 @@ func (valOpt *validateOptions) validateCreateCluster(cmd *cobra.Command, _ []str
 	defer close(ctx, deps)
 
 	validationOpts := &validations.Opts{
-		Kubectl: deps.Kubectl,
+		Kubectl: deps.UnAuthKubectlClient,
 		Spec:    clusterSpec,
 		WorkloadCluster: &types.Cluster{
 			Name:           clusterSpec.Cluster.Name,

pkg/dependencies/factory.go

@@ -103,6 +103,13 @@ type Dependencies struct {
 	NutanixValidator            *nutanix.Validator
 	SnowValidator               *snow.Validator
 	IPValidator                 *validator.IPValidator
+	UnAuthKubectlClient         KubeClients
+}
+
+// KubeClients defines super struct that exposes all behavior.
+type KubeClients struct {
+	*executables.Kubectl
+	*kubernetes.UnAuthClient
 }
 
 func (d *Dependencies) Close(ctx context.Context) error {
@@ -1073,6 +1080,22 @@ func (f *Factory) WithKubeProxyCLIUpgrader() *Factory {
 	return f
 }
 
+// WithValidatorClients builds KubeClients.
+func (f *Factory) WithValidatorClients() *Factory {
+	f.WithKubectl().WithUnAuthKubeClient()
+
+	f.buildSteps = append(f.buildSteps, func(ctx context.Context) error {
+		f.dependencies.UnAuthKubectlClient = KubeClients{
+			Kubectl:      f.dependencies.Kubectl,
+			UnAuthClient: f.dependencies.UnAuthKubeClient,
+		}
+
+		return nil
+	})
+
+	return f
+}
+
 // WithLogger setups a logger to be injected in constructors. It uses the logger
 // package level logger.
 func (f *Factory) WithLogger() *Factory {

pkg/dependencies/factory_test.go

@@ -214,6 +214,7 @@ func TestFactoryBuildWithMultipleDependencies(t *testing.T) {
 		WithCiliumTemplater().
 		WithIPValidator().
 		WithKubeProxyCLIUpgrader().
+		WithValidatorClients().
 		Build(context.Background())
 
 	tt.Expect(err).To(BeNil())
@@ -235,6 +236,7 @@ func TestFactoryBuildWithMultipleDependencies(t *testing.T) {
 	tt.Expect(deps.CiliumTemplater).NotTo(BeNil())
 	tt.Expect(deps.IPValidator).NotTo(BeNil())
 	tt.Expect(deps.KubeProxyCLIUpgrader).NotTo(BeNil())
+	tt.Expect(deps.UnAuthKubectlClient).NotTo(BeNil())
 }
 
 func TestFactoryBuildWithProxyConfiguration(t *testing.T) {

pkg/providers/vsphere/workers_test.go

@@ -240,7 +240,6 @@ func TestWorkersSpecRegistryMirrorConfiguration(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-
 			spec.Cluster.Spec.RegistryMirrorConfiguration = tt.mirrorConfig
 			workers, err := vsphere.WorkersSpec(ctx, logger, client, spec)
 			g.Expect(err).NotTo(HaveOccurred())

pkg/validations/createvalidations/cluster_test.go

@@ -12,13 +12,20 @@ import (
 
 	"github.com/aws/eks-anywhere/internal/test"
 	"github.com/aws/eks-anywhere/pkg/api/v1alpha1"
+	"github.com/aws/eks-anywhere/pkg/clients/kubernetes"
 	"github.com/aws/eks-anywhere/pkg/constants"
+	"github.com/aws/eks-anywhere/pkg/executables"
 	"github.com/aws/eks-anywhere/pkg/validations"
 	"github.com/aws/eks-anywhere/pkg/validations/createvalidations"
 )
 
 const testclustername string = "testcluster"
 
+type UnAuthKubectlClient struct {
+	*executables.Kubectl
+	*kubernetes.UnAuthClient
+}
+
 func TestValidateClusterPresent(t *testing.T) {
 	tests := []struct {
 		name               string
@@ -44,12 +51,13 @@ func TestValidateClusterPresent(t *testing.T) {
 	}
 
 	k, ctx, cluster, e := validations.NewKubectl(t)
+	uk := kubernetes.NewUnAuthClient(k)
 	cluster.Name = testclustername
 	for _, tc := range tests {
 		t.Run(tc.name, func(tt *testing.T) {
 			fileContent := test.ReadFile(t, tc.getClusterResponse)
 			e.EXPECT().Execute(ctx, []string{"get", capiClustersResourceType, "-o", "json", "--kubeconfig", cluster.KubeconfigFile, "--namespace", constants.EksaSystemNamespace}).Return(*bytes.NewBufferString(fileContent), nil)
-			err := createvalidations.ValidateClusterNameIsUnique(ctx, k, cluster, testclustername)
+			err := createvalidations.ValidateClusterNameIsUnique(ctx, UnAuthKubectlClient{k, uk}, cluster, testclustername)
 			if !reflect.DeepEqual(err, tc.wantErr) {
 				t.Errorf("%v got = %v, \nwant %v", tc.name, err, tc.wantErr)
 			}
@@ -93,12 +101,13 @@ func TestValidateManagementClusterCRDs(t *testing.T) {
 	}
 
 	k, ctx, cluster, e := validations.NewKubectl(t)
+	uk := kubernetes.NewUnAuthClient(k)
 	cluster.Name = testclustername
 	for _, tc := range tests {
 		t.Run(tc.name, func(tt *testing.T) {
 			e.EXPECT().Execute(ctx, []string{"get", "customresourcedefinition", capiClustersResourceType, "--kubeconfig", cluster.KubeconfigFile}).Return(bytes.Buffer{}, tc.errGetClusterCRD).Times(tc.errGetClusterCRDCount)
 			e.EXPECT().Execute(ctx, []string{"get", "customresourcedefinition", eksaClusterResourceType, "--kubeconfig", cluster.KubeconfigFile}).Return(bytes.Buffer{}, tc.errGetEKSAClusterCRD).Times(tc.errGetEKSAClusterCRDCount)
-			err := createvalidations.ValidateManagementCluster(ctx, k, cluster)
+			err := createvalidations.ValidateManagementCluster(ctx, UnAuthKubectlClient{k, uk}, cluster)
 			if tc.wantErr {
 				assert.Error(tt, err, "expected ValidateManagementCluster to return an error", "test", tc.name)
 			} else {

pkg/validations/createvalidations/identityproviders_test.go

@@ -9,6 +9,7 @@ import (
 
 	"github.com/aws/eks-anywhere/internal/test"
 	"github.com/aws/eks-anywhere/pkg/api/v1alpha1"
+	"github.com/aws/eks-anywhere/pkg/clients/kubernetes"
 	"github.com/aws/eks-anywhere/pkg/cluster"
 	"github.com/aws/eks-anywhere/pkg/validations"
 	"github.com/aws/eks-anywhere/pkg/validations/createvalidations"
@@ -62,6 +63,7 @@ func TestValidateIdendityProviderForWorkloadClusters(t *testing.T) {
 		s.OIDCConfig = defaultOIDC
 	})
 	k, ctx, cluster, e := validations.NewKubectl(t)
+	uk := kubernetes.NewUnAuthClient(k)
 	cluster.Name = testclustername
 	for _, tc := range tests {
 		t.Run(tc.name, func(tt *testing.T) {
@@ -73,7 +75,7 @@ func TestValidateIdendityProviderForWorkloadClusters(t *testing.T) {
 					"--field-selector=metadata.name=oidc-config-test",
 				}).Return(*bytes.NewBufferString(fileContent), nil)
 
-			err := createvalidations.ValidateIdentityProviderNameIsUnique(ctx, k, cluster, clusterSpec)
+			err := createvalidations.ValidateIdentityProviderNameIsUnique(ctx, UnAuthKubectlClient{k, uk}, cluster, clusterSpec)
 			if !reflect.DeepEqual(err, tc.wantErr) {
 				t.Errorf("%v got = %v, \nwant %v", tc.name, err, tc.wantErr)
 			}
@@ -123,6 +125,7 @@ func TestValidateIdentityProviderForSelfManagedCluster(t *testing.T) {
 		s.Cluster.SetSelfManaged()
 	})
 	k, ctx, cluster, e := validations.NewKubectl(t)
+	uk := kubernetes.NewUnAuthClient(k)
 	cluster.Name = testclustername
 	for _, tc := range tests {
 		t.Run(tc.name, func(tt *testing.T) {
@@ -133,7 +136,7 @@ func TestValidateIdentityProviderForSelfManagedCluster(t *testing.T) {
 					"--field-selector=metadata.name=oidc-config-test",
 				}).Times(0)
 
-			err := createvalidations.ValidateIdentityProviderNameIsUnique(ctx, k, cluster, clusterSpec)
+			err := createvalidations.ValidateIdentityProviderNameIsUnique(ctx, UnAuthKubectlClient{k, uk}, cluster, clusterSpec)
 			if !reflect.DeepEqual(err, tc.wantErr) {
 				t.Errorf("%v got = %v, \nwant %v", tc.name, err, tc.wantErr)
 			}

pkg/validations/createvalidations/preflightvalidations.go

@@ -32,7 +32,7 @@ func (v *CreateValidations) PreflightValidations(ctx context.Context) []validati
 			return &validations.ValidationResult{
 				Name:        "validate certificate for registry mirror",
 				Remediation: fmt.Sprintf("provide a valid certificate for you registry endpoint using %s env var", anywherev1.RegistryMirrorCAKey),
-				Err:         validations.ValidateCertForRegistryMirror(v.Opts.Spec, v.Opts.TlsValidator),
+				Err:         validations.ValidateCertForRegistryMirror(v.Opts.Spec, v.Opts.TLSValidator),
 			}
 		},
 		func() *validations.ValidationResult {

pkg/validations/kubectl.go

@@ -8,13 +8,15 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 
 	"github.com/aws/eks-anywhere/pkg/api/v1alpha1"
+	"github.com/aws/eks-anywhere/pkg/clients/kubernetes"
 	"github.com/aws/eks-anywhere/pkg/executables"
 	mockexecutables "github.com/aws/eks-anywhere/pkg/executables/mocks"
 	"github.com/aws/eks-anywhere/pkg/types"
 	releasev1alpha1 "github.com/aws/eks-anywhere/release/api/v1alpha1"
 )
 
 type KubectlClient interface {
+	List(ctx context.Context, kubeconfig string, list kubernetes.ObjectList) error
 	ValidateControlPlaneNodes(ctx context.Context, cluster *types.Cluster, clusterName string) error
 	ValidateWorkerNodes(ctx context.Context, clusterName string, kubeconfig string) error
 	ValidateNodes(ctx context.Context, kubeconfig string) error

pkg/validations/upgradevalidations/cluster_test.go

@@ -11,6 +11,7 @@ import (
 
 	"github.com/aws/eks-anywhere/internal/test"
 	"github.com/aws/eks-anywhere/pkg/api/v1alpha1"
+	"github.com/aws/eks-anywhere/pkg/clients/kubernetes"
 	"github.com/aws/eks-anywhere/pkg/constants"
 	"github.com/aws/eks-anywhere/pkg/validations"
 	"github.com/aws/eks-anywhere/pkg/validations/upgradevalidations"
@@ -43,12 +44,14 @@ func TestValidateClusterPresent(t *testing.T) {
 	}
 
 	k, ctx, cluster, e := validations.NewKubectl(t)
+	uk := kubernetes.NewUnAuthClient(k)
+
 	cluster.Name = testclustername
 	for _, tc := range tests {
 		t.Run(tc.name, func(tt *testing.T) {
 			fileContent := test.ReadFile(t, tc.getClusterResponse)
 			e.EXPECT().Execute(ctx, []string{"get", capiClustersResourceType, "-o", "json", "--kubeconfig", cluster.KubeconfigFile, "--namespace", constants.EksaSystemNamespace}).Return(*bytes.NewBufferString(fileContent), nil)
-			err := upgradevalidations.ValidateClusterObjectExists(ctx, k, cluster)
+			err := upgradevalidations.ValidateClusterObjectExists(ctx, UnAuthKubectlClient{k, uk}, cluster)
 			if !reflect.DeepEqual(err, tc.wantErr) {
 				t.Errorf("%v got = %v, \nwant %v", tc.name, err, tc.wantErr)
 			}

pkg/validations/upgradevalidations/poddisruptionbudgets.go

@@ -0,0 +1,29 @@
+package upgradevalidations
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/pkg/errors"
+	policy "k8s.io/api/policy/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+
+	"github.com/aws/eks-anywhere/pkg/types"
+	"github.com/aws/eks-anywhere/pkg/validations"
+)
+
+// ValidatePodDisruptionBudgets returns an error if any pdbs are detected on a cluster.
+func ValidatePodDisruptionBudgets(ctx context.Context, k validations.KubectlClient, cluster *types.Cluster) error {
+	podDisruptionBudgets := &policy.PodDisruptionBudgetList{}
+	if err := k.List(ctx, cluster.KubeconfigFile, podDisruptionBudgets); err != nil {
+		if !apierrors.IsNotFound(err) {
+			return errors.Wrap(err, "listing cluster pod disruption budgets for upgrade")
+		}
+	}
+
+	if len(podDisruptionBudgets.Items) != 0 {
+		return fmt.Errorf("one or more pod disruption budgets were detected on the cluster. Use the --skip-validations=%s flag if you wish to skip the validations for pod disruption budgets and proceed with the upgrade operation", PDB)
+	}
+
+	return nil
+}