Revert "Revert "Removing dependency on Authenticator binary" (#446)"

[toabctl]

This reintroduces the switch to use "aws eks get-token" instead of the
aws-iam-authenticator. The reason (see [0]) why that switch got
reverted was, that eksctl wasn't able to handle the situation where
aws-iam-authenticator was not there. But that changed (see [1] and
[2]) so switching to aws-cli for getting a token should be good now.

This reverts commit d6e021b.

[0] #446
[1] eksctl-io/eksctl#788
[2] eksctl-io/eksctl#993

[toabctl]

@abeer91 @M00nF1sh could you have a look please given that you did the commit and review for the revert?

[toabctl]

Friendly ping, @abeer91 @M00nF1sh

[toabctl]

anybody else who could have a look here?

[toabctl]

friendly ping ... what's the problem with looking into this?

[M00nF1sh]

/lgtm

@toabctl thanks for contributing and sorry for the late response. The pings just get buried in hundreds of emails :(.
I'll ping our worker AMI team internally to make the final decision.

[toabctl]

@M00nF1sh another friendly ping after some more month....

[toabctl]

@M00nF1sh friendly ping. it's now half a year. can you please review this?

[M00nF1sh]

@toabctl hmm, just pinged peers in nodes team to review this PR.
seems this is a breaking change on for certain eksctl versions, i'll let ppl from nodes teams to comment on this

[mmerkes]

Sorry this PR has been languishing. Overall, I like the change. However, there is one blocker. For K8s version 1.24, client.authentication.k8s.io/v1alpha1 is no longer supported, so we now have a dependency on this AWS CLI change. The AmazonLinux yum repos are using an old AWS CLI version, which doesn't include that change. They're working on upgrading the CLI soon, and when it's available, our AMIs will automatically pull it in and we can go forward with this change.

If you can update this PR with client.authentication.k8s.io/v1beta1, we'll revisit this as soon as the AWS CLI is updated and try to merge this.

@cartermckinnon We on the same page here?

[mmerkes]

Actually, I'll update the API version as part of this issue, so you'll just need to rebase after that.

[toabctl]

Actually, I'll update the API version as part of this issue, so you'll just need to rebase after that.

ack

[mmerkes]

We've been discussing this internally. The blocker has been that the awscli version in the yum repos is fairly out of date, and while we're working on installing the awscli via another method in this PR, it's not an option in all regions. We have limited control over the availability of the awscli, but we do have control over the authenticator availability as we publish those binaries. For that reason, I don't think we're going to go this direction. This issue could be resolved soon, but we'd be in the same boat if the API updated again. We like the simplification and reduced dependencies here, but we may still need to provide the authenticator here if other customers possibly depend on that.

I'm going to close this for now. If there's advantages for doing this other than the simplification, let me know and we can reconsider.