Add cluster details to the sts through headers

[kmala]

What type of PR is this?

/kind feature

What this PR does / why we need it:

This PR would add additional headers passing the clusters arn and cx account id when making calls to sts and making calls using an assumed roles.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

- Add cluster details as headers to STS when assuming a role to make requests.
- Add validation for role ARN passed in cloud config

[k8s-ci-robot]

This issue is currently awaiting triage.

If cloud-provider-aws contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-ci-robot]

Hi @kmala. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[dims]

/ok-to-test

[wongma7]

/ok-to-test

[dims]

/assign @nckturner

[cartermckinnon]

Couple nits, nothing major.

/lgtm

[kmala]

/retest

[k8s-ci-robot]

@kmala: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-cloud-provider-aws-e2e-kubetest2	14a13ad	link	false	/test pull-cloud-provider-aws-e2e-kubetest2

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[kmala]

/retest

[nckturner]

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cartermckinnon, nckturner

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [nckturner]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[xrstf]

Just as a heads up: So far we were (mis)using the AWS CCM and configured it using a cloud-config that looked like this:

[global]
Zone="eu-west-1x"
VPC="vpc-0b91611f9eac0a67e"
SubnetID=""
RouteTableID="rtb-0440fe43a1d83a5d6"
RoleARN="kubernetes-my-cluster-control-plane"
KubernetesClusterID="my-cluster"
DisableSecurityGroupIngress=false
ElbSecurityGroup=""

Even though the field was clearly named RoleARN, it also accepted a non-ARN value. This PR here however "broke" that (accidental?) compatibility, forcing us to change our code a bit. Which is fine, but the AWS CCM also documents that the CloudConfig should not change in a backwards-incompatible way.

So maybe this "break" would be worth highlighting in the release notes.

[kmala]

Even though the field was clearly named RoleARN, it also accepted a non-ARN value. This PR here however "broke" that (accidental?) compatibility, forcing us to change our code a bit. Which is fine, but the AWS CCM also documents that the CloudConfig should not change in a backwards-incompatible way.

There is no validation before this PR but it wouldn't have worked right?

So maybe this "break" would be worth highlighting in the release notes.

Yes, added to the release notes.

[xrstf]

It worked just fine with a broken ARN value in the RoleARN field. Just not anymore with the 0.29.x AWS CCM releases.

Yes, added to the release notes.

Thanks, but where can I find the release notes for 0.29? I cannot see a GitHub release and https://github.com/kubernetes/cloud-provider-aws/blob/master/docs/CHANGELOG.md stopped at 1.22. Just so in the future I know where to look :-)