Support EKS upgrade policy

Author: phuhung273

config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml

@@ -3196,6 +3196,17 @@ spec:
                 - iam-authenticator
                 - aws-cli
                 type: string
+              upgradePolicy:
+                description: |-
+                  The support policy to use for the cluster.
+                  Extended support indicates that the cluster will not be automatically upgraded
+                  when it leaves the standard support period, and will enter extended support.
+                  Clusters in extended support have higher costs.
+                  The default value is extended. Use standard to disable extended support.
+                enum:
+                - extended
+                - standard
+                type: string
               version:
                 description: |-
                   Version defines the desired Kubernetes version. If no version number

controlplane/eks/api/v1beta1/conversion.go

@@ -121,6 +121,7 @@ func (r *AWSManagedControlPlane) ConvertTo(dstRaw conversion.Hub) error {
 	dst.Spec.RolePermissionsBoundary = restored.Spec.RolePermissionsBoundary
 	dst.Status.Version = restored.Status.Version
 	dst.Spec.BootstrapSelfManagedAddons = restored.Spec.BootstrapSelfManagedAddons
+	dst.Spec.UpgradePolicy = restored.Spec.UpgradePolicy
 	return nil
 }
 

controlplane/eks/api/v1beta1/zz_generated.conversion.go

@@ -208,6 +208,15 @@ type AWSManagedControlPlaneSpec struct { //nolint: maligned
 
 	// KubeProxy defines managed attributes of the kube-proxy daemonset
 	KubeProxy KubeProxy `json:"kubeProxy,omitempty"`
+
+	// The support policy to use for the cluster.
+	// Extended support indicates that the cluster will not be automatically upgraded
+	// when it leaves the standard support period, and will enter extended support.
+	// Clusters in extended support have higher costs.
+	// The default value is extended. Use standard to disable extended support.
+	// +kubebuilder:validation:Enum=extended;standard
+	// +optional
+	UpgradePolicy *UpgradePolicy `json:"upgradePolicy,omitempty"`
 }
 
 // KubeProxy specifies how the kube-proxy daemonset is managed.

controlplane/eks/api/v1beta2/awsmanagedcontrolplane_types.go

@@ -220,6 +220,24 @@ type AddonIssue struct {
 	ResourceIDs []string `json:"resourceIds,omitempty"`
 }
 
+// UpgradePolicy defines the support policy to use for the cluster.
+type UpgradePolicy string
+
+var (
+	// UpgradePolicyExtended indicates that the cluster will not be automatically upgraded
+	// when it leaves the standard support period, and will enter extended support.
+	// Clusters in extended support have higher costs.
+	UpgradePolicyExtended = UpgradePolicy("extended")
+
+	// UpgradePolicyStandard indicates that the cluster will be automatically upgraded
+	// when it leaves the standard support period.
+	UpgradePolicyStandard = UpgradePolicy("standard")
+)
+
+func (e UpgradePolicy) String() string {
+	return string(e)
+}
+
 const (
 	// SecurityGroupCluster is the security group for communication between EKS
 	// control plane and managed node groups.

controlplane/eks/api/v1beta2/types.go

@@ -14,6 +14,9 @@ clusterctl generate cluster capi-eks-quickstart --flavor eks-managedmachinepool
 
 NOTE: When creating an EKS cluster only the **MAJOR.MINOR** of the `-kubernetes-version` is taken into consideration.
 
+By default, EKS cluster uses:
+- EXTENDED support. See more info about [cluster upgrade policy](https://docs.aws.amazon.com/eks/latest/userguide/view-upgrade-policy.html)
+
 ## Kubeconfig
 
 When creating an EKS cluster 2 kubeconfigs are generated and stored as secrets in the management cluster. This is different to when you create a non-managed cluster using the AWS provider.

controlplane/eks/api/v1beta2/zz_generated.deepcopy.go

@@ -278,3 +278,11 @@ func AddonConflictResolutionFromSDK(conflict ekstypes.ResolveConflicts) *string
 	}
 	return aws.String(string(ekscontrolplanev1.AddonResolutionOverwrite))
 }
+
+// SupportTypeToSDK converts CAPA upgrade support policy types to SDK types.
+func SupportTypeToSDK(input ekscontrolplanev1.UpgradePolicy) ekstypes.SupportType {
+	if input == ekscontrolplanev1.UpgradePolicyStandard {
+		return ekstypes.SupportTypeStandard
+	}
+	return ekstypes.SupportTypeExtended
+}

docs/book/src/topics/eks/creating-a-cluster.md

@@ -20,6 +20,7 @@ import (
 	"context"
 	"fmt"
 	"net"
+	"strings"
 	"time"
 
 	"github.com/aws/aws-sdk-go-v2/aws"
@@ -35,6 +36,7 @@ import (
 	infrav1 "sigs.k8s.io/cluster-api-provider-aws/v2/api/v1beta2"
 	ekscontrolplanev1 "sigs.k8s.io/cluster-api-provider-aws/v2/controlplane/eks/api/v1beta2"
 	"sigs.k8s.io/cluster-api-provider-aws/v2/pkg/cloud/awserrors"
+	"sigs.k8s.io/cluster-api-provider-aws/v2/pkg/cloud/converters"
 	"sigs.k8s.io/cluster-api-provider-aws/v2/pkg/cloud/services/wait"
 	"sigs.k8s.io/cluster-api-provider-aws/v2/pkg/internal/cidr"
 	"sigs.k8s.io/cluster-api-provider-aws/v2/pkg/internal/cmp"
@@ -460,6 +462,14 @@ func (s *Service) createCluster(ctx context.Context, eksClusterName string) (*ek
 		eksVersion = &v
 	}
 
+	var upgradePolicy *ekstypes.UpgradePolicyRequest
+
+	if s.scope.ControlPlane.Spec.UpgradePolicy != nil {
+		upgradePolicy = &ekstypes.UpgradePolicyRequest{
+			SupportType: converters.SupportTypeToSDK(*s.scope.ControlPlane.Spec.UpgradePolicy),
+		}
+	}
+
 	bootstrapAddon := s.scope.BootstrapSelfManagedAddons()
 	input := &eks.CreateClusterInput{
 		Name:                       aws.String(eksClusterName),
@@ -471,6 +481,7 @@ func (s *Service) createCluster(ctx context.Context, eksClusterName string) (*ek
 		Tags:                       tags,
 		KubernetesNetworkConfig:    netConfig,
 		BootstrapSelfManagedAddons: bootstrapAddon,
+		UpgradePolicy:              upgradePolicy,
 	}
 
 	var out *eks.CreateClusterOutput
@@ -526,6 +537,12 @@ func (s *Service) reconcileClusterConfig(ctx context.Context, cluster *ekstypes.
 		input.ResourcesVpcConfig = updateVpcConfig
 	}
 
+	updateUpgradePolicy := s.reconcileUpgradePolicy(cluster.UpgradePolicy)
+	if updateUpgradePolicy != nil {
+		needsUpdate = true
+		input.UpgradePolicy = updateUpgradePolicy
+	}
+
 	if needsUpdate {
 		if err := wait.WaitForWithRetryable(wait.NewBackoff(), func() (bool, error) {
 			if _, err := s.EKSClient.UpdateClusterConfig(ctx, input); err != nil {
@@ -719,6 +736,31 @@ func (s *Service) reconcileClusterVersion(ctx context.Context, cluster *ekstypes
 	return nil
 }
 
+func (s *Service) reconcileUpgradePolicy(upgradePolicy *ekstypes.UpgradePolicyResponse) *ekstypes.UpgradePolicyRequest {
+	s.Info("reconciling upgrade policy")
+
+	if upgradePolicy == nil {
+		s.Debug("cannot get cluster upgrade policy, no action")
+		return nil
+	}
+
+	clusterUpgradePolicy := upgradePolicy.SupportType
+
+	if s.scope.ControlPlane.Spec.UpgradePolicy == nil {
+		s.Debug("upgrade policy not given, no action")
+		return nil
+	}
+
+	if strings.ToLower(string(clusterUpgradePolicy)) == s.scope.ControlPlane.Spec.UpgradePolicy.String() {
+		s.Debug("upgrade policy unchanged, no action")
+		return nil
+	}
+
+	return &ekstypes.UpgradePolicyRequest{
+		SupportType: converters.SupportTypeToSDK(*s.scope.ControlPlane.Spec.UpgradePolicy),
+	}
+}
+
 func (s *Service) describeEKSCluster(ctx context.Context, eksClusterName string) (*ekstypes.Cluster, error) {
 	input := &eks.DescribeClusterInput{
 		Name: aws.String(eksClusterName),

pkg/cloud/converters/eks.go

@@ -535,6 +535,7 @@ func TestCreateCluster(t *testing.T) {
 						RoleName:                   tc.role,
 						NetworkSpec:                infrav1.NetworkSpec{Subnets: tc.subnets},
 						BootstrapSelfManagedAddons: false,
+						UpgradePolicy:              &ekscontrolplanev1.UpgradePolicyStandard,
 					},
 				},
 			})
@@ -557,6 +558,9 @@ func TestCreateCluster(t *testing.T) {
 					Tags:                       tc.tags,
 					Version:                    version,
 					BootstrapSelfManagedAddons: aws.Bool(false),
+					UpgradePolicy: &ekstypes.UpgradePolicyRequest{
+						SupportType: ekstypes.SupportTypeStandard,
+					},
 				}).Return(&eks.CreateClusterOutput{}, nil)
 			}
 			s := NewService(scope)
@@ -688,6 +692,91 @@ func TestReconcileEKSEncryptionConfig(t *testing.T) {
 	}
 }
 
+func TestReconcileUpgradePolicy(t *testing.T) {
+	clusterName := "default.cluster"
+	tests := []struct {
+		name             string
+		oldUpgradePolicy *ekstypes.UpgradePolicyResponse
+		newUpgradePolicy *ekscontrolplanev1.UpgradePolicy
+		expect           *ekstypes.UpgradePolicyRequest
+		expectError      bool
+	}{
+		{
+			name: "no update necessary - no upgrade policy specified",
+			oldUpgradePolicy: &ekstypes.UpgradePolicyResponse{
+				SupportType: ekstypes.SupportTypeStandard,
+			},
+			expect:      nil,
+			expectError: false,
+		},
+		{
+			name:             "no update necessary - cannot get cluster upgrade policy",
+			newUpgradePolicy: &ekscontrolplanev1.UpgradePolicyStandard,
+			expect:           nil,
+			expectError:      false,
+		},
+		{
+			name: "no update necessary - upgrade policy unchanged",
+			oldUpgradePolicy: &ekstypes.UpgradePolicyResponse{
+				SupportType: ekstypes.SupportTypeStandard,
+			},
+			newUpgradePolicy: &ekscontrolplanev1.UpgradePolicyStandard,
+			expect:           nil,
+			expectError:      false,
+		},
+		{
+			name: "needs update",
+			oldUpgradePolicy: &ekstypes.UpgradePolicyResponse{
+				SupportType: ekstypes.SupportTypeStandard,
+			},
+			newUpgradePolicy: &ekscontrolplanev1.UpgradePolicyExtended,
+			expect: &ekstypes.UpgradePolicyRequest{
+				SupportType: ekstypes.SupportTypeExtended,
+			},
+			expectError: false,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			g := NewWithT(t)
+
+			mockControl := gomock.NewController(t)
+			defer mockControl.Finish()
+
+			scheme := runtime.NewScheme()
+			_ = infrav1.AddToScheme(scheme)
+			_ = ekscontrolplanev1.AddToScheme(scheme)
+			client := fake.NewClientBuilder().WithScheme(scheme).Build()
+			scope, err := scope.NewManagedControlPlaneScope(scope.ManagedControlPlaneScopeParams{
+				Client: client,
+				Cluster: &clusterv1.Cluster{
+					ObjectMeta: metav1.ObjectMeta{
+						Namespace: "ns",
+						Name:      clusterName,
+					},
+				},
+				ControlPlane: &ekscontrolplanev1.AWSManagedControlPlane{
+					Spec: ekscontrolplanev1.AWSManagedControlPlaneSpec{
+						Version:       aws.String("1.16"),
+						UpgradePolicy: tc.newUpgradePolicy,
+					},
+				},
+			})
+			g.Expect(err).To(BeNil())
+
+			s := NewService(scope)
+
+			upgradePolicyRequest := s.reconcileUpgradePolicy(tc.oldUpgradePolicy)
+			if tc.expectError {
+				g.Expect(err).To(HaveOccurred())
+				return
+			}
+			g.Expect(upgradePolicyRequest).To(Equal(tc.expect))
+		})
+	}
+}
+
 func TestCreateIPv6Cluster(t *testing.T) {
 	g := NewWithT(t)