fix(sdk-extension-aws): replace deprecated aws-auth ConfigMap check with JWT iss claim detection in AwsEksResourceDetector

[alimx07]

Description

Fixes AwsEksResourceDetector on EKS clusters using the Access Entries API, where the aws-auth ConfigMap no longer exists.

Previously _is_eks() made an HTTP request to the Kubernetes API to check for the aws-auth ConfigMap in the kube-system namespace. This request returns 404 on modern clusters that use the Access Entries API, causing detection to fail even when running on EKS.

The fix decodes the pod service-account JWT locally and checks whether the iss claim matches the EKS OIDC issuer pattern (oidc.eks.*). No network call is needed, the token is already present at the standard Kubernetes service-account path.

Type of change

• Bug fix (non-breaking change which fixes an issue)

How Has This Been Tested?

• Unit tests added covering:
  • EKS OIDC issuer in JWT iss claim → platform detected as aws_eks
  • Non-EKS issuer in JWT iss claim → returns empty resource
• All existing AwsEksResourceDetectorTest tests continue to pass (5/5)
• Manually verified on a live EKS 1.35 cluster with both IRSA and non-IRSA pods

Does This PR Require a Core Repo Change?

• No.

Checklist:

• Followed the style guidelines of this project
• Changelogs have been updated
• Unit tests have been added
• Documentation has been updated

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: alimx07 / name: https://github.com/alimx07 (544ce09, 5d2c207, 8cae40c, 9487fb3, dd19c23)
• ✅ login: MikeGoldsmith / name: Mike Goldsmith (5cdd173, 87b6cd1, b8c0e1a)

[MikeGoldsmith]

Overall looks good - thanks @alimx07. I've left some suggestions we should address before accepting.

[alimx07]

@MikeGoldsmith @xrmx

Thanks for the review. I’ve added the suggested changes. let me know if there’s anything else you’d like me to adjust.

[MikeGoldsmith]

Looks good. I'd still like to see a test for invalid JWTs, eg incorrect number of parts (!= 3) or an invalid base64 encoding.

[alimx07]

Looks good. I'd still like to see a test for invalid JWTs, eg incorrect number of parts (!= 3) or an invalid base64 encoding.

@MikeGoldsmith Done, I have added two tests simulating wrong parts count and invalid json payload.

[MikeGoldsmith]

Thanks @alimx07

[alimx07]

Hi @MikeGoldsmith, just checking, I noticed the PR is still marked as Reviewed PRs that need fixes in the PR digest, not approved. Is there anything still pending or needs to be addressed on my side?

[MikeGoldsmith]

Hi @MikeGoldsmith, just checking, I noticed the PR is still marked as Reviewed PRs that need fixes in the PR digest, not approved. Is there anything still pending or needs to be addressed on my side?

Ah, no - just the automation didn't move it. I'll do it now 👍🏻