fix: enable EKS EOL via endoflife.date and fix aurora-postgresql mapping

- Unblock EKS from ProductsWithNonStandardSchema — endoflife.date data
  works correctly (eol=end of standard support, extendedSupport=true EOL)
- Fix aurora-postgresql mapping to amazon-aurora-postgresql (was wrong)
- Remove aurora-mysql mapping (no endoflife.date product exists; needs AWS API)
- Handle k8s- version prefix in policy version matching
- EKS: 41.9% compliance (65 GREEN, 90 RED), 0 UNKNOWN
- ElastiCache: 94.1% compliance

Amp-Thread-ID: https://ampcode.com/threads/T-019d92b6-b80d-731a-8a83-64e6442ae52c
Co-authored-by: Amp <amp@ampcode.com>

Author: bakayolo

pkg/eol/endoflife/provider.go

@@ -23,30 +23,31 @@ import (
 // and MUST use dedicated providers (e.g., EKSEOLProvider) instead of this generic provider.
 // These products are listed here but blocked by ProductsWithNonStandardSchema below.
 var ProductMapping = map[string]string{
-	// EKS entries are mapped but BLOCKED by ProductsWithNonStandardSchema
-	// because EKS uses non-standard schema where cycle.EOL means "end of standard support"
-	// not "true end of life". Use pkg/eol/aws.EKSEOLProvider instead.
 	"kubernetes": "amazon-eks",
 	"k8s":        "amazon-eks",
 	"eks":        "amazon-eks",
 
 	"postgres":           "amazon-rds-postgresql",
 	"postgresql":         "amazon-rds-postgresql",
 	"mysql":              "amazon-rds-mysql",
-	"aurora-mysql":       "amazon-rds-mysql",
-	"aurora-postgresql":  "amazon-rds-postgresql",
+	"aurora-postgresql":  "amazon-aurora-postgresql",
 	"redis":              "amazon-elasticache-redis",
 	"elasticache-redis":  "amazon-elasticache-redis",
 	"valkey":             "valkey",
 	"elasticache-valkey": "valkey",
+	// Note: aurora-mysql is NOT mapped because endoflife.date has no
+	// amazon-aurora-mysql product. Aurora MySQL uses its own 3.x versioning
+	// that doesn't match amazon-rds-mysql cycles (8.0, 5.7). Needs AWS RDS API.
 }
 
 // ProductsWithNonStandardSchema lists products that MUST NOT use this generic provider
 // because they use non-standard field semantics on endoflife.date.
 // The provider will return an error if these products are requested.
-var ProductsWithNonStandardSchema = []string{
-	"amazon-eks", // cycle.EOL = end of standard support (NOT true EOL!)
-}
+//
+// Note on EKS: endoflife.date's "eol" field for EKS means end of standard support
+// (not true EOL), and "extendedSupport" is the true EOL. This is handled correctly
+// by convertCycle which maps eol→EOLDate and extendedSupport→ExtendedSupportEnd.
+var ProductsWithNonStandardSchema = []string{}
 
 const (
 	providerName = "endoflife-date-api"

pkg/eol/endoflife/provider_test.go

@@ -2,7 +2,6 @@ package endoflife
 
 import (
 	"context"
-	"strings"
 	"testing"
 	"time"
 
@@ -329,35 +328,37 @@ func TestProvider_Engines(t *testing.T) {
 	}
 }
 
-func TestProvider_BlocksNonStandardSchema(t *testing.T) {
-	// EKS/kubernetes should be blocked because it uses non-standard endoflife.date schema
-	// where cycle.EOL means "end of standard support" NOT "true EOL"
+func TestProvider_EKS(t *testing.T) {
 	mockClient := &MockClient{
 		GetProductCyclesFunc: func(ctx context.Context, product string) ([]*ProductCycle, error) {
-			// This should never be called because the guard should reject it first
-			t.Error("GetProductCycles should not be called for blocked products")
-			return nil, nil
+			if product != "amazon-eks" {
+				t.Errorf("Expected product amazon-eks, got %s", product)
+			}
+			return []*ProductCycle{
+				{
+					Cycle:           "1.32",
+					ReleaseDate:     "2024-11-19",
+					EOL:             "2026-12-19",
+					ExtendedSupport: "2027-12-19",
+				},
+			}, nil
 		},
 	}
 
 	provider := NewProvider(mockClient, 1*time.Hour)
 
-	// Test that all EKS-related engine names are blocked
-	blockedEngines := []string{"kubernetes", "k8s", "eks"}
-	for _, engine := range blockedEngines {
+	engines := []string{"kubernetes", "k8s", "eks"}
+	for _, engine := range engines {
 		t.Run(engine, func(t *testing.T) {
-			_, err := provider.ListAllVersions(context.Background(), engine)
-			if err == nil {
-				t.Errorf("Expected error for %s (non-standard schema), got nil", engine)
+			versions, err := provider.ListAllVersions(context.Background(), engine)
+			if err != nil {
+				t.Fatalf("Unexpected error for %s: %v", engine, err)
 			}
-			if err != nil && !strings.Contains(err.Error(), "non-standard") {
-				t.Errorf("Error should mention 'non-standard schema', got: %v", err)
+			if len(versions) != 1 {
+				t.Fatalf("Expected 1 version, got %d", len(versions))
 			}
-
-			// GetVersionLifecycle should also be blocked
-			_, err = provider.GetVersionLifecycle(context.Background(), engine, "1.35")
-			if err == nil {
-				t.Errorf("Expected error for %s in GetVersionLifecycle, got nil", engine)
+			if versions[0].Version != "1.32" {
+				t.Errorf("Expected version 1.32, got %s", versions[0].Version)
 			}
 		})
 	}

pkg/policy/default.go

@@ -248,12 +248,20 @@ func (p *DefaultPolicy) getYellowRecommendation(resource *types.Resource, lifecy
 
 // versionMatches checks if a resource version matches a lifecycle version.
 // endoflife.date uses major.minor cycles (e.g., "8.0") while resources may have
-// full versions (e.g., "8.0.35").
+// full versions (e.g., "8.0.35") or prefixed versions (e.g., "k8s-1.33").
 func versionMatches(lifecycleVersion, resourceVersion string) bool {
 	if lifecycleVersion == resourceVersion {
 		return true
 	}
-	return strings.HasPrefix(resourceVersion, lifecycleVersion+".")
+	// Strip common prefixes for comparison
+	normalized := resourceVersion
+	for _, prefix := range []string{"k8s-", "kubernetes-"} {
+		normalized = strings.TrimPrefix(normalized, prefix)
+	}
+	if lifecycleVersion == normalized {
+		return true
+	}
+	return strings.HasPrefix(normalized, lifecycleVersion+".")
 }
 
 // getSuggestedVersion returns a suggested version based on engine type