feat(aws-eks): add annotations and labels to service accounts (#19609)

I have added two optional props for the serviceaccount: * annotations * labels at the moment, both aren't accessible. It's possible to create kubernetes patches for this, but the same time it's only a small change to enable both options in a backward compatible way. fixes #19607 ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: no ### New Features * I have added an unit test for the extended properties *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Apr 26, 2022 · 82aec9d · 82aec9d
1 parent 6787376
commit 82aec9d
Show file tree

Hide file tree

Showing 9 changed files with 513 additions and 137 deletions.
diff --git a/packages/@aws-cdk/aws-eks/README.md b/packages/@aws-cdk/aws-eks/README.md
@@ -903,6 +903,21 @@ new CfnOutput(this, 'ServiceAccountIamRole', { value: serviceAccount.role.roleAr
 Note that using `serviceAccount.serviceAccountName` above **does not** translate into a resource dependency.
 This is why an explicit dependency is needed. See <https://github.com/aws/aws-cdk/issues/9910> for more details.
 
+It is possible to pass annotations and labels to the service account.
+
+```ts
+declare const cluster: eks.Cluster;
+// add service account with annotations and labels
+const serviceAccount = cluster.addServiceAccount('MyServiceAccount', {
+  annotations: {
+    'eks.amazonaws.com/sts-regional-endpoints': 'false',
+  },
+  labels: {
+    'some-label': 'with-some-value',
+  },
+});
+```
+
 You can also add service accounts to existing clusters.
 To do so, pass the `openIdConnectProvider` property when you import the cluster into the application.
 

diff --git a/packages/@aws-cdk/aws-eks/lib/service-account.ts b/packages/@aws-cdk/aws-eks/lib/service-account.ts
@@ -29,6 +29,20 @@ export interface ServiceAccountOptions {
    * @default "default"
    */
   readonly namespace?: string;
+
+  /**
+   * Additional annotations of the service account.
+   *
+   * @default - no additional annotations
+   */
+  readonly annotations?: {[key:string]: string};
+
+  /**
+   * Additional labels of the service account.
+   *
+   * @default - no additional labels
+   */
+  readonly labels?: {[key:string]: string};
 }
 
 /**
@@ -113,9 +127,11 @@ export class ServiceAccount extends CoreConstruct implements IPrincipal {
           namespace: this.serviceAccountNamespace,
           labels: {
             'app.kubernetes.io/name': this.serviceAccountName,
+            ...props.labels,
           },
           annotations: {
             'eks.amazonaws.com/role-arn': this.role.roleArn,
+            ...props.annotations,
           },
         },
       }],

diff --git a/...s/@aws-cdk/aws-eks/test/eks-cluster.integ.snapshot/aws-cdk-eks-cluster-test.template.json b/...s/@aws-cdk/aws-eks/test/eks-cluster.integ.snapshot/aws-cdk-eks-cluster-test.template.json
@@ -3169,6 +3169,123 @@
    "UpdateReplacePolicy": "Delete",
    "DeletionPolicy": "Delete"
   },
+  "ClusterMyExtendedServiceAccountConditionJsonF780F28A": {
+   "Type": "Custom::AWSCDKCfnJson",
+   "Properties": {
+    "ServiceToken": {
+     "Fn::GetAtt": [
+      "AWSCDKCfnUtilsProviderCustomResourceProviderHandlerCF82AA57",
+      "Arn"
+     ]
+    },
+    "Value": {
+     "Fn::Join": [
+      "",
+      [
+       "{\"",
+       {
+        "Fn::Select": [
+         1,
+         {
+          "Fn::Split": [
+           ":oidc-provider/",
+           {
+            "Ref": "ClusterOpenIdConnectProviderE7EB0530"
+           }
+          ]
+         }
+        ]
+       },
+       ":aud\":\"sts.amazonaws.com\",\"",
+       {
+        "Fn::Select": [
+         1,
+         {
+          "Fn::Split": [
+           ":oidc-provider/",
+           {
+            "Ref": "ClusterOpenIdConnectProviderE7EB0530"
+           }
+          ]
+         }
+        ]
+       },
+       ":sub\":\"system:serviceaccount:default:awscdkeksclustertestclustermyextendedserviceaccounte1ac12ae\"}"
+      ]
+     ]
+    }
+   },
+   "UpdateReplacePolicy": "Delete",
+   "DeletionPolicy": "Delete"
+  },
+  "ClusterMyExtendedServiceAccountRole064047AA": {
+   "Type": "AWS::IAM::Role",
+   "Properties": {
+    "AssumeRolePolicyDocument": {
+     "Statement": [
+      {
+       "Action": "sts:AssumeRoleWithWebIdentity",
+       "Condition": {
+        "StringEquals": {
+         "Fn::GetAtt": [
+          "ClusterMyExtendedServiceAccountConditionJsonF780F28A",
+          "Value"
+         ]
+        }
+       },
+       "Effect": "Allow",
+       "Principal": {
+        "Federated": {
+         "Ref": "ClusterOpenIdConnectProviderE7EB0530"
+        }
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    }
+   }
+  },
+  "ClusterMyExtendedServiceAccountmanifestMyExtendedServiceAccountServiceAccountResource90162712": {
+   "Type": "Custom::AWSCDK-EKS-KubernetesResource",
+   "Properties": {
+    "ServiceToken": {
+     "Fn::GetAtt": [
+      "awscdkawseksKubectlProviderNestedStackawscdkawseksKubectlProviderNestedStackResourceA7AEBA6B",
+      "Outputs.awscdkeksclustertestawscdkawseksKubectlProviderframeworkonEventC681B49AArn"
+     ]
+    },
+    "Manifest": {
+     "Fn::Join": [
+      "",
+      [
+       "[{\"apiVersion\":\"v1\",\"kind\":\"ServiceAccount\",\"metadata\":{\"name\":\"awscdkeksclustertestclustermyextendedserviceaccounte1ac12ae\",\"namespace\":\"default\",\"labels\":{\"aws.cdk.eks/prune-c8794052a8684d4683f84b33861d88bc4524fe40a4\":\"\",\"app.kubernetes.io/name\":\"awscdkeksclustertestclustermyextendedserviceaccounte1ac12ae\",\"some-label\":\"with-some-value\"},\"annotations\":{\"eks.amazonaws.com/role-arn\":\"",
+       {
+        "Fn::GetAtt": [
+         "ClusterMyExtendedServiceAccountRole064047AA",
+         "Arn"
+        ]
+       },
+       "\",\"eks.amazonaws.com/sts-regional-endpoints\":\"false\"}}}]"
+      ]
+     ]
+    },
+    "ClusterName": {
+     "Ref": "Cluster9EE0221C"
+    },
+    "RoleArn": {
+     "Fn::GetAtt": [
+      "ClusterCreationRole360249B6",
+      "Arn"
+     ]
+    },
+    "PruneLabel": "aws.cdk.eks/prune-c8794052a8684d4683f84b33861d88bc4524fe40a4"
+   },
+   "DependsOn": [
+    "ClusterKubectlReadyBarrier200052AF"
+   ],
+   "UpdateReplacePolicy": "Delete",
+   "DeletionPolicy": "Delete"
+  },
   "awscdkawseksClusterResourceProviderNestedStackawscdkawseksClusterResourceProviderNestedStackResource9827C454": {
    "Type": "AWS::CloudFormation::Stack",
    "Properties": {
@@ -3182,7 +3299,7 @@
        },
        "/",
        {
-        "Ref": "AssetParametersea4150cc2723f9fec69c9ba0c3ec4c8c5fe6f46ca1b9b7e60840fc65db4fea8dS3Bucket8C46C646"
+        "Ref": "AssetParameters91f8755870f504ae642e221f6da2fbeb064aa2e77da4db41c8204d4a477820a2S3BucketD8DE40A2"
        },
        "/",
        {
@@ -3192,7 +3309,7 @@
           "Fn::Split": [
            "||",
            {
-            "Ref": "AssetParametersea4150cc2723f9fec69c9ba0c3ec4c8c5fe6f46ca1b9b7e60840fc65db4fea8dS3VersionKey056EDDA8"
+            "Ref": "AssetParameters91f8755870f504ae642e221f6da2fbeb064aa2e77da4db41c8204d4a477820a2S3VersionKey56F85494"
            }
           ]
          }
@@ -3205,7 +3322,7 @@
           "Fn::Split": [
            "||",
            {
-            "Ref": "AssetParametersea4150cc2723f9fec69c9ba0c3ec4c8c5fe6f46ca1b9b7e60840fc65db4fea8dS3VersionKey056EDDA8"
+            "Ref": "AssetParameters91f8755870f504ae642e221f6da2fbeb064aa2e77da4db41c8204d4a477820a2S3VersionKey56F85494"
            }
           ]
          }
@@ -3257,7 +3374,7 @@
        },
        "/",
        {
-        "Ref": "AssetParametersbff088c569c330c279e54fe0e98fc4226648b5b86454bb2ad9491b2ca6befdd2S3Bucket02334476"
+        "Ref": "AssetParametersbd8c31619d7a041234290aeca57f70c3e60bf4783dbf50624b41353a0e7672feS3Bucket6E7361AC"
        },
        "/",
        {
@@ -3267,7 +3384,7 @@
           "Fn::Split": [
            "||",
            {
-            "Ref": "AssetParametersbff088c569c330c279e54fe0e98fc4226648b5b86454bb2ad9491b2ca6befdd2S3VersionKey4DD620E2"
+            "Ref": "AssetParametersbd8c31619d7a041234290aeca57f70c3e60bf4783dbf50624b41353a0e7672feS3VersionKey6448B02B"
            }
           ]
          }
@@ -3280,7 +3397,7 @@
           "Fn::Split": [
            "||",
            {
-            "Ref": "AssetParametersbff088c569c330c279e54fe0e98fc4226648b5b86454bb2ad9491b2ca6befdd2S3VersionKey4DD620E2"
+            "Ref": "AssetParametersbd8c31619d7a041234290aeca57f70c3e60bf4783dbf50624b41353a0e7672feS3VersionKey6448B02B"
            }
           ]
          }
@@ -3323,11 +3440,11 @@
        "ClusterSecurityGroupId"
       ]
      },
-     "referencetoawscdkeksclustertestAssetParameters01e9cf93416a1f67b17dad851459445bdaaafcc2f3ab4390c03984fd57b2f476S3Bucket81FF031ERef": {
-      "Ref": "AssetParameters01e9cf93416a1f67b17dad851459445bdaaafcc2f3ab4390c03984fd57b2f476S3BucketC0D91AC4"
+     "referencetoawscdkeksclustertestAssetParametersdb6b1b1d10ac786ce3eb5f326510da62c14c0e4477065964c4cdf7a54439f131S3BucketF401902DRef": {
+      "Ref": "AssetParametersdb6b1b1d10ac786ce3eb5f326510da62c14c0e4477065964c4cdf7a54439f131S3BucketB5BDD0CD"
      },
-     "referencetoawscdkeksclustertestAssetParameters01e9cf93416a1f67b17dad851459445bdaaafcc2f3ab4390c03984fd57b2f476S3VersionKeyA669A4EBRef": {
-      "Ref": "AssetParameters01e9cf93416a1f67b17dad851459445bdaaafcc2f3ab4390c03984fd57b2f476S3VersionKey26CFD1B0"
+     "referencetoawscdkeksclustertestAssetParametersdb6b1b1d10ac786ce3eb5f326510da62c14c0e4477065964c4cdf7a54439f131S3VersionKey4C2DA8A7Ref": {
+      "Ref": "AssetParametersdb6b1b1d10ac786ce3eb5f326510da62c14c0e4477065964c4cdf7a54439f131S3VersionKey31B1BA95"
      },
      "referencetoawscdkeksclustertestAssetParametersc6964dbf0c556ec82ce09622e99ad6f6d4e488cdaac0ef9e8492e078ec61ffedS3Bucket1C5C92D4Ref": {
       "Ref": "AssetParametersc6964dbf0c556ec82ce09622e99ad6f6d4e488cdaac0ef9e8492e078ec61ffedS3Bucket83B8778F"
@@ -3712,17 +3829,17 @@
    "Type": "String",
    "Description": "Artifact hash for asset \"07a1c6a504be72dba3e9bc5b12cc2b5b0e83ea5c6ba10a4128da5c2180f3f963\""
   },
-  "AssetParameters01e9cf93416a1f67b17dad851459445bdaaafcc2f3ab4390c03984fd57b2f476S3BucketC0D91AC4": {
+  "AssetParametersdb6b1b1d10ac786ce3eb5f326510da62c14c0e4477065964c4cdf7a54439f131S3BucketB5BDD0CD": {
    "Type": "String",
-   "Description": "S3 bucket for asset \"01e9cf93416a1f67b17dad851459445bdaaafcc2f3ab4390c03984fd57b2f476\""
+   "Description": "S3 bucket for asset \"db6b1b1d10ac786ce3eb5f326510da62c14c0e4477065964c4cdf7a54439f131\""
   },
-  "AssetParameters01e9cf93416a1f67b17dad851459445bdaaafcc2f3ab4390c03984fd57b2f476S3VersionKey26CFD1B0": {
+  "AssetParametersdb6b1b1d10ac786ce3eb5f326510da62c14c0e4477065964c4cdf7a54439f131S3VersionKey31B1BA95": {
    "Type": "String",
-   "Description": "S3 key for asset version \"01e9cf93416a1f67b17dad851459445bdaaafcc2f3ab4390c03984fd57b2f476\""
+   "Description": "S3 key for asset version \"db6b1b1d10ac786ce3eb5f326510da62c14c0e4477065964c4cdf7a54439f131\""
   },
-  "AssetParameters01e9cf93416a1f67b17dad851459445bdaaafcc2f3ab4390c03984fd57b2f476ArtifactHash0FB7E57C": {
+  "AssetParametersdb6b1b1d10ac786ce3eb5f326510da62c14c0e4477065964c4cdf7a54439f131ArtifactHash51AE2352": {
    "Type": "String",
-   "Description": "Artifact hash for asset \"01e9cf93416a1f67b17dad851459445bdaaafcc2f3ab4390c03984fd57b2f476\""
+   "Description": "Artifact hash for asset \"db6b1b1d10ac786ce3eb5f326510da62c14c0e4477065964c4cdf7a54439f131\""
   },
   "AssetParametersc6964dbf0c556ec82ce09622e99ad6f6d4e488cdaac0ef9e8492e078ec61ffedS3Bucket83B8778F": {
    "Type": "String",
@@ -3772,29 +3889,29 @@
    "Type": "String",
    "Description": "Artifact hash for asset \"f850d967c52a5f64e6436dc84abdde4d86197f2a0871f5ab27c79647a91d0bf4\""
   },
-  "AssetParametersea4150cc2723f9fec69c9ba0c3ec4c8c5fe6f46ca1b9b7e60840fc65db4fea8dS3Bucket8C46C646": {
+  "AssetParameters91f8755870f504ae642e221f6da2fbeb064aa2e77da4db41c8204d4a477820a2S3BucketD8DE40A2": {
    "Type": "String",
-   "Description": "S3 bucket for asset \"ea4150cc2723f9fec69c9ba0c3ec4c8c5fe6f46ca1b9b7e60840fc65db4fea8d\""
+   "Description": "S3 bucket for asset \"91f8755870f504ae642e221f6da2fbeb064aa2e77da4db41c8204d4a477820a2\""
   },
-  "AssetParametersea4150cc2723f9fec69c9ba0c3ec4c8c5fe6f46ca1b9b7e60840fc65db4fea8dS3VersionKey056EDDA8": {
+  "AssetParameters91f8755870f504ae642e221f6da2fbeb064aa2e77da4db41c8204d4a477820a2S3VersionKey56F85494": {
    "Type": "String",
-   "Description": "S3 key for asset version \"ea4150cc2723f9fec69c9ba0c3ec4c8c5fe6f46ca1b9b7e60840fc65db4fea8d\""
+   "Description": "S3 key for asset version \"91f8755870f504ae642e221f6da2fbeb064aa2e77da4db41c8204d4a477820a2\""
   },
-  "AssetParametersea4150cc2723f9fec69c9ba0c3ec4c8c5fe6f46ca1b9b7e60840fc65db4fea8dArtifactHashCC9BD51B": {
+  "AssetParameters91f8755870f504ae642e221f6da2fbeb064aa2e77da4db41c8204d4a477820a2ArtifactHash1C092305": {
    "Type": "String",
-   "Description": "Artifact hash for asset \"ea4150cc2723f9fec69c9ba0c3ec4c8c5fe6f46ca1b9b7e60840fc65db4fea8d\""
+   "Description": "Artifact hash for asset \"91f8755870f504ae642e221f6da2fbeb064aa2e77da4db41c8204d4a477820a2\""
   },
-  "AssetParametersbff088c569c330c279e54fe0e98fc4226648b5b86454bb2ad9491b2ca6befdd2S3Bucket02334476": {
+  "AssetParametersbd8c31619d7a041234290aeca57f70c3e60bf4783dbf50624b41353a0e7672feS3Bucket6E7361AC": {
    "Type": "String",
-   "Description": "S3 bucket for asset \"bff088c569c330c279e54fe0e98fc4226648b5b86454bb2ad9491b2ca6befdd2\""
+   "Description": "S3 bucket for asset \"bd8c31619d7a041234290aeca57f70c3e60bf4783dbf50624b41353a0e7672fe\""
   },
-  "AssetParametersbff088c569c330c279e54fe0e98fc4226648b5b86454bb2ad9491b2ca6befdd2S3VersionKey4DD620E2": {
+  "AssetParametersbd8c31619d7a041234290aeca57f70c3e60bf4783dbf50624b41353a0e7672feS3VersionKey6448B02B": {
    "Type": "String",
-   "Description": "S3 key for asset version \"bff088c569c330c279e54fe0e98fc4226648b5b86454bb2ad9491b2ca6befdd2\""
+   "Description": "S3 key for asset version \"bd8c31619d7a041234290aeca57f70c3e60bf4783dbf50624b41353a0e7672fe\""
   },
-  "AssetParametersbff088c569c330c279e54fe0e98fc4226648b5b86454bb2ad9491b2ca6befdd2ArtifactHashCAA18A23": {
+  "AssetParametersbd8c31619d7a041234290aeca57f70c3e60bf4783dbf50624b41353a0e7672feArtifactHash9F07E531": {
    "Type": "String",
-   "Description": "Artifact hash for asset \"bff088c569c330c279e54fe0e98fc4226648b5b86454bb2ad9491b2ca6befdd2\""
+   "Description": "Artifact hash for asset \"bd8c31619d7a041234290aeca57f70c3e60bf4783dbf50624b41353a0e7672fe\""
   },
   "SsmParameterValueawsserviceeksoptimizedami121amazonlinux2recommendedimageidC96584B6F00A464EAD1953AFF4B05118Parameter": {
    "Type": "AWS::SSM::Parameter::Value<String>",

diff --git a/...shot/awscdkeksclustertestawscdkawseksClusterResourceProvider5F388D1A.nested.template.json b/...shot/awscdkeksclustertestawscdkawseksClusterResourceProvider5F388D1A.nested.template.json
@@ -146,6 +146,11 @@
      ]
     },
     "Description": "onEvent handler for EKS cluster resource provider",
+    "Environment": {
+     "Variables": {
+      "AWS_STS_REGIONAL_ENDPOINTS": "regional"
+     }
+    },
     "Handler": "index.onEvent",
     "Layers": [
      {
@@ -262,6 +267,11 @@
      ]
     },
     "Description": "isComplete handler for EKS cluster resource provider",
+    "Environment": {
+     "Variables": {
+      "AWS_STS_REGIONAL_ENDPOINTS": "regional"
+     }
+    },
     "Handler": "index.isComplete",
     "Layers": [
      {

diff --git a/...teg.snapshot/awscdkeksclustertestawscdkawseksKubectlProviderE05943BF.nested.template.json b/...teg.snapshot/awscdkeksclustertestawscdkawseksKubectlProviderE05943BF.nested.template.json
@@ -212,7 +212,7 @@
    "Properties": {
     "Content": {
      "S3Bucket": {
-      "Ref": "referencetoawscdkeksclustertestAssetParameters01e9cf93416a1f67b17dad851459445bdaaafcc2f3ab4390c03984fd57b2f476S3Bucket81FF031ERef"
+      "Ref": "referencetoawscdkeksclustertestAssetParametersdb6b1b1d10ac786ce3eb5f326510da62c14c0e4477065964c4cdf7a54439f131S3BucketF401902DRef"
      },
      "S3Key": {
       "Fn::Join": [
@@ -225,7 +225,7 @@
            "Fn::Split": [
             "||",
             {
-             "Ref": "referencetoawscdkeksclustertestAssetParameters01e9cf93416a1f67b17dad851459445bdaaafcc2f3ab4390c03984fd57b2f476S3VersionKeyA669A4EBRef"
+             "Ref": "referencetoawscdkeksclustertestAssetParametersdb6b1b1d10ac786ce3eb5f326510da62c14c0e4477065964c4cdf7a54439f131S3VersionKey4C2DA8A7Ref"
             }
            ]
           }
@@ -238,7 +238,7 @@
            "Fn::Split": [
             "||",
             {
-             "Ref": "referencetoawscdkeksclustertestAssetParameters01e9cf93416a1f67b17dad851459445bdaaafcc2f3ab4390c03984fd57b2f476S3VersionKeyA669A4EBRef"
+             "Ref": "referencetoawscdkeksclustertestAssetParametersdb6b1b1d10ac786ce3eb5f326510da62c14c0e4477065964c4cdf7a54439f131S3VersionKey4C2DA8A7Ref"
             }
            ]
           }
@@ -498,10 +498,10 @@
   "referencetoawscdkeksclustertestClusterD76DFF87ClusterSecurityGroupId": {
    "Type": "String"
   },
-  "referencetoawscdkeksclustertestAssetParameters01e9cf93416a1f67b17dad851459445bdaaafcc2f3ab4390c03984fd57b2f476S3Bucket81FF031ERef": {
+  "referencetoawscdkeksclustertestAssetParametersdb6b1b1d10ac786ce3eb5f326510da62c14c0e4477065964c4cdf7a54439f131S3BucketF401902DRef": {
    "Type": "String"
   },
-  "referencetoawscdkeksclustertestAssetParameters01e9cf93416a1f67b17dad851459445bdaaafcc2f3ab4390c03984fd57b2f476S3VersionKeyA669A4EBRef": {
+  "referencetoawscdkeksclustertestAssetParametersdb6b1b1d10ac786ce3eb5f326510da62c14c0e4477065964c4cdf7a54439f131S3VersionKey4C2DA8A7Ref": {
    "Type": "String"
   },
   "referencetoawscdkeksclustertestAssetParametersc6964dbf0c556ec82ce09622e99ad6f6d4e488cdaac0ef9e8492e078ec61ffedS3Bucket1C5C92D4Ref": {