feat(eks): allow associating external oidc provider with cluster #26950

Closed
wants to merge 2 commits into from
3 changes: 3 additions & 0 deletions packages/aws-cdk-lib/aws-eks/README.md
Expand Up @@ -1116,6 +1116,9 @@ const cluster = eks.Cluster.fromClusterAttributes(this, 'MyCluster', {
kubectlRoleArn: 'arn:aws:iam::123456:role/service-role/k8sservicerole',
});

// you can also associate a provider created outside the CDK with an existing cluster
const provider3 = cluster.associateOpenIdConnectProvider('arn:aws:iam::123456:oidc-provider/oidc.eks.eu-west-1.amazonaws.com/id/AB123456ABC')

const serviceAccount = cluster.addServiceAccount('MyServiceAccount');

const bucket = new s3.Bucket(this, 'Bucket');
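Review bot: the `provider3` example hands the method a raw ARN string, while the review on `cluster.ts` asks for the method to take an `IOpenIdConnectProvider`; the README snippet needs to track whatever signature lands, and it is also missing its trailing semicolon. It should additionally state the ordering constraint the implementation imposes: `associateOpenIdConnectProvider` must be called before `addServiceAccount` (or anything else that reads `cluster.openIdConnectProvider`), because once the lazy provider has been allocated the call throws. A one-line caveat that the supplied provider must be the one registered for this cluster's OIDC issuer would also help readers, since the service account created on the next line builds its trust on it.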
14 changes: 14 additions & 0 deletions packages/aws-cdk-lib/aws-eks/lib/cluster.ts
Expand Up @@ -1869,6 +1869,20 @@ export class Cluster extends ClusterBase {
});
}

/**
* Manually associate an `OpenIdConnectProvider` resource to this cluster. Skips the lazy
* allocation of an OpenIdConnectProvider.
*
* @param arn the arn of the OIDC provider
*/
public associateOpenIdConnectProvider(arn: string): iam.IOpenIdConnectProvider {
Contributor:
This would need to accept a IOpenIdConnectProvider. not an ARN.

Author:
For sure, I was pretty new to the CDK and my exact use case when I first made this PR. Still finishing up some more important work, but once I finish I'm going to clean this up and finish off the parts the PR is missing.

if (this._openIdConnectProvider) {
throw new Error('Cluster already has an OIDC provider associated.');
}
this._openIdConnectProvider = OpenIdConnectProvider.fromOpenIdConnectProviderArn(this, 'OpenIdConnectProvider', arn);
return this._openIdConnectProvider;
}

/**
* Internal API used by `FargateProfile` to keep inventory of Fargate profiles associated with
* this cluster, for the sake of ensuring the profiles are created sequentially.
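Review bot: `associateOpenIdConnectProvider` accepts any string and imports it via `OpenIdConnectProvider.fromOpenIdConnectProviderArn` with no check that the provider belongs to this cluster's OIDC issuer. Because the stored `_openIdConnectProvider` is what service accounts and the ALB controller later build their role trust on, a mistyped or wrong-cluster ARN would silently yield roles that trust a different issuer. Suggest taking an `iam.IOpenIdConnectProvider` (as the reviewer asks) and comparing its `openIdConnectProviderIssuer` against the cluster's own issuer attribute, throwing on mismatch. The docstring should also say that the method throws when the lazy provider has already been allocated, so callers know it must precede `addServiceAccount` / `AlbController`; the message `'Cluster already has an OIDC provider associated.'` could name that ordering requirement directly.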
17 changes: 17 additions & 0 deletions packages/aws-cdk-lib/aws-eks/test/cluster.test.ts
Expand Up @@ -2173,6 +2173,23 @@ describe('cluster', () => {
},
});
});

test('associating an openIdConnectProvider with a cluster after creation', () => {
// GIVEN
const { stack } = testFixtureNoVpc();
const cluster = new eks.Cluster(stack, 'Cluster', { defaultCapacity: 0, version: CLUSTER_VERSION, prune: false });

// WHEN
const provider = cluster.associateOpenIdConnectProvider('arn:aws:iam::1111111:oidc-provider/oid-already-associated-to-cluster');
const albController = new eks.AlbController(stack, 'albController', {
cluster: cluster,
version: eks.AlbControllerVersion.V2_4_1,
});

// THEN
expect(provider).toEqual(cluster.openIdConnectProvider);
});

test('inference instances are supported', () => {
// GIVEN
const { stack } = testFixtureNoVpc();
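Review bot: the new test only asserts `expect(provider).toEqual(cluster.openIdConnectProvider)`, which does not exercise what the feature is for. `albController` is assigned but never asserted on (and will trip the unused-variable lint), and nothing checks that the synthesized template contains no lazily created OIDC provider resource, that the ALB controller's role trusts the supplied ARN, or that a second `associateOpenIdConnectProvider` call throws `'Cluster already has an OIDC provider associated.'`. Suggest adding a `Template.fromStack(stack)` assertion on the provider resource count and an `expect(() => cluster.associateOpenIdConnectProvider(...)).toThrow(...)` case; `cluster: cluster` can also be shortened to `cluster`.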