initial commit for the fix

aws · Aug 29, 2024 · a77250e · a77250e
1 parent 959d71c
commit a77250e
Show file tree

Hide file tree

Showing 3 changed files with 112 additions and 4 deletions.
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.alb-controller-authapi.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.alb-controller-authapi.ts
@@ -0,0 +1,37 @@
+// ALB controller with EKS cluster that supports API mode only
+import {
+  App, Stack, StackProps,
+  aws_ec2 as ec2,
+} from 'aws-cdk-lib';
+import * as eks from 'aws-cdk-lib/aws-eks';
+import { getClusterVersionConfig } from './integ-tests-kubernetes-version';
+import { IntegTest } from '@aws-cdk/integ-tests-alpha'
+
+class EksClusterStack extends Stack {
+  constructor(scope: App, id: string, props?: StackProps) {
+    super(scope, id, props);
+
+    const vpc = new ec2.Vpc(this, 'Vpc', { maxAzs: 2, natGateways: 1, restrictDefaultSecurityGroup: false });
+
+    const cluster = new eks.Cluster(this, 'Cluster', {
+      vpc,
+      ...getClusterVersionConfig(this, eks.KubernetesVersion.V1_30),
+      defaultCapacity: 2,
+      authenticationMode: eks.AuthenticationMode.API,
+    });
+
+    // create the controller
+    eks.AlbController.create(this, {
+      cluster,
+      version: eks.AlbControllerVersion.V2_6_2,
+    });
+  }
+}
+
+const app = new App();
+
+const stack = new EksClusterStack(app, 'integ-eks-stack');
+
+new IntegTest(app, 'integtest', {
+  testCases: [stack],
+});
diff --git a/packages/aws-cdk-lib/aws-eks/lib/alb-controller.ts b/packages/aws-cdk-lib/aws-eks/lib/alb-controller.ts
@@ -1,7 +1,7 @@
 import * as fs from 'fs';
 import * as path from 'path';
 import { Construct } from 'constructs';
-import { Cluster } from './cluster';
+import { Cluster, AuthenticationMode } from './cluster';
 import { HelmChart } from './helm-chart';
 import { ServiceAccount } from './service-account';
 import * as iam from '../../aws-iam';
@@ -329,7 +329,10 @@ export class AlbController extends Construct {
     // the controller relies on permissions deployed using these resources.
     chart.node.addDependency(serviceAccount);
     chart.node.addDependency(props.cluster.openIdConnectProvider);
-    chart.node.addDependency(props.cluster.awsAuth);
+    if (props.cluster.authenticationMode != AuthenticationMode.API) {
+      // ensure the dependency only when ConfigMap is supported
+      chart.node.addDependency(props.cluster.awsAuth);
+    }
   }
 
   private rewritePolicyResources(resources: string | string[] | undefined): string | string[] | undefined {

diff --git a/packages/aws-cdk-lib/aws-eks/test/alb-controller.test.ts b/packages/aws-cdk-lib/aws-eks/test/alb-controller.test.ts
@@ -1,9 +1,9 @@
 import * as fs from 'fs';
 import * as path from 'path';
 import { testFixture } from './util';
-import { Template } from '../../assertions';
+import { Template, Match } from '../../assertions';
 import * as iam from '../../aws-iam';
-import { Cluster, KubernetesVersion, AlbController, AlbControllerVersion, HelmChart } from '../lib';
+import { Cluster, KubernetesVersion, AlbController, AlbControllerVersion, HelmChart, KubernetesManifest, AuthenticationMode } from '../lib';
 
 test('all vended policies are valid', () => {
   const addOnsDir = path.join(__dirname, '..', 'lib', 'addons');
@@ -118,3 +118,71 @@ test('correct helm chart version is set for selected alb controller version', ()
     },
   });
 });
+
+test('will not create AwsAuth when the authenticationMode is API', () => {
+  const { stack } = testFixture();
+
+  const cluster = new Cluster(stack, 'Cluster', {
+    version: KubernetesVersion.V1_27,
+    authenticationMode: AuthenticationMode.API,
+  });
+
+  AlbController.create(stack, {
+    cluster,
+    version: AlbControllerVersion.V2_6_2,
+  });
+
+  Template.fromStack(stack).hasResourceProperties(KubernetesManifest.RESOURCE_TYPE, Match.not({
+    Manifest: {
+      'Fn::Join': [
+        '',
+        [
+          '[{"apiVersion":"v1","kind":"ConfigMap","metadata":{"name":"aws-auth","namespace":"kube-system","labels":{"aws.cdk.eks/prune-c82ececabf77e03e3590f2ebe02adba8641d1b3e76":""}},"data":{"mapRoles":"[{\\"rolearn\\":\\"',
+          {
+            'Fn::GetAtt': [
+              'ClusterNodegroupDefaultCapacityNodeGroupRole55953B04',
+              'Arn',
+            ],
+          },
+          '\\",\\"username\\":\\"system:node:{{EC2PrivateDNSName}}\\",\\"groups\\":[\\"system:bootstrappers\\",\\"system:nodes\\"]}]","mapUsers":"[]","mapAccounts":"[]"}}]',
+        ],
+      ],
+    },
+  }));
+});
+
+test.each([
+  AuthenticationMode.API_AND_CONFIG_MAP,
+  AuthenticationMode.CONFIG_MAP,
+  undefined,
+])('will create AwsAuth when the authenticationMode is %p', (authenticationMode) => {
+  const { stack } = testFixture();
+
+  const cluster = new Cluster(stack, 'Cluster', {
+    version: KubernetesVersion.V1_27,
+    authenticationMode,
+  });
+
+  AlbController.create(stack, {
+    cluster,
+    version: AlbControllerVersion.V2_6_2,
+  });
+
+  Template.fromStack(stack).hasResourceProperties(KubernetesManifest.RESOURCE_TYPE, {
+    Manifest: {
+      'Fn::Join': [
+        '',
+        [
+          '[{"apiVersion":"v1","kind":"ConfigMap","metadata":{"name":"aws-auth","namespace":"kube-system","labels":{"aws.cdk.eks/prune-c82ececabf77e03e3590f2ebe02adba8641d1b3e76":""}},"data":{"mapRoles":"[{\\"rolearn\\":\\"',
+          {
+            'Fn::GetAtt': [
+              'ClusterNodegroupDefaultCapacityNodeGroupRole55953B04',
+              'Arn',
+            ],
+          },
+          '\\",\\"username\\":\\"system:node:{{EC2PrivateDNSName}}\\",\\"groups\\":[\\"system:bootstrappers\\",\\"system:nodes\\"]}]","mapUsers":"[]","mapAccounts":"[]"}}]',
+        ],
+      ],
+    },
+  });
+});