diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.alb-controller-authapi.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.alb-controller-authapi.ts
new file mode 100644
index 0000000000000..33891a74b3b8b
--- /dev/null
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.alb-controller-authapi.ts
@@ -0,0 +1,37 @@
+// ALB controller with EKS cluster that supports API mode only
+import {
+ App, Stack, StackProps,
+ aws_ec2 as ec2,
+} from 'aws-cdk-lib';
+import * as eks from 'aws-cdk-lib/aws-eks';
+import { getClusterVersionConfig } from './integ-tests-kubernetes-version';
+import { IntegTest } from '@aws-cdk/integ-tests-alpha'
+
+class EksClusterStack extends Stack {
+ constructor(scope: App, id: string, props?: StackProps) {
+ super(scope, id, props);
+
+ const vpc = new ec2.Vpc(this, 'Vpc', { maxAzs: 2, natGateways: 1, restrictDefaultSecurityGroup: false });
+
+ const cluster = new eks.Cluster(this, 'Cluster', {
+ vpc,
+ ...getClusterVersionConfig(this, eks.KubernetesVersion.V1_30),
+ defaultCapacity: 2,
+ authenticationMode: eks.AuthenticationMode.API,
+ });
+
+ // create the controller
+ eks.AlbController.create(this, {
+ cluster,
+ version: eks.AlbControllerVersion.V2_6_2,
+ });
+ }
+}
+
+const app = new App();
+
+const stack = new EksClusterStack(app, 'integ-eks-stack');
+
+new IntegTest(app, 'integtest', {
+ testCases: [stack],
+});
\ No newline at end of file
diff --git a/packages/aws-cdk-lib/aws-eks/lib/alb-controller.ts b/packages/aws-cdk-lib/aws-eks/lib/alb-controller.ts
index 5dfe0ab11dbcf..8c2d4b2298026 100644
--- a/packages/aws-cdk-lib/aws-eks/lib/alb-controller.ts
+++ b/packages/aws-cdk-lib/aws-eks/lib/alb-controller.ts
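Review bot: The `IntegTest` import on the new file's eighth line is the only import without a terminating semicolon; `import { IntegTest } from '@aws-cdk/integ-tests-alpha';` keeps it consistent with the other imports, and the file also ends without a trailing newline. The header comment would be more useful if it said what the deployment is meant to prove, for example `// In API authentication mode the cluster does not support the aws-auth ConfigMap, so the controller chart must deploy without depending on one.`, which ties this integ test to the guard added in alb-controller.ts.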
@@ -1,7 +1,7 @@
 import * as fs from 'fs';
 import * as path from 'path';
 import { Construct } from 'constructs';
-import { Cluster } from './cluster';
+import { Cluster, AuthenticationMode } from './cluster';
 import { HelmChart } from './helm-chart';
 import { ServiceAccount } from './service-account';
 import * as iam from '../../aws-iam';
@@ -329,7 +329,10 @@ export class AlbController extends Construct {
 // the controller relies on permissions deployed using these resources.
 chart.node.addDependency(serviceAccount);
 chart.node.addDependency(props.cluster.openIdConnectProvider);
- chart.node.addDependency(props.cluster.awsAuth);
+ if (props.cluster.authenticationMode != AuthenticationMode.API) {
+ // ensure the dependency only when ConfigMap is supported
+ chart.node.addDependency(props.cluster.awsAuth);
+ }
 }
 
 private rewritePolicyResources(resources: string | string[] | undefined): string | string[] | undefined {
diff --git a/packages/aws-cdk-lib/aws-eks/test/alb-controller.test.ts b/packages/aws-cdk-lib/aws-eks/test/alb-controller.test.ts
index 3459b772eb8f7..060f2d9d0e6d0 100644
--- a/packages/aws-cdk-lib/aws-eks/test/alb-controller.test.ts
+++ b/packages/aws-cdk-lib/aws-eks/test/alb-controller.test.ts
@@ -1,9 +1,9 @@
 import * as fs from 'fs';
 import * as path from 'path';
 import { testFixture } from './util';
-import { Template } from '../../assertions';
+import { Template, Match } from '../../assertions';
 import * as iam from '../../aws-iam';
-import { Cluster, KubernetesVersion, AlbController, AlbControllerVersion, HelmChart } from '../lib';
+import { Cluster, KubernetesVersion, AlbController, AlbControllerVersion, HelmChart, KubernetesManifest, AuthenticationMode } from '../lib';
 
 test('all vended policies are valid', () => {
 const addOnsDir = path.join(__dirname, '..', 'lib', 'addons');
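Review bot: The new guard in the `@@ -329` hunk of alb-controller.ts uses loose inequality; `if (props.cluster.authenticationMode !== AuthenticationMode.API) {` is the strict form the rest of this strict-ESLint codebase uses and behaves identically for the `undefined` mode the unit tests cover. The comment on the following line should name the consequence rather than restate the condition, e.g. `// In API authentication mode the cluster does not support the aws-auth ConfigMap; reading cluster.awsAuth here would synthesize one, so only depend on it for ConfigMap-capable modes.` — that reading of the getter is what the accompanying "will not create AwsAuth" unit test implies, so confirm it against the Cluster implementation before wording it as fact. The enclosing method begins before this hunk; the two import hunks on this line need no change.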
@@ -118,3 +118,71 @@ test('correct helm chart version is set for selected alb controller version', ()
 },
 });
 });
+
+test('will not create AwsAuth when the authenticationMode is API', () => {
+ const { stack } = testFixture();
+
+ const cluster = new Cluster(stack, 'Cluster', {
+ version: KubernetesVersion.V1_27,
+ authenticationMode: AuthenticationMode.API,
+ });
+
+ AlbController.create(stack, {
+ cluster,
+ version: AlbControllerVersion.V2_6_2,
+ });
+
+ Template.fromStack(stack).hasResourceProperties(KubernetesManifest.RESOURCE_TYPE, Match.not({
+ Manifest: {
+ 'Fn::Join': [
+ '',
+ [
+ '[{"apiVersion":"v1","kind":"ConfigMap","metadata":{"name":"aws-auth","namespace":"kube-system","labels":{"aws.cdk.eks/prune-c82ececabf77e03e3590f2ebe02adba8641d1b3e76":""}},"data":{"mapRoles":"[{\\"rolearn\\":\\"',
+ {
+ 'Fn::GetAtt': [
+ 'ClusterNodegroupDefaultCapacityNodeGroupRole55953B04',
+ 'Arn',
+ ],
+ },
+ '\\",\\"username\\":\\"system:node:{{EC2PrivateDNSName}}\\",\\"groups\\":[\\"system:bootstrappers\\",\\"system:nodes\\"]}]","mapUsers":"[]","mapAccounts":"[]"}}]',
+ ],
+ ],
+ },
+ }));
+});
+
+test.each([
+ AuthenticationMode.API_AND_CONFIG_MAP,
+ AuthenticationMode.CONFIG_MAP,
+ undefined,
+])('will create AwsAuth when the authenticationMode is %p', (authenticationMode) => {
+ const { stack } = testFixture();
+
+ const cluster = new Cluster(stack, 'Cluster', {
+ version: KubernetesVersion.V1_27,
+ authenticationMode,
+ });
+
+ AlbController.create(stack, {
+ cluster,
+ version: AlbControllerVersion.V2_6_2,
+ });
+
+ Template.fromStack(stack).hasResourceProperties(KubernetesManifest.RESOURCE_TYPE, {
+ Manifest: {
+ 'Fn::Join': [
+ '',
+ [
+ '[{"apiVersion":"v1","kind":"ConfigMap","metadata":{"name":"aws-auth","namespace":"kube-system","labels":{"aws.cdk.eks/prune-c82ececabf77e03e3590f2ebe02adba8641d1b3e76":""}},"data":{"mapRoles":"[{\\"rolearn\\":\\"',
+ {
+ 'Fn::GetAtt': [
+ 'ClusterNodegroupDefaultCapacityNodeGroupRole55953B04',
+ 'Arn',
+ ],
+ },
+ '\\",\\"username\\":\\"system:node:{{EC2PrivateDNSName}}\\",\\"groups\\":[\\"system:bootstrappers\\",\\"system:nodes\\"]}]","mapUsers":"[]","mapAccounts":"[]"}}]',
+ ],
+ ],
+ },
+ });
+});
\ No newline at end of file
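Review bot: The negative assertion in the first added test does not establish that the aws-auth ConfigMap is absent: `hasResourceProperties` succeeds as soon as one resource of the type satisfies the matcher, so with `Match.not(...)` any other KubernetesManifest in the stack (presumably at least one exists, or the call would fail for having no resources to check) satisfies it even when the aws-auth manifest is also present. Assert a count of zero instead, e.g. `Template.fromStack(stack).resourcePropertiesCountIs(KubernetesManifest.RESOURCE_TYPE, { Manifest: { 'Fn::Join': ['', Match.arrayWith([Match.stringLikeRegexp('"name":"aws-auth"')])] } }, 0);`, which also stops the test from depending on the prune-label hash and the node-group role logical id baked into the literal. The same `Fn::Join` literal is repeated verbatim in the second test; hoisting it into one shared constant would keep the positive and negative cases in step.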