Merge pull request #9478 from zalando-incubator/dev-to-alpha

dev to alpha

Author: katyanna

cluster/config-defaults.yaml

@@ -1270,6 +1270,8 @@ eks_zalando_iam_aws_proxy_hpa_max_replicas: "10"
 eks_zalando_iam_aws_proxy_hpa_cpu_target: "80"
 eks_zalando_iam_aws_proxy_hpa_memory_target: "80"
 eks_okta_identity_provider: "true"
+eks_legacy_cluster_local_id: "kube-1"
+eks_oidc_issuer_url: "https://"
 eks_fis_support_enabled: "false"
 eks_fis_namespaces: "default"
 

cluster/manifests/deployment-service/01-config.yaml

@@ -13,17 +13,35 @@ data:
   create-namespaces: "true"
   aws-available: "true"
   worker-role-arn: "arn:aws:iam::{{accountID .Cluster.InfrastructureAccount}}:role/{{.Cluster.LocalID}}-worker"
-  {{ $oidc_issuer := "" }}
 {{- if eq .Cluster.Provider "zalando-eks" }}
-  {{ $oidc_issuer = index (split .Cluster.ConfigItems.eks_oidc_issuer_url "//") 1 }}
+  {{ $oidc_issuer_aws := printf "%s.%s" .Cluster.ConfigItems.eks_legacy_cluster_local_id .Values.hosted_zone }}
+  {{ $oidc_issuer_eks := index (split .Cluster.ConfigItems.eks_oidc_issuer_url "//") 1 }}
+  {{ $oidc_provider_arn_aws := printf "arn:aws:iam::%s:oidc-provider/%s" (accountID .Cluster.InfrastructureAccount) $oidc_issuer_aws }}
+  {{ $oidc_provider_arn_eks := printf "arn:aws:iam::%s:oidc-provider/%s" (accountID .Cluster.InfrastructureAccount) $oidc_issuer_eks }}
+  {{ $oidc_subject_key_aws := printf "%s:sub" $oidc_issuer_aws }}
+  {{ $oidc_subject_key_eks := printf "%s:sub" $oidc_issuer_eks }}
+  oidc-provider-arn: "{{$oidc_provider_arn_eks}}"
+  oidc-subject-key: "{{$oidc_subject_key_eks}}"
+  {{- if ne .Cluster.ConfigItems.eks_legacy_cluster_local_id "" }}
+  oidc-trust-relationship-template: '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Federated":"{{$oidc_provider_arn_aws}}"},"Action":"sts:AssumeRoleWithWebIdentity","Condition":{"StringLike":{"{{$oidc_subject_key_aws}}":"system:serviceaccount:${SERVICE_ACCOUNT}"}}},{"Effect":"Allow","Principal":{"Federated":"{{$oidc_provider_arn_eks}}"},"Action":"sts:AssumeRoleWithWebIdentity","Condition":{"StringLike":{"{{$oidc_subject_key_eks}}":"system:serviceaccount:${SERVICE_ACCOUNT}"}}}]}'
+  {{- else }}
+  oidc-trust-relationship-template: '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Federated":"{{$oidc_provider_arn_eks}}"},"Action":"sts:AssumeRoleWithWebIdentity","Condition":{"StringLike":{"{{$oidc_subject_key_eks}}":"system:serviceaccount:${SERVICE_ACCOUNT}"}}}]}'
+  {{- end }}
 {{- else }}
-  {{ $oidc_issuer = printf "%s.%s" .Cluster.LocalID .Values.hosted_zone }}
+  {{ $oidc_issuer_aws := printf "%s.%s" .Cluster.LocalID .Values.hosted_zone }}
+  {{ $oidc_issuer_eks := index (split .Cluster.ConfigItems.eks_oidc_issuer_url "//") 1 }}
+  {{ $oidc_provider_arn_aws := printf "arn:aws:iam::%s:oidc-provider/%s" (accountID .Cluster.InfrastructureAccount) $oidc_issuer_aws }}
+  {{ $oidc_provider_arn_eks := printf "arn:aws:iam::%s:oidc-provider/%s" (accountID .Cluster.InfrastructureAccount) $oidc_issuer_eks }}
+  {{ $oidc_subject_key_aws := printf "%s:sub" $oidc_issuer_aws }}
+  {{ $oidc_subject_key_eks := printf "%s:sub" $oidc_issuer_eks }}
+  oidc-provider-arn: "{{$oidc_provider_arn_aws}}"
+  oidc-subject-key: "{{$oidc_subject_key_aws}}"
+  {{- if ne $oidc_issuer_eks "" }}
+  oidc-trust-relationship-template: '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Federated":"{{$oidc_provider_arn_aws}}"},"Action":"sts:AssumeRoleWithWebIdentity","Condition":{"StringLike":{"{{$oidc_subject_key_aws}}":"system:serviceaccount:${SERVICE_ACCOUNT}"}}},{"Effect":"Allow","Principal":{"Federated":"{{$oidc_provider_arn_eks}}"},"Action":"sts:AssumeRoleWithWebIdentity","Condition":{"StringLike":{"{{$oidc_subject_key_eks}}":"system:serviceaccount:${SERVICE_ACCOUNT}"}}}]}'
+  {{- else }}
+  oidc-trust-relationship-template: '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Federated":"{{$oidc_provider_arn_aws}}"},"Action":"sts:AssumeRoleWithWebIdentity","Condition":{"StringLike":{"{{$oidc_subject_key_aws}}":"system:serviceaccount:${SERVICE_ACCOUNT}"}}}]}'
+  {{- end }}
 {{- end }}
-  {{ $oidc_provider_arn := printf "arn:aws:iam::%s:oidc-provider/%s" (accountID .Cluster.InfrastructureAccount) $oidc_issuer }}
-  {{ $oidc_subject_key := printf "%s:sub" $oidc_issuer }}
-  oidc-provider-arn: "{{$oidc_provider_arn}}"
-  oidc-subject-key: "{{$oidc_subject_key}}"
-  oidc-trust-relationship-template: '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Federated":"{{$oidc_provider_arn}}"},"Action":"sts:AssumeRoleWithWebIdentity","Condition":{"StringLike":{"{{$oidc_subject_key}}":"system:serviceaccount:${SERVICE_ACCOUNT}"}}}]}'
   s3-bucket-name: "zalando-deployment-service-{{accountID .Cluster.InfrastructureAccount}}-{{.Cluster.LocalID}}"
   status-service-url: "https://depl-status-{{.Cluster.Alias}}.{{.Values.hosted_zone}}"
   status-service-url-local: "http://deployment-status-service.ingress.cluster.local."

test/e2e/cluster_config.sh

@@ -46,6 +46,7 @@ clusters:
     okta_auth_client_id: "kubernetes.cluster.teapot-e2e"
     teapot_admission_controller_validate_pod_images_soft_fail_namespaces: "^kube-system$"
     eks_okta_identity_provider: "false" # disabled to speed up EKS cluster creation for e2e.
+    eks_legacy_cluster_local_id: "e2e-${CDP_BUILD_VERSION}-aws"
     skipper_open_policy_agent_enabled: "${SKIPPER_OPA_ENABLED}"
     skipper_open_policy_agent_styra_token: "${STYRA_TOKEN}"
     skipper_open_policy_agent_bucket_arn: "${SKIPPER_OPA_BUCKET_ARN}"