chore: bump chart versions & fix s3 csi addon (awslabs#304)

Co-authored-by: Derek Graeber <[email protected]>
dgraeber · Dec 17, 2024 · e1e7e09 · e1e7e09
1 parent b2f8d6b
commit e1e7e09
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 40 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -13,10 +13,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - add prometheus and prometheus-workspaces endpoints
 
 ### **Changed**
+- fix s3 csi driver addon in `eks` module
+- update charts versions in `1.29.yaml`
 - adding override support for charts in the EKS module
 
 ### **Removed**
 
+
 =======
 
 =======

diff --git a/data/eks_dockerimage-replication/versions/1.29.yaml b/data/eks_dockerimage-replication/versions/1.29.yaml
@@ -10,7 +10,7 @@ charts:
   calico:
     version: 3.25.1
   cert_manager:
-    version: v1.15.0
+    version: v1.16.2
   cluster_autoscaler:
     version: 9.27.0
     replication:
@@ -32,18 +32,18 @@ charts:
     version: 1.9.0
   grafana:
     # skip: true
-    version: 6.52.4
+    version: 8.6.1
   kured:
     version: 4.4.2
   kyverno:
     version: 2.7.2
   kyverno_policy_reporter:
-    version: v2.18.0
+    version: v2.24.2
   metrics_server:
     version: 3.9.0
   prometheus_stack:
     # skip: true
-    version: 45.8.1
+    version: 66.2.2
   secrets_manager_csi_driver:
     version: 1.3.2
 additional_images:

diff --git a/modules/compute/eks/stack.py b/modules/compute/eks/stack.py
@@ -907,52 +907,55 @@ def _create_s3_csi_addon(self, eks_cluster, project_name, mountpoint_buckets):
             arns = [f"arn:{self._partition}:s3:::{project_name}*"]
             arns_with_paths = [f"arn:{self._partition}:s3:::{project_name}*/*"]
 
-        # IRSA for S3 Addon
-        s3_addon_role = iam.Role(
-            self,
-            "S3Role",
-            assumed_by=iam.FederatedPrincipal(
-                eks_cluster.open_id_connect_provider.open_id_connect_provider_arn,
-                assume_role_action="sts:AssumeRoleWithWebIdentity",
-                conditions={
-                    "StringEquals": CfnJson(
-                        self,
-                        "S3RoleProvider",
-                        value={f"{eks_cluster.cluster_open_id_connect_issuer}:aud": "sts.amazonaws.com"},
-                    )
-                },
-            ),
-            inline_policies={
-                "mpfullbucketaccess": iam.PolicyDocument(
-                    statements=[
-                        iam.PolicyStatement(
-                            effect=iam.Effect.ALLOW,
-                            resources=arns,
-                            actions=["s3:ListBucket"],
-                        )
-                    ],
-                ),
-                "mpfullobjectaccess": iam.PolicyDocument(
-                    statements=[
-                        iam.PolicyStatement(
-                            effect=iam.Effect.ALLOW,
-                            resources=arns_with_paths,
-                            actions=["s3:GetObject", "s3:PutObject", "s3:AbortMultipartUpload", "s3:DeleteObject"],
-                        )
-                    ],
-                ),
+        s3_csi_storageclass = eks_cluster.add_manifest(
+            "S3CSIStorageClass",
+            {
+                "kind": "StorageClass",
+                "apiVersion": "storage.k8s.io/v1",
+                "metadata": {"name": "s3-csi"},
+                "parameters": {"type": "standard"},
+                "provisioner": "s3.csi.aws.com",
             },
         )
 
+        # Create service account
+        s3_csi_service_account = eks_cluster.add_service_account(
+            "s3-csi-driver-sa",
+            name="s3-csi-driver-sa",
+            namespace="kube-system",
+            labels={"app.kubernetes.io/name": "aws-mountpoint-s3-csi-driver"},
+        )
+
+        s3_csi_service_account.role.attach_inline_policy(
+            iam.Policy(
+                self,
+                "S3Policy",
+                statements=[
+                    iam.PolicyStatement(
+                        effect=iam.Effect.ALLOW,
+                        resources=arns,
+                        actions=["s3:ListBucket"],
+                    ),
+                    iam.PolicyStatement(
+                        effect=iam.Effect.ALLOW,
+                        resources=arns_with_paths,
+                        actions=["s3:GetObject", "s3:PutObject", "s3:AbortMultipartUpload", "s3:DeleteObject"],
+                    ),
+                ],
+            )
+        )
+
         s3_addon = eks.CfnAddon(
             self,
             "s3-addon",
             addon_name="aws-mountpoint-s3-csi-driver",
             resolve_conflicts="OVERWRITE",
             cluster_name=eks_cluster.cluster_name,
-            service_account_role_arn=s3_addon_role.role_arn,
+            service_account_role_arn=s3_csi_service_account.role.role_arn,
         )
         s3_addon.node.add_dependency(eks_cluster)
+        s3_addon.node.add_dependency(s3_csi_storageclass)
+        s3_addon.node.add_dependency(s3_csi_service_account)
 
     def _create_cloudwatch_observability_addon(self, eks_cluster):
         """
@@ -1687,14 +1690,14 @@ def _deploy_adot_and_cert_manager(
                 {
                     "installCRDs": True,
                     "extraArgs": ["--dns01-recursive-nameservers-only=false"],
-                    "podSecurityPolicy": {"enabled": False},
                     "serviceAccount": {
                         "create": False,
                         "name": cert_manager_service_account.service_account_name,
                         "annotations": {
                             "eks.amazonaws.com/role-arn": cert_manager_service_account.role.role_arn,
                         },
                     },
+                    "webhook": {"securePort": 10260, "hostNetwork": True},
                 },
                 get_chart_values(str(eks_version), CERT_MANAGER),
             ),