agent: |
Ensure OIDC provider URL and Service Account issuer URL are different before upgrading to EKS v1.30
Before upgrading an EKS cluster to v1.30, verify that the issuer URL of any OIDC identity provider config associated with the cluster is different from the cluster's Service Account issuer URL. Kubernetes v1.30 adds validation that rejects an authentication issuer equal to the service account issuer, and on EKS that leaves the kube-apiserver unable to start after the upgrade. If the two URLs are the same, disassociate the identity provider before upgrading.
By default both are the same value: the AWS-managed OIDC issuer that EKS creates for the cluster is also what the cluster's IAM OIDC provider points at, so associating that provider with the cluster as an identity provider is exactly what leads to the version update issue (kube-apiserver failing).
1. Get the current Service Account issuer URL of the EKS cluster

This issuer is generated by default when the EKS cluster is created; it is the value the cluster's projected service account tokens carry in their iss claim.

aws eks describe-cluster --region <region_name> --name <cluster_name> \
  --query "cluster.identity.oidc.issuer" --output text
2. List the IAM OIDC provider ARNs in the account

Note the provider whose URL matches the issuer from step 1: its ARN ends with the issuer host and path without the https:// prefix. IAM OIDC providers are global; --region only selects the endpoint.

aws iam list-open-id-connect-providers --region <region_name>
3. Back up the IAM OIDC provider (optional)

Save the provider's URL, client ID list and thumbprint list so it can be recreated if the migration has to be rolled back.

aws iam get-open-id-connect-provider \
  --open-id-connect-provider-arn <oidc_provider_arn> \
  --region <region_name> \
  --output json > <filename>
4. List IAM roles using the OIDC provider

The query prints every role whose trust policy names a Federated principal; filter the output for the provider ARN from step 2 to get the roles that are affected. These are the roles whose trust policies have to change once the provider changes.

For Prod Cluster (roles with OIDC usage):
eks-prod-341-alb-ingress
eks-prod-341-efs-csi-driver

aws iam list-roles \
  --query 'Roles[*].{RoleName:RoleName,OIDC_Provider:AssumeRolePolicyDocument.Statement[].Principal.Federated}' \
  --output json | jq .
5. List the identity provider configs associated with the cluster

This association is what the v1.30 validation looks at. It should come up empty for now; if an entry is listed, run aws eks describe-identity-provider-config on it and compare its issuerUrl with the issuer from step 1.

aws eks list-identity-provider-configs \
  --region <region_name> \
  --cluster-name <cluster_name>
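The following script is an added example and not part of the original runbook. It applies the v1.30 issuer rule offline to the data gathered in steps 1, 2, 4 and 5: it compares an identity provider config's issuerUrl with the Service Account issuer (tolerating a trailing slash) and lists the roles whose trust policy names a given provider ARN. Every SAMPLE_* value is a constructed stand-in for AWS CLI output (example account 111122223333, made-up issuer ID, pool ID and client ID); the comments show which command produces the real value.

```shell
#!/bin/sh
# Added example (not from the original runbook): offline pre-upgrade checks that apply
# the v1.30 issuer rule to the data collected in steps 1, 2, 4 and 5. Every SAMPLE_*
# value below is a constructed stand-in for AWS CLI output (example account
# 111122223333, made-up issuer ID, pool ID and client ID). To run it for real, replace
# them, e.g.:
#   SAMPLE_SA_ISSUER=$(aws eks describe-cluster --name <cluster_name> \
#       --query cluster.identity.oidc.issuer --output text)
#   SAMPLE_IDP_CONFIG_CONFLICT=$(aws eks describe-identity-provider-config \
#       --cluster-name <cluster_name> --identity-provider-config type=oidc,name=<config_name>)
#   SAMPLE_ROLES=$(aws iam list-roles --output json)

# Step 1: the service account issuer the cluster's projected tokens carry in "iss".
SAMPLE_SA_ISSUER='https://oidc.eks.us-east-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE'
# Step 2: ARN of the IAM OIDC provider that wraps that issuer.
SAMPLE_PROVIDER_ARN='arn:aws:iam::111122223333:oidc-provider/oidc.eks.us-east-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE'

# Step 5: an identity provider config that reuses the cluster issuer (trailing slash
# added on purpose; the check must still catch it).
SAMPLE_IDP_CONFIG_CONFLICT='{"identityProviderConfig": {"oidc": {
  "identityProviderConfigName": "eks-oidc-self",
  "issuerUrl": "https://oidc.eks.us-east-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE/",
  "clientId": "sts.amazonaws.com"}}}'
# Step 5 after step 7: the Cognito-backed association, whose issuer differs.
SAMPLE_IDP_CONFIG_OK='{"identityProviderConfig": {"oidc": {
  "identityProviderConfigName": "eks-oidc-cognito",
  "issuerUrl": "https://cognito-idp.us-east-2.amazonaws.com/us-east-2_AbCdEfGhI",
  "clientId": "1h57kf5cpq17m0eml12EXAMPLE"}}}'

# Step 4: trimmed `aws iam list-roles` output with RoleName and Federated each on their
# own line, as the CLI prints them. Two IRSA roles trust the cluster provider; a third
# trusts a different provider and must not be listed.
SAMPLE_ROLES='{"Roles": [
  {"RoleName": "eks-prod-341-alb-ingress",
   "AssumeRolePolicyDocument": {"Statement": [{"Action": "sts:AssumeRoleWithWebIdentity", "Principal": {
     "Federated": "arn:aws:iam::111122223333:oidc-provider/oidc.eks.us-east-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"}}]}},
  {"RoleName": "eks-prod-341-efs-csi-driver",
   "AssumeRolePolicyDocument": {"Statement": [{"Action": "sts:AssumeRoleWithWebIdentity", "Principal": {
     "Federated": "arn:aws:iam::111122223333:oidc-provider/oidc.eks.us-east-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"}}]}},
  {"RoleName": "eks-prod-341-cognito-admin",
   "AssumeRolePolicyDocument": {"Statement": [{"Action": "sts:AssumeRoleWithWebIdentity", "Principal": {
     "Federated": "arn:aws:iam::111122223333:oidc-provider/cognito-idp.us-east-2.amazonaws.com/us-east-2_AbCdEfGhI"}}]}}
]}'

# Strip the scheme and any trailing slash so cosmetic differences do not hide a match
# (the check is deliberately conservative).
norm_issuer() {
  printf '%s' "$1" | sed -e 's#^https://##' -e 's#/*$##'
}

# Pull the oidc.issuerUrl field out of describe-identity-provider-config output.
idp_issuer() {
  printf '%s\n' "$1" | sed -n 's/.*"issuerUrl": *"\([^"]*\)".*/\1/p' | head -n 1
}

# True (exit 0) when the association's issuer equals the service account issuer, i.e.
# the cluster would fail the v1.30 validation and the config must be disassociated.
issuer_conflict() {
  [ "$(norm_issuer "$(idp_issuer "$2")")" = "$(norm_issuer "$1")" ]
}

# Print the names of the roles whose trust policy names the given provider ARN; these
# are the roles that break when that provider is deleted (step 6). Assumes the
# one-key-per-line layout above; for nested or array-form output use jq instead.
roles_trusting_provider() {
  printf '%s\n' "$2" | awk -v arn="\"$1\"" '
    /"RoleName":/  { split($0, f, "\""); name = f[4] }
    /"Federated":/ { if (index($0, arn) > 0) print name }'
}

for cfg in "$SAMPLE_IDP_CONFIG_CONFLICT" "$SAMPLE_IDP_CONFIG_OK"; do
  if issuer_conflict "$SAMPLE_SA_ISSUER" "$cfg"; then
    echo "CONFLICT: $(idp_issuer "$cfg") reuses the service account issuer; disassociate before upgrading"
  else
    echo "OK: $(idp_issuer "$cfg") differs from the service account issuer"
  fi
done
echo "Roles trusting $SAMPLE_PROVIDER_ARN:"
roles_trusting_provider "$SAMPLE_PROVIDER_ARN" "$SAMPLE_ROLES"
```

Run it as-is to see the constructed case, then substitute real command output. The issuer comparison is intentionally lenient about the trailing slash: an association that differs from the cluster issuer only cosmetically is worth removing before the upgrade rather than finding out on the API server.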
6. Delete the old IAM OIDC identity provider

Deletion is immediate and irreversible (keep the backup from step 3). From this point the roles found in step 4 can no longer be assumed via sts:AssumeRoleWithWebIdentity until their trust policies name a provider that exists and whose URL matches the iss claim of the token the pod presents (for pod service account tokens that is the issuer from step 1).

aws iam delete-open-id-connect-provider \
  --open-id-connect-provider-arn <oidc_provider_arn>
7. Creating a new OIDC provider using AWS Cognito

Steps 7.1 to 7.4 create a Cognito user pool and app client, register the pool's issuer as an IAM OIDC provider, and associate it with the cluster. The pool's issuer URL (https://cognito-idp.<region_name>.amazonaws.com/<user_pool_id>) differs from the Service Account issuer from step 1, which is what the v1.30 validation requires.
7.1. Create a user pool in AWS Cognito

aws cognito-idp create-user-pool \
  --pool-name <oidc_pool_name> \
  --region <region_name>

Note the Id in the output; it is the <user_pool_id> (of the form <region_name>_XXXXXXXXX) used in the following steps, and the pool's issuer URL is https://cognito-idp.<region_name>.amazonaws.com/<user_pool_id>.
7.2. Create an app client for the user pool created in 7.1

aws cognito-idp create-user-pool-client \
  --user-pool-id <user_pool_id> \
  --client-name eks-client \
  --no-generate-secret \
  --region <region_name>

Note the ClientId in the output; it is the <client_id> used in 7.4.
7.3. Create an IAM OIDC provider for the Cognito user pool

<provider_url_cognito> is the issuer URL from 7.1. The thumbprint has to be the 40-character hex SHA-1 fingerprint with no colons, so the colons in openssl's output are stripped, and the host the certificate is fetched from must be the same cognito-idp endpoint as in the issuer URL (us-east-2 below). Note that this command takes the first certificate in the chain (the leaf), which changes when the server certificate rotates; AWS's documented procedure takes the last certificate in the chain the server presents instead.

aws iam create-open-id-connect-provider \
  --url <provider_url_cognito> \
  --client-id-list "sts.amazonaws.com" \
  --thumbprint-list $(openssl s_client -servername cognito-idp.us-east-2.amazonaws.com -connect cognito-idp.us-east-2.amazonaws.com:443 </dev/null 2>/dev/null | openssl x509 -fingerprint -sha1 -noout | cut -d"=" -f2 | sed 's/://g') \
  --region <region_name>
7.4. Associate the Cognito OIDC provider with the EKS cluster

issuerUrl is the Cognito issuer from 7.1 and clientId is the app client from 7.2. Because this issuer differs from the Service Account issuer in step 1, the association passes the v1.30 validation.

aws eks associate-identity-provider-config \
  --region <region_name> \
  --cluster-name <cluster_name> \
  --oidc identityProviderConfigName="eks-oidc-cognito",issuerUrl=<provider_url_cognito>,clientId=<client_id>
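The helpers below are an added example for step 7.3 and are not part of the original runbook. They build the Cognito issuer URL from the user pool ID and refuse a pool whose region prefix does not match the region given, pick the last certificate out of `openssl s_client -showcerts` output, and turn an openssl fingerprint line into the 40-hex-character form IAM accepts. The region, pool ID, certificate chain and fingerprint are constructed placeholders; the live commands that need the network are shown as comments at the end and are not executed.

```shell
#!/bin/sh
# Added example (not from the original runbook): helpers for step 7.3. Region, pool
# ID, certificate chain and fingerprint below are constructed placeholders.

# Cognito's issuer is https://cognito-idp.<region>.amazonaws.com/<pool_id>, and the
# pool ID starts with its region, so a pool from another region (or a mistyped
# --region) is rejected instead of producing an issuer that no token will match.
cognito_issuer_url() {
  case "$2" in
    "${1}_"*) printf 'https://cognito-idp.%s.amazonaws.com/%s\n' "$1" "$2" ;;
    *) echo "user pool $2 does not belong to region $1" >&2; return 1 ;;
  esac
}

# `openssl s_client -showcerts` prints the whole chain; keep only the last certificate
# (the CA closest to the root that the server presents), which is what AWS's documented
# thumbprint procedure uses and which does not change when the leaf rotates.
last_cert_in_chain() {
  awk '/-----BEGIN CERTIFICATE-----/ { c = "" }
       { c = c $0 "\n" }
       /-----END CERTIFICATE-----/ { last = c }
       END { printf "%s", last }'
}

# IAM's --thumbprint-list wants 40 hex characters; openssl prints
# "SHA1 Fingerprint=AB:CD:...", so the label and the colons have to go.
iam_thumbprint() {
  printf '%s' "$1" | sed -e 's/^.*=//' -e 's/://g' | tr 'A-Z' 'a-z'
}

# Reject anything IAM would reject, before the API call.
valid_thumbprint() {
  printf '%s' "$1" | grep -Eq '^[0-9a-f]{40}$'
}

# Constructed stand-in for `openssl s_client -showcerts` output (not real certificates).
SAMPLE_CHAIN='0 s:CN=cognito-idp.us-east-2.amazonaws.com
-----BEGIN CERTIFICATE-----
LEAFCERTIFICATEPLACEHOLDER
-----END CERTIFICATE-----
1 s:CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
INTERMEDIATECERTIFICATEPLACEHOLDER
-----END CERTIFICATE-----'
# Constructed stand-in for `openssl x509 -fingerprint -sha1 -noout` output.
SAMPLE_FINGERPRINT='SHA1 Fingerprint=9E:99:A4:8A:99:60:B1:49:26:BB:7F:3B:02:E2:2D:A2:B0:AB:72:80'

REGION=us-east-2
POOL_ID=us-east-2_AbCdEfGhI   # constructed; use the Id returned by step 7.1
ISSUER=$(cognito_issuer_url "$REGION" "$POOL_ID")
THUMB=$(iam_thumbprint "$SAMPLE_FINGERPRINT")
valid_thumbprint "$THUMB" || { echo "bad thumbprint: $THUMB" >&2; exit 1; }
echo "issuer:     $ISSUER"
echo "thumbprint: $THUMB"
echo "last cert in chain starts with: $(printf '%s\n' "$SAMPLE_CHAIN" | last_cert_in_chain | sed -n 2p)"

# Live usage (needs network and the AWS CLI; not executed here):
#   HOST=cognito-idp.$REGION.amazonaws.com
#   FP=$(openssl s_client -showcerts -servername "$HOST" -connect "$HOST:443" </dev/null 2>/dev/null \
#        | last_cert_in_chain | openssl x509 -fingerprint -sha1 -noout)
#   aws iam create-open-id-connect-provider --url "$ISSUER" \
#     --client-id-list sts.amazonaws.com --thumbprint-list "$(iam_thumbprint "$FP")"
```

The region check is the cheap guard worth keeping: an issuer built for the wrong region is a valid-looking URL that IAM will happily register but that will never match the iss claim of a Cognito token.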
8. Remove the old OIDC provider from the EKS Terraform state

Use terraform state list | grep "oidc_provider" to find the state entries to remove; the address below is the one the eks module uses. Removing the entry only stops Terraform from managing the provider that was already deleted in step 6; it does not change anything in AWS.

terraform state rm 'module.eks.aws_iam_openid_connect_provider.oidc_provider[0]'
9. Run terraform import to bring the manually created Cognito user pool into Terraform state

The import ID for aws_cognito_user_pool is the user pool ID from 7.1 (of the form <region_name>_XXXXXXXXX), not the pool name; match the resource address (aws_cognito_user_pool.eks_user_pool) to the resource name in main.tf.

terraform import \
  -var environment=<env_name> \
  -var aws_region=<region_name> \
  -var remote_state_bucket=<s3_backend_bucket> \
  -var remote_state_region=<backend_region> \
  aws_cognito_user_pool.eks_user_pool <user_pool_id>
10. Add the following code blocks in eks/main.tf outside the eks module

data "tls_certificate" needs the hashicorp/tls provider; its certificates list has the root of the chain first, so certificates[0] is the CA thumbprint rather than the leaf. Placeholders are string values and must stay quoted.

data "aws_cognito_user_pool" "eks_user_pool" {
  user_pool_id = "<user_pool_id>"
}

data "tls_certificate" "cognito_oidc_thumbprint" {
  url = "https://cognito-idp.us-east-2.amazonaws.com/${data.aws_cognito_user_pool.eks_user_pool.user_pool_id}"
}

resource "aws_iam_openid_connect_provider" "eks_oidc" {
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = [data.tls_certificate.cognito_oidc_thumbprint.certificates[0].sha1_fingerprint]
  url             = "https://cognito-idp.us-east-2.amazonaws.com/${data.aws_cognito_user_pool.eks_user_pool.user_pool_id}"
}

resource "aws_eks_identity_provider_config" "eks_oidc" {
  cluster_name = module.eks.cluster_name

  oidc {
    identity_provider_config_name = "eks-oidc-cognito"
    issuer_url                    = "https://${aws_iam_openid_connect_provider.eks_oidc.url}"
    client_id                     = "<client_id>"
  }

  depends_on = [aws_iam_openid_connect_provider.eks_oidc]
}
11. Import the existing Cognito-EKS association into Terraform

The import ID is <cluster_name>:<identity_provider_config_name>, where the config name is the one given in 7.4 (eks-oidc-cognito).

terraform import \
  -var environment=<env_name> \
  -var aws_region=<region_name> \
  -var remote_state_bucket=<s3_backend_bucket> \
  -var remote_state_region=<backend_region> \
  aws_eks_identity_provider_config.eks_oidc <cluster_name>:<oidc_name_cognito>
12. Add the following lines in eks/main.tf inside the eks module so Terraform does not create the IRSA roles and provider by default

enable_irsa                = false
cluster_identity_providers = {}

With enable_irsa = false the module stops managing an aws_iam_openid_connect_provider for the cluster issuer (the entry removed from state in step 8), and the empty cluster_identity_providers map leaves the association to the aws_eks_identity_provider_config resource from step 10.
13. Run a terraform init, plan and apply cycle for the eks module so the new outputs of the eks module are propagated

After apply, check the outputs; they should now differ:
cluster_oidc_issuer_url: the AWS-managed EKS issuer (step 1)
oidc_provider_arn: the Cognito-based provider (steps 7.3 and 10)

terraform init \
  -backend-config="bucket=<backend_s3_bucket>" \
  -backend-config="dynamodb_table=<dynamo_db_lock_name>" \
  -backend-config="key=<statefile_key>" \
  -backend-config="encrypt=true" \
  -backend-config="region=us-east-2"
terraform apply \
  -var environment=<env_name> \
  -var aws_region=<region_name> \
  -var remote_state_bucket=<backend_s3_bucket> \
  -var remote_state_region=<backend_region>
# Run terraform plan with the same -var arguments first and review it before apply.
14. Run a terraform init, plan and apply cycle for the eks-services module so the new outputs of the eks module are used for IAM role creation

Run this from the eks-services module directory; the backend and variable arguments are the same as in step 13.

terraform init \
  -backend-config="bucket=<backend_s3_bucket>" \
  -backend-config="dynamodb_table=<dynamo_db_lock_name>" \
  -backend-config="key=<statefile_key>" \
  -backend-config="encrypt=true" \
  -backend-config="region=us-east-2"
terraform apply \
  -var environment=<env_name> \
  -var aws_region=<region_name> \
  -var remote_state_bucket=<backend_s3_bucket> \
  -var remote_state_region=<backend_region>
# Run terraform plan with the same -var arguments first and review it before apply.