Skip to content

Commit ec32b5b

Browse files
vinayak-kukrejavinayak-kukreja
authored
fix(iam): oidc provider retrieves leaf certificate instead of root certificate (#22509)
Currently, the IAM OIDC Provider is retrieving leaf certificates for a given url. The validity for these certificates is not that long. This can cause an outage for the customer since they might not be aware of when the certificate is going to expire. We have seen an [outage](#8607) in EKS due to this issue. This change will help retrieving root certificates instead of leaf certificates. The validity of root certificate is much more than the leaf certificates. I am also adding validations for the certificate and also informing the customer if there retrieved certificate is going to expire within six months when they do a new deployment. Fixes #8607 Signed-off-by: Vinayak Kukreja <vinakuk@amazon.com> ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
1 parent aa19ec0 commit ec32b5b

100 files changed

Lines changed: 866 additions & 1428 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

packages/@aws-cdk/aws-eks/lib/oidc-provider.ts

Lines changed: 0 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -41,18 +41,10 @@ export class OpenIdConnectProvider extends iam.OpenIdConnectProvider {
4141
* @param props Initialization properties
4242
*/
4343
public constructor(scope: Construct, id: string, props: OpenIdConnectProviderProps) {
44-
/**
45-
* For some reason EKS isn't validating the root certificate but a intermediate certificate
46-
* which is one level up in the tree. Because of the a constant thumbprint value has to be
47-
* stated with this OpenID Connect provider. The certificate thumbprint is the same for all the regions.
48-
*/
49-
const thumbprints = ['9e99a48a9960b14926bb7f3b02e22da2b0ab7280'];
50-
5144
const clientIds = ['sts.amazonaws.com'];
5245

5346
super(scope, id, {
5447
url: props.url,
55-
thumbprints,
5648
clientIds,
5749
});
5850
}

packages/@aws-cdk/aws-eks/test/cluster.test.ts

Lines changed: 0 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -2156,9 +2156,6 @@ describe('cluster', () => {
21562156
ClientIDList: [
21572157
'sts.amazonaws.com',
21582158
],
2159-
ThumbprintList: [
2160-
'9e99a48a9960b14926bb7f3b02e22da2b0ab7280',
2161-
],
21622159
Url: {
21632160
'Fn::GetAtt': [
21642161
'Cluster9EE0221C',

packages/@aws-cdk/aws-eks/test/integ.alb-controller.js.snapshot/asset.4288ebb3652acdf2d828b7db7ca44a7162a401ace50ebb4026e84b18a02a06ee.zip

0 Bytes
Binary file not shown.

packages/@aws-cdk/aws-eks/test/integ.alb-controller.js.snapshot/asset.42973d1d89f4a393a64981f78d088964ba13e63a3aab4478cd74109c77cf9174/diff.d.ts

Lines changed: 0 additions & 4 deletions
This file was deleted.

packages/@aws-cdk/aws-eks/test/integ.alb-controller.js.snapshot/asset.42973d1d89f4a393a64981f78d088964ba13e63a3aab4478cd74109c77cf9174/diff.ts

Lines changed: 0 additions & 17 deletions
This file was deleted.

packages/@aws-cdk/aws-eks/test/integ.alb-controller.js.snapshot/asset.42973d1d89f4a393a64981f78d088964ba13e63a3aab4478cd74109c77cf9174/external.d.ts

Lines changed: 0 additions & 24 deletions
This file was deleted.

packages/@aws-cdk/aws-eks/test/integ.alb-controller.js.snapshot/asset.42973d1d89f4a393a64981f78d088964ba13e63a3aab4478cd74109c77cf9174/external.js

Lines changed: 0 additions & 53 deletions
This file was deleted.

packages/@aws-cdk/aws-eks/test/integ.alb-controller.js.snapshot/asset.42973d1d89f4a393a64981f78d088964ba13e63a3aab4478cd74109c77cf9174/external.ts

Lines changed: 0 additions & 53 deletions
This file was deleted.

packages/@aws-cdk/aws-eks/test/integ.alb-controller.js.snapshot/asset.42973d1d89f4a393a64981f78d088964ba13e63a3aab4478cd74109c77cf9174/index.d.ts

Lines changed: 0 additions & 3 deletions
This file was deleted.

packages/@aws-cdk/aws-eks/test/integ.alb-controller.js.snapshot/asset.42973d1d89f4a393a64981f78d088964ba13e63a3aab4478cd74109c77cf9174/index.ts

Lines changed: 0 additions & 89 deletions
This file was deleted.

0 commit comments

Comments
 (0)