Merge pull request #1242 from awslabs/bugfix/s3mountpoint-fails-rbac

Bugfix/s3mountpoint fails rbac

Author: shapirov103

lib/addons/s3-csi-driver/index.ts

@@ -37,7 +37,7 @@ const defaultProps: HelmAddOnUserProps & S3CSIDriverAddOnProps = {
   name: S3_CSI_DRIVER,
   namespace: "kube-system",
   release: S3_CSI_DRIVER_RELEASE,
-  version: "2.4.0",
+  version: "2.4.1",
   repository: "https://awslabs.github.io/mountpoint-s3-csi-driver",
   createNamespace: false,
   bucketNames: [],
@@ -55,40 +55,38 @@ export class S3CSIDriverAddOn extends HelmAddOn {
     }
 
     deploy(clusterInfo: ClusterInfo): Promise<Construct> {
-        // Create service account and policy
         const cluster = clusterInfo.cluster;
+
+        // Create namespace
+        if (this.options.createNamespace) {
+            createNamespace(this.options.namespace!, cluster, true);
+        }
+
+        // Let Helm create the node SA with RBAC bindings
+        const chartValues = populateValues(this.options);
+        const s3CsiDriverChart = this.addHelmChart(clusterInfo, chartValues, true, true);
+
+        // Overwrite the Helm-created SA with IRSA annotation (fires after chart)
         const serviceAccount = cluster.addServiceAccount(S3_CSI_DRIVER_SA, {
             name: S3_CSI_DRIVER_SA,
             namespace: this.options.namespace,
+            overwriteServiceAccount: true
         });
 
         const s3BucketPolicy = new iam.Policy(cluster, S3_DRIVER_POLICY, {
             statements:
                 getS3DriverPolicyStatements(this.options.bucketNames, this.options.kmsArns ?? [])
         });
         serviceAccount.role.attachInlinePolicy(s3BucketPolicy);
-        
-        // Create namespace
-        if (this.options.createNamespace) {
-            const ns = createNamespace(this.options.namespace!, cluster, true);
-            serviceAccount.node.addDependency(ns);
-        }
-
-        // setup value for helm chart
-        const chartValues = populateValues(this.options, serviceAccount.serviceAccountName);
 
-        const s3CsiDriverChart = this.addHelmChart(clusterInfo, chartValues, true, true);
-        s3CsiDriverChart.node.addDependency(serviceAccount);
+        serviceAccount.node.addDependency(s3CsiDriverChart);
         return Promise.resolve(s3CsiDriverChart);
     }
 }
 
-function populateValues(helmOptions: S3CSIDriverAddOnProps, serviceAccountName: string): any {
+function populateValues(helmOptions: S3CSIDriverAddOnProps): any {
     const values = helmOptions.values ?? {};
-    // Only configure the node service account (which needs S3 access)
-    setPath(values, 'node.serviceAccount.create', false);
-    setPath(values, 'node.serviceAccount.name', serviceAccountName);
-    // Let Helm create the controller service account (no S3 access needed)
+    setPath(values, 'node.serviceAccount.create', true);
     setPath(values, 'controller.serviceAccount.create', true);
     setPath(values, 'node.tolerateAllTaints', true);
     return values;

lib/addons/vpc-cni/index.ts

@@ -3,7 +3,7 @@ import * as eks from "aws-cdk-lib/aws-eks";
 import * as iam from "aws-cdk-lib/aws-iam";
 import { Construct } from 'constructs';
 import { ClusterInfo, Values } from "../../spi";
-import { loadYaml, readYamlDocument, ReplaceServiceAccount, supportsALL, conflictsWithAutoMode, AutoModeConflictType} from "../../utils";
+import { loadYaml, readYamlDocument, supportsALL, conflictsWithAutoMode, AutoModeConflictType} from "../../utils";
 import { CoreAddOn, CoreAddOnProps } from "../core-addon";
 import { KubectlProvider, ManifestDeployment } from "../helm-addon/kubectl-provider";
 import { KubernetesVersion } from "aws-cdk-lib/aws-eks";
@@ -426,14 +426,14 @@ export class VpcCniAddOn extends CoreAddOn {
    * @returns 
    */
   createServiceAccount(clusterInfo: ClusterInfo, saNamespace: string, policies: iam.IManagedPolicy[]): eks.ServiceAccount {
-    const sa = new ReplaceServiceAccount(clusterInfo.cluster, `${this.coreAddOnProps.saName}-sa`, {
-      cluster: clusterInfo.cluster,
+    const sa = clusterInfo.cluster.addServiceAccount(`${this.coreAddOnProps.saName}-sa`, {
       name: this.coreAddOnProps.saName,
-      namespace: saNamespace
+      namespace: saNamespace,
+      overwriteServiceAccount: true
     });
 
     policies.forEach(p => sa.role.addManagedPolicy(p));
-    return sa as any as eks.ServiceAccount;
+    return sa;
   }
 }