feat: Allow OIDC root CA thumbprint to be included/excluded #2778
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Great feature, this is awesome 👍 |
2 tasks
bryantbiggs
changed the title
bryantbiggs
approved these changes
Nov 14, 2023
antonbabenko
pushed a commit
that referenced
this pull request
Nov 14, 2023
## [19.20.0](v19.19.1...v19.20.0) (2023-11-14) ### Features * Allow OIDC root CA thumbprint to be included/excluded ([#2778](#2778)) ([091c680](091c680))
|
This PR is included in version 19.20.0 🎉 |
|
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This change adds a new
include_oidc_root_ca_thumbprintinput which allows the default root CA thumbprint to be included in or excluded from the OIDC thumbprint list.Motivation and Context
As per #2768, I am not able to reliably retrieve the root CA thumbprint within a corporate environment where HTTPS traffic is intercepted and inspected.
I need a way to configure the EKS cluster to use the correct AWS CA thumbprint, rather than expecting the module to be able to query the thumbprint itself.
I could add the correct thumbprint to the existing
custom_oidc_thumbprintslist without this change, but there is a ~50% chance the root CA thumbprint will change every time Iapplywhich creates churn in the configuration.The wording of this input is based on the eks_oidc_root_ca_thumbprint input from an earlier version of this module.
Breaking Changes
The default value aligns with the current behavior, and the new input is not required. There should be no breaking change.
How Has This Been Tested?
I have executed
pre-commit run -aon my pull requestI have updated at least one of the
examples/*to demonstrate and validate my change(s)I have tested and validated these changes using one or more of the provided
examples/*projectsI have not updated the
examples/*since they do not currently use custom thumbprints, and most users would not need to I would think.I tested this change by deploying a simple cluster with no configured OIDC inputs. The cluster was deployed with the single root CA thumbprint.
I then added the following configuration:
When I applied the change, the resulting cluster had no thumbprints at all.
I then added the following configuration:
When I applied the change, the resulting cluster had only the single custom thumbprint.