I am currently working on a CloudFormation template. The template creates an EKS cluster with the cluster autoscaler. In doing so I created a Lambda function which automatically creates the OIDC provider with the EKS cluster URL. The issue is the thumbprint. I am not able to create the thumbprint for it, which is leading to the failure of the cluster autoscaler pod. Is there any way through which we can create the thumbprint from the Lambda function as well? Below is the code for the Lambda function. The thumbprint present is a sample one.
```python
import boto3
import cfnresponse


def lambda_handler(event, context):
    client = boto3.client('iam')
    name = event['ResourceProperties']['cluster_name']
    responseData = {}
    try:
        print("In the try block")
        if event['RequestType'] == 'Delete':
            print("Request Type:", event['RequestType'])
            print("Delete Request - No Physical resources to delete")
        elif event['RequestType'] in ('Create', 'Update'):
            print("Request Type:", event['RequestType'])
            # Fetch the issuer once and reuse it for the provider and the response
            oidc_response_url = fetchClusterOIDC(name)
            client.create_open_id_connect_provider(
                # IRSA tokens are issued with the audience sts.amazonaws.com,
                # so that is the client ID the provider must accept
                ClientIDList=[
                    'sts.amazonaws.com',
                ],
                # Sample value only; must be the SHA-1 thumbprint of the top-most
                # CA certificate in the TLS chain served by the issuer URL
                ThumbprintList=[
                    '3768084dfb3d2b68b7897bf5f565da8efEXAMPLE',
                ],
                Url=oidc_response_url,
            )
            print("The OIDC Created")
            # Issuer host/path without the scheme, as used in IAM trust policy conditions
            oidc_response = oidc_response_url.split("https://")[1]
            responseData = {'oidc': oidc_response}
            print("Responsedata Created", responseData)
        # Every request type, including Delete, must signal completion to CloudFormation
        print("Sending response to custom resource for event type " + event['RequestType'])
        cfnresponse.send(event, context, cfnresponse.SUCCESS, responseData)
    except Exception as e:
        print(e)
        responseData = {'Failed': 'Test Failed.'}
        cfnresponse.send(event, context, cfnresponse.FAILED, responseData)


def fetchClusterOIDC(cluster_name):
    print("Getting Cluster OIDC value for cluster name " + cluster_name)
    client = boto3.client('eks')
    try:
        # boto3 raises on non-2xx responses, so no status-code check is needed here
        response = client.describe_cluster(
            name=cluster_name
        )
        oidc = response['cluster']['identity']['oidc']['issuer']
        print('OIDC output received ' + oidc + ' for Cluster Name ' + cluster_name)
        return oidc
    except Exception as e:
        print('Failed to fetch Cluster OIDC value for cluster name ' + cluster_name, e)
        # Re-raise so the handler reports FAILED instead of calling IAM with Url=None
        raise
```
I have used the AWS API instead of the Lambda function. The CloudFormation script gives the OIDC URL and CertificateAuthority in the output. After that I run a bash script which automatically generates the thumbprint, after which we can use the AWS APIs to create the OIDC provider using the URL and thumbprint generated.
To generate the thumbprint follow the link below: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html
In this, instead of performing step 4, we can directly decode the CertificateAuthority provided by the EKS cluster. The command for decoding is: echo -n 'CertificateAuthority' | base64 --decode
This would generate the certificate and make your job easier.
I found this way much easier than creating the Lambda function and generating the OIDC provider.
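Worked example, added here and not code from either post above: the thumbprint IAM wants is simply the SHA-1 of the DER-encoded certificate, written as 40 hex characters with the colons removed, which is what the `openssl x509 -fingerprint -sha1` step in the linked doc produces. The script below does that in Python, so it can run inside the Lambda from the question instead of a separate bash step. It covers both routes discussed: parsing `openssl s_client -showcerts` output and taking the last certificate displayed (the top of the chain, as the doc says), and the answer's shortcut of base64-decoding the EKS CertificateAuthority value and hashing the PEM inside. One caveat a practitioner should keep in mind: IAM validates the thumbprint against the TLS chain served at the issuer URL, so whichever certificate you hash must be the top-most one from that chain; the functions here hash whatever you hand them and do not check that for you. The sample `-showcerts` output and the sample CertificateAuthority value are constructed fakes whose "certificate" bodies are the bytes `b""` and `b"abc"` rather than real DER, so that the expected hashes are known; the issuer URL and the `fetch_showcerts` helper (which shells out to the openssl CLI exactly as the doc does) are assumptions for illustration.

```python
"""Compute an IAM OIDC provider thumbprint and build the create_open_id_connect_provider call.

Added example for the thread above; sample inputs are constructed, not real certificates.
"""
import base64
import hashlib
import re
import subprocess
import sys
from urllib.parse import urlparse

# One PEM certificate block; DOTALL so the base64 body may span lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)
# IAM expects exactly 40 hex characters (SHA-1), no colons.
HEX40 = re.compile(r"^[0-9a-f]{40}$")


def der_blocks(text):
    """Return the DER bytes of every PEM certificate found in `text`, in order."""
    return [base64.b64decode("".join(m.group(1).split())) for m in PEM_BLOCK.finditer(text)]


def thumbprint(der):
    """IAM thumbprint: SHA-1 over the DER certificate, lowercase hex, no separators."""
    return hashlib.sha1(der).hexdigest()


def chain_thumbprints(showcerts_output):
    """Thumbprints of each certificate in `openssl s_client -showcerts` output, leaf first."""
    return [thumbprint(der) for der in der_blocks(showcerts_output)]


def root_thumbprint(showcerts_output):
    """Thumbprint of the last certificate displayed, i.e. the top of the served chain."""
    prints = chain_thumbprints(showcerts_output)
    if not prints:
        raise ValueError("no certificates found in s_client output")
    return prints[-1]


def thumbprint_from_eks_ca_data(ca_data_b64):
    """The answer's shortcut: decode the base64 certificateAuthority.data and hash the PEM inside."""
    pem = base64.b64decode(ca_data_b64).decode("ascii")
    ders = der_blocks(pem)
    if len(ders) != 1:
        raise ValueError("expected exactly one certificate in certificateAuthority.data")
    return thumbprint(ders[0])


def provider_request(issuer_url, thumb):
    """Keyword arguments for boto3 iam.create_open_id_connect_provider(**...)."""
    if not issuer_url.startswith("https://"):
        raise ValueError("IAM requires the issuer URL to start with https://")
    if not HEX40.match(thumb):
        raise ValueError("thumbprint must be 40 lowercase hex characters")
    return {
        "Url": issuer_url,
        # IRSA service-account tokens carry this audience; "my-application-id" would be rejected.
        "ClientIDList": ["sts.amazonaws.com"],
        "ThumbprintList": [thumb],
    }


def fetch_showcerts(issuer_url, timeout=15):
    """Mirror the doc's openssl s_client step (assumes the openssl CLI is on PATH)."""
    host = urlparse(issuer_url).hostname
    proc = subprocess.run(
        ["openssl", "s_client", "-servername", host, "-showcerts", "-connect", f"{host}:443"],
        input=b"", capture_output=True, timeout=timeout, check=False,
    )
    return proc.stdout.decode("ascii", "replace")


# --- Constructed sample data (fake DER bodies so the expected hashes are known) ---
def fake_pem(der):
    body = base64.b64encode(der).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


SAMPLE_SHOWCERTS = "CONNECTED(00000003)\n" + fake_pem(b"") + fake_pem(b"abc") + "---\n"
SAMPLE_CA_DATA = base64.b64encode(fake_pem(b"abc").encode("ascii")).decode("ascii")
SAMPLE_ISSUER = "https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE"  # assumed, not a real cluster

if __name__ == "__main__":
    # With a real issuer URL as argv[1] this talks to the live endpoint; otherwise it uses the fakes.
    issuer = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_ISSUER
    text = fetch_showcerts(issuer) if len(sys.argv) > 1 else SAMPLE_SHOWCERTS
    print(provider_request(issuer, root_thumbprint(text)))
```

To use it from the Lambda in the question, call `iam.create_open_id_connect_provider(**provider_request(issuer_url, thumb))` in place of the hard-coded ThumbprintList; note that the `fetch_showcerts` path needs the openssl binary, which a workstation has but the Lambda Python runtime does not guarantee, so inside Lambda you would either hash a certificate you already hold or fetch the chain another way.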