optimize

Author: xazhao

packages/@aws-cdk/aws-eks-v2-alpha/lib/access-entry.ts

@@ -3,6 +3,7 @@ import { ICluster } from './cluster';
 import { CfnAccessEntry } from 'aws-cdk-lib/aws-eks';
 import {
   Resource, IResource, Aws, Lazy,
+  RemovalPolicy,
 } from 'aws-cdk-lib/core';
 import { MethodMetadata, addConstructMetadata } from 'aws-cdk-lib/core/lib/metadata-resource';
 
@@ -346,8 +347,8 @@ export class AccessEntry extends Resource implements IAccessEntry {
           policyArn: p.policy,
         })),
       }),
-
     });
+    resource.applyRemovalPolicy(RemovalPolicy.RETAIN);
     this.accessEntryName = this.getResourceNameAttribute(resource.ref);
     this.accessEntryArn = this.getResourceArnAttribute(resource.attrAccessEntryArn, {
       service: 'eks',

packages/@aws-cdk/aws-eks-v2-alpha/lib/cluster.ts

@@ -1460,6 +1460,9 @@ export class Cluster extends ClusterBase {
         accessPolicies: policies,
       });
       this.accessEntries.set(principal, newEntry);
+      // if (this.kubectlProvider) {
+      //   Node.of(this.kubectlProvider).addDependency(newEntry);
+      // }
     }
   }
 

packages/aws-cdk-lib/aws-eks/README.md

@@ -515,14 +515,11 @@ cluster.connectAutoScalingGroupCapacity(asg, {});
 To connect a self-managed node group to an imported cluster, use the `cluster.connectAutoScalingGroupCapacity()` method:
 
 ```ts
-import { KubectlV32Layer } from '@aws-cdk/lambda-layer-kubectl-v32';
-
 declare const cluster: eks.Cluster;
 declare const asg: autoscaling.AutoScalingGroup;
 const importedCluster = eks.Cluster.fromClusterAttributes(this, 'ImportedCluster', {
   clusterName: cluster.clusterName,
   clusterSecurityGroupId: cluster.clusterSecurityGroupId,
-  kubectlLayer: new KubectlV32Layer(this, 'kubectl'),
 });
 
 importedCluster.connectAutoScalingGroupCapacity(asg, {});
@@ -843,8 +840,6 @@ The resources are created in the cluster by running `kubectl apply` from a pytho
 By default, CDK will create a new python lambda function to apply your k8s manifests. If you want to use an existing kubectl provider function, for example with tight trusted entities on your IAM Roles - you can import the existing provider and then use the imported provider when importing the cluster:
 
 ```ts
-import { KubectlV32Layer } from '@aws-cdk/lambda-layer-kubectl-v32';
-
 const handlerRole = iam.Role.fromRoleArn(this, 'HandlerRole', 'arn:aws:iam::123456789012:role/lambda-role');
 // get the serviceToken from the custom resource provider
 const functionArn = lambda.Function.fromFunctionName(this, 'ProviderOnEventFunc', 'ProviderframeworkonEvent-XXX').functionArn;
@@ -857,7 +852,6 @@ const kubectlProvider = eks.KubectlProvider.fromKubectlProviderAttributes(this,
 const cluster = eks.Cluster.fromClusterAttributes(this, 'Cluster', {
   clusterName: 'cluster',
   kubectlProvider,
-  kubectlLayer: new KubectlV32Layer(this, 'kubectl'),
 });
 ```
 
@@ -959,7 +953,6 @@ eks.Cluster.fromClusterAttributes(this, 'MyCluster', {
   kubectlMemory: Size.gibibytes(4),
   vpc,
   clusterName: 'cluster-name',
-  kubectlLayer: new KubectlV32Layer(this, 'kubectl'),
 });
 ```
 
@@ -1372,8 +1365,6 @@ You can also add service accounts to existing clusters.
 To do so, pass the `openIdConnectProvider` property when you import the cluster into the application.
 
 ```ts
-import { KubectlV32Layer } from '@aws-cdk/lambda-layer-kubectl-v32';
-
 // you can import an existing provider
 const provider = eks.OpenIdConnectProvider.fromOpenIdConnectProviderArn(this, 'Provider', 'arn:aws:iam::123456:oidc-provider/oidc.eks.eu-west-1.amazonaws.com/id/AB123456ABC');
 
@@ -1387,7 +1378,6 @@ const cluster = eks.Cluster.fromClusterAttributes(this, 'MyCluster', {
   clusterName: 'Cluster',
   openIdConnectProvider: provider,
   kubectlRoleArn: 'arn:aws:iam::123456:role/service-role/k8sservicerole',
-  kubectlLayer: new KubectlV32Layer(this, 'kubectl'),
 });
 
 const serviceAccount = cluster.addServiceAccount('MyServiceAccount');
@@ -1930,12 +1920,9 @@ First, you'll need to "import" a cluster to your CDK app. To do that, use the
 `eks.Cluster.fromClusterAttributes()` static method:
 
 ```ts
-import { KubectlV32Layer } from '@aws-cdk/lambda-layer-kubectl-v32';
-
 const cluster = eks.Cluster.fromClusterAttributes(this, 'MyCluster', {
   clusterName: 'my-cluster-name',
   kubectlRoleArn: 'arn:aws:iam::1111111:role/iam-role-that-has-masters-access',
-  kubectlLayer: new KubectlV32Layer(this, 'kubectl'),
 });
 ```
 

packages/aws-cdk-lib/aws-eks/lib/cluster.ts

@@ -144,7 +144,7 @@ export interface ICluster extends IResource, ec2.IConnectable {
    * An AWS Lambda layer that includes `kubectl` and `helm`
    *
    */
-  readonly kubectlLayer: lambda.ILayerVersion;
+  readonly kubectlLayer?: lambda.ILayerVersion;
 
   /**
    * Specify which IP family is used to assign Kubernetes pod and service IP addresses.
@@ -383,8 +383,10 @@ export interface ClusterAttributes {
    * /opt/helm/helm
    * /opt/kubectl/kubectl
    * ```
+   *
+   * @default - No default layer will be provided
    */
-  readonly kubectlLayer: lambda.ILayerVersion;
+  readonly kubectlLayer?: lambda.ILayerVersion;
 
   /**
    * An AWS Lambda layer that contains the `aws` CLI.
@@ -1085,7 +1087,7 @@ abstract class ClusterBase extends Resource implements ICluster {
   public abstract readonly ipFamily?: IpFamily;
   public abstract readonly kubectlRole?: iam.IRole;
   public abstract readonly kubectlLambdaRole?: iam.IRole;
-  public abstract readonly kubectlLayer: lambda.ILayerVersion;
+  public abstract readonly kubectlLayer?: lambda.ILayerVersion;
   public abstract readonly kubectlEnvironment?: { [key: string]: string };
   public abstract readonly kubectlSecurityGroup?: ec2.ISecurityGroup;
   public abstract readonly kubectlPrivateSubnets?: ec2.ISubnet[];
@@ -1477,7 +1479,7 @@ export class Cluster extends ClusterBase {
    * An AWS Lambda layer that includes `kubectl` and `helm`
    *
    */
-  readonly kubectlLayer: lambda.ILayerVersion;
+  readonly kubectlLayer?: lambda.ILayerVersion;
 
   /**
    * An AWS Lambda layer that contains the `aws` CLI.
@@ -2398,7 +2400,7 @@ class ImportedCluster extends ClusterBase {
   public readonly kubectlEnvironment?: { [key: string]: string } | undefined;
   public readonly kubectlSecurityGroup?: ec2.ISecurityGroup | undefined;
   public readonly kubectlPrivateSubnets?: ec2.ISubnet[] | undefined;
-  public readonly kubectlLayer: lambda.ILayerVersion;
+  public readonly kubectlLayer?: lambda.ILayerVersion;
   public readonly ipFamily?: IpFamily;
   public readonly awscliLayer?: lambda.ILayerVersion;
   public readonly kubectlProvider?: IKubectlProvider;

packages/aws-cdk-lib/aws-eks/lib/kubectl-provider.ts

@@ -149,7 +149,9 @@ export class KubectlProvider extends NestedStack implements IKubectlProvider {
 
     // allow user to customize the layers with the tools we need
     handler.addLayers(props.cluster.awscliLayer ?? new AwsCliLayer(this, 'AwsCliLayer'));
-    handler.addLayers(props.cluster.kubectlLayer);
+    if (props.cluster.kubectlLayer) {
+      handler.addLayers(props.cluster.kubectlLayer);
+    }
 
     this.handlerRole = handler.role!;
 

packages/aws-cdk-lib/aws-eks/test/cluster.test.ts

@@ -174,7 +174,6 @@ describe('cluster', () => {
 
     const cluster = eks.Cluster.fromClusterAttributes(stack, 'Cluster', {
       clusterName: 'cluster',
-      kubectlLayer: new KubectlV31Layer(stack, 'KubectlLayer'),
     });
 
     expect(() => cluster.clusterSecurityGroup).toThrow(/"clusterSecurityGroup" is not defined for this imported cluster/);
@@ -215,7 +214,6 @@ describe('cluster', () => {
     const cluster = eks.Cluster.fromClusterAttributes(stack, 'Cluster', {
       clusterName: 'cluster',
       clusterSecurityGroupId: clusterSgId,
-      kubectlLayer: new KubectlV31Layer(stack, 'KubectlLayer'),
     });
 
     const clusterSg = cluster.clusterSecurityGroup;
@@ -281,7 +279,6 @@ describe('cluster', () => {
     const importedCluster = eks.Cluster.fromClusterAttributes(stack, 'ImportedCluster', {
       clusterName: cluster.clusterName,
       clusterSecurityGroupId: cluster.clusterSecurityGroupId,
-      kubectlLayer: new KubectlV31Layer(stack, 'ImportKubectlLayer'),
     });
 
     const selfManaged = new asg.AutoScalingGroup(stack, 'self-managed', {
@@ -981,7 +978,6 @@ describe('cluster', () => {
     const cluster = eks.Cluster.fromClusterAttributes(stack, 'Cluster', {
       clusterName: 'cluster',
       kubectlProvider: kubectlProvider,
-      kubectlLayer: new KubectlV31Layer(stack, 'KubectlLayer'),
     });
 
     expect(cluster.kubectlProvider).toEqual(kubectlProvider);
@@ -1001,7 +997,6 @@ describe('cluster', () => {
       const cluster = eks.Cluster.fromClusterAttributes(stack, 'Cluster', {
         clusterName: 'cluster',
         kubectlProvider: kubectlProvider,
-        kubectlLayer: new KubectlV31Layer(stack, 'KubectlLayer'),
       });
 
       new eks.HelmChart(stack, 'Chart', {
@@ -1028,7 +1023,6 @@ describe('cluster', () => {
       const cluster = eks.Cluster.fromClusterAttributes(stack, 'Cluster', {
         clusterName: 'cluster',
         kubectlProvider: kubectlProvider,
-        kubectlLayer: new KubectlV31Layer(stack, 'KubectlLayer'),
       });
 
       new eks.HelmChart(stack, 'Chart', {
@@ -1062,7 +1056,6 @@ describe('cluster', () => {
       const cluster = eks.Cluster.fromClusterAttributes(stack, 'Cluster', {
         clusterName: 'cluster',
         kubectlProvider: kubectlProvider,
-        kubectlLayer: new KubectlV31Layer(stack, 'KubectlLayer'),
       });
 
       new eks.HelmChart(stack, 'Chart', {
@@ -1104,7 +1097,6 @@ describe('cluster', () => {
     const cluster = eks.Cluster.fromClusterAttributes(stack, 'Cluster', {
       clusterName: 'cluster',
       kubectlPrivateSubnetIds: vpc.privateSubnets.map(s => s.subnetId),
-      kubectlLayer: new KubectlV31Layer(stack, 'KubectlLayer'),
     });
 
     expect(cluster.kubectlPrivateSubnets?.map(s => stack.resolve(s.subnetId))).toEqual([
@@ -1139,7 +1131,6 @@ describe('cluster', () => {
       clusterCertificateAuthorityData: cluster.clusterCertificateAuthorityData,
       clusterSecurityGroupId: cluster.clusterSecurityGroupId,
       clusterEncryptionConfigKeyArn: cluster.clusterEncryptionConfigKeyArn,
-      kubectlLayer: new KubectlV31Layer(stack2, 'KubectlLayer'),
     });
 
     // this should cause an export/import
@@ -2605,7 +2596,6 @@ describe('cluster', () => {
         clusterName,
         kubectlRoleArn: 'arn:aws:iam::1111111:role/iam-role-that-has-masters-access',
         kubectlLambdaRole: kubectlLambdaRole,
-        kubectlLayer: new KubectlV31Layer(stack, 'KubectlLayer'),
       });
 
       const chart = 'hello-world';
@@ -3338,7 +3328,6 @@ describe('cluster', () => {
       clusterName: 'my-cluster',
       kubectlRoleArn: 'arn:aws:iam::123456789012:role/MyRole',
       kubectlMemory: cdk.Size.gibibytes(4),
-      kubectlLayer: new KubectlV31Layer(stack, 'KubectlLayer'),
     });
 
     cluster.addManifest('foo', { bar: 123 });

packages/aws-cdk-lib/aws-eks/test/k8s-manifest.test.ts

@@ -88,7 +88,6 @@ describe('k8s manifest', () => {
     const cluster = Cluster.fromClusterAttributes(stack, 'MyCluster', {
       clusterName: 'my-cluster-name',
       kubectlRoleArn: 'arn:aws:iam::1111111:role/iam-role-that-has-masters-access',
-      kubectlLayer: new KubectlV31Layer(stack, 'KubectlLayer'),
     });
 
     // WHEN
@@ -116,7 +115,6 @@ describe('k8s manifest', () => {
     const cluster = Cluster.fromClusterAttributes(stack, 'MyCluster', {
       clusterName: 'my-cluster-name',
       kubectlRoleArn: 'arn:aws:iam::1111111:role/iam-role-that-has-masters-access',
-      kubectlLayer: new KubectlV31Layer(stack, 'KubectlLayer'),
     });
 
     const manifest = cluster.addManifest('foo', { bar: 2334 });

packages/aws-cdk-lib/aws-eks/test/service-account.test.ts

@@ -33,7 +33,6 @@ describe('service account', () => {
         clusterName: 'Cluster',
         openIdConnectProvider: oidcProvider,
         kubectlRoleArn: 'arn:aws:iam::123456:role/service-role/k8sservicerole',
-        kubectlLayer: new KubectlV31Layer(stack, 'KubectlLayer'),
       });
 
       cluster.addServiceAccount('MyServiceAccount');

packages/aws-cdk-lib/aws-eks/test/user-data.test.ts

@@ -54,7 +54,6 @@ describe('user data', () => {
       clusterName: cluster.clusterName,
       openIdConnectProvider: cluster.openIdConnectProvider,
       clusterCertificateAuthorityData: cluster.clusterCertificateAuthorityData,
-      kubectlLayer: new KubectlV31Layer(stack, 'ImportKubectlLayer'),
     });
 
     // WHEN
@@ -93,7 +92,6 @@ describe('user data', () => {
       clusterName: cluster.clusterName,
       openIdConnectProvider: cluster.openIdConnectProvider,
       clusterEndpoint: cluster.clusterEndpoint,
-      kubectlLayer: new KubectlV31Layer(stack, 'ImportKubectlLayer'),
     });
 
     // WHEN