Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(iam): oidc provider retrieves leaf certificate instead of root certificate #22509

Merged
merged 13 commits into from
Nov 4, 2022
Merged
8 changes: 0 additions & 8 deletions packages/@aws-cdk/aws-eks/lib/oidc-provider.ts
Original file line number Diff line number Diff line change
Expand Up @@ -41,18 +41,10 @@ export class OpenIdConnectProvider extends iam.OpenIdConnectProvider {
* @param props Initialization properties
*/
public constructor(scope: Construct, id: string, props: OpenIdConnectProviderProps) {
/**
* For some reason EKS isn't validating the root certificate but a intermediate certificate
* which is one level up in the tree. Because of the a constant thumbprint value has to be
* stated with this OpenID Connect provider. The certificate thumbprint is the same for all the regions.
*/
const thumbprints = ['9e99a48a9960b14926bb7f3b02e22da2b0ab7280'];

const clientIds = ['sts.amazonaws.com'];

super(scope, id, {
url: props.url,
thumbprints,
clientIds,
});
}
Expand Down
3 changes: 0 additions & 3 deletions packages/@aws-cdk/aws-eks/test/cluster.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -2156,9 +2156,6 @@ describe('cluster', () => {
ClientIDList: [
'sts.amazonaws.com',
],
ThumbprintList: [
'9e99a48a9960b14926bb7f3b02e22da2b0ab7280',
],
Url: {
'Fn::GetAtt': [
'Cluster9EE0221C',
Expand Down
Binary file not shown.

This file was deleted.

This file was deleted.

This file was deleted.

This file was deleted.

This file was deleted.

This file was deleted.

This file was deleted.

Loading