Merge branch 'task/1.16.3-release-prep' into pr1093

.devcontainer/devcontainer.json

@@ -6,7 +6,7 @@
       },
       "ghcr.io/devcontainers/features/aws-cli:1": {},
       "ghcr.io/devcontainers-contrib/features/aws-cdk:2": {
-        "version": "2.162.1"
+        "version": "2.173.2"
       }
     },
     "postCreateCommand": ".devcontainer/postCreateCommand.sh",

README.md

@@ -48,14 +48,14 @@ aws --version
 Install CDK matching the current version of the Blueprints QuickStart (which can be found in package.json).
 
 ```bash
-npm install -g aws-cdk@2.162.1
+npm install -g aws-cdk@2.173.2
 ```
 
 Verify the installation.
 
 ```bash
 cdk --version
-# must output 2.162.1
+# must output 2.173.2
 ```
 
 Create a new CDK project. We use `typescript` for this example.

docs/README.md

@@ -44,14 +44,14 @@ aws --version
 Install CDK matching the current version of the Blueprints QuickStart (which can be found in package.json).
 
 ```bash
-npm install -g aws-cdk@2.162.1
+npm install -g aws-cdk@2.173.2
 ```
 
 Verify the installation.
 
 ```bash
 cdk --version
-# must output 2.162.1
+# must output 2.173.2
 ```
 
 Create a new CDK project. We use `typescript` for this example.

docs/getting-started.md

@@ -26,8 +26,8 @@ Create a directory that represents you project (e.g. `my-blueprints`) and then c
 ```bash
 npm install -g n # may require sudo
 n stable # may require sudo 
-npm install -g aws-cdk@2.162.1 # may require sudo (Ubuntu) depending on configuration
-cdk --version # must produce 2.162.1
+npm install -g aws-cdk@2.173.2 # may require sudo (Ubuntu) depending on configuration
+cdk --version # must produce 2.173.2
 mkdir my-blueprints
 cd my-blueprints
 cdk init app --language typescript
@@ -57,7 +57,7 @@ npm ERR! peer bundled aws-cdk-lib@"2.133.0" from @aws-quickstart/eks-blueprints@
 npm ERR! node_modules/@aws-quickstart/eks-blueprint
 ```
 
-This message means that the version of CDK that the customer is using is different from the version of CDK used in EKS Blueprints. Locate the line `peer bundled` and check the expected version of the CDK. Make sure that in your `package.json` the version is set to the expected. In this example, `package.json` contained `"aws-cdk-lib": "2.133.0"`, while the expected version was `2.162.1`.
+This message means that the version of CDK that the customer is using is different from the version of CDK used in EKS Blueprints. Locate the line `peer bundled` and check the expected version of the CDK. Make sure that in your `package.json` the version is set to the expected. In this example, `package.json` contained `"aws-cdk-lib": "2.133.0"`, while the expected version was `2.173.2`.
 
 **Note**: after the initial installation, upgrading the version of CDK to an incompatible higher/lower version will produce a warning, but will succeed. For community support (submitting GitHub issues) please make sure you have a matching version configured.
 

docs/internal/ci.md

@@ -19,7 +19,7 @@ cd cdk-eks-blueprints
 Install CDK (please review and install any missing [pre-requisites](https://docs.aws.amazon.com/cdk/latest/guide/getting_started.html) for your environment)
 
 ```sh
-npm install -g aws-cdk@2.162.1
+npm install -g aws-cdk@2.173.2
 ```
 
 Install the dependencies for this project.

examples/examples.ts

@@ -35,7 +35,7 @@ const publicCluster = {
 };
 
 builder()
-    .clusterProvider(new bp.FargateClusterProvider(publicCluster))
+    .clusterProvider(new bp.FargateClusterProvider({...publicCluster}))
     .build(app, "fargate-blueprint");
 
 builder()

lib/addons/amp/collector-config-amp-daemonset.ytpl

@@ -49,6 +49,40 @@ spec:
               ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
               insecure_skip_verify: true
 
+          - job_name: ksh-metrics
+            scheme: https
+            metrics_path: /apis/metrics.eks.amazonaws.com/v1/ksh/container/metrics
+            tls_config:
+              ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+              insecure_skip_verify: true
+            bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+            kubernetes_sd_configs:
+            - role: endpoints
+            relabel_configs:
+            - source_labels:
+              - __meta_kubernetes_namespace
+              - __meta_kubernetes_service_name
+              - __meta_kubernetes_endpoint_port_name
+              action: keep
+              regex: default;kubernetes;https
+
+          - job_name: kcm-metrics
+            scheme: https
+            metrics_path: /apis/metrics.eks.amazonaws.com/v1/kcm/container/metrics
+            tls_config:
+              ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+              insecure_skip_verify: true
+            bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+            kubernetes_sd_configs:
+            - role: endpoints
+            relabel_configs:
+            - source_labels:
+              - __meta_kubernetes_namespace
+              - __meta_kubernetes_service_name
+              - __meta_kubernetes_endpoint_port_name
+              action: keep
+              regex: default;kubernetes;https
+
           - job_name: kubernetes-nodes
             bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
             kubernetes_sd_configs:
@@ -348,6 +382,13 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - metrics.eks.amazonaws.com
+  resources:
+  - kcm/metrics
+  - ksh/metrics
+  verbs:
+  - get
 - nonResourceURLs:
   - /metrics
   verbs:

lib/addons/amp/collector-config-amp.ytpl

@@ -43,6 +43,38 @@ spec:
               tls_config:
                 ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
                 insecure_skip_verify: true
+            - job_name: ksh-metrics
+              scheme: https
+              metrics_path: /apis/metrics.eks.amazonaws.com/v1/ksh/container/metrics
+              tls_config:
+                ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+                insecure_skip_verify: true
+              bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+              kubernetes_sd_configs:
+              - role: endpoints
+              relabel_configs:
+              - source_labels:
+                - __meta_kubernetes_namespace
+                - __meta_kubernetes_service_name
+                - __meta_kubernetes_endpoint_port_name
+                action: keep
+                regex: default;kubernetes;https
+            - job_name: kcm-metrics
+              scheme: https
+              metrics_path: /apis/metrics.eks.amazonaws.com/v1/kcm/container/metrics
+              tls_config:
+                ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+                insecure_skip_verify: true
+              bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+              kubernetes_sd_configs:
+              - role: endpoints
+              relabel_configs:
+              - source_labels:
+                - __meta_kubernetes_namespace
+                - __meta_kubernetes_service_name
+                - __meta_kubernetes_endpoint_port_name
+                action: keep
+                regex: default;kubernetes;https
             - job_name: kubernetes-nodes
               bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
               kubernetes_sd_configs:
@@ -1934,6 +1966,13 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - metrics.eks.amazonaws.com
+  resources:
+  - kcm/metrics
+  - ksh/metrics
+  verbs:
+  - get
 - nonResourceURLs:
   - /metrics
   verbs:

lib/addons/aws-loadbalancer-controller/iam-policy.ts

@@ -37,7 +37,9 @@ export const AwsLoadbalancerControllerIamPolicy = (partition: string) => {
                     "elasticloadbalancing:DescribeTargetGroups",
                     "elasticloadbalancing:DescribeTargetGroupAttributes",
                     "elasticloadbalancing:DescribeTargetHealth",
-                    "elasticloadbalancing:DescribeTags"
+                    "elasticloadbalancing:DescribeTags",
+                    "elasticloadbalancing:DescribeTrustStores",
+                    "elasticloadbalancing:DescribeListenerAttributes"
                 ],
                 "Resource": "*"
             },
@@ -186,7 +188,8 @@ export const AwsLoadbalancerControllerIamPolicy = (partition: string) => {
                     "elasticloadbalancing:DeleteLoadBalancer",
                     "elasticloadbalancing:ModifyTargetGroup",
                     "elasticloadbalancing:ModifyTargetGroupAttributes",
-                    "elasticloadbalancing:DeleteTargetGroup"
+                    "elasticloadbalancing:DeleteTargetGroup",
+                    "elasticloadbalancing:ModifyListenerAttributes"
                 ],
                 "Resource": "*",
                 "Condition": {

lib/addons/cloud-watch-insights/index.ts

@@ -10,11 +10,11 @@ import {KubernetesVersion} from "aws-cdk-lib/aws-eks";
 // aws eks describe-addon-versions --kubernetes-version <kubernetes-version> --addon-name amazon-cloudwatch-observability \
 //     --query 'addons[].addonVersions[].{Version: addonVersion, Defaultversion: compatibilities[0].defaultVersion}' --output table
 const versionMap: Map<KubernetesVersion, string> = new Map([
-    [KubernetesVersion.V1_31, "v2.1.3-eksbuild.1"],
-    [KubernetesVersion.V1_30, "v2.1.3-eksbuild.1"],
-    [KubernetesVersion.V1_29, "v2.1.3-eksbuild.1"],
-    [KubernetesVersion.V1_28, "v2.1.3-eksbuild.1"],
-    [KubernetesVersion.V1_27, "v2.1.3-eksbuild.1"]
+    [KubernetesVersion.V1_31, "v2.3.0-eksbuild.1"],
+    [KubernetesVersion.V1_30, "v2.3.0-eksbuild.1"],
+    [KubernetesVersion.V1_29, "v2.3.0-eksbuild.1"],
+    [KubernetesVersion.V1_28, "v2.3.0-eksbuild.1"],
+    [KubernetesVersion.V1_27, "v2.3.0-eksbuild.1"]
 ]);
 
 

lib/addons/cloudwatch-adot-addon/collector-config-cloudwatch.ytpl

@@ -45,6 +45,40 @@ spec:
               ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
               insecure_skip_verify: true
 
+          - job_name: ksh-metrics
+            scheme: https
+            metrics_path: /apis/metrics.eks.amazonaws.com/v1/ksh/container/metrics
+            tls_config:
+              ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+              insecure_skip_verify: true
+            bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+            kubernetes_sd_configs:
+            - role: endpoints
+            relabel_configs:
+            - source_labels:
+              - __meta_kubernetes_namespace
+              - __meta_kubernetes_service_name
+              - __meta_kubernetes_endpoint_port_name
+              action: keep
+              regex: default;kubernetes;https
+
+          - job_name: kcm-metrics
+            scheme: https
+            metrics_path: /apis/metrics.eks.amazonaws.com/v1/kcm/container/metrics
+            tls_config:
+              ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+              insecure_skip_verify: true
+            bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+            kubernetes_sd_configs:
+            - role: endpoints
+            relabel_configs:
+            - source_labels:
+              - __meta_kubernetes_namespace
+              - __meta_kubernetes_service_name
+              - __meta_kubernetes_endpoint_port_name
+              action: keep
+              regex: default;kubernetes;https
+
           - job_name: kubernetes-nodes
             bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
             kubernetes_sd_configs:
@@ -409,6 +443,13 @@ rules:
       - get
       - list
       - watch
+  - apiGroups:
+      - metrics.eks.amazonaws.com
+    resources:
+      - kcm/metrics
+      - ksh/metrics
+    verbs:
+      - get
   - nonResourceURLs:
       - /metrics
     verbs:

lib/addons/core-addon/index.ts

@@ -8,6 +8,7 @@ import { createServiceAccountWithPolicy, deployBeforeCapacity, logger, userLog,
 import * as sdk from "@aws-sdk/client-eks";
 import { RemovalPolicy } from "aws-cdk-lib";
 
+
 export class CoreAddOnProps {
     /**
      * Name of the add-on to instantiate
@@ -87,7 +88,7 @@ export class CoreAddOn implements ClusterAddOn {
         let version: string = this.coreAddOnProps.version;
 
         if (this.coreAddOnProps.version === "auto") {
-            version = await this.provideVersion(clusterInfo);
+            version = await this.provideVersion(clusterInfo.version, clusterInfo.cluster.stack.region);
         }
 
         let addOnProps = {
@@ -176,11 +177,11 @@ export class CoreAddOn implements ClusterAddOn {
         return result;
     }
 
-    async provideVersion(clusterInfo: ClusterInfo) : Promise<string> {
-        const client = new sdk.EKSClient({ region: clusterInfo.cluster.stack.region });
+    async provideVersion(clusterVersion: KubernetesVersion, region: string) : Promise<string> {
+        const client = new sdk.EKSClient({ region });
         const command = new sdk.DescribeAddonVersionsCommand({
             addonName: this.coreAddOnProps.addOnName,
-            kubernetesVersion: clusterInfo.version.version
+            kubernetesVersion: clusterVersion.version
         });
 
         try {
@@ -210,7 +211,7 @@ export class CoreAddOn implements ClusterAddOn {
             logger.warn(`Failed to retrieve add-on versions from EKS for add-on ${this.coreAddOnProps.addOnName}.`);
             logger.warn("Possible reasons for failures - Unauthorized or Authentication failure or Network failure on the terminal.");
             logger.warn(" Falling back to default version.");
-            let version: string = this.provideDefaultAutoVersion(clusterInfo.version);
+            let version: string = this.provideDefaultAutoVersion(clusterVersion);
             userLog.debug(`Core add-on ${this.coreAddOnProps.addOnName} has autoselected version ${version}`);
             return version;
         }

lib/addons/kube-proxy/index.ts

@@ -1,9 +1,9 @@
 import { KubernetesVersion } from "aws-cdk-lib/aws-eks";
-import { CoreAddOn, CoreAddOnProps } from "../core-addon";
 import { supportsALL } from "../../utils";
+import { CoreAddOn, CoreAddOnProps } from "../core-addon";
 
 const versionMap: Map<KubernetesVersion, string> = new Map([
-    [KubernetesVersion.V1_31, "1.31.0-eksbuild.5"],
+    [KubernetesVersion.V1_31, "v1.31.0-eksbuild.5"],
     [KubernetesVersion.V1_30, "v1.30.0-eksbuild.3"],
     [KubernetesVersion.V1_29, "v1.29.0-eksbuild.1"],
     [KubernetesVersion.V1_28, "v1.28.2-eksbuild.2"],

lib/pipelines/code-pipeline.ts

@@ -457,7 +457,7 @@ class CodePipeline {
               primaryOutputDirectory: `${path}/cdk.out`,
               installCommands: [
                 'n stable',
-                'npm install -g aws-cdk@2.162.1',
+                'npm install -g aws-cdk@2.173.2',
                 `cd $CODEBUILD_SRC_DIR/${path} && npm install`
               ],
               commands: [`cd $CODEBUILD_SRC_DIR/${path}`, 'npm run build', 'npx cdk synth ' + app]

lib/resource-providers/ipv6-iam.ts

@@ -1,7 +1,7 @@
 import * as spi from "../spi";
 import * as iam from "aws-cdk-lib/aws-iam";
 import {IManagedPolicy} from "aws-cdk-lib/aws-iam";
-import {getEKSNodeIpv6PolicyDocument} from '../../lib/utils/ipv6-utils';
+import {getEKSNodeIpv6PolicyDocument} from '../utils/ipv6-utils';
 
 /**
  * Resource provider that creates a new role with ipv6 permissions.

lib/resource-providers/vpc.ts

@@ -107,7 +107,6 @@ export function getVPCFromId(context: ResourceContext, nodeId: string, vpcId?: s
         } else {
             console.log(`looking up non-default ${vpcId} VPC`);
             vpc = ec2.Vpc.fromLookup(context.scope, nodeId + "-vpc", { vpcId: vpcId });
-            console.log(vpc);
         }
     }
     return vpc;

package.json

@@ -1,6 +1,6 @@
 {
     "name": "@aws-quickstart/eks-blueprints",
-    "version": "1.16.0",
+    "version": "1.16.2",
     "license": "Apache-2.0",
     "main": "dist/index.js",
     "types": "dist/index.d.ts",
@@ -74,7 +74,7 @@
         "semver": "^7.6.0"
     },
     "peerDependencies": {
-        "aws-cdk-lib": "2.162.1",
-        "aws-cdk": "2.162.1"
+        "aws-cdk-lib": "2.173.2",
+        "aws-cdk": "2.173.2"
     }
 }