fix: do not set AWS_PROFILE env in generated kubeconfig

AWS_PROFILE values can vary between users despite variations providing the same level of access to the AWS resources. Always setting the profile name in the kubeconfig will mean that other users of the Pulumi program will need to ensure that their profile names also match, which isn't ideal.
pulumi · Mar 21, 2024 · 806b189 · 806b189
1 parent 990aa23
commit 806b189
Showing 1 changed file with 22 additions and 8 deletions.
diff --git a/nodejs/eks/cluster.ts b/nodejs/eks/cluster.ts
@@ -199,6 +199,7 @@ interface ExecEnvVar {
 export function generateKubeconfig(
     clusterName: pulumi.Input<string>,
     clusterEndpoint: pulumi.Input<string>,
+    includeProfile: boolean,
     certData?: pulumi.Input<string>,
     opts?: KubeconfigOptions,
 ) {
@@ -213,11 +214,9 @@ export function generateKubeconfig(
     if (opts?.roleArn) {
         args = [...args, "--role", opts.roleArn];
     }
-    if (opts?.profileName) {
-        env.push({
-            name: "AWS_PROFILE",
-            value: opts.profileName,
-        });
+
+    if (includeProfile && opts?.profileName) {
+        env.push({ name: "AWS_PROFILE", value: opts.profileName });
     }
 
     return pulumi.all([args, env]).apply(([tokenArgs, envvars]) => {
@@ -653,7 +652,8 @@ export function createCore(
     // Compute the required kubeconfig. Note that we do not export this value: we want the exported config to
     // depend on the autoscaling group we'll create later so that nothing attempts to use the EKS cluster before
     // its worker nodes have come up.
-    const kubeconfig = pulumi
+    const genKubeconfig = (useProfileName: boolean) => {
+        const kubeconfig = pulumi
         .all([
             eksCluster.name,
             endpoint,
@@ -675,6 +675,7 @@ export function createCore(
                         return generateKubeconfig(
                             clusterName,
                             clusterEndpoint,
+                            useProfileName,
                             clusterCertificateAuthority?.data,
                             opts,
                         );
@@ -683,19 +684,30 @@ export function createCore(
                     config = generateKubeconfig(
                         clusterName,
                         clusterEndpoint,
+                        useProfileName,
                         clusterCertificateAuthority?.data,
                         providerCredentialOpts,
                     );
                 } else {
                     config = generateKubeconfig(
                         clusterName,
                         clusterEndpoint,
+                        useProfileName,
                         clusterCertificateAuthority?.data,
                     );
                 }
                 return config;
             },
         );
+
+        return kubeconfig;
+    }
+
+    // We need 2 forms of kubeconfig, one with the profile name and one without. The one with the profile name
+    // is required to interact with the cluster by this provider. The one without is used by the user to interact
+    // with the cluster and enable multi-user access.
+    const kubeconfig = genKubeconfig(true);
+    const kubeconfigWithoutProfile = genKubeconfig(false);
 
     const k8sProvider = new k8s.Provider(
         `${name}-eks-k8s`,
@@ -950,7 +962,7 @@ export function createCore(
                             });
                             const getAnnosOutputStr = getAnnosOutput.toString();
                             // See if getAnnosOutputStr contains the annotation we're looking for.
-                            if (!getAnnosOutputStr.includes("eks.amazonaws.com/compute-type") ) {
+                            if (!getAnnosOutputStr.includes("eks.amazonaws.com/compute-type")) {
                                 // No need to patch the deployment object since the annotation is not present. However, we need to re-create the CoreDNS pods since
                                 // the existing pods were created before the FargateProfile was created, and therefore will not have been scheduled by fargate-scheduler.
                                 // See: https://github.com/pulumi/pulumi-eks/issues/1030.
@@ -1018,7 +1030,7 @@ export function createCore(
         cluster: eksCluster,
         endpoint: endpoint,
         nodeGroupOptions: nodeGroupOptions,
-        kubeconfig: kubeconfig,
+        kubeconfig: kubeconfigWithoutProfile,
         provider: k8sProvider,
         awsProvider: provider,
         vpcCni: vpcCni,
@@ -1695,6 +1707,7 @@ export class Cluster extends pulumi.ComponentResource {
         const kc = generateKubeconfig(
             this.eksCluster.name,
             this.eksCluster.endpoint,
+            true,
             this.eksCluster.certificateAuthority?.data,
             args,
         );
@@ -1898,6 +1911,7 @@ export class ClusterInternal extends pulumi.ComponentResource {
         const kc = generateKubeconfig(
             this.eksCluster.name,
             this.eksCluster.endpoint,
+            true,
             this.eksCluster.certificateAuthority?.data,
             args,
         );