replace replaceExistingRoles with update iamserviceaccount

pkg/actions/iam/iam.go

@@ -23,7 +23,7 @@ type Manager struct {
 type StackManager interface {
 	ListStacksMatching(nameRegex string, statusFilters ...string) ([]*manager.Stack, error)
 	UpdateStack(stackName, changeSetName, description string, templateData manager.TemplateData, parameters map[string]string) error
-	NewTasksToCreateIAMServiceAccounts(serviceAccounts []*api.ClusterIAMServiceAccount, oidc *iamoidc.OpenIDConnectManager, clientSetGetter kubernetes.ClientSetGetter, replaceExistingRole bool) *tasks.TaskTree
+	NewTasksToCreateIAMServiceAccounts(serviceAccounts []*api.ClusterIAMServiceAccount, oidc *iamoidc.OpenIDConnectManager, clientSetGetter kubernetes.ClientSetGetter) *tasks.TaskTree
 	GetIAMServiceAccounts() ([]*api.ClusterIAMServiceAccount, error)
 	NewTasksToDeleteIAMServiceAccounts(shouldDelete func(string) bool, clientSetGetter kubernetes.ClientSetGetter, wait bool) (*tasks.TaskTree, error)
 }

pkg/addons/irsa_helper.go

@@ -2,38 +2,37 @@ package addons
 
 import (
 	"fmt"
-	"strings"
+
+	"github.com/weaveworks/eksctl/pkg/actions/iam"
+
+	"github.com/weaveworks/eksctl/pkg/cfn/manager"
 
 	"github.com/pkg/errors"
 	api "github.com/weaveworks/eksctl/pkg/apis/eksctl.io/v1alpha5"
 	iamoidc "github.com/weaveworks/eksctl/pkg/iam/oidc"
-	"github.com/weaveworks/eksctl/pkg/kubernetes"
-	"github.com/weaveworks/eksctl/pkg/utils/tasks"
 )
 
-type serviceAccountCreator interface {
-	NewTasksToCreateIAMServiceAccounts(serviceAccounts []*api.ClusterIAMServiceAccount, oidc *iamoidc.OpenIDConnectManager, clientSetGetter kubernetes.ClientSetGetter, replaceExistingRole bool) *tasks.TaskTree
-}
-
 // IRSAHelper provides methods for enabling IRSA
 type IRSAHelper interface {
 	IsSupported() (bool, error)
-	Create(serviceAccounts []*api.ClusterIAMServiceAccount) error
+	CreateOrUpdate(serviceAccounts *api.ClusterIAMServiceAccount) error
 }
 
 // irsaHelper applies the annotations required for a ServiceAccount to work with IRSA
 type irsaHelper struct {
-	oidc *iamoidc.OpenIDConnectManager
-	serviceAccountCreator
-	clientSet kubernetes.ClientSetGetter
+	oidc         *iamoidc.OpenIDConnectManager
+	iamManager   *iam.Manager
+	stackManager *manager.StackCollection
+	clusterName  string
 }
 
 // NewIRSAHelper creates a new IRSAHelper
-func NewIRSAHelper(oidc *iamoidc.OpenIDConnectManager, saCreator serviceAccountCreator, clientSet kubernetes.ClientSetGetter) IRSAHelper {
+func NewIRSAHelper(oidc *iamoidc.OpenIDConnectManager, stackManager *manager.StackCollection, iamManager *iam.Manager, clusterName string) IRSAHelper {
 	return &irsaHelper{
-		oidc:                  oidc,
-		serviceAccountCreator: saCreator,
-		clientSet:             clientSet,
+		oidc:         oidc,
+		stackManager: stackManager,
+		iamManager:   iamManager,
+		clusterName:  clusterName,
 	}
 }
 
@@ -47,21 +46,20 @@ func (h *irsaHelper) IsSupported() (bool, error) {
 }
 
 // Create creates IRSA for the specified IAM service accounts
-func (h *irsaHelper) Create(serviceAccounts []*api.ClusterIAMServiceAccount) error {
-	taskTree := h.NewTasksToCreateIAMServiceAccounts(serviceAccounts, h.oidc, h.clientSet, true)
-	if errs := taskTree.DoAllSync(); len(errs) > 0 {
-		return errors.Wrap(joinErrors(errs), "error creating IAM service account")
+func (h *irsaHelper) CreateOrUpdate(sa *api.ClusterIAMServiceAccount) error {
+	serviceAccounts := []*api.ClusterIAMServiceAccount{sa}
+	stacks, err := h.stackManager.ListStacksMatching(makeIAMServiceAccountStackName(h.clusterName, sa.Namespace, sa.Name))
+	if err != nil {
+		return errors.Wrapf(err, "error checking if iamserviceaccount %s/%s exists", sa.Namespace, sa.Name)
+	}
+	if len(stacks) == 0 {
+		err = h.iamManager.CreateIAMServiceAccount(serviceAccounts, false)
+	} else {
+		err = h.iamManager.UpdateIAMServiceAccounts(serviceAccounts, false)
 	}
-	return nil
+	return err
 }
 
-func joinErrors(errs []error) error {
-	if len(errs) == 1 {
-		return errs[0]
-	}
-	allErrs := []string{"errors:\n"}
-	for _, err := range errs {
-		allErrs = append(allErrs, fmt.Sprintf("- %v", err))
-	}
-	return errors.New(strings.Join(allErrs, "\n"))
+func makeIAMServiceAccountStackName(clusterName, namespace, name string) string {
+	return fmt.Sprintf("eksctl-%s-addon-iamserviceaccount-%s-%s", clusterName, namespace, name)
 }

pkg/addons/vpc_controller.go

@@ -244,7 +244,7 @@ func (v *VPCController) deployVPCResourceController() error {
 			},
 			AttachPolicy: makePolicyDocument(),
 		}
-		if err := v.irsa.Create([]*api.ClusterIAMServiceAccount{sa}); err != nil {
+		if err := v.irsa.CreateOrUpdate(sa); err != nil {
 			return errors.Wrap(err, "error enabling IRSA")
 		}
 	} else {

pkg/cfn/manager/create_tasks.go

@@ -96,7 +96,7 @@ func (c *StackCollection) NewClusterCompatTask() tasks.Task {
 }
 
 // NewTasksToCreateIAMServiceAccounts defines tasks required to create all of the IAM ServiceAccounts
-func (c *StackCollection) NewTasksToCreateIAMServiceAccounts(serviceAccounts []*api.ClusterIAMServiceAccount, oidc *iamoidc.OpenIDConnectManager, clientSetGetter kubernetes.ClientSetGetter, replaceExistingRole bool) *tasks.TaskTree {
+func (c *StackCollection) NewTasksToCreateIAMServiceAccounts(serviceAccounts []*api.ClusterIAMServiceAccount, oidc *iamoidc.OpenIDConnectManager, clientSetGetter kubernetes.ClientSetGetter) *tasks.TaskTree {
 	taskTree := &tasks.TaskTree{Parallel: true}
 
 	for i := range serviceAccounts {
@@ -107,11 +107,10 @@ func (c *StackCollection) NewTasksToCreateIAMServiceAccounts(serviceAccounts []*
 		}
 
 		saTasks.Append(&taskWithClusterIAMServiceAccountSpec{
-			info:                fmt.Sprintf("create IAM role for serviceaccount %q", sa.NameString()),
-			stackCollection:     c,
-			serviceAccount:      sa,
-			oidc:                oidc,
-			replaceExistingRole: replaceExistingRole,
+			info:            fmt.Sprintf("create IAM role for serviceaccount %q", sa.NameString()),
+			stackCollection: c,
+			serviceAccount:  sa,
+			oidc:            oidc,
 		})
 
 		saTasks.Append(&kubernetesTask{

pkg/cfn/manager/iam.go

@@ -3,9 +3,6 @@ package manager
 import (
 	"fmt"
 
-	"github.com/pkg/errors"
-
-	"github.com/aws/aws-sdk-go/aws/awserr"
 	cfn "github.com/aws/aws-sdk-go/service/cloudformation"
 	"github.com/kris-nova/logger"
 
@@ -21,7 +18,7 @@ func (c *StackCollection) makeIAMServiceAccountStackName(namespace, name string)
 }
 
 // createIAMServiceAccountTask creates the iamserviceaccount in CloudFormation
-func (c *StackCollection) createIAMServiceAccountTask(errs chan error, spec *api.ClusterIAMServiceAccount, oidc *iamoidc.OpenIDConnectManager, replaceExistingRole bool) error {
+func (c *StackCollection) createIAMServiceAccountTask(errs chan error, spec *api.ClusterIAMServiceAccount, oidc *iamoidc.OpenIDConnectManager) error {
 	name := c.makeIAMServiceAccountStackName(spec.Namespace, spec.Name)
 	logger.Info("building iamserviceaccount stack %q", name)
 	stack := builder.NewIAMServiceAccountResourceSet(spec, oidc)
@@ -35,18 +32,6 @@ func (c *StackCollection) createIAMServiceAccountTask(errs chan error, spec *api
 	spec.Tags[api.IAMServiceAccountNameTag] = spec.NameString()
 
 	if err := c.CreateStack(name, stack, spec.Tags, nil, errs); err != nil {
-		if !replaceExistingRole {
-			return err
-		}
-		var awsErr awserr.Error
-		if errors.As(err, &awsErr) && awsErr.Code() == cfn.ErrCodeAlreadyExistsException {
-			logger.Debug("CFN stack for IRSA already exists, replacing it with a new stack")
-			if err := c.DeleteStackByNameSync(name); err != nil {
-				close(errs)
-				return errors.Wrap(err, "error deleting stack")
-			}
-			return c.createIAMServiceAccountTask(errs, spec, oidc, false)
-		}
 		return err
 	}
 	return nil

pkg/cfn/manager/tasks.go

@@ -61,16 +61,15 @@ func (t *clusterCompatTask) Do(errorCh chan error) error {
 }
 
 type taskWithClusterIAMServiceAccountSpec struct {
-	info                string
-	stackCollection     *StackCollection
-	serviceAccount      *api.ClusterIAMServiceAccount
-	oidc                *iamoidc.OpenIDConnectManager
-	replaceExistingRole bool
+	info            string
+	stackCollection *StackCollection
+	serviceAccount  *api.ClusterIAMServiceAccount
+	oidc            *iamoidc.OpenIDConnectManager
 }
 
 func (t *taskWithClusterIAMServiceAccountSpec) Describe() string { return t.info }
 func (t *taskWithClusterIAMServiceAccountSpec) Do(errs chan error) error {
-	return t.stackCollection.createIAMServiceAccountTask(errs, t.serviceAccount, t.oidc, t.replaceExistingRole)
+	return t.stackCollection.createIAMServiceAccountTask(errs, t.serviceAccount, t.oidc)
 }
 
 type taskWithStackSpec struct {

pkg/eks/tasks.go

@@ -5,6 +5,8 @@ import (
 	"fmt"
 	"time"
 
+	"github.com/weaveworks/eksctl/pkg/actions/iam"
+
 	"github.com/kris-nova/logger"
 	"github.com/pkg/errors"
 	"github.com/weaveworks/eksctl/pkg/cfn/manager"
@@ -61,7 +63,13 @@ func (v *VPCControllerTask) Do(errCh chan error) error {
 	}
 
 	stackCollection := manager.NewStackCollection(v.ClusterProvider.Provider, v.ClusterConfig)
-	irsa := addons.NewIRSAHelper(oidc, stackCollection, kubernetes.NewCachedClientSet(rawClient.ClientSet()))
+
+	clientSet, err := v.ClusterProvider.NewStdClientSet(v.ClusterConfig)
+	if err != nil {
+		return err
+	}
+	iamManager := iam.New(v.ClusterConfig.Metadata.Name, stackCollection, oidc, clientSet)
+	irsa := addons.NewIRSAHelper(oidc, stackCollection, iamManager, v.ClusterConfig.Metadata.Name)
 
 	// TODO PlanMode doesn't work as intended
 	vpcController := addons.NewVPCController(rawClient, irsa, v.ClusterConfig.Status, v.ClusterProvider.Provider.Region(), v.PlanMode)
@@ -285,7 +293,6 @@ func (c *ClusterProvider) appendCreateTasksForIAMServiceAccounts(cfg *api.Cluste
 		api.IAMServiceAccountsWithAWSNodeServiceAccount(cfg),
 		oidcPlaceholder,
 		clientSet,
-		false,
 	)
 	newTasks.IsSubTask = true
 	tasks.Append(newTasks)