build: Update EKS from 29 to 30 TDE-1255 (#783)

#### Motivation

Use recent version of AWS EKS.

#### Checklist

- [ ] Tests updated (N/A)
- [x] Docs updated
- [x] Issue linked in Title

docs/infrastructure/kubernetes.version.md

@@ -59,7 +59,10 @@ Below is an example of upgrading from v1.27 to v1.28
 4. Diff the stack to make sure that only versions are updated
 
    ```bash
-   npx cdk diff Workflows -c ci-role-arn=...
+   ci_role="$(aws iam list-roles | jq --raw-output '.Roles[] | select(.RoleName | contains("CiTopo")) | select(.RoleName | contains("-CiRole")).Arn')"
+   admin_role="arn:aws:iam::$(aws sts get-caller-identity --query Account --output text):role/AccountAdminRole"
+   workflow_maintainer_role="$(aws cloudformation describe-stacks --stack-name=TopographicSharedResourcesProd | jq --raw-output .Stacks[0].Outputs[0].OutputValue)"
+   npx cdk diff --context=maintainer-arns="${ci_role},${admin_role},${workflow_maintainer_role}" Workflows
    ```
    
    The only changes should be Kubernetes version related.

infra/README.md

@@ -30,28 +30,24 @@ Main entry point: [app](./cdk8s.ts)
   ```shell
   npm install
   ```
-
 - Login to AWS
 
 ### Deploy CDK
 
-To deploy with AWS CDK a few configuration variables need to be set
-
-Due to VPC lookups a AWS account ID needs to be provided
+To deploy with AWS CDK a few context values need to be set:
 
-This can be done with either a `export CDK_DEFAULT_ACCOUNT=1234567890` or passed in at run time with `-c aws-account-id=1234567890`
+- `aws-account-id`: Account ID to deploy into. This can be set with `export CDK_DEFAULT_ACCOUNT="$(aws sts get-caller-identity --query Account --output text)"`.
+- `maintainer-arns`: Comma-separated list of AWS Role ARNs for the stack maintainers.
 
-Then a deployment can be made with `cdk`
+Then a deployment can be made with `cdk`:
 
 ```shell
-npx cdk diff -c aws-account-id=1234567890 -c ci-role-arn=arn::...
+ci_role="$(aws iam list-roles | jq --raw-output '.Roles[] | select(.RoleName | contains("CiTopo")) | select(.RoleName | contains("-CiRole")).Arn')"
+admin_role="arn:aws:iam::$(aws sts get-caller-identity --query Account --output text):role/AccountAdminRole"
+workflow_maintainer_role="$(aws cloudformation describe-stacks --stack-name=TopographicSharedResourcesProd | jq --raw-output .Stacks[0].Outputs[0].OutputValue)"
+npx cdk deploy --context=maintainer-arns="${ci_role},${admin_role},${workflow_maintainer_role}" Workflows
 ```
 
-#### CDK Context
-
-- `aws-account-id`: Account ID to deploy into
-- `ci-role-arn`: AWS Role ARN for the CI user
-
 ### Deploy CDK8s
 
 Generate the kubernetes configuration yaml into `dist/`
@@ -63,12 +59,12 @@ npx cdk8s synth
 Apply the generated yaml files
 
 ```shell
-kubectl apply -f dist/
+kubectl apply --filename=dist/
 ```
 
 ### Testing
 
-To debug use the following as `cdk8s syth` swallows the errors
+To debug use the following as `cdk8s synth` swallows the errors
 
 ```shell
 npx tsx infra/cdk8s.ts

infra/charts/argo.extras.ts

@@ -1,5 +1,5 @@
 import { Chart, ChartProps } from 'cdk8s';
-import * as kplus from 'cdk8s-plus-29';
+import * as kplus from 'cdk8s-plus-30';
 import { Construct } from 'constructs';
 
 import { applyDefaultLabels } from '../util/labels.js';

infra/charts/argo.workflows.ts

@@ -1,5 +1,5 @@
 import { Chart, ChartProps, Duration, Helm } from 'cdk8s';
-import { Secret } from 'cdk8s-plus-29';
+import { Secret } from 'cdk8s-plus-30';
 import { Construct } from 'constructs';
 
 import { ArgoDbName, ArgoDbUser, DefaultRegion } from '../constants.js';

infra/charts/cloudflared.ts

@@ -1,5 +1,5 @@
 import { Chart, ChartProps, Size } from 'cdk8s';
-import * as kplus from 'cdk8s-plus-29';
+import * as kplus from 'cdk8s-plus-30';
 import { Construct } from 'constructs';
 
 import { applyDefaultLabels } from '../util/labels.js';

infra/charts/event.exporter.ts

@@ -8,7 +8,7 @@ import {
   Namespace,
   ServiceAccount,
   Volume,
-} from 'cdk8s-plus-29';
+} from 'cdk8s-plus-30';
 import { Construct } from 'constructs';
 
 import { applyDefaultLabels } from '../util/labels.js';
@@ -28,7 +28,7 @@ export class EventExporter extends Chart {
       metadata: { name: 'event-exporter', namespace: props.namespace },
     });
 
-    // https://cdk8s.io/docs/latest/plus/cdk8s-plus-29/rbac/#role
+    // https://cdk8s.io/docs/latest/plus/cdk8s-plus-30/rbac/#role
     const clusterRole = new ClusterRole(this, 'event-exporter-cr', {
       metadata: { name: 'event-exporter' },
     });

infra/charts/kube-system.coredns.ts

@@ -1,5 +1,5 @@
 import { Chart, ChartProps } from 'cdk8s';
-import * as kplus from 'cdk8s-plus-29';
+import * as kplus from 'cdk8s-plus-30';
 import { Construct } from 'constructs';
 
 import { applyDefaultLabels } from '../util/labels.js';

infra/charts/kube-system.node.local.dns.ts

@@ -1,5 +1,5 @@
 import { ApiObject, Chart, ChartProps, JsonPatch, Size } from 'cdk8s';
-import * as kplus from 'cdk8s-plus-29';
+import * as kplus from 'cdk8s-plus-30';
 import { Construct } from 'constructs';
 
 import { applyDefaultLabels } from '../util/labels.js';

infra/eks/cluster.ts

@@ -1,4 +1,4 @@
-import { KubectlV29Layer } from '@aws-cdk/lambda-layer-kubectl-v29';
+import { KubectlV30Layer } from '@aws-cdk/lambda-layer-kubectl-v30';
 import { Aws, CfnOutput, Duration, RemovalPolicy, SecretValue, Size, Stack, StackProps } from 'aws-cdk-lib';
 import * as chatbot from 'aws-cdk-lib/aws-chatbot';
 import * as cloudwatch from 'aws-cdk-lib/aws-cloudwatch';
@@ -44,7 +44,7 @@ export class LinzEksCluster extends Stack {
   /* Cluster ID */
   id: string;
   /** Version of EKS to use, this must be aligned to the `kubectlLayer` */
-  version = KubernetesVersion.of('1.29');
+  version = KubernetesVersion.of('1.30');
   /** Argo needs a database for workflow archive */
   argoDb: DatabaseInstance;
   /** Argo needs a temporary bucket to store objects */
@@ -72,7 +72,7 @@ export class LinzEksCluster extends Stack {
       defaultCapacity: 0,
       vpcSubnets: [{ subnetType: SubnetType.PRIVATE_WITH_EGRESS }],
       /** This must align to Cluster version: {@link version} */
-      kubectlLayer: new KubectlV29Layer(this, 'KubeCtlLayer'),
+      kubectlLayer: new KubectlV30Layer(this, 'KubeCtlLayer'),
       /** To prevent IP exhaustion when running huge workflows run using ipv6 */
       ipFamily: IpFamily.IP_V6,
       clusterLogging: [ClusterLoggingTypes.API, ClusterLoggingTypes.CONTROLLER_MANAGER, ClusterLoggingTypes.SCHEDULER],
@@ -81,7 +81,7 @@ export class LinzEksCluster extends Stack {
     // TODO: setup up a database CNAME for changing Argo DB without updating Argo config
     // TODO: run a Disaster Recovery test to recover database data
     this.argoDb = new DatabaseInstance(this, ArgoDbInstanceName, {
-      engine: DatabaseInstanceEngine.postgres({ version: PostgresEngineVersion.VER_15_3 }),
+      engine: DatabaseInstanceEngine.postgres({ version: PostgresEngineVersion.VER_15_7 }),
       instanceType: InstanceType.of(InstanceClass.T3, InstanceSize.SMALL),
       vpc: this.vpc,
       databaseName: ArgoDbName,

package.json

@@ -23,7 +23,7 @@
     "test": "node --import tsx --test infra/**/*.test.ts templates/common/__test__/*.test.ts"
   },
   "devDependencies": {
-    "@aws-cdk/lambda-layer-kubectl-v29": "^2.1.0",
+    "@aws-cdk/lambda-layer-kubectl-v30": "^2.0.1",
     "@aws-sdk/client-cloudformation": "3.658.1",
     "@aws-sdk/client-eks": "3.658.1",
     "@aws-sdk/client-ssm": "3.658.1",
@@ -33,7 +33,7 @@
     "aws-cdk-lib": "2.160.x",
     "cdk8s": "^2.69.5",
     "cdk8s-cli": "^2.198.228",
-    "cdk8s-plus-29": "^2.5.5",
+    "cdk8s-plus-30": "^2.2.5",
     "constructs": "^10.3.0",
     "tsx": "^4.6.2"
   }