feat(aws-cdk): Set all storage types to S3 and wire IRSA annotation to service account

Author: junhaoliao

tools/deployment/aws-cdk/lib/clp-stack.ts

@@ -58,6 +58,15 @@ export class ClpStack extends cdk.Stack {
       })
     );
 
+    // S3 config shared by archive_output, stream_output, and logs_input
+    const s3AuthConfig = {
+      aws_authentication: {
+        type: "default", // Uses the SDK credential chain (picks up IRSA)
+      },
+      region_code: this.region,
+      bucket: archiveBucket.bucketName,
+    };
+
     // Deploy CLP Helm chart
     new eks.HelmChart(this, "ClpHelmChart", {
       cluster,
@@ -70,13 +79,23 @@ export class ClpStack extends cdk.Stack {
         storage: {
           storageClassName: "gp3",
         },
+        serviceAccount: {
+          annotations: {
+            "eks.amazonaws.com/role-arn": s3AccessRole.roleArn,
+          },
+        },
         clpConfig: {
+          logs_input: {
+            type: "s3",
+            aws_authentication: {
+              type: "default",
+            },
+          },
           archive_output: {
             storage: {
               type: "s3",
               s3_config: {
-                region: this.region,
-                bucket: archiveBucket.bucketName,
+                ...s3AuthConfig,
                 key_prefix: "archives/",
               },
             },
@@ -85,8 +104,7 @@ export class ClpStack extends cdk.Stack {
             storage: {
               type: "s3",
               s3_config: {
-                region: this.region,
-                bucket: archiveBucket.bucketName,
+                ...s3AuthConfig,
                 key_prefix: "streams/",
               },
             },

tools/deployment/aws-cdk/scripts/push-images-to-ecr.sh

@@ -12,7 +12,7 @@ AWS_REGION="${2:-$(aws configure get region || echo us-east-2)}"
 ECR_REGISTRY="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com"
 
 # CLP package image -- uses the tag from Chart.yaml appVersion
-CLP_TAG="${CLP_TAG:-0.9.1-dev}"
+CLP_TAG="${CLP_TAG:-0.9.0}"
 CLP_SOURCE="${CLP_SOURCE:-ghcr.io/y-scope/clp/clp-package:${CLP_TAG}}"
 
 # Third-party images used by the Helm chart (hardcoded in templates today)
@@ -22,7 +22,9 @@ declare -A IMAGES=(
   ["clp/mongo:7.0.1"]="mongo:7.0.1"
   ["clp/rabbitmq:3.9.8"]="rabbitmq:3.9.8"
   ["clp/redis:7.2.4"]="redis:7.2.4"
-  ["clp/kubectl:1.32.0"]="bitnami/kubectl:1.32.0"
+  # bitnami/kubectl only publishes "latest" on Docker Hub; we pin the ECR tag
+  # to the K8s version used by EKS so our reference is fixed.
+  ["clp/kubectl:1.32"]="bitnami/kubectl:latest"
 )
 
 echo "==> Authenticating Docker to ECR (${ECR_REGISTRY})"

tools/deployment/aws-cdk/test/clp-stack.test.ts

@@ -92,11 +92,28 @@ describe("ClpStack", () => {
     expect(values).toHaveProperty("storage.storageClassName", "gp3");
   });
 
+  test("Helm values set logs_input type to s3", () => {
+    const values = getHelmValues(template);
+    expect(values).toHaveProperty("clpConfig.logs_input.type", "s3");
+  });
+
   test("Helm values reference S3 bucket for archive output", () => {
     const values = getHelmValues(template);
     expect(values).toHaveProperty("clpConfig.archive_output.storage.type", "s3");
   });
 
+  test("Helm values reference S3 bucket for stream output", () => {
+    const values = getHelmValues(template);
+    expect(values).toHaveProperty("clpConfig.stream_output.storage.type", "s3");
+  });
+
+  test("Helm values set IRSA annotation on service account", () => {
+    const values = getHelmValues(template);
+    const sa = (values as any).serviceAccount;
+    expect(sa).toBeDefined();
+    expect(sa.annotations).toHaveProperty("eks.amazonaws.com/role-arn");
+  });
+
   test("IRSA role for S3 access is created", () => {
     template.hasResourceProperties("AWS::IAM::Role", {
       AssumeRolePolicyDocument: Match.objectLike({