

fix(iam): oidc provider fetches leaf certificate thumbprint instead o…
…f root (#22924)

Backports #22802 and #22608 to v1.

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
iliapolo committed Nov 16, 2022
1 parent cbbb42c commit b01adb5
Showing 225 changed files with 51,671 additions and 13,943 deletions.
4 changes: 2 additions & 2 deletions .github/workflows/yarn-upgrade.yml
Expand Up @@ -38,8 +38,6 @@ jobs:
- name: Install Tools
run: |-
npm -g install lerna npm-check-updates@^9.0.0
- name: Build CLI
run: cd packages/aws-cdk && ../../scripts/buildup
- name: Build Integ Runner
run: cd packages/@aws-cdk/integ-runner && ../../../scripts/buildup
- name: List Mono-Repo Packages
Expand Down Expand Up @@ -69,6 +67,8 @@ jobs:
for pj in $(find packages/aws-cdk/lib/init-templates -name package.json); do
(cd $(dirname $pj) && ncu --upgrade --reject='@types/node,@types/prettier,@types/fs-extra,constructs,typescript,aws-sdk,aws-sdk-mock,ts-jest,jest,${{ steps.list-packages.outputs.list }}')
done
# Upgrade dependencies at an aws-eks integ test docker image
cd packages/@aws-cdk/aws-eks/test/sdk-call-integ-test-docker-app/app/ && ncu --upgrade --reject='@types/jest,@types/node,@types/prettier,@types/fs-extra,constructs,typescript,aws-sdk,aws-sdk-mock,ts-jest,jest,${{ steps.list-packages.outputs.list }}'
# This will ensure the current lockfile is up-to-date with the dependency specifications (necessary for "yarn update" to run)
- name: Run "yarn install"
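Review bot: The new `cd packages/@aws-cdk/aws-eks/test/sdk-call-integ-test-docker-app/app/ && ncu --upgrade …` on the second added line changes the working directory of the whole `run: |-` shell, whereas the loop just above it isolates each `cd` in a `( … )` subshell; any command appended to this block later would silently run inside the docker-app directory instead of the repository root. Wrapping it the same way, `(cd packages/@aws-cdk/aws-eks/test/sdk-call-integ-test-docker-app/app/ && ncu --upgrade --reject='…')`, keeps the step's working directory stable and matches the existing style. The `run:` block appears to begin above this hunk.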
2 changes: 1 addition & 1 deletion packages/@aws-cdk/aws-eks/lib/alb-controller.ts
Expand Up @@ -231,7 +231,7 @@ export class AlbController extends CoreConstruct {
// want to expose this since helm here is just an implementation detail
// for installing a specific version of the controller itself.
// https://github.com/aws/eks-charts/blob/v0.0.65/stable/aws-load-balancer-controller/Chart.yaml
version: '1.2.7',
version: '1.4.1',

wait: true,
timeout: Duration.minutes(15),
7 changes: 0 additions & 7 deletions packages/@aws-cdk/aws-eks/lib/oidc-provider.ts
Expand Up @@ -41,18 +41,11 @@ export class OpenIdConnectProvider extends iam.OpenIdConnectProvider {
* @param props Initialization properties
*/
public constructor(scope: Construct, id: string, props: OpenIdConnectProviderProps) {
/**
* For some reason EKS isn't validating the root certificate but a intermediate certificate
* which is one level up in the tree. Because of the a constant thumbprint value has to be
* stated with this OpenID Connect provider. The certificate thumbprint is the same for all the regions.
*/
const thumbprints = ['9e99a48a9960b14926bb7f3b02e22da2b0ab7280'];

const clientIds = ['sts.amazonaws.com'];

super(scope, id, {
url: props.url,
thumbprints,
clientIds,
});
}
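Review bot: With the hard-coded `thumbprints` array removed, nothing in this constructor pins the issuer's CA any more; the `super(scope, id, { url: props.url, clientIds })` call now relies on whatever thumbprint the parent `iam.OpenIdConnectProvider` derives for `props.url` at deploy time (per the commit title, the root certificate's, via a custom resource that is outside this hunk). That is a trust-on-first-use decision worth stating in the constructor's TSDoc, and since only `props.url` is read here, EKS users seem to lose any way to supply their own pinned thumbprint unless `OpenIdConnectProviderProps` exposes one — confirm. I would extend the doc comment above the constructor with something like `The CA thumbprint is not pinned here; it is resolved from the issuer's TLS chain when the provider is created, so a change to that chain requires re-deploying the provider to pick up the new value.` The enclosing class continues outside the hunk.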
2 changes: 2 additions & 0 deletions packages/@aws-cdk/aws-eks/package.json
Expand Up @@ -82,6 +82,8 @@
"@aws-cdk/assertions": "0.0.0",
"@aws-cdk/cdk-build-tools": "0.0.0",
"@aws-cdk/integ-runner": "0.0.0",
"@aws-cdk/integ-tests": "0.0.0",
"@aws-cdk/aws-ecr-assets": "0.0.0",
"@aws-cdk/cfn2ts": "0.0.0",
"@aws-cdk/pkglint": "0.0.0",
"@types/aws-lambda": "^8.10.108",
