[aws-pod-identity-webhook] Adding chart #286
Status: Open. max-rocket-internet wants to merge 13 commits into aws:master from max-rocket-internet:pod-identity-webhook.

Commits (13, all by max-rocket-internet):
- e37d6d1 initial commit
- 99f7a18 switch logo
- 129631b update versions
- 6b0d820 remove engine line
- 78c1eba update readme
- b5c92ca add resource request/limits
- 3fff008 add serviceaccount options
- 184b12a adding podAnnotations
- 848b738 camel case
- 3a77dd4 fix request/limit error
- a8f6c42 Update values.yaml
- 52678bb update with new docker image
- 6673c76 misc fixes
@@ -0,0 +1,22 @@ | ||
# Patterns to ignore when building packages. | ||
# This supports shell glob matching, relative path matching, and | ||
# negation (prefixed with !). Only one pattern per line. | ||
.DS_Store | ||
# Common VCS dirs | ||
.git/ | ||
.gitignore | ||
.bzr/ | ||
.bzrignore | ||
.hg/ | ||
.hgignore | ||
.svn/ | ||
# Common backup files | ||
*.swp | ||
*.bak | ||
*.tmp | ||
*~ | ||
# Various IDEs | ||
.project | ||
.idea/ | ||
*.tmproj | ||
.vscode/ |
@@ -0,0 +1,18 @@ | ||
apiVersion: v1 | ||
appVersion: "c0431e1" | ||
description: A Helm chart for the Amazon EKS Pod Identity Webhook | ||
name: aws-pod-identity-webhook | ||
version: "1.0" | ||
icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png | ||
home: https://github.com/aws/amazon-eks-pod-identity-webhook | ||
sources: | ||
- https://github.com/aws/amazon-eks-pod-identity-webhook | ||
maintainers: | ||
- name: Micah Hausler | ||
email: micahhausler@users.noreply.github.com | ||
- name: Nicholas Turner | ||
url: https://github.com/nckturner | ||
email: nckturner@users.noreply.github.com | ||
- name: Stefan Prodan | ||
url: https://github.com/stefanprodan | ||
email: stefanprodan@users.noreply.github.com |
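Review bot: `version: "1.0"` in this hunk is a two-part version; Helm documents chart versions as SemVer 2, so use the three-part form `version: "1.0.0"` to avoid tooling that parses versions strictly rejecting the chart. In the same hunk `appVersion: "c0431e1"` pins a Git commit, while the README added in this PR documents the default `image.tag` as `latest`, so the app version the chart declares and the image it actually deploys do not correspond; set `appVersion` and the default `image.tag` to the same upstream release tag so a running webhook can be traced to a known build.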
@@ -0,0 +1,76 @@ | ||
# AWS Pod Identity Webhook | ||
|
||
This chart will install the [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook). This tool allows you to specify IAM Roles for Kubernetes Service Accounts. This allows a pod to assume a IAM role. | ||
|
||
|
||
Further details can be found here: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html | ||
|
||
## Prerequisites | ||
|
||
- Kubernetes 1.12+ | ||
|
||
For installation into a non-EKS cluster, see [Self-hosted Kubernetes setup](https://github.com/aws/amazon-eks-pod-identity-webhook/blob/master/SELF_HOSTED_SETUP.md) | ||
|
||
## Installing the Chart | ||
|
||
You first need to retrieve `ca.crt` from your cluster as this is used as a value for the chart: | ||
|
||
```sh | ||
secret_name=$(kubectl get sa default -o jsonpath='{.secrets[0].name}') | ||
export CA_BUNDLE=$(kubectl get secret/$secret_name -o jsonpath='{.data.ca\.crt}' | tr -d '\n') | ||
``` | ||
|
||
|
||
And add the EKS repository to Helm: | ||
|
||
```sh | ||
helm repo add eks https://aws.github.io/eks-charts | ||
``` | ||
|
||
Then install the chart: | ||
|
||
```sh | ||
helm upgrade -i pod-identity-webhook eks/aws-pod-identity-webhook \ | ||
--namespace kube-system --set caBundle="${CA_BUNDLE}" | ||
``` | ||
|
||
After installation you need to approve the certificate. Follow the chart notes after installation for this step. | ||
|
||
The webhook will request a new CSR prior to expiration. This new CSR will also need to be manually approved. | ||
|
||
## Uninstalling the Chart | ||
|
||
To delete the chart: | ||
|
||
```sh | ||
helm delete --purge pod-identity-webhook | ||
``` | ||
|
||
## Configuration | ||
|
||
The following table lists the configurable parameters for this chart and their default values. | ||
|
||
| Parameter | Description | Default | | ||
| ----------------------------|---------------------------------------|-------------------------------------------------------------------------| | ||
| `tlsSecretName` | Name of the secret containing the | `pod-identity-webhook` | | ||
| `annotationPrefix` | Prefix for annotation | `eks.amazonaws.com` | | ||
| `tokenAudience` | Token audience | `sts.amazonaws.com` | | ||
| `caBundle` | CA cert bundle data | None. Must be provided on chart install | | ||
| `image.repository` | Image repository | `602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/pod-identity-webhook` | | ||
| `image.tag` | Image tag | `latest` | | ||
| `image.pullPolicy` | Container pull policy | `IfNotPresent` | | ||
| `replicas` | Number of deployment replicas | `3` | | ||
| `fullnameOverride` | Override the fullname of the chart | `nil` | | ||
| `nameOverride` | Override the name of the chart | `nil` | | ||
| `priorityClassName` | Set a priority class for pods | `nil` | | ||
| `resources.requests.cpu` | pod CPU request | `100m` | | ||
| `resources.requests.memory` | pod memory request | `64Mi` | | ||
| `resources.limits.cpu` | pod CPU limit | `2000m` | | ||
| `resources.limits.memory` | pod memory limit | `1Gi` | | ||
| `nodeSelector` | Node labels for pod assignment | `{}` | | ||
| `tolerations` | Optional deployment tolerations | `[]` | | ||
| `affinity` | Map of node/pod affinities | `{}` | | ||
|
||
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install` or provide a YAML file containing the values for the above parameters: | ||
|
||
```sh | ||
helm update -i pod-identity-webhook eks/aws-pod-identity-webhook --namespace kube-system --values values.yaml | ||
``` |
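Review bot: the last command in this hunk, `helm update -i pod-identity-webhook ...`, is not a Helm subcommand; the install section earlier in the same file uses `helm upgrade -i ...`, so make the two match. In the parameter table the `tlsSecretName` description is cut off ("Name of the secret containing the"); finish it, e.g. "Name of the secret the webhook stores its TLS key and certificate in". The table also omits values that templates in this PR read: `serviceAccount.create`, `serviceAccount.name`, `podAnnotations` and `imagePullSecrets`; document each with its default. Two smaller points: the `ca.crt` retrieval runs against the current kubectl namespace (the `default` service account exists in every namespace, so it works, but say so), and `helm delete --purge` is Helm 2 syntax, consistent with `apiVersion: v1` in the chart metadata, so state that the chart targets Helm 2. Wording nit in the intro: "assume a IAM role" should read "an IAM role".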
@@ -0,0 +1,10 @@ | ||
|
||
If this is your first installation of {{ .Chart.Name }} then you need to approve the certificate. | ||
|
||
Wait until the pod has started: | ||
|
||
kubectl get pods -n {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/name={{ include "aws-pod-identity-webhook.name" . }} | ||
|
||
Then approve the certificate: | ||
|
||
kubectl certificate approve $(kubectl get csr -o jsonpath='{.items[?(@.spec.username=="system:serviceaccount:{{ .Release.Namespace }}:{{ include "aws-pod-identity-webhook.fullname" . }}")].metadata.name}') |
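Review bot: the `kubectl certificate approve` line selects CSRs by `spec.username`, so it matches every CSR the webhook's service account has ever submitted, not only the pending one; after the renewal the README describes, the earlier, already-approved CSRs match as well. Either narrow the jsonpath filter to requests that are still pending or, simpler, tell the user to run `kubectl get csr`, confirm the requesting username is the webhook's service account, and approve the `Pending` request by name. Approval is the trust decision that lets this pod present a certificate signed by the cluster CA, so the notes should make the check-before-approve step explicit rather than approving blindly by selector.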
@@ -0,0 +1,56 @@ | ||
{{/* vim: set filetype=mustache: */}} | ||
{{/* | ||
Expand the name of the chart. | ||
*/}} | ||
{{- define "aws-pod-identity-webhook.name" -}} | ||
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} | ||
{{- end -}} | ||
|
||
{{/* | ||
Create a default fully qualified app name. | ||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). | ||
If release name contains chart name it will be used as a full name. | ||
*/}} | ||
{{- define "aws-pod-identity-webhook.fullname" -}} | ||
{{- if .Values.fullnameOverride -}} | ||
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} | ||
{{- else -}} | ||
{{- $name := default .Chart.Name .Values.nameOverride -}} | ||
{{- if contains $name .Release.Name -}} | ||
{{- .Release.Name | trunc 63 | trimSuffix "-" -}} | ||
{{- else -}} | ||
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} | ||
{{- end -}} | ||
{{- end -}} | ||
{{- end -}} | ||
|
||
{{/* | ||
Create chart name and version as used by the chart label. | ||
*/}} | ||
{{- define "aws-pod-identity-webhook.chart" -}} | ||
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} | ||
{{- end -}} | ||
|
||
{{/* | ||
Common labels | ||
*/}} | ||
{{- define "aws-pod-identity-webhook.labels" -}} | ||
app.kubernetes.io/name: {{ include "aws-pod-identity-webhook.name" . }} | ||
helm.sh/chart: {{ include "aws-pod-identity-webhook.chart" . }} | ||
app.kubernetes.io/instance: {{ .Release.Name }} | ||
{{- if .Chart.AppVersion }} | ||
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} | ||
{{- end }} | ||
app.kubernetes.io/managed-by: {{ .Release.Service }} | ||
{{- end -}} | ||
|
||
{{/* | ||
Create the name of the service account to use | ||
*/}} | ||
{{- define "aws-pod-identity-webhook.serviceAccountName" -}} | ||
{{- if .Values.serviceAccount.create -}} | ||
{{ default (include "aws-pod-identity-webhook.fullname" .) .Values.serviceAccount.name }} | ||
{{- else -}} | ||
{{ default "default" .Values.serviceAccount.name }} | ||
{{- end -}} | ||
{{- end -}} |
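Review bot: the `aws-pod-identity-webhook.serviceAccountName` helper defined at the end of this hunk is only used by the ServiceAccount template; the Deployment, ClusterRoleBinding and RoleBinding in this PR all use `include "aws-pod-identity-webhook.fullname" .` for the service account name instead. With `serviceAccount.name` set, or `serviceAccount.create: false`, the pod runs under, and the RBAC bindings grant to, an account other than the one the user configured. Use the helper in every place a service account name is rendered, or drop the `serviceAccount.*` options.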
stable/aws-pod-identity-webhook/templates/clusterrole.yaml (24 additions, 0 deletions)
@@ -0,0 +1,24 @@ | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRole | ||
metadata: | ||
name: {{ include "aws-pod-identity-webhook.fullname" . }} | ||
labels: | ||
{{ include "aws-pod-identity-webhook.labels" . | indent 4 }} | ||
rules: | ||
- apiGroups: | ||
- "" | ||
resources: | ||
- serviceaccounts | ||
verbs: | ||
- get | ||
- watch | ||
- list | ||
- apiGroups: | ||
- certificates.k8s.io | ||
resources: | ||
- certificatesigningrequests | ||
verbs: | ||
- create | ||
- get | ||
- list | ||
- watch |
stable/aws-pod-identity-webhook/templates/clusterrolebinding.yaml (14 additions, 0 deletions)
@@ -0,0 +1,14 @@ | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRoleBinding | ||
metadata: | ||
name: {{ include "aws-pod-identity-webhook.fullname" . }} | ||
labels: | ||
{{ include "aws-pod-identity-webhook.labels" . | indent 4 }} | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: ClusterRole | ||
name: {{ include "aws-pod-identity-webhook.fullname" . }} | ||
subjects: | ||
- kind: ServiceAccount | ||
name: {{ include "aws-pod-identity-webhook.fullname" . }} | ||
namespace: {{ .Release.Namespace }} |
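Review bot: under `subjects`, `name: {{ include "aws-pod-identity-webhook.fullname" . }}` should render through the `aws-pod-identity-webhook.serviceAccountName` helper so the cluster-wide grant follows `serviceAccount.name` and `serviceAccount.create`; as written, a user-supplied account name leaves the binding pointing at an account that may not exist while the webhook pod runs without the permissions it needs.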
@@ -0,0 +1,66 @@ | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: {{ include "aws-pod-identity-webhook.fullname" . }} | ||
labels: | ||
{{ include "aws-pod-identity-webhook.labels" . | indent 4 }} | ||
spec: | ||
replicas: {{ .Values.replicas }} | ||
selector: | ||
matchLabels: | ||
app.kubernetes.io/name: {{ include "aws-pod-identity-webhook.name" . }} | ||
app.kubernetes.io/instance: {{ .Release.Name }} | ||
template: | ||
metadata: | ||
{{- if .Values.podAnnotations }} | ||
annotations: | ||
{{- range $key, $value := .Values.podAnnotations }} | ||
{{ $key }}: {{ $value | quote }} | ||
{{- end }} | ||
{{- end }} | ||
labels: | ||
app.kubernetes.io/name: {{ include "aws-pod-identity-webhook.name" . }} | ||
app.kubernetes.io/instance: {{ .Release.Name }} | ||
spec: | ||
{{- if .Values.priorityClassName }} | ||
priorityClassName: "{{ .Values.priorityClassName }}" | ||
{{- end }} | ||
{{- with .Values.imagePullSecrets }} | ||
imagePullSecrets: | ||
{{- toYaml . | nindent 8 }} | ||
{{- end }} | ||
serviceAccountName: {{ include "aws-pod-identity-webhook.fullname" . }} | ||
containers: | ||
- name: webhook | ||
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" | ||
imagePullPolicy: {{ .Values.image.pullPolicy }} | ||
command: | ||
- /webhook | ||
- --in-cluster | ||
- --namespace={{ .Release.Namespace }} | ||
- --service-name={{ include "aws-pod-identity-webhook.fullname" . }} | ||
- --tls-secret={{ .Values.tlsSecretName }} | ||
- --annotation-prefix={{ .Values.annotationPrefix }} | ||
- --token-audience={{ .Values.tokenAudience }} | ||
- --logtostderr | ||
volumeMounts: | ||
- name: webhook-certs | ||
mountPath: /var/run/app/certs | ||
readOnly: false | ||
resources: | ||
{{- toYaml .Values.resources | nindent 10 }} | ||
{{- with .Values.nodeSelector }} | ||
nodeSelector: | ||
{{- toYaml . | nindent 8 }} | ||
{{- end }} | ||
{{- with .Values.affinity }} | ||
affinity: | ||
{{- toYaml . | nindent 8 }} | ||
{{- end }} | ||
{{- with .Values.tolerations }} | ||
tolerations: | ||
{{- toYaml . | nindent 8 }} | ||
{{- end }} | ||
volumes: | ||
- name: webhook-certs | ||
emptyDir: {} |
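Review bot: `serviceAccountName` here is rendered from the `fullname` helper rather than the `aws-pod-identity-webhook.serviceAccountName` helper this PR defines, so `serviceAccount.name` and `serviceAccount.create: false` are silently ignored. Beyond that, the pod spec carries no `securityContext`; `runAsNonRoot: true`, `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true` are all compatible with the read-write `emptyDir` cert volume and are worth setting on an admission webhook, and there is no readiness probe, so with `replicas: 3` behind the Service a replica whose certificate has not yet been approved can receive admission calls it cannot serve (add one if the binary exposes a suitable endpoint). Finally, the README in this PR documents `image.tag` as `latest` with `pullPolicy: IfNotPresent`, which lets different nodes cache different builds of the webhook; default to a pinned tag.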
stable/aws-pod-identity-webhook/templates/mutatingwebhook.yaml (20 additions, 0 deletions)
@@ -0,0 +1,20 @@ | ||
apiVersion: admissionregistration.k8s.io/v1beta1 | ||
kind: MutatingWebhookConfiguration | ||
metadata: | ||
name: {{ include "aws-pod-identity-webhook.fullname" . }} | ||
labels: | ||
{{ include "aws-pod-identity-webhook.labels" . | indent 4 }} | ||
webhooks: | ||
- name: pod-identity-webhook.amazonaws.com | ||
failurePolicy: Ignore | ||
clientConfig: | ||
service: | ||
name: {{ include "aws-pod-identity-webhook.fullname" . }} | ||
namespace: {{ .Release.Namespace }} | ||
path: "/mutate" | ||
caBundle: {{ .Values.caBundle | quote }} | ||
rules: | ||
- operations: [ "CREATE" ] | ||
apiGroups: [""] | ||
apiVersions: ["v1"] | ||
resources: ["pods"] |
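Review bot: `failurePolicy: Ignore` fails open. If the webhook is unavailable, its certificate has expired (the README says the renewal CSR must be approved by hand) or the `caBundle` does not verify the serving certificate, pods are admitted without the projected identity token and the AWS SDKs inside them fall back to whatever credentials are reachable, typically the node's instance role; the per-pod role boundary disappears without any error. Expose `failurePolicy` as a value and document that trade-off. Separately, `caBundle: {{ .Values.caBundle | quote }}` renders as `""` when the value is omitted even though the README marks it mandatory; use `{{ required "caBundle must be set" .Values.caBundle | quote }}` so the install fails at render time instead of producing a webhook the apiserver cannot verify.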
@@ -0,0 +1,23 @@ | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: Role | ||
metadata: | ||
name: {{ include "aws-pod-identity-webhook.fullname" . }} | ||
labels: | ||
{{ include "aws-pod-identity-webhook.labels" . | indent 4 }} | ||
rules: | ||
- apiGroups: | ||
- "" | ||
resources: | ||
- secrets | ||
verbs: | ||
- create | ||
- apiGroups: | ||
- "" | ||
resources: | ||
- secrets | ||
verbs: | ||
- get | ||
- update | ||
- patch | ||
resourceNames: | ||
- "{{ .Values.tlsSecretName }}" |
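Review bot: the split between an unrestricted `create` rule and a `resourceNames`-scoped `get`/`update`/`patch` rule on secrets is correct, since `create` cannot be narrowed by `resourceNames`, but nothing in the template says so; add a one-line comment above the first rule so the next reader does not "simplify" it into a single rule and widen the grant.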
stable/aws-pod-identity-webhook/templates/rolebinding.yaml (14 additions, 0 deletions)
@@ -0,0 +1,14 @@ | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: RoleBinding | ||
metadata: | ||
name: {{ include "aws-pod-identity-webhook.fullname" . }} | ||
labels: | ||
{{ include "aws-pod-identity-webhook.labels" . | indent 4 }} | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: Role | ||
name: {{ include "aws-pod-identity-webhook.fullname" . }} | ||
subjects: | ||
- kind: ServiceAccount | ||
name: {{ include "aws-pod-identity-webhook.fullname" . }} | ||
namespace: {{ .Release.Namespace }} |
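Review bot: same point as the ClusterRoleBinding: the subject `name` should come from the `aws-pod-identity-webhook.serviceAccountName` helper, otherwise the secret permissions in the Role are granted to an account that differs from the one the user configured via `serviceAccount.name`.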
@@ -0,0 +1,18 @@ | ||
apiVersion: v1 | ||
kind: Service | ||
metadata: | ||
name: {{ include "aws-pod-identity-webhook.fullname" . }} | ||
labels: | ||
{{ include "aws-pod-identity-webhook.labels" . | indent 4 }} | ||
namespace: {{ .Release.Namespace }} | ||
annotations: | ||
prometheus.io/port: "443" | ||
prometheus.io/scheme: "https" | ||
|
||
prometheus.io/scrape: "true" | ||
spec: | ||
ports: | ||
- port: 443 | ||
targetPort: 443 | ||
selector: | ||
app.kubernetes.io/name: {{ include "aws-pod-identity-webhook.name" . }} | ||
app.kubernetes.io/instance: {{ .Release.Name }} |
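Review bot: this is the only template in the PR that sets `metadata.namespace` explicitly; Helm already places namespaced resources in the release namespace, so drop it here or add it everywhere for consistency. The `prometheus.io/*` annotations advertise scraping on 443 over https, which only works for a Prometheus that trusts the cluster CA that signs the webhook certificate; a short note in the README would save users a confusing scrape failure.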
stable/aws-pod-identity-webhook/templates/serviceaccount.yaml (8 additions, 0 deletions)
@@ -0,0 +1,8 @@ | ||
{{- if .Values.serviceAccount.create -}} | ||
apiVersion: v1 | ||
kind: ServiceAccount | ||
metadata: | ||
name: {{ template "aws-pod-identity-webhook.serviceAccountName" . }} | ||
labels: | ||
{{ include "aws-pod-identity-webhook.labels" . | indent 4 }} | ||
{{- end -}} |
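Review bot: `name: {{ template "aws-pod-identity-webhook.serviceAccountName" . }}` is the only place in the chart that uses `template` rather than `include`; switch to `include` for consistency with the other templates (it also composes with pipelines such as `| quote`). This is also the only template that honours `serviceAccount.name`, so when `serviceAccount.create` is false nothing else in the chart references the account the user supplies.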
please put the `appVersion` directly below the `version` field to keep them together, like the n-t-h chart does: https://github.com/aws/eks-charts/blob/master/stable/aws-node-termination-handler/Chart.yaml#L4-L5
Also, the latest semver release of pod identity webhook is `v0.2.0`. Did you want the above specific Git commit for some reason?
Yes, because this PR (including the identical previous PR) has been dragging on for over a year, so it's probably from when it wasn't released on Docker Hub.
Edit: there aren't proper tags pushed to Docker Hub: https://hub.docker.com/r/amazon/amazon-eks-pod-identity-webhook/tags