[stable/aws-pod-identity-webhook] Adding chart for AWS' new EKS Pod Identity Webhook #17099
Conversation
Signed-off-by: Max Williams <max.williams@deliveryhero.com>
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: max-rocket-internet The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
helm-bot
added
the
Contribution Allowed
helm-bot
added
the
size/L
|
Hi @max-rocket-internet. Thanks for your PR. I'm waiting for a helm member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
needs-ok-to-test
Signed-off-by: Max Williams <max.williams@deliveryhero.com>
Signed-off-by: Max Williams <max.williams@deliveryhero.com>
|
I'll review this PR later today, but for the record I'm happy to be a maintainer/OWNER and join the helm GitHub org. Looks like membership isn't yet automated |
|
Also happy to be maintainer/member of the helm org. |
|
Thanks for the PR! |
| {{- end }} | ||
| serviceAccountName: {{ include "aws-pod-identity-webhook.fullname" . }} | ||
| containers: | ||
| - name: {{ .Chart.Name }} |
There was a problem hiding this comment.
I think the container name can probably be a stable name. Any objections?
There was a problem hiding this comment.
This name is stable, it's the name of the chart, i.e. aws-pod-identity-webhook. But I agree with you, I would rather simply app or something else totally generic but this is the default name that comes from helm create. I've had objections in other PRs where things deviated from these defaults. Up to you, just say what you want it to be.
There was a problem hiding this comment.
I'd lean toward something stable, that way you could compare apples to apples when looking at Prometheus metrics by container name
There was a problem hiding this comment.
OK, I'll make it webhook. Cool?
| - --in-cluster | ||
| - --namespace=default | ||
| - --service-name={{ include "aws-pod-identity-webhook.fullname" . }} | ||
| - --tls-secret=pod-identity-webhook |
There was a problem hiding this comment.
Can you make this a configurable value that defaults to pod-identity-webhook?
There was a problem hiding this comment.
Done.
Would it be better to use {{ include "aws-pod-identity-webhook.fullname" . }} though? Would this ever been installed multiple times in the same cluster?
| command: | ||
| - /webhook | ||
| - --in-cluster | ||
| - --namespace=default |
There was a problem hiding this comment.
This should be the release namespace
| - --namespace=default | ||
| - --service-name={{ include "aws-pod-identity-webhook.fullname" . }} | ||
| - --tls-secret=pod-identity-webhook | ||
| - --annotation-prefix=eks.amazonaws.com |
There was a problem hiding this comment.
This should be configurable in the values
| - --service-name={{ include "aws-pod-identity-webhook.fullname" . }} | ||
| - --tls-secret=pod-identity-webhook | ||
| - --annotation-prefix=eks.amazonaws.com | ||
| - --token-audience=sts.amazonaws.com |
There was a problem hiding this comment.
This should be configurable in the values
| labels: | ||
| {{ include "aws-pod-identity-webhook.labels" . | indent 4 }} | ||
| spec: | ||
| replicas: 1 |
There was a problem hiding this comment.
We should set the default replicas to 2 for HA and make this tunable in the values
There was a problem hiding this comment.
Cool. I wasn't sure if it stored stateful information or not so wasn't sure if we could run more than 1 pod.
I've set it to 3 like CoreDNS. OK?
| metadata: | ||
| labels: | ||
| app.kubernetes.io/name: {{ include "aws-pod-identity-webhook.name" . }} | ||
| app.kubernetes.io/instance: {{ .Release.Name }} |
There was a problem hiding this comment.
The {{ include "aws-pod-identity-webhook.labels" . | indent 4 }} should also be added
There was a problem hiding this comment.
helm create doesn't add this here. Are you sure?
There was a problem hiding this comment.
I'm surprised this isn't the default. I'm take it or leave it on adding it here
| - update | ||
| - patch | ||
| resourceNames: | ||
| - "{{ include "aws-pod-identity-webhook.fullname" . }}" |
There was a problem hiding this comment.
This should be the same value as the --tls-secret flag on the webhook
| $ helm install --name my-release stable/aws-pod-identity-webhook --set caBundle="${CA_BUNDLE}" | ||
| ``` | ||
|
|
||
| After installation you need to approve the certificate. Follow the chart notes after installation for this step. |
There was a problem hiding this comment.
Can you note that the webhook will request a new CSR prior to its expiry in 1 year, and it will need to be approved either by an operator or by some other automated process?
There was a problem hiding this comment.
Cool. I added a note.
Would be great to have something better here in the chart itself. Perhaps a cronjob. Or something in the webhook itself?
There was a problem hiding this comment.
I'd lean toward a cronjob that can only approve rather than something in the webhook. Its pretty scary to grant something the ability to create and approve certs
There was a problem hiding this comment.
I'd lean toward a cronjob that can only approve
Makes sense. I'll leave this for a later PR though.
|
|
||
| ## Prerequisites | ||
|
|
||
| - Kubernetes 1.13+ |
There was a problem hiding this comment.
Technically this works with 1.12+. It might also be worth saying that if you're not using EKS, you will need your cluster configured according to the SELF_HOSTED_SETUP.md
There was a problem hiding this comment.
Nice. Added.
helm-bot
removed
the
Contribution Allowed
- fix namespace in command - add options for annotation_prefix / token_audience - updating doc and note about k8s version - fix quote - fix indentation - fix resourcename in role - add note about CSR expiry Signed-off-by: Max Williams <max.williams@deliveryhero.com>
helm-bot
added
the
Contribution Allowed
|
@lachie83, @unguiculus, @cpanato or @maorfr: these cats from AWS (@jqmichael, @nckturner, @micahhausler) want to be owners/maintainers of this chart. What's the process here? Can you add them to the Helm github org? |
|
@max-rocket-internet they need to follow this: https://github.com/helm/charts#trusted-collaborator |
|
/verify-owners |
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
and removed
needs-ok-to-test
| home: https://github.com/aws/amazon-eks-pod-identity-webhook | ||
| sources: | ||
| - https://github.com/aws/amazon-eks-pod-identity-webhook | ||
| maintainers: |
There was a problem hiding this comment.
Can you add me as well here?
There was a problem hiding this comment.
I had you there in the beginning but read the message here: #17099 (comment)
So I think we just have @micahhausler there for now as they are already a member of the kubernetes org.
And then you guys can create a PR later to add yourself when you become a trusted-collaborator
Signed-off-by: Max Williams <max.williams@deliveryhero.com>
|
@micahhausler the |
|
If we want to merge this sooner rather than later, and sort the org membership thing in the future, how do we remove this |
|
Thanks for getting this in place so fast! I certainly don't want to delay this chart from being added, but I do have a small feature request: would it be possible to make the RBAC resources optional and have the service account passed in? E.g the Use case: We are still using Helm 2 with Tiller and our Tiller does not have the permissions to create RBAC resources. We rely on a separate system to create the RBAC roles/service accounts which we then pass into the charts. EDITED: I can also wait until this version is merged, and open the PR afterwards. Also happy to open a PR against your fork, assuming it might take more time before this PR is ready. |
I think we get this merged first, then make changes like you mention. The process for merging PRs after a chart has been added can be quite fast 🙂 |
| @@ -0,0 +1,24 @@ | |||
| tls_secret_name: pod-identity-webhook | |||
There was a problem hiding this comment.
Can you document these added fields in the REAME?
There was a problem hiding this comment.
Ah yes, I forgot to add these.
Signed-off-by: Max Williams <max.williams@deliveryhero.com>
|
The following users are mentioned in OWNERS file(s) but are not members of the helm org. Once all users have been added as members of the org, you can trigger verification by writing
|
|
@micahhausler still waiting on a docker image to be available 😄 |
|
@max-rocket-internet: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions. |
stale
bot
added
the
lifecycle/stale
|
@micahhausler any update here? Waiting on you or someone in your team to:
|
stale
bot
removed
the
lifecycle/stale
|
@max-rocket-internet I can take a look at the images. Also, I believe I was added to trusted collaborators in #17126, if you can add me to maintainer of this chart.
Can you explain a little more--do you mean someone needs to join the helm github organization? The one I see doesn't have very many people in it. |
Nice! The e2e job will fail until this is resolved.
🎉
It's just in reference so this comment by |
|
Or we move this PR to https://github.com/aws/eks-charts ? |
|
Yeah I was going to suggest that as an alternative. I think it will be
easier to manage and easier for users to find everything eks related in one
place.
…On Mon, Oct 28, 2019 at 7:42 AM Max Williams ***@***.***> wrote:
Or we move this PR to https://github.com/aws/eks-charts ?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#17099?email_source=notifications&email_token=AAJGJEJTE7TV57PH5Y3ZWADQQ326BA5CNFSM4IWF5EYKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOECNDSPQ#issuecomment-546978110>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAJGJEIBK2OQC3ZFDWZ2SJTQQ326BANCNFSM4IWF5EYA>
.
|
|
OK cool. Please review my new PR: aws/eks-charts#28 |
What this PR does / why we need it:
This chart will install the Amazon EKS Pod Identity Webhook. This tool allows you to specify IAM Roles for Kubernetes Service Accounts. This allows a pod to assume a IAM role.
Further details can be found here: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html
Related issues:
Checklist
[Place an '[x]' (no spaces) in all applicable fields. Please remove unrelated fields.]
[stable/chart])