feat: new chart for aws marketplace product. The product supports lic…

…ense checkout and option to replicate the chart for free product

.vscode/launch.json

@@ -0,0 +1,28 @@
+{
+  // Use IntelliSense to learn about possible attributes.
+  // Hover to view descriptions of existing attributes.
+  // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
+  "version": "0.2.0",
+  "configurations": [
+    {
+      "name": "Launch Package",
+      "type": "go",
+      "request": "launch",
+      "mode": "auto",
+      "program": "${fileDirname}"
+    },
+    {
+      "name": "staging",
+      "type": "go",
+      "request": "launch",
+      "mode": "auto",
+      "program": "${workspaceFolder}/main.go",
+      "args": ["upgrade"],
+      "buildFlags": "-tags=staging",
+      "env": {
+        "AWS_MP_ENABLE_CHECKOUT_LICENSE": "true",
+        "AWS_MP_PRODUCT_SKU": "ad0ee0c8-f50f-464a-9bc4-d6270592dd36"
+      }
+    }
+  ]
+}

charts/awsmp-datree-admission-webhook/Chart.yaml

@@ -0,0 +1,26 @@
+apiVersion: v2
+name: awsmp-datree-admission-webhook
+description: A Helm chart for Datree admission webhook for Kubernetes clusters
+icon: https://github.com/datreeio/admission-webhook-datree/blob/main/internal/images/diagram.png
+type: application
+keywords:
+  - awsmp-datree-admission-webhook
+  - policy agent
+  - validating webhook
+  - admissions controller
+home: datree.io
+sources:
+  - https://github.com/datreeio/admission-webhook-datree
+
+kubeVersion: ">=1.16.0-0"
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "0.1.21"

charts/awsmp-datree-admission-webhook/README.md

@@ -0,0 +1,62 @@
+# Datree Admission Webhook
+
+A Kubernetes validating webhook for policy enforcement within the cluster, on every CREATE, APPLY and UPDATE operation on a resource.
+
+## TL;DR
+
+```bash
+  # Install and create namespace with Helm
+  helm repo add datree-webhook https://datreeio.github.io/admission-webhook-datree/
+  helm repo update
+
+  # Already existing `datree` namespace
+  kubectl create ns datree
+  helm install -n datree datree-webhook datree-webhook/datree-admission-webhook --set datree.token=<DATREE_TOKEN>
+```
+
+### Prerequisites
+
+Helm v3.0.0+
+
+## Configuration Options
+
+Datree admission webhook can be configured via the helm values file under `datree` key:
+
+### Datree Configuration options
+
+```
+datree:
+  token: <DATREE_TOKEN>     # The token used to link the CLI to your dashboard.
+  policy: ""                # The name of the policy to check, e.g: staging. (string, optional)
+  verbose: ""               # Display 'How to Fix' link for failed rules in output. (boolean ,optional)
+  output: ""                # The format output of the policy check results: yaml, json, xml, simple, JUnit. (string ,optional)
+  noRecord: ""              # Don’t send policy checks metadata to the backend. (boolean ,optional)
+```
+
+For further information about Datree flags see [CLI arguments](https://hub.datree.io/setup/cli-arguments).
+
+### Parameters
+
+| Parameter                             | Description                                                                               | Default                                                                                                                                   |     |     |
+| ------------------------------------- | ----------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | --- | --- |
+| namespace                             | The name of the namespace all resources will be created in.                               | datree                                                                                                                                    |     |     |
+| replicaCount                          | The number of Datree webhook-server replicas to deploy for the webhook.                   | 2                                                                                                                                         |     |     |
+| customLabels                          | Additional labels for Datree webhook-server pods.                                         | {}                                                                                                                                        |     |     |
+| customAnnotations                     | Additional annotations to add to all resources.                                           | {}                                                                                                                                        |     |     |
+| rbac.serviceAccount.create            | Create a ServiceAccount                                                                   | true                                                                                                                                      |     |     |
+| rbac.serviceAccount.name              | The ServiceAccount name                                                                   | webhook-server-datree                                                                                                                     |     |     |
+| rbac.clusterRole.create               | Create a ClusterRole                                                                      | true                                                                                                                                      |     |     |
+| rbac.clusterRole.name                 | The ClusterRole name                                                                      | webhook-server-datree                                                                                                                     |     |     |
+| image.repository                      | Image repository.                                                                         | datree/admission-webhook                                                                                                                  |     |     |
+| image.tag                             | The image release tag to use.                                                             | Defaults to Chart appVersion                                                                                                              |     |     |
+| image.pullPolicy                      | Image pull policy                                                                         | Always                                                                                                                                    |     |     |
+| securityContext                       | Security context applied on the container.                                                | {"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true, "runAsNonRoot":true,"runAsUser":25000}                                   |     |     |
+| resources                             | The resource request/limits for the container image.                                      | limits :cpu: 1000m, memory: 512Mi requests: cpu:100m, memory:256Mi                                                                        |     |     |
+| datree.token                          | The token used to link the CLI to your dashboard. (required)                              | nil                                                                                                                                       |     |     |
+| datree.policy                         | The name of the policy to check, e.g: staging. (optional)                                 | "" (i.e "default")                                                                                                                        |     |     |
+| datree.verbose                        | Display 'How to Fix' link for failed rules in output. (optional)                          | false                                                                                                                                     |     |     |
+| datree.output                         | The format output of the policy check results: yaml, json, xml, simple, JUnit. (optional) | "" (i.e beautiful😊)                                                                                                                      |     |     |
+| datree.noRecord                       | Don’t send policy checks metadata to the backend. (optional)                              | false                                                                                                                                     |     |     |
+| hooks.waitForServerRollout.sleepyTime | The waiting time before the webhook-server is ready to receive requests.                  | nil                                                                                                                                       |     |     |
+| hooks.waitForServerRollout.image      | An image for running sleep command                                                        | {"repository": "alpine", "sha":"sha256:1304f174557314a7ed9eddb4eab12fed12cb0cd9809e4c28f29af86979a3c870", "pullPolicy":"Always"}          |     |     |
+| hooks.labelNamespace.image.           | An image for running kubectl label command                                                | {"repository": "bitnami/kubectl", "sha":"sha256:d3c17f1dc6e665dcc78e8c14a83ae630bc3d65b07ea11c5f1a012c2c6786d039", "pullPolicy":"Always"} |     |     |

charts/awsmp-datree-admission-webhook/templates/_helpers.tpl

@@ -0,0 +1,25 @@
+{{/* Create chart name and version as used by the chart label. */}}
+{{- define "datree.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+
+{{/* Helm and Kubernetes required labels */}}
+{{- define "datree.labels" -}}
+app.kubernetes.io/name: {{.Chart.Name}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+app.kubernetes.io/version: {{ .Chart.AppVersion }}
+app.kubernetes.io/part-of: "datree"
+meta.helm.sh/release-name: "{{ .Chart.Name }}"
+meta.helm.sh/release-namespace: "{{ .Release.Namespace}}" 
+helm.sh/chart: {{ template "datree.chart" . }}
+    {{- if .Values.customLabels -}}
+        {{ toYaml .Values.customLabels }}
+    {{- end -}}
+{{- end -}}
+
+{{/* The namespace name. */}}
+{{- define "datree.namespace" -}}
+{{- default .Release.Namespace .Values.namespace  -}}
+{{- end -}}

charts/awsmp-datree-admission-webhook/templates/clusterrole.yaml

@@ -0,0 +1,64 @@
+{{- if .Values.rbac.clusterRole.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{.Values.rbac.clusterRole.name}}
+  labels: {{ include "datree.labels" . | nindent 4 }}
+  {{- if .Values.customAnnotations }}
+  annotations: {{- toYaml .Values.customAnnotations | nindent 4 }}
+  {{- end }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - "nodes"
+      - "namespaces"
+    verbs:
+      - "get"
+      - "list"
+{{- end}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: datree-namespaces-update
+  labels: {{include "datree.labels" . | nindent 4}}
+  {{- if .Values.customAnnotations }}
+  annotations: {{- toYaml .Values.customAnnotations | nindent 4 }}
+  {{- end }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - namespaces
+    verbs:
+      - get
+      - update
+      - patch
+    resourceNames:
+      - kube-system
+      - {{template "datree.namespace" .}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: datree-validationwebhook-delete
+  labels: {{include "datree.labels" . | nindent 4}}
+  {{- if .Values.customAnnotations }}
+  annotations: {{- toYaml .Values.customAnnotations | nindent 4 }}
+  {{- end }}
+rules:
+  - apiGroups:
+      - "admissionregistration.k8s.io"
+    resources:
+      - validatingwebhookconfigurations
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+    resourceNames:
+      - datree-webhook

charts/awsmp-datree-admission-webhook/templates/clusterrolebinding.yaml

@@ -0,0 +1,55 @@
+{{- if .Values.rbac.clusterRole.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{.Values.rbac.clusterRole.name}} 
+  labels: {{include "datree.labels" . | nindent 4}}
+  {{- if .Values.customAnnotations }}
+  annotations: {{- toYaml .Values.customAnnotations | nindent 4 }}
+  {{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{.Values.rbac.clusterRole.name}} # datree-webhook-server-read
+subjects:
+  - kind: ServiceAccount
+    name: {{.Values.rbac.serviceAccount.name}} # datree-webhook-server
+    namespace: {{template "datree.namespace" .}}
+---
+{{- end }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: datree-namespaces-update
+  labels: {{include "datree.labels" . | nindent 4}}
+  {{- if .Values.customAnnotations }}
+  annotations: {{- toYaml .Values.customAnnotations | nindent 4 }}
+  {{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: datree-namespaces-update
+subjects:
+  - kind: ServiceAccount
+    name: "datree-label-namespaces-hook-post-install"
+    namespace: "{{template "datree.namespace" .}}"
+  - kind: ServiceAccount
+    name: "datree-cleanup-namespaces-hook-pre-delete"
+    namespace: "{{template "datree.namespace" .}}"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: datree-validationwebhook-delete
+  labels: {{include "datree.labels" . | nindent 4}}
+  {{- if .Values.customAnnotations }}
+  annotations: {{- toYaml .Values.customAnnotations | nindent 4 }}
+  {{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: datree-validationwebhook-delete
+subjects:
+  - kind: ServiceAccount
+    name: "datree-cleanup-namespaces-hook-pre-delete"
+    namespace: "{{template "datree.namespace" .}}"

charts/awsmp-datree-admission-webhook/templates/deployment.yaml

@@ -0,0 +1,92 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: datree-webhook-server
+  namespace: {{ template "datree.namespace" . }}
+  labels: {{ include "datree.labels" . | nindent 4 }}
+    owner: datree
+    app: "datree-webhook-server"
+  {{- if .Values.customAnnotations }}
+  annotations: {{- toYaml .Values.customAnnotations | nindent 4 }}
+  {{- end }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels: 
+      app: "datree-webhook-server"
+  template:
+    metadata:
+      labels: {{ include "datree.labels" . | nindent 8 }}
+        app: "datree-webhook-server"
+      {{- if .Values.customAnnotations }}
+      annotations: {{- toYaml .Values.customAnnotations | nindent 4 }}
+      {{- end }}
+    spec:
+      serviceAccountName: {{.Values.rbac.serviceAccount.name}}
+      containers:
+        - name: server
+          securityContext: {{- toYaml .Values.securityContext | nindent 12 }}
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: 8443
+              scheme: HTTPS
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          readinessProbe:
+            httpGet:
+              path: /ready
+              port: 8443
+              scheme: HTTPS
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          resources: {{- toYaml .Values.resources | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{.Values.image.pullPolicy}}
+          ports:
+            - containerPort: 8443
+              name: webhook-api
+          # caution: don't change the order of the environment variables
+          # changing the order will harm resource patching
+          env:
+            - name: DATREE_TOKEN
+              value: {{.Values.datree.token}}
+            - name: DATREE_POLICY
+              value: {{.Values.datree.policy}}
+            - name: DATREE_VERBOSE
+              value: {{.Values.datree.verbose}}
+            - name: DATREE_OUTPUT
+              value: {{.Values.datree.output}}
+            - name: DATREE_NO_RECORD
+              value: {{.Values.datree.noRecord}}
+            - name: AWS_MP_PRODUCT_SKU
+              value: {{.Values.aws.productSku}}
+            - name: AWS_MP_ENABLE_CHECKOUT_LICENSE
+              value: {{.Values.aws.enableCheckoutLicense}}
+            {{- if .Values.aws.mpLicenseSecretName }}
+            - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE
+              value: "/var/run/secrets/awsmp-product-license/license_token"
+            - name: AWS_ROLE_ARN
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.aws.mpLicenseSecretName }}
+                  key: iam_role
+            {{- end}}
+          # add aws marketplace license config to the licensed container application env
+          volumeMounts:
+            - name: webhook-tls-certs
+              mountPath: /run/secrets/tls
+              readOnly: true
+          {{- if .Values.aws.mpLicenseSecretName }}
+            - name: awsmp-product-license
+              mountPath: "/var/run/secrets/awsmp-product-license"
+          {{- end}}
+      volumes:
+        - name: webhook-tls-certs
+          secret:
+            secretName: webhook-server-tls
+      {{- if .Values.aws.mpLicenseSecretName }}
+        - name: awsmp-product-license
+          secret:
+            secretName: {{ .Values.aws.mpLicenseSecretName }}
+      {{- end}}

charts/awsmp-datree-admission-webhook/templates/namespace-post-delete.yaml

@@ -0,0 +1,34 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: datree-cleanup-namespaces-hook-pre-delete
+  labels: {{include "datree.labels" . | nindent 4}}
+  namespace: {{template "datree.namespace" .}}
+  annotations: 
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-delete-policy": hook-succeeded, hook-failed
+  {{- if .Values.customAnnotations }}
+    {{- toYaml .Values.customAnnotations }}
+  {{- end }}
+spec:
+  template:
+    metadata:
+      labels: {{include "datree.labels" . | nindent 8}}
+      {{- if .Values.customAnnotations }}
+      annotations: {{- toYaml .Values.customAnnotations | nindent 4 }}
+      {{- end }}
+    spec:
+      restartPolicy: OnFailure
+      serviceAccount: datree-cleanup-namespaces-hook-pre-delete
+      nodeSelector:
+        kubernetes.io/os: linux
+      containers:
+        - name: kubectl-label
+          image: "{{ .Values.hooks.image.repository }}@{{ .Values.hooks.image.sha }}"
+          imagePullPolicy: {{.Values.hooks.image.pullPolicy}}
+          command:
+            - sh
+            - "-c"
+            - >-
+              kubectl delete validatingwebhookconfigurations.admissionregistration.k8s.io datree-webhook -n {{template "datree.namespace" .}};
+              kubectl label ns kube-system {{template "datree.namespace" .}} datree.io/skip-;