feat: AWS marketplace & EKS add on integration (WIP)

.gitignore

@@ -6,4 +6,6 @@
 
 webhook-datree
 
+.idea/*
+
 .DS_STORE

.vscode/launch.json

@@ -0,0 +1,7 @@
+{
+    // Use IntelliSense to learn about possible attributes.
+    // Hover to view descriptions of existing attributes.
+    // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
+    "version": "0.2.0",
+    "configurations": []
+}

Makefile

@@ -1,30 +1,112 @@
-start-watch:
-	gow run -tags $(or $(datree_build_env),staging) -ldflags="-X github.com/datreeio/admission-webhook-datree/pkg/config.WebhookVersion=0.0.1" main.go
-
-start:
-	go run -tags $(or $(datree_build_env),staging) -ldflags="-X github.com/datreeio/admission-webhook-datree/pkg/config.WebhookVersion=0.0.1" main.go
-start-dev:
-	make datree_build_env=dev start
-start-staging:
-	make datree_build_env=staging start
-start-production:
-	make datree_build_env=main start
-
-build:
-	go build -tags $(or $(datree_build_env),staging) -ldflags="-X github.com/datreeio/admission-webhook-datree/pkg/config.WebhookVersion=0.0.1" -o webhook-datree
-build-dev:
-	make datree_build_env=dev build
-build-staging:
-	make datree_build_env=staging build
-build-production:
-	make datree_build_env=main build
+
+#################
+#    DEFAULTS   #
+#################
+
+CMD_DIR        := ./cmd
+INIT_WEBHOOK_DIR    := $(CMD_DIR)/init-webhook
+CERT_GENERATOR_DIR := $(CMD_DIR)/cert-generator
+WEBHOOK_SERVER_DIR := $(CMD_DIR)/webhook-server
+WEBHOOK_VERSION := 0.0.1
+LD_FLAGS := "-X github.com/datreeio/admission-webhook-datree/pkg/config.WebhookVersion=$(WEBHOOK_VERSION)"
+BUILD_ARGS_ENV ?= staging
+BUILD_ARGS_DIR ?= $(WEBHOOK_SERVER_DIR)
+BUILD_ARGS_OUTPUT ?= webhook-server
+
+#################
+#   BUILD CODE  #
+#################
+_builder:
+	go build -o ${BUILD_ARGS_OUTPUT} -tags ${BUILD_ARGS_ENV} -ldflags=$(LD_FLAGS) $(BUILD_ARGS_DIR)
+
+build-cert-generator-%:
+	 $(MAKE) _builder \
+  		-e BUILD_ARGS_DIR=$(CERT_GENERATOR_DIR) \
+  		-e BUILD_ARGS_ENV="$*"	 \
+		-e BUILD_ARGS_OUTPUT="cert-generator"
+
+build-init-webhook-%:
+	 $(MAKE) _builder \
+  		-e BUILD_ARGS_DIR=$(INIT_WEBHOOK_DIR) \
+  		-e BUILD_ARGS_ENV="$*"	 \
+		-e BUILD_ARGS_OUTPUT="init-webhook"
+
+build-webhook-server-%:
+	 $(MAKE) _builder \
+  		-e BUILD_ARGS_DIR=$(WEBHOOK_SERVER_DIR) \
+  		-e BUILD_ARGS_ENV="$*"	 \
+		-e BUILD_ARGS_OUTPUT="webhook-server"			
+
+#################
+#      RUN      #
+#################
+
+_runner: 
+	go run -tags ${BUILD_ARGS_ENV} -ldflags=$(LD_FLAGS) $(BUILD_ARGS_DIR)
+
+run-cert-generator-%:
+	 $(MAKE) _runner \
+		-e BUILD_ARGS_DIR=$(CERT_GENERATOR_DIR) \
+		-e BUILD_ARGS_ENV="$*"
+
+run-init-webhook-%:
+	 $(MAKE) _runner \
+  		-e BUILD_ARGS_DIR=$(INIT_WEBHOOK_DIR) \
+  		-e BUILD_ARGS_ENV="$*"
+
+run-webhook-server-%:
+	 $(MAKE) _runner \
+  		-e BUILD_ARGS_DIR=$(WEBHOOK_SERVER_DIR) \
+  		-e BUILD_ARGS_ENV="$*"
+
+
+
+#################
+#      TEST     #
+#################
 
 test:
 	go test ./...
 
+
+##################
+#   BUILD IMAGE  #
+##################
+_image_builder:
+	docker build -t ${BUILD_ARGS_OUTPUT} -f $(BUILD_ARGS_DIR)/Dockerfile . --build-arg BUILD_ENVIRONMENT=${BUILD_ARGS_ENV}
+
+build-image-cert-generator-%:
+	 $(MAKE) _image_builder \
+  		-e BUILD_ARGS_DIR=$(CERT_GENERATOR_DIR) \
+  		-e BUILD_ARGS_ENV="$*"	 \
+		-e BUILD_ARGS_OUTPUT="cert-generator"
+
+build-image-init-webhook-%:
+	 $(MAKE) _image_builder \
+  		-e BUILD_ARGS_DIR=$(INIT_WEBHOOK_DIR) \
+  		-e BUILD_ARGS_ENV="$*"	 \
+		-e BUILD_ARGS_OUTPUT="init-webhook"
+
+build-image-webhook-server-%:
+	 $(MAKE) _image_builder \
+  		-e BUILD_ARGS_DIR=$(WEBHOOK_SERVER_DIR) \
+  		-e BUILD_ARGS_ENV="$*"	 \
+		-e BUILD_ARGS_OUTPUT="webhook-server"		
+
+#################
+#      DEPLOY   #
+#################
+
+.PHONY: deploy-in-minikube
 deploy-in-minikube:
 	bash ./scripts/deploy-in-minikube.sh
+
+.PHONY: run-in-minikube
 run-in-minikube:
 	bash ./scripts/run-in-minikube.sh
+
+.PHONY: test-in-minikube
 test-in-minikube:
 	bash ./scripts/test-in-minikube.sh
+
+# to be continued...

charts/datree-admission-webhook-awsmp/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: datree-lib
+  repository: file://../datree-lib
+  version: 0.1.1
+digest: sha256:a65b157f4e3e466bfc9a80df08a319a3f61abdb84e4a29dfbe18127dd11edac6
+generated: "2022-10-18T15:06:55.309464+03:00"

charts/datree-admission-webhook-awsmp/Chart.yaml

@@ -0,0 +1,31 @@
+apiVersion: v2
+name: datree-admission-webhook-awsmp
+description: A Helm chart for Datree admission webhook for Kubernetes clusters
+icon: https://github.com/datreeio/admission-webhook-datree/blob/main/internal/images/diagram.png
+type: application
+keywords:
+  - datree-admission-webhook
+  - policy agent
+  - validating webhook
+  - admissions controller
+home: datree.io
+sources:
+  - https://github.com/datreeio/admission-webhook-datree
+
+kubeVersion: ">=1.16.0-0"
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 1.0.2-rc.1
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "0.1.24-rc.2"
+
+dependencies:
+  - name: datree-lib
+    version: 0.1.1
+    repository: file://../datree-lib

charts/datree-admission-webhook-awsmp/templates/_helpers.tpl

@@ -0,0 +1,25 @@
+{{/* Create chart name and version as used by the chart label. */}}
+{{- define "datree.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+
+{{/* Helm and Kubernetes required labels */}}
+{{- define "datree.labels" -}}
+app.kubernetes.io/name: {{.Chart.Name}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+app.kubernetes.io/version: {{ .Chart.AppVersion }}
+app.kubernetes.io/part-of: "datree"
+meta.helm.sh/release-name: "{{ .Chart.Name }}"
+meta.helm.sh/release-namespace: "{{ .Release.Namespace}}" 
+helm.sh/chart: {{ template "datree.chart" . }}
+    {{- if .Values.customLabels -}}
+        {{ toYaml .Values.customLabels }}
+    {{- end -}}
+{{- end -}}
+
+{{/* The namespace name. */}}
+{{- define "datree.namespace" -}}
+{{- default .Release.Namespace .Values.namespace  -}}
+{{- end -}}

charts/datree-admission-webhook-awsmp/templates/clusterrole.yaml

@@ -0,0 +1 @@
+{{- include "datree-lib.clusterrole" .}}

charts/datree-admission-webhook-awsmp/templates/clusterrolebinding.yaml

@@ -0,0 +1 @@
+{{- include "datree-lib.clusterrolebinding" .}}

charts/datree-admission-webhook-awsmp/templates/deployment.yaml

@@ -0,0 +1,130 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: datree-webhook-server
+  namespace: {{ template "datree.namespace" . }}
+  labels: {{ include "datree.labels" . | nindent 4 }}
+    owner: datree
+    app: "datree-webhook-server"
+  annotations: 
+    "helm.sh/hook": post-install
+    "helm.sh/hook-weight": "5"
+  {{- if .Values.customAnnotations }}
+    {{- toYaml .Values.customAnnotations | nindent 4 }}
+  {{- end }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels: 
+      app: "datree-webhook-server"
+  template:
+    metadata:
+      labels: {{ include "datree.labels" . | nindent 8 }}
+        app: "datree-webhook-server"
+      {{- if .Values.customAnnotations }}
+      annotations: {{- toYaml .Values.customAnnotations | nindent 4 }}
+      {{- end }}
+    spec:
+      serviceAccountName: {{.Values.rbac.serviceAccount.name}}
+      containers:
+      - name: webhook-init
+        image: "{{ .Values.imageWebhook.repository }}:{{ .Values.imageWebhook.tag | default .Chart.AppVersion }}"
+        imagePullPolicy: IfNotPresent
+        volumeMounts:
+            - mountPath: /etc/webhook/certs
+              name: webhook-certs
+        env:
+        - name: WEBHOOK_NAMESPACE
+          value: {{ template "datree.namespace" . }}
+        - name: WEBHOOK_SERVICE
+          value: "datree-webhook-server"
+        - name: WEBHOOK_SELECTOR
+          value: "admission.datree/validate"
+        - name: WEBHOOK_SERVER_REPLICAS
+          value: "{{ .Values.replicaCount }}"
+      - name: server
+        securityContext: {{- toYaml .Values.securityContext | nindent 12 }}
+        livenessProbe:
+            httpGet:
+                path: /health
+                port: 8443
+                scheme: HTTPS
+            initialDelaySeconds: 5
+            periodSeconds: 10
+        readinessProbe:
+            httpGet:
+                path: /ready
+                port: 8443
+                scheme: HTTPS
+            initialDelaySeconds: 5
+            periodSeconds: 10
+        resources: {{- toYaml .Values.resources | nindent 12 }}
+        image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+        imagePullPolicy: {{.Values.image.pullPolicy}}
+        ports:
+        - containerPort: 8443
+          name: webhook-api
+        # caution: don't change the order of the environment variables
+        # changing the order will harm resource patching
+        env:
+        - name: DEBUG
+          value: "{{ .Values.debug }}"
+        # Datree webhook varaibles
+        - name: DATREE_TOKEN
+          value: {{.Values.datree.token}}
+        - name: DATREE_POLICY
+          value: {{.Values.datree.policy}}
+        - name: DATREE_VERBOSE
+          value: {{.Values.datree.verbose}}
+        - name: DATREE_OUTPUT
+          value: {{.Values.datree.output}}
+        - name: DATREE_NO_RECORD
+          value: {{.Values.datree.noRecord}}
+         # AWS Marketplace varaibles
+        - name: AWS_MP_PRODUCT_ID
+          value: {{ .Values.aws.productId }}
+        - name: AWS_MP_KEY_FINGERPRINT
+          value: {{ .Values.aws.issuerKey }}
+        - name: AWS_MP_ENABLE_CHECK_ENTITLEMENT
+          value: "{{.Values.aws.enableCheckEntitlement}}"
+        - name: AWS_MP_REGION
+          value: {{.Values.aws.region}}
+        {{- if .Values.aws.licenseConfigSecretName }}
+        - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE
+          value: "/var/run/secrets/awsmp-product-license/license_token"
+        - name: AWS_ROLE_ARN
+          valueFrom:
+            secretKeyRef:
+                name: {{ .Values.aws.licenseConfigSecretName }}
+                key: iam_role
+        {{- end}}
+        # add aws marketplace license config to the licensed container application env
+        volumeMounts:
+        - mountPath: /etc/webhook/certs
+          name: webhook-certs
+          readOnly: true
+        {{- if .Values.aws.licenseConfigSecretName }}
+        - name: awsmp-product-license
+          mountPath: "/var/run/secrets/awsmp-product-license"
+        {{- end}}
+      volumes:
+        - name: webhook-certs
+          emptyDir: {}
+        {{- if .Values.aws.licenseConfigSecretName }}
+        - name: awsmp-product-license
+          secret:
+            secretName: {{ .Values.aws.licenseConfigSecretName }}
+        {{- end}}
+      initContainers:
+        - name: generate-cert
+          image: "{{ .Values.initContainer.repository }}:{{ .Values.initContainer.tag }}"
+          imagePullPolicy: IfNotPresent
+          volumeMounts:
+            - mountPath: /etc/webhook/certs
+              name: webhook-certs
+          env:
+          - name: WEBHOOK_CERTS_DIR
+            value: /etc/webhook/certs
+          - name: WEBHOOK_SERVER_DNS
+            value: {{ printf "datree-webhook-server.%s.svc" (include "datree.namespace" .)}}
+