[stable/aws-pod-identity-webhook] Adding chart for AWS' new EKS Pod Identity Webhook

stable/aws-pod-identity-webhook/.helmignore

@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

stable/aws-pod-identity-webhook/Chart.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+appVersion: "1.0"
+description: A Helm chart for the Amazon EKS Pod Identity Webhook
+name: aws-pod-identity-webhook
+version: 0.1.0
+icon: https://github.com/kubernetes/kubernetes/blob/master/logo/logo.png
+home: https://github.com/aws/amazon-eks-pod-identity-webhook
+sources:
+- https://github.com/aws/amazon-eks-pod-identity-webhook
+maintainers:
+- name: micahhausler
+  email: hausler.m@gmail.com
+engine: gotpl

stable/aws-pod-identity-webhook/OWNERS

@@ -0,0 +1,4 @@
+approvers:
+- micahhausler
+reviewers:
+- micahhausler

stable/aws-pod-identity-webhook/README.md

@@ -0,0 +1,66 @@
+# AWS Pod Identity Webhook
+
+This chart will install the [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook). This tool allows you to specify IAM Roles for Kubernetes Service Accounts. This allows a pod to assume a IAM role.
+
+Further details can be found here: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html
+
+## Prerequisites
+
+- Kubernetes 1.12+
+
+For installation into a non-EKS cluster, see [Self-hosted Kubernetes setup](https://github.com/aws/amazon-eks-pod-identity-webhook/blob/master/SELF_HOSTED_SETUP.md)
+
+## Installing the Chart
+
+You first need to retrieve `ca.crt` from your cluster as this is used as a value for the chart:
+
+```shell
+secret_name=$(kubectl get sa default -o jsonpath='{.secrets[0].name}')
+export CA_BUNDLE=$(kubectl get secret/$secret_name -o jsonpath='{.data.ca\.crt}' | tr -d '\n')
+```
+
+Then install the chart:
+
+```shell
+$ helm install --name my-release stable/aws-pod-identity-webhook --set caBundle="${CA_BUNDLE}"
+```
+
+After installation you need to approve the certificate. Follow the chart notes after installation for this step.
+
+The webhook will request a new CSR prior expiry in 1 year. This new CSR will also need to be manually approved.
+
+## Uninstalling the Chart
+
+To delete the chart:
+
+```shell
+$ helm delete my-release
+```
+
+## Configuration
+
+The following table lists the configurable parameters for this chart and their default values.
+
+| Parameter              | Description                           | Default                                                                 |
+| -----------------------|---------------------------------------|-------------------------------------------------------------------------|
+| `tls_secret_name`      | Name of the secret containing the     | `pod-identity-webhook`                                                  |
+| `annotation_prefix`    | Prefix for annotation                 | `eks.amazonaws.com`                                                     |
+| `token_audience`       | Token audience                        | `sts.amazonaws.com`                                                     |
+| `caBundle`             | CA cert bundle data                   | None. Must be provided on chart install                                 |
+| `image.repository`     | Image repository                      | `602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/pod-identity-webhook` |
+| `image.tag`            | Image tag                             | `latest`                                                                |
+| `image.pullPolicy`     | Container pull policy                 | `IfNotPresent`                                                          |
+| `replicas`             | Number of deployment replicas         | `3`                                                                     |
+| `fullnameOverride`     | Override the fullname of the chart    | `nil`                                                                   |
+| `nameOverride`         | Override the name of the chart        | `nil`                                                                   |
+| `priorityClassName`    | Set a priority class for pods         | `nil`                                                                   |
+| `resources`            | Pod resources                         | `{}`                                                                    |
+| `nodeSelector`         | Node labels for pod assignment        | `{}`                                                                    |
+| `tolerations`          | Optional deployment tolerations       | `[]`                                                                    |
+| `affinity`             | Map of node/pod affinities            | `{}`                                                                    |
+
+Specify each parameter using the `--set key=value[,key=value]` argument to `helm install` or provide a YAML file containing the values for the above parameters:
+
+```shell
+$ helm install --name my-release stable/aws-pod-identity-webhook --values values.yaml
+```

stable/aws-pod-identity-webhook/templates/NOTES.txt

@@ -0,0 +1,10 @@
+
+If this is your first installation of {{ .Chart.Name }} then you need to approve the certificate.
+
+Wait until the pod has started:
+
+  kubectl get pods -n {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/name={{ include "aws-pod-identity-webhook.name" . }}
+
+Then approve the certificate:
+
+  kubectl certificate approve $(kubectl get csr -o jsonpath='{.items[?(@.spec.username=="system:serviceaccount:{{ .Release.Namespace }}:{{ include "aws-pod-identity-webhook.fullname" . }}")].metadata.name}')

stable/aws-pod-identity-webhook/templates/_helpers.tpl

@@ -0,0 +1,45 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "aws-pod-identity-webhook.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "aws-pod-identity-webhook.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "aws-pod-identity-webhook.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "aws-pod-identity-webhook.labels" -}}
+app.kubernetes.io/name: {{ include "aws-pod-identity-webhook.name" . }}
+helm.sh/chart: {{ include "aws-pod-identity-webhook.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}

stable/aws-pod-identity-webhook/templates/clusterrole.yaml

@@ -0,0 +1,24 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "aws-pod-identity-webhook.fullname" . }}
+  labels:
+{{ include "aws-pod-identity-webhook.labels" . | indent 4 }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts
+  verbs:
+  - get
+  - watch
+  - list
+- apiGroups:
+  - certificates.k8s.io
+  resources:
+  - certificatesigningrequests
+  verbs:
+  - create
+  - get
+  - list
+  - watch

stable/aws-pod-identity-webhook/templates/clusterrolebinding.yaml

@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "aws-pod-identity-webhook.fullname" . }}
+  labels:
+{{ include "aws-pod-identity-webhook.labels" . | indent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "aws-pod-identity-webhook.fullname" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "aws-pod-identity-webhook.fullname" . }}
+  namespace: {{ .Release.Namespace }}

stable/aws-pod-identity-webhook/templates/deployment.yaml

@@ -0,0 +1,60 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "aws-pod-identity-webhook.fullname" . }}
+  labels:
+{{ include "aws-pod-identity-webhook.labels" . | indent 4 }}
+spec:
+  replicas: {{ .Values.replicas }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ include "aws-pod-identity-webhook.name" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: {{ include "aws-pod-identity-webhook.name" . }}
+        app.kubernetes.io/instance: {{ .Release.Name }}
+    spec:
+    {{- if .Values.priorityClassName }}
+      priorityClassName: "{{ .Values.priorityClassName }}"
+    {{- end }}
+    {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+      serviceAccountName: {{ include "aws-pod-identity-webhook.fullname" . }}
+      containers:
+      - name: webhook
+        image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        command:
+        - /webhook
+        - --in-cluster
+        - --namespace={{ .Release.Namespace }}
+        - --service-name={{ include "aws-pod-identity-webhook.fullname" . }}
+        - --tls-secret={{ .Values.tls_secret_name }}
+        - --annotation-prefix={{ .Values.annotation_prefix }}
+        - --token-audience={{ .Values.token_audience }}
+        - --logtostderr
+        volumeMounts:
+        - name: webhook-certs
+          mountPath: /var/run/app/certs
+          readOnly: false
+        resources:
+          {{- toYaml .Values.resources | nindent 10 }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+    {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+      volumes:
+      - name: webhook-certs
+        emptyDir: {}

stable/aws-pod-identity-webhook/templates/mutatingwebhook.yaml

@@ -0,0 +1,20 @@
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: {{ include "aws-pod-identity-webhook.fullname" . }}
+  labels:
+{{ include "aws-pod-identity-webhook.labels" . | indent 4 }}
+webhooks:
+- name: pod-identity-webhook.amazonaws.com
+  failurePolicy: Ignore
+  clientConfig:
+    service:
+      name: {{ include "aws-pod-identity-webhook.fullname" . }}
+      namespace: {{ .Release.Namespace }}
+      path: "/mutate"
+    caBundle: {{ .Values.caBundle | quote }}
+  rules:
+  - operations: [ "CREATE" ]
+    apiGroups: [""]
+    apiVersions: ["v1"]
+    resources: ["pods"]

stable/aws-pod-identity-webhook/templates/role.yaml

@@ -0,0 +1,23 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "aws-pod-identity-webhook.fullname" . }}
+  labels:
+{{ include "aws-pod-identity-webhook.labels" . | indent 4 }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - update
+  - patch
+  resourceNames:
+  - "{{ .Values.tls_secret_name }}"

stable/aws-pod-identity-webhook/templates/rolebinding.yaml

@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "aws-pod-identity-webhook.fullname" . }}
+  labels:
+{{ include "aws-pod-identity-webhook.labels" . | indent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "aws-pod-identity-webhook.fullname" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "aws-pod-identity-webhook.fullname" . }}
+  namespace: {{ .Release.Namespace }}

stable/aws-pod-identity-webhook/templates/service.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "aws-pod-identity-webhook.fullname" . }}
+  labels:
+{{ include "aws-pod-identity-webhook.labels" . | indent 4 }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    prometheus.io/port: "443"
+    prometheus.io/scheme: "https"
+    prometheus.io/scrape: "true"
+spec:
+  ports:
+  - port: 443
+    targetPort: 443
+  selector:
+    app.kubernetes.io/name: {{ include "aws-pod-identity-webhook.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}

stable/aws-pod-identity-webhook/templates/serviceaccount.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "aws-pod-identity-webhook.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+{{ include "aws-pod-identity-webhook.labels" . | indent 4 }}

stable/aws-pod-identity-webhook/values.yaml

@@ -0,0 +1,24 @@
+tls_secret_name: pod-identity-webhook
+annotation_prefix: eks.amazonaws.com
+token_audience: sts.amazonaws.com
+
+replicas: 3
+
+image:
+  repository: 602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/pod-identity-webhook
+  tag: latest
+  pullPolicy: IfNotPresent
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+resources: {}
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+priorityClassName: ""