diff --git a/Makefile b/Makefile
index b655a4e45..a30b1ab15 100644
--- a/Makefile
+++ b/Makefile
@@ -17,7 +17,7 @@ endif
 REGISTRY_ID?=602401143452
 IMAGE_NAME?=eks/pod-identity-webhook
 REGION?=us-west-2
-IMAGE?=$(REGISTRY_ID).dkr.ecr.$(REGION).amazonaws.com/$(IMAGE_NAME)
+IMAGE?=$(REGISTRY_ID).dkr.ecr.$(REGION).amazonaws.com/$(IMAGE_NAME):latest
 
 test:
 	go test -coverprofile=coverage.out ./...
@@ -70,30 +70,16 @@ cluster-up: deploy-config
 cluster-down: delete-config
 
 prep-config:
-	@echo 'Generating certs and deploying into active cluster...'
-	cat deploy/deployment-base.yaml | sed -e "s|IMAGE|${IMAGE}|g" | tee deploy/deployment.yaml
-	cat deploy/mutatingwebhook.yaml | hack/webhook-patch-ca-bundle.sh > deploy/mutatingwebhook-ca-bundle.yaml
+	@echo 'Overriding specified docker image...'
+	cd deploy && kustomize edit set image "eks-pod-identity-webhook-image=${IMAGE}"
 
 deploy-config: prep-config
 	@echo 'Applying configuration to active cluster...'
-	kubectl apply -f deploy/auth.yaml
-	kubectl apply -f deploy/deployment.yaml
-	kubectl apply -f deploy/service.yaml
-	kubectl apply -f deploy/mutatingwebhook-ca-bundle.yaml
-	until kubectl get csr -o \
-	jsonpath='{.items[?(@.spec.username=="system:serviceaccount:default:pod-identity-webhook")].metadata.name}' | \
-	grep -m 1 "csr-"; \
-	do echo "Waiting for CSR to be created" && sleep 1 ; \
-	done
-	kubectl certificate approve $$(kubectl get csr -o jsonpath='{.items[?(@.spec.username=="system:serviceaccount:default:pod-identity-webhook")].metadata.name}')
+	kubectl apply -k deploy
 
 delete-config:
 	@echo 'Tearing down mutating controller and associated resources...'
-	kubectl delete -f deploy/mutatingwebhook-ca-bundle.yaml
-	kubectl delete -f deploy/service.yaml
-	kubectl delete -f deploy/deployment.yaml
-	kubectl delete -f deploy/auth.yaml
-	kubectl delete secret pod-identity-webhook
+	kubectl delete -k deploy
 
 clean::
 	rm -rf ./amazon-eks-pod-identity-webhook
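Review bot: The new `IMAGE` default ends in the mutable `:latest` tag, so two runs of `make deploy-config` against the same registry can pull different images and nothing in the build records which one actually went out; the same default appears as `newTag: latest` in the new deploy/kustomization.yaml hunk. A tag derived from the build, or an immutable digest, keeps deployments reproducible and auditable, with `latest` only as an explicit opt-in, for example `IMAGE_TAG?=$(shell git describe --always --dirty)` and `IMAGE?=$(REGISTRY_ID).dkr.ecr.$(REGION).amazonaws.com/$(IMAGE_NAME):$(IMAGE_TAG)`.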
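Review bot: `kustomize edit set image` in `prep-config` rewrites the tracked `deploy/kustomization.yaml` in place, so every `make deploy-config` leaves the working tree modified with the last `IMAGE` value, and a later `kubectl apply -k deploy` run by hand silently deploys that stale override instead of the committed default. Either restore the file after the apply or build into a throwaway overlay rather than editing the source. `kubectl apply -k deploy` also now requires cert-manager's CRDs (deploy/certificate.yaml) where the old flow only needed the CSR API, so a guard such as `kubectl get crd certificates.cert-manager.io >/dev/null || { echo 'cert-manager is required'; exit 1; }` as the first line of `prep-config` turns a confusing apply error into a clear one. `delete-config` no longer removes the webhook's secret explicitly; whether cert-manager cleans up `pod-identity-webhook-cert` when the Certificate is deleted depends on its configuration, so that is worth checking.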
diff --git a/deploy/auth.yaml b/deploy/auth.yaml
index 369436c24..99dc0c48f 100644
--- a/deploy/auth.yaml
+++ b/deploy/auth.yaml
@@ -5,43 +5,6 @@ metadata:
   namespace: default
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: pod-identity-webhook
-  namespace: default
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - create
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - get
-  - update
-  - patch
-  resourceNames:
-  - "pod-identity-webhook"
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: pod-identity-webhook
-  namespace: default
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: pod-identity-webhook
-subjects:
-- kind: ServiceAccount
-  name: pod-identity-webhook
-  namespace: default
----
-apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: pod-identity-webhook
@@ -54,15 +17,6 @@ rules:
   - get
   - watch
   - list
-- apiGroups:
-  - certificates.k8s.io
-  resources:
-  - certificatesigningrequests
-  verbs:
-  - create
-  - get
-  - list
-  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
diff --git a/deploy/certificate.yaml b/deploy/certificate.yaml
new file mode 100644
index 000000000..7abae41c1
--- /dev/null
+++ b/deploy/certificate.yaml
@@ -0,0 +1,26 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: selfsigned
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: pod-identity-webhook
+  namespace: default
+spec:
+  secretName: pod-identity-webhook-cert
+  commonName: "pod-identity-webhook.default.svc"
+  dnsNames:
+  - "pod-identity-webhook"
+  - "pod-identity-webhook.default"
+  - "pod-identity-webhook.default.svc"
+  - "pod-identity-webhook.default.svc.local"
+  isCA: true
+  duration: 2160h # 90d
+  renewBefore: 360h # 15d
+  issuerRef:
+    name: selfsigned
+    kind: ClusterIssuer
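Review bot: The `dnsNames` entry `pod-identity-webhook.default.svc.local` in the new deploy/certificate.yaml does not match the default Kubernetes cluster domain; the fully-qualified service name is normally `pod-identity-webhook.default.svc.cluster.local`, so that SAN as written will never match a real request (the `.svc` form the API server uses is still covered, so this is latent rather than breaking, but it was carried over from the deleted deployment-base.yaml without correction). The Certificate also sets `isCA: true` on what is the webhook's serving certificate; if that is only needed so the self-signed certificate can be injected as the webhook `caBundle`, a comment saying so would help, otherwise a CA issuer plus a leaf certificate is the more conventional layout. Finally, the ClusterIssuer is cluster-scoped and named generically `selfsigned`, so `kubectl apply -k deploy` and `kubectl delete -k deploy` will overwrite or delete any ClusterIssuer of that name already in the cluster; a project-specific name such as `pod-identity-webhook-selfsigned` avoids that collision.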
diff --git a/deploy/deployment-base.yaml b/deploy/deployment-base.yaml
deleted file mode 100644
index 22712f694..000000000
--- a/deploy/deployment-base.yaml
+++ /dev/null
@@ -1,63 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: pod-identity-webhook
-  namespace: default
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: pod-identity-webhook
-  template:
-    metadata:
-      labels:
-        app: pod-identity-webhook
-    spec:
-      serviceAccountName: pod-identity-webhook
-      containers:
-      - name: pod-identity-webhook
-        image: IMAGE
-        imagePullPolicy: Always
-        command:
-        - /webhook
-        - --in-cluster=false
-        - --namespace=default
-        - --service-name=pod-identity-webhook
-        - --annotation-prefix=eks.amazonaws.com
-        - --token-audience=sts.amazonaws.com
-        - --logtostderr
-        volumeMounts:
-        - name: cert
-          mountPath: "/etc/webhook/certs"
-          readOnly: true
-      volumes:
-      - name: cert
-        secret:
-          secretName: pod-identity-webhook-cert
----
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
-  name: selfsigned
-spec:
-  selfSigned: {}
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: pod-identity-webhook
-  namespace: default
-spec:
-  secretName: pod-identity-webhook-cert
-  commonName: "pod-identity-webhook.default.svc"
-  dnsNames:
-  - "pod-identity-webhook"
-  - "pod-identity-webhook.default"
-  - "pod-identity-webhook.default.svc"
-  - "pod-identity-webhook.default.svc.local"
-  isCA: true
-  duration: 2160h # 90d
-  renewBefore: 360h # 15d
-  issuerRef:
-    name: selfsigned
-    kind: ClusterIssuer
diff --git a/deploy/kustomization.yaml b/deploy/kustomization.yaml
new file mode 100644
index 000000000..e048bdc09
--- /dev/null
+++ b/deploy/kustomization.yaml
@@ -0,0 +1,16 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: default
+
+resources:
+- auth.yaml
+- certificate.yaml
+- deployment.yaml
+- mutatingwebhook.yaml
+- service.yaml
+
+images:
+- name: eks-pod-identity-webhook-image
+  newName: amazon/amazon-eks-pod-identity-webhook
+  newTag: latest
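Review bot: `resources` lists `deployment.yaml`, but this diff deletes `deployment-base.yaml` (the template the Makefile used to render it from) and adds no `deployment.yaml`; if the rendered file was previously ignored rather than tracked, a fresh checkout will fail `kubectl apply -k deploy` with a missing resource, so the committed deployment.yaml, with its container `image:` set to `eks-pod-identity-webhook-image` to match the `images` entry here, should be part of this change. `mutatingwebhook.yaml` is likewise applied directly now instead of through hack/webhook-patch-ca-bundle.sh, so it must carry the cert-manager CA-injection annotation for the webhook `caBundle` to be populated; that file is not in the diff, so this is worth confirming rather than assuming.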