Modernize chart (#66)

charts/amazon-eks-pod-identity-webhook/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: amazon-eks-pod-identity-webhook
 description: A Kubernetes webhook for pods that need AWS IAM access
-version: 2.3.2
+version: 2.4.0
 type: application
 # renovate: image=amazon/amazon-eks-pod-identity-webhook
 appVersion: "v0.6.1"

charts/amazon-eks-pod-identity-webhook/templates/_helpers.tpl

@@ -50,7 +50,6 @@ helm.sh/chart: {{ include "amazon-eks-pod-identity-webhook.chart" . }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end }}
 
 {{/*
@@ -72,8 +71,8 @@ Create the name of the service account to use
 {{- end }}
 {{- end }}
 
-{{/* 
-Get PodDisruptionBudget API Version 
+{{/*
+Get PodDisruptionBudget API Version
 */}}
 {{- define "amazon-eks-pod-identity-webhook.pdb.apiVersion" -}}
   {{- if and (.Capabilities.APIVersions.Has "policy/v1") (semverCompare ">= 1.21-0" .Capabilities.KubeVersion.Version) -}}

charts/amazon-eks-pod-identity-webhook/templates/certificate.yaml

@@ -1,25 +1,26 @@
 {{- if .Values.pki.certManager.enabled }}
+{{- $fullName := include "amazon-eks-pod-identity-webhook.fullname" . }}
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: {{ include "amazon-eks-pod-identity-webhook.fullname" . }}
+  name: {{ $fullName }}
   namespace: {{ include "amazon-eks-pod-identity-webhook.namespace" . }}
 spec:
-  secretName: "{{ include "amazon-eks-pod-identity-webhook.fullname" . }}-cert"
-  commonName: "{{ include "amazon-eks-pod-identity-webhook.fullname" . }}"
+  secretName: "{{ $fullName }}-cert"
+  commonName: "{{ $fullName }}"
   dnsNames:
-    - "{{ include "amazon-eks-pod-identity-webhook.fullname" . }}"
-    - "{{ include "amazon-eks-pod-identity-webhook.fullname" . }}.{{ include "amazon-eks-pod-identity-webhook.namespace" . }}"
-    - "{{ include "amazon-eks-pod-identity-webhook.fullname" . }}.{{ include "amazon-eks-pod-identity-webhook.namespace" . }}.svc"
-    - "{{ include "amazon-eks-pod-identity-webhook.fullname" . }}.{{ include "amazon-eks-pod-identity-webhook.namespace" . }}.svc.local"
+    - "{{ $fullName }}"
+    - "{{ $fullName }}.{{ include "amazon-eks-pod-identity-webhook.namespace" . }}"
+    - "{{ $fullName }}.{{ include "amazon-eks-pod-identity-webhook.namespace" . }}.svc"
+    - "{{ $fullName }}.{{ include "amazon-eks-pod-identity-webhook.namespace" . }}.svc.local"
   duration: "{{ .Values.pki.certManager.certificate.duration }}"
   renewBefore: "{{ .Values.pki.certManager.certificate.renewBefore }}"
   issuerRef:
     {{- if .Values.pki.certManager.existingIssuer.enabled }}
     name: {{ .Values.pki.certManager.existingIssuer.name }}
     kind: {{ .Values.pki.certManager.existingIssuer.kind }}
     {{- else }}
-    name: {{ include "amazon-eks-pod-identity-webhook.fullname" . }}
+    name: {{ $fullName }}
     kind: Issuer
     {{- end }}
 {{- end }}

charts/amazon-eks-pod-identity-webhook/templates/clusterrole.yaml

@@ -14,3 +14,12 @@ rules:
       - get
       - watch
       - list
+  - apiGroups:
+      - certificates.k8s.io
+    resources:
+      - certificatesigningrequests
+    verbs:
+      - create
+      - get
+      - list
+      - watch

charts/amazon-eks-pod-identity-webhook/templates/deployment.yaml

@@ -31,13 +31,11 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- if .Values.priorityClassName }}
-      priorityClassName: "{{ .Values.priorityClassName }}"
+      {{- with .Values.priorityClassName }}
+      priorityClassName: {{ . | quote }}
       {{- end }}
       containers:
         - name: {{ .Chart.Name }}
-          securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
           image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           command:
@@ -46,9 +44,10 @@ spec:
             - --aws-default-region={{ .Values.config.defaultAwsRegion }}
             - --in-cluster=false
             - --logtostderr
-            - --namespace={{ include "amazon-eks-pod-identity-webhook.namespace" . }}
+            - --namespace=$(POD_NAMESPACE)
             - --metrics-port={{ .Values.config.ports.metrics }}
             - --port={{ .Values.config.ports.webhook }}
+            - --service-name={{ include "amazon-eks-pod-identity-webhook.fullname" . }}
             - --sts-regional-endpoint={{ .Values.config.stsRegionalEndpoint }}
             - --token-audience={{ .Values.config.tokenAudience }}
             - --token-expiration={{ .Values.config.tokenExpiration }}
@@ -61,27 +60,56 @@ spec:
             {{- if .Values.config.extraArgs }}
             {{- toYaml .Values.config.extraArgs | nindent 12 }}
             {{- end }}
-          volumeMounts:
-            - name: cert
-              mountPath: "/etc/webhook/certs"
-              readOnly: true
           ports:
             - name: https
               containerPort: {{ .Values.config.ports.webhook }}
               protocol: TCP
             - name: metrics
               containerPort: {{ .Values.config.ports.metrics }}
               protocol: TCP
+          env:
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          {{- with .Values.livenessProbe }}
           livenessProbe:
-            {{- toYaml .Values.livenessProbe | nindent 12 }}
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.readinessProbe }}
           readinessProbe:
-            {{- toYaml .Values.readinessProbe | nindent 12 }}
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.resources }}
           resources:
-            {{- toYaml .Values.resources | nindent 12 }}
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          volumeMounts:
+            - name: cert
+              mountPath: "/etc/webhook/certs"
+              readOnly: true
       hostNetwork: {{ .Values.hostNetwork }}
       serviceAccountName: {{ include "amazon-eks-pod-identity-webhook.serviceAccountName" . }}
+      {{- with .Values.podSecurityContext }}
       securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- tpl (toYaml .) $  | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- tpl (toYaml .) $  | nindent 8 }}
+      {{- end }}
       volumes:
         - name: cert
           secret:
@@ -90,15 +118,3 @@ spec:
             {{- else }}
             secretName: "{{ include "amazon-eks-pod-identity-webhook.fullname" . }}-cert"
             {{- end }}
-      {{- if .Values.nodeSelector }}
-      nodeSelector:
-        {{- tpl (toYaml .Values.nodeSelector) . | nindent 8 }}
-      {{- end }}
-      {{- if .Values.affinity }}
-      affinity:
-        {{- tpl (toYaml .Values.affinity ) . | nindent 8 }}
-      {{- end }}
-      {{- if .Values.tolerations }}
-      tolerations:
-        {{- tpl (toYaml .Values.tolerations) . | nindent 8 }}
-      {{- end }}

charts/amazon-eks-pod-identity-webhook/templates/mutatingwebhook.yaml

@@ -33,15 +33,18 @@ webhooks:
     {{- end }}
     objectSelector:
       matchExpressions:
+        - key: "eks.amazonaws.com/skip-pod-identity-webhook"
+          operator: "DoesNotExist"
+          values: []
         - key: "app.kubernetes.io/name"
           operator: "NotIn"
           values:
             - "{{ include "amazon-eks-pod-identity-webhook.name" . }}"
-      {{- if .Values.mutatingWebhook.objectSelector.matchExpressions }}
-      {{- toYaml .Values.mutatingWebhook.objectSelector.matchExpressions | nindent 8 }}
+      {{- with .Values.mutatingWebhook.objectSelector.matchExpressions }}
+      {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- if .Values.mutatingWebhook.objectSelector.matchLabels }}
-      matchLabels: {{- toYaml .Values.mutatingWebhook.objectSelector.matchLabels | nindent 8 }}
+      {{- with .Values.mutatingWebhook.objectSelector.matchLabels }}
+      matchLabels: {{- toYaml . | nindent 8 }}
       {{- end }}
     sideEffects: None
     admissionReviewVersions:

charts/amazon-eks-pod-identity-webhook/templates/role.yaml

@@ -1,35 +1,45 @@
 ---
 {{- if .Values.config.podIdentityWebhookMap.enabled }}
+{{- $fullName := include "amazon-eks-pod-identity-webhook.fullname" . }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: {{ include "amazon-eks-pod-identity-webhook.fullname" . }}
+  name: {{ $fullName }}
   namespace: {{ include "amazon-eks-pod-identity-webhook.namespace" . }}
   labels:
     {{- include "amazon-eks-pod-identity-webhook.labels" . | nindent 4 }}
 rules:
   - apiGroups:
       - ""
     resources:
-      - configmaps
+      - secrets
+    verbs:
+      - create
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
     verbs:
       - get
-      - watch
-      - list
+      - update
+      - patch
+    resourceNames:
+      {{- /* This is the service account name, ref: https://github.com/aws/amazon-eks-pod-identity-webhook/blob/ac3554488585c1a35bea552f771ef3bd4e6e0ddd/pkg/handler/handler.go#L436 */}}
+      - "{{ include "amazon-eks-pod-identity-webhook.serviceAccountName" . }}"
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: {{ include "amazon-eks-pod-identity-webhook.fullname" . }}
+  name: {{ $fullName }}
   namespace: {{ include "amazon-eks-pod-identity-webhook.namespace" . }}
   labels:
     {{- include "amazon-eks-pod-identity-webhook.labels" . | nindent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: {{ include "amazon-eks-pod-identity-webhook.fullname" . }}
+  name: {{ $fullName }}
 subjects:
   - kind: ServiceAccount
-    name: {{ include "amazon-eks-pod-identity-webhook.fullname" . }}
+    name: {{ $fullName }}
     namespace: {{ include "amazon-eks-pod-identity-webhook.namespace" . }}
 {{- end }}

charts/amazon-eks-pod-identity-webhook/templates/service.yaml

@@ -6,7 +6,10 @@ metadata:
   namespace: {{ include "amazon-eks-pod-identity-webhook.namespace" . }}
   labels:
     {{- include "amazon-eks-pod-identity-webhook.labels" . | nindent 4 }}
-  {{- with .Values.serviceAnnotations }}
+    {{- with .Values.service.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.service.annotations }}
   annotations:
     {{- toYaml . | nindent 4 }}
   {{- end }}
@@ -16,9 +19,11 @@ spec:
     - port: {{ .Values.config.ports.webhook }}
       targetPort: https
       protocol: TCP
+      appProtocol: https
       name: https
     - port: {{ .Values.config.ports.metrics }}
       targetPort: metrics
+      appProtocol: http
       protocol: TCP
       name: metrics
   selector:

charts/amazon-eks-pod-identity-webhook/templates/servicemonitor.yaml

@@ -30,7 +30,10 @@ spec:
       {{- if .Values.metrics.serviceMonitor.honorLabels }}
       honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }}
       {{- end }}
-      {{- if .Values.metrics.serviceMonitor.relabelings }}
-      relabelings: {{- toYaml .Values.metrics.serviceMonitor.relabelings | nindent 6 }}
+      {{- with .Values.metrics.serviceMonitor.relabelings }}
+      relabelings: {{- toYaml . | nindent 6 }}
+      {{- end }}
+      {{- with .Values.metrics.serviceMonitor.endpointAdditionalProperties }}
+      {{- toYaml . | nindent 6 }}
       {{- end }}
 {{- end -}}

charts/amazon-eks-pod-identity-webhook/values.yaml

@@ -133,6 +133,8 @@ metrics:
     honorLabels: false
     # -- RelabelConfigs to apply to samples before scraping.
     relabelings: []
+    # -- More properties for the endpoint configuration of the service monitor.
+    endpointAdditionalProperties: {}
 
 readinessProbe:
   httpGet:
@@ -169,20 +171,33 @@ resources:
   requests: {}
 
 securityContext:
-  # -- Pod securityContext: Enable read-only root filesystem
+  # -- Container securityContext: Allow privilege escalation
+  allowPrivilegeEscalation: false
+  # -- Container securityContext: Enable read-only root filesystem
   readOnlyRootFilesystem: true
-  # -- Pod securityContext: Run primary group id
+  # -- Container securityContext: Run primary group id
   runAsGroup: 1
-  # -- Pod securityContext: Disable root user
+  # -- Container securityContext: Disable root user
   runAsNonRoot: false
-  # -- Pod securityContext: Run user id
+  # -- Container securityContext: Run user id
   runAsUser: 65534
+  # -- Container securityContext: Drop capabilities
+  capabilities:
+    drop: ["ALL"]
+
+
+podSecurityContext:
+  # -- Pod securityContext: Seccomp profile
+  seccompProfile:
+    type: RuntimeDefault
 
 service:
   # -- Service type
   type: ClusterIP
   # -- Service annotations
   annotations: {}
+  # -- Service labels.
+  labels: {}
 
 serviceAccount:
   # -- Enable creation of ServiceAccount for nginx pod
@@ -202,10 +217,6 @@ podAnnotations: {}
 #  prometheus.io/scheme: "http"
 #  prometheus.io/scrape: "true"
 
-# -- amazon-eks-pod-identity-webhook pods' Security Context.
-podSecurityContext: {}
-#  fsGroup: 2000
-
 # -- Affinity for pod assignment
 affinity: {}