From 97b94a4ffaf7abb154226b0ef790d71cb46b443a Mon Sep 17 00:00:00 2001
From: Stefan Reimer
Date: Wed, 30 Jun 2021 12:37:05 +0200
Subject: [PATCH] feat: convert all kubezero modules to use service account tokens
---
 charts/kubezero/bootstrap.sh | 4 +--
 .../templates/aws-ebs-csi-driver.yaml | 16 ++++++++----
 .../templates/aws-efs-csi-driver.yaml | 18 ++++++-------
 charts/kubezero/templates/cert-manager.yaml | 23 ++++++++++++++--
 charts/kubezero/templates/istio-ingress.yaml | 26 +++++++++++++++++++
 5 files changed, 69 insertions(+), 18 deletions(-)
diff --git a/charts/kubezero/bootstrap.sh b/charts/kubezero/bootstrap.sh
index ea45a2ef..869f28fd 100755
--- a/charts/kubezero/bootstrap.sh
+++ b/charts/kubezero/bootstrap.sh
@@ -72,8 +72,8 @@ function delete_ns() {
 # Extract crds via helm calls and apply delta=crds only
 function _crds() {
- helm template $(chart_location $chart) --namespace $namespace --name-template $release --skip-crds -f $TMPDIR/values.yaml > $TMPDIR/helm-no-crds.yaml
- helm template $(chart_location $chart) --namespace $namespace --name-template $release --include-crds -f $TMPDIR/values.yaml > $TMPDIR/helm-crds.yaml
+ helm template $(chart_location $chart) --namespace $namespace --name-template $release --skip-crds --set ${release}.installCRDs=false > $TMPDIR/helm-no-crds.yaml
+ helm template $(chart_location $chart) --namespace $namespace --name-template $release --include-crds --set ${release}.installCRDs=true > $TMPDIR/helm-crds.yaml
 diff -e $TMPDIR/helm-no-crds.yaml $TMPDIR/helm-crds.yaml | head -n-1 | tail -n+2 > $TMPDIR/crds.yaml
 [ -s $TMPDIR/crds.yaml ] && kubectl apply -f $TMPDIR/crds.yaml
 }
diff --git a/charts/kubezero/templates/aws-ebs-csi-driver.yaml b/charts/kubezero/templates/aws-ebs-csi-driver.yaml
index 3f404dbd..a797f6ff 100644
--- a/charts/kubezero/templates/aws-ebs-csi-driver.yaml
+++ b/charts/kubezero/templates/aws-ebs-csi-driver.yaml
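Review bot: Neither `helm template` call's exit status is checked, and because both outputs are redirected a render failure leaves empty or truncated files, an empty `diff -e` result, and `[ -s $TMPDIR/crds.yaml ]` then silently skips the CRD install; this is more likely now that `-f $TMPDIR/values.yaml` is gone, since a template that `required`s a value will no longer render. Suggest failing loudly on both lines, e.g. `helm template … > $TMPDIR/helm-no-crds.yaml || return 1`, and checking the `diff` pipeline too. The `--set ${release}.installCRDs=…` key is chart-specific, so a one-line comment above `_crds` naming which subcharts actually consume `installCRDs` would save the next maintainer a search; quoting `"$TMPDIR"` and `"${release}"` would also make the function safe for paths with spaces.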
@@ -1,10 +1,16 @@
 {{- define "aws-ebs-csi-driver-values" }}
 aws-ebs-csi-driver:
- replicaCount: {{ ternary 2 1 .Values.HighAvailableControlplane }}
- podAnnotations:
- iam.amazonaws.com/role: {{ index .Values "aws-ebs-csi-driver" "IamArn" | quote }}
- extraVolumeTags:
- Name: {{ .Values.ClusterName }}
+ controller:
+ replicaCount: {{ ternary 2 1 .Values.HighAvailableControlplane }}
+ k8sTagClusterId: {{ .Values.ClusterName }}
+ env:
+ ebsPlugin:
+ - name: AWS_ROLE_ARN
+ value: {{ index .Values "aws-ebs-csi-driver" "IamArn" | quote }}
+ - name: AWS_WEB_IDENTITY_TOKEN_FILE
+ value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
+ - name: AWS_STS_REGIONAL_ENDPOINTS
+ value: regional
 {{- end }}
diff --git a/charts/kubezero/templates/aws-efs-csi-driver.yaml b/charts/kubezero/templates/aws-efs-csi-driver.yaml
index a3de0f93..1f87e93f 100644
--- a/charts/kubezero/templates/aws-efs-csi-driver.yaml
+++ b/charts/kubezero/templates/aws-efs-csi-driver.yaml
@@ -1,19 +1,19 @@
 {{- define "aws-efs-csi-driver-values" }}
-{{- with index .Values "aws-efs-csi-driver" "nodeSelector" }}
+{{ with index .Values "aws-efs-csi-driver" "IamArn" }}
 aws-efs-csi-driver:
- nodeSelector:
- {{- toYaml . | nindent 4 }}
+ controller:
+ extraEnv:
+ - name: AWS_ROLE_ARN
+ value: "{{ . }}"
+ - name: AWS_WEB_IDENTITY_TOKEN_FILE
+ value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
+ - name: AWS_STS_REGIONAL_ENDPOINTS
+ value: regional
 {{- end }}
 {{- with index .Values "aws-efs-csi-driver" "PersistentVolumes" }}
 PersistentVolumes:
 {{- toYaml . | nindent 2 }}
 {{- end }}
-{{- if index .Values "aws-efs-csi-driver" "EfsId" }}
-PersistentVolume:
- create: true
- EfsId: {{ index .Values "aws-efs-csi-driver" "EfsId" }}
- Name: {{ default "kubezero-efs-pv" ( index .Values "aws-efs-csi-driver" "PVName" ) }}
-{{- end }}
 {{- end }}
diff --git a/charts/kubezero/templates/cert-manager.yaml b/charts/kubezero/templates/cert-manager.yaml
index 40f06bea..642b8705 100644
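Review bot: `AWS_WEB_IDENTITY_TOKEN_FILE` points at `/var/run/secrets/sts.amazonaws.com/serviceaccount/token`, but unlike the cert-manager template in this commit nothing in this hunk projects a service-account token to that path, so the EBS controller will only find a token if the upstream chart or a mutating webhook mounts one — worth confirming, and if it does not, a projected `serviceAccountToken` volume with `audience: sts.amazonaws.com` plus a matching read-only `volumeMount` under `controller` is needed. Either way a comment above `env` such as `# token is projected by <chart/webhook>; the mount path must match AWS_WEB_IDENTITY_TOKEN_FILE` would record the dependency. The IAM role's trust policy must also restrict the token `sub` claim to this controller's service account, which the chart cannot enforce and the values documentation should state.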
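Review bot: As in the EBS template, `AWS_WEB_IDENTITY_TOKEN_FILE` is set under `extraEnv` but no projected `serviceAccountToken` volume or mount for `/var/run/secrets/sts.amazonaws.com/serviceaccount/` is added here, so the EFS controller depends on the upstream chart or a webhook to provide the token; please confirm that or add the volume, and leave a comment naming the provider. The `AWS_ROLE_ARN` value is emitted as `value: "{{ . }}"` while the EBS template uses `| quote`; `value: {{ . | quote }}` is the safer and consistent form. The new `{{ with … }}` without the leading dash also leaves a blank line at the top of the rendered values that the previous `{{- with … }}` trimmed — harmless, but inconsistent with the rest of the file.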
--- a/charts/kubezero/templates/cert-manager.yaml
+++ b/charts/kubezero/templates/cert-manager.yaml
@@ -4,8 +4,27 @@ localCA:
 enabled: true
 {{ with index .Values "cert-manager" "IamArn" }}
 cert-manager:
- podAnnotations:
- iam.amazonaws.com/role: "{{ . }}"
+ extraEnv:
+ - name: AWS_ROLE_ARN
+ value: "{{ . }}"
+ - name: AWS_WEB_IDENTITY_TOKEN_FILE
+ value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
+ - name: AWS_STS_REGIONAL_ENDPOINTS
+ value: regional
+
+ volumes:
+ - name: aws-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ path: token
+ expirationSeconds: 86400
+ audience: "sts.amazonaws.com"
+
+ volumeMounts:
+ - name: aws-token
+ mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
+ readOnly: true
 {{- end }}
 {{- with index .Values "cert-manager" "clusterIssuer" }}
diff --git a/charts/kubezero/templates/istio-ingress.yaml b/charts/kubezero/templates/istio-ingress.yaml
index 0520737a..ccf16218 100644
--- a/charts/kubezero/templates/istio-ingress.yaml
+++ b/charts/kubezero/templates/istio-ingress.yaml
@@ -16,9 +16,22 @@ istio-ingress:
 {{- toYaml . | nindent 6 }}
 {{- end }}
 {{- with index .Values "istio-ingress" "public" "dnsNames" }}
+ # Legacy
 dnsNames:
 {{- toYaml . | nindent 2 }}
+
+ certificates:
+ - name: ingress-cert
+ dnsNames:
+ {{- toYaml . | nindent 4 }}
 {{- end }}
+ # New multi cert gateway
+ {{- range $cert := (index .Values "istio-ingress" "public" "certificates") }}
+ - name: {{ $cert.name }}
+ dnsNames:
+ {{- toYaml $cert.dnsNames | nindent 4 }}
+ {{- end }}
+
 proxyProtocol: {{ default false (index .Values "istio-ingress" "public" "proxyProtocol") }}
 {{- end }}
 {{- if index .Values "istio-ingress" "private" }}
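Review bot: `AWS_WEB_IDENTITY_TOKEN_FILE` is the concatenation of the `mountPath` and the projected `path: token` below it, but nothing ties the three together, so a later edit to one of them silently breaks the credential chain; a comment above `extraEnv` such as `# AWS_WEB_IDENTITY_TOKEN_FILE must equal volumeMounts.mountPath + serviceAccountToken.path` would make the coupling explicit. Binding the token to `audience: "sts.amazonaws.com"` is the right scoping, but the IAM role's trust policy also needs a `sub` condition on the cert-manager service account or any pod in the cluster holding a token for that audience can assume the role — the chart cannot enforce this, so the `IamArn` values documentation should say so. `expirationSeconds: 86400` gives every token a 24h window in which a leak is usable; a shorter value such as `3600` reduces that window, and since the kubelet rotates projected tokens before expiry nothing else has to change.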
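Review bot: The `certificates:` key is only emitted inside the `with … "dnsNames"` block, so a values file that sets `istio-ingress.public.certificates` without the legacy `dnsNames` makes the `range` emit `- name:` list items with no parent key, which is invalid YAML directly under `istio-ingress:`. Emitting `certificates:` whenever either source is present and nesting both the legacy entry and the range under it fixes this, while the legacy top-level `dnsNames:` key stays as it is. The hard-coded legacy entry name `ingress-cert` can also collide with a user-supplied `name`, which a comment should at least warn about.
```yaml
  {{- with index .Values "istio-ingress" "public" "dnsNames" }}
  # Legacy
  dnsNames:
  {{- toYaml . | nindent 2 }}
  {{- end }}
  {{- if or (index .Values "istio-ingress" "public" "dnsNames") (index .Values "istio-ingress" "public" "certificates") }}
  certificates:
  {{- with index .Values "istio-ingress" "public" "dnsNames" }}
  # Legacy single-cert entry; its name must not collide with entries in .certificates
  - name: ingress-cert
    dnsNames:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  # New multi cert gateway
  {{- range $cert := (index .Values "istio-ingress" "public" "certificates") }}
  - name: {{ $cert.name }}
    dnsNames:
    {{- toYaml $cert.dnsNames | nindent 4 }}
  {{- end }}
  {{- end }}
  # … unchanged: proxyProtocol …
```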
@@ -32,9 +45,22 @@ istio-private-ingress:
 {{- toYaml . | nindent 6 }}
 {{- end }}
 {{- with index .Values "istio-ingress" "private" "dnsNames" }}
+ # Legacy
 dnsNames:
 {{- toYaml . | nindent 2 }}
+
+ certificates:
+ - name: private-ingress-cert
+ dnsNames:
+ {{- toYaml . | nindent 4 }}
 {{- end }}
+ # New multi cert gateway
+ {{- range $cert := (index .Values "istio-ingress" "private" "certificates") }}
+ - name: {{ $cert.name }}
+ dnsNames:
+ {{- toYaml $cert.dnsNames | nindent 4 }}
+ {{- end }}
+
 proxyProtocol: {{ default false (index .Values "istio-ingress" "private" "proxyProtocol") }}
 {{- end }}
 {{- end }}
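Review bot: The private gateway has the same structural problem as the public one: `certificates:` is only written inside the `with … "dnsNames"` block, so setting `istio-ingress.private.certificates` without the legacy `dnsNames` leaves the `range` output as orphaned `- name:` items under `istio-private-ingress:`, which does not parse. Emit `certificates:` whenever either value is present and nest both the legacy `private-ingress-cert` entry and the range beneath it; the top-level legacy `dnsNames:` key can stay unchanged. A comment warning that `private-ingress-cert` is reserved for the legacy entry would also avoid a silent duplicate name.
```yaml
  {{- with index .Values "istio-ingress" "private" "dnsNames" }}
  # Legacy
  dnsNames:
  {{- toYaml . | nindent 2 }}
  {{- end }}
  {{- if or (index .Values "istio-ingress" "private" "dnsNames") (index .Values "istio-ingress" "private" "certificates") }}
  certificates:
  {{- with index .Values "istio-ingress" "private" "dnsNames" }}
  # Legacy single-cert entry; its name must not collide with entries in .certificates
  - name: private-ingress-cert
    dnsNames:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  # New multi cert gateway
  {{- range $cert := (index .Values "istio-ingress" "private" "certificates") }}
  - name: {{ $cert.name }}
    dnsNames:
    {{- toYaml $cert.dnsNames | nindent 4 }}
  {{- end }}
  {{- end }}
  # … unchanged: proxyProtocol …
```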