Adding chart for AWS' new EKS Pod Identity Webhook #28
Conversation
|
Thanks @max-rocket-internet! Working on getting images published for this :D |
| @@ -0,0 +1,20 @@ | |||
| apiVersion: admissionregistration.k8s.io/v1beta1 | |||
| kind: MutatingWebhookConfiguration | |||
| metadata: | |||
There was a problem hiding this comment.
Could support be added here to configure annotations? We've pulled this to use it, but want to use it with self-signed certificates from cert-manager instead.
| - name: webhook | ||
| image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" | ||
| imagePullPolicy: {{ .Values.image.pullPolicy }} | ||
| command: |
There was a problem hiding this comment.
Could this be updated to also templatize the port being used?
--port={{ .Values.port }}
|
thanks a lot for this @max-rocket-internet ! If i could ask for one more change, could it be possible to add a |
| apiVersion: admissionregistration.k8s.io/v1beta1 | ||
| kind: MutatingWebhookConfiguration | ||
| metadata: | ||
| name: {{ include "aws-pod-identity-webhook.fullname" . }} |
There was a problem hiding this comment.
@micahhausler I think this must be pod-identity-webhook? I just checked all our clusters and this already exists in each with a webhook called iam-for-pods.amazonaws.com.
What is supposed to happen here?
There was a problem hiding this comment.
Judging by what the name here I think we are supposed to overwrite the pod-identity-webhook one in the cluster?
There was a problem hiding this comment.
OK now I realise this chart is not to be installed into an EKS cluster because EKS provides this service by default. This chart would be for none-EKS clusters.
|
If anyone wants extra changes, just create a PR after this is merged. @nckturner I think we merge this and just make users build their own docker images. Then if AWS releases docker images, the chart can be updated? |
|
Just personally speaking, I don't know if having a chart published that doesn't just "work" out of the box is the best approach. While I'm eagerly awaiting this awesome work, it doesn't introduce an ideal workflow for consuming something in Helm if there's a multi-step approach to have the chart actually apply. Regardless, thanks for the awesome commitment of work on this @max-rocket-internet |
|
|
||
| tolerations: [] | ||
|
|
||
| affinity: {} |
There was a problem hiding this comment.
Please include the following (and add to README values listing):
serviceAccount:
# serviceAccount.create: Whether to create a service account or not
create: true
# serviceAccount.name: The name of the service account to create or use
name: ""
rbac:
# rbac.create: `true` if rbac resources should be created
create: true
# rbac.pspEnabled: `true` if PodSecurityPolicy resources should be created
pspEnabled: false
This matches other charts.
There was a problem hiding this comment.
Also, for other charts, we've just used a generic podAnnotations value:
https://github.com/aws/eks-charts/blob/master/stable/aws-vpc-cni/values.yaml#L29
eks-charts/stable/aws-vpc-cni/templates/daemonset.yaml
Lines 17 to 21 in 575321f
Maybe do that for this chart as well?
There was a problem hiding this comment.
OK serviceAccount thing is done.
podAnnotations thing is done.
RBAC is not optional any more I believe and I don't know how to write a PSP so perhaps this can follow in a later PR?
There was a problem hiding this comment.
Yup, PSP stuff can ceertainly be done in followup
| @@ -0,0 +1,24 @@ | |||
| tls_secret_name: pod-identity-webhook | |||
| annotation_prefix: eks.amazonaws.com | |||
There was a problem hiding this comment.
As you alluded to, EKS already installs the pod identity webhook by default, so this EKS-specific annotation prefix is probably not appropriate as the default for this chart?
There was a problem hiding this comment.
Happy to change it but I don't know what for?
| prometheus.io/port: "443" | ||
| prometheus.io/scheme: "https" | ||
| prometheus.io/scrape: "true" | ||
| spec: |
There was a problem hiding this comment.
Did you want to templatize the Service's type?
Example:
There was a problem hiding this comment.
Let's add this in a later PR
|
Thanks very much for this submission @max-rocket-internet! Left a few suggestions and comments to address inline but overall, great start. |
|
@jaypipes OK done. |
|
|
||
| image: | ||
| repository: 602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/pod-identity-webhook | ||
| tag: latest |
There was a problem hiding this comment.
The tag should be a a git SHA or sem ver. With latest, the same replica set could run different "versions" of latest. How would a user suppose to upgrade the chart? Helm will see no changes in the image tag and running helm upgrade will not start a rolling update.
There was a problem hiding this comment.
OK I set it to 0.2.0, the latest release. It's cosmetic anyway as the docker images don't exist yet.
|
Any update on this? |
| prometheus.io/port: "443" | ||
| prometheus.io/scheme: "https" |
There was a problem hiding this comment.
These annotations are incorrect.
The metrics endpoint for these pods is using http on port 9999
| prometheus.io/port: "443" | |
| prometheus.io/scheme: "https" | |
| prometheus.io/port: "9999" | |
| prometheus.io/scheme: "http" |
|
I will close due to review process being too slow or stalled. |
|
@max-rocket-internet thow back, but it looks like they have a docker image now: https://hub.docker.com/r/amazon/amazon-eks-pod-identity-webhook |
|
OK I rebased my branch and opened a new PR (can't reopen this one): #286 |
Note the chart won't run yet as we are still waiting on official docker images: aws/amazon-eks-pod-identity-webhook#5
Related issues:
aws/amazon-eks-pod-identity-webhook#4
aws/containers-roadmap#23
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.