Adding Credential Provider Package with source and helm chart (#829)
* Adding Credential Package with source and helm chart * Adding new line to end of Dockerfile and Makefile * Changed matchImages to take array instead of one repository. Change Initialize interface to remove socketpath and add that to bottlerocket constructor, Removed Notes from chart, moved from Deployment to Daemonset * Namespacing serviceaccount.yaml and removing comments from values.yaml * Copy binaries always to cover update case. Update references to docker to Amazon Linux 2 * Adding AWS Profile to be configurable * Update go version to 1.19, cleanup chart, cleanup bottlerocket tests * Move util to pkg/log. Update to go 1.19 in makefile * Removing time from log and updating global reads to group reads * Updating Gosec * Update Makefile for go version * Formatting fixes * Allowed arm builds for linux * Moving constants to individual files. Moved BR socket logic to BR constructor itself. * Removing unused replicas in values.yaml * Adding new lines to partialyaml and updated tests
Showing
47 changed files
with
2,787 additions
and
2 deletions.
@@ -0,0 +1,14 @@ | ||
FROM golang:1.19-buster | ||
ENV GOTRACEBACK=single | ||
ENV GOPROXY=direct | ||
WORKDIR /app | ||
COPY go.mod . | ||
COPY go.sum . | ||
COPY cmd/ cmd/ | ||
COPY ecr-credential-provider /eksa-binaries/ | ||
COPY aws_signing_helper /eksa-binaries/ | ||
COPY pkg/ pkg/ | ||
ARG SKAFFOLD_GO_GCFLAGS | ||
RUN go build -gcflags="${SKAFFOLD_GO_GCFLAGS}" -o app cmd/aws-credential-provider/*.go | ||
|
||
CMD ["/app/app"] |
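Review bot: The image that ships is the `golang:1.19-buster` build stage itself, so the Go toolchain, module cache and the copied `cmd/` and `pkg/` sources are all present at runtime next to `/app/app`. A second stage (the commit message names Amazon Linux 2 as the intended base) that copies only `/app/app` and `/eksa-binaries/` would remove that patch surface without changing the `CMD`. `ecr-credential-provider` and `aws_signing_helper` are copied in as prebuilt binaries from the build context, so this Dockerfile does not capture where they come from; a comment above those two `COPY` lines naming the producing build step (and, if available, a checksum check) would let a reviewer verify their provenance.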
@@ -0,0 +1,41 @@ | ||
SHELL = /usr/bin/env bash -o pipefail | ||
.SHELLFLAGS = -ec | ||
|
||
REPO_ROOT=$(shell git rev-parse --show-toplevel) | ||
PROJECT_ROOT=$(REPO_ROOT)/credentialproviderpackage | ||
GOLANG_VERSION?="1.19" | ||
GO ?= $(shell source $(REPO_ROOT)/scripts/common.sh && build::common::get_go_path $(GOLANG_VERSION))/go | ||
|
||
# Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set) | ||
ifeq (,$(shell go env GOBIN)) | ||
GOBIN=$(shell go env GOPATH)/bin | ||
else | ||
GOBIN=$(shell go env GOBIN) | ||
endif | ||
|
||
all: build | ||
|
||
help: ## Display this help. | ||
@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf " \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST) | ||
|
||
clean: ## Clean output directory, and the built binary | ||
rm -rf output/ | ||
rm -rf bin/* | ||
rm cover.out | ||
|
||
##@ Build | ||
|
||
build: ## Build Binary | ||
mkdir -p $(PROJECT_ROOT)/bin | ||
$(GO) mod tidy -compat=$(GOLANG_VERSION) | ||
$(GO) build -o $(PROJECT_ROOT)/bin/aws-credential-provider $(PROJECT_ROOT)/cmd/aws-credential-provider/*.go | ||
|
||
build-linux: | ||
[ -d bin ] || mkdir bin | ||
env CGO_ENABLED=0 GOOS=linux $(MAKE) build | ||
|
||
run: | ||
$(GO) run . | ||
|
||
test: build | ||
$(GO) test ./... `$(GO) list $(GOTESTS) | grep -v mocks | grep -v fake | grep -v testutil` -coverprofile cover.out |
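Review bot: `clean` fails on a fresh checkout because `rm cover.out` has no `-f`, and none of the command targets are declared phony; use `$(RM) cover.out` and add `.PHONY: all help clean build build-linux run test`. `build` runs `go mod tidy` before compiling, so a routine build can rewrite go.mod and go.sum and silently change the dependency set; `$(GO) mod verify` followed by a build with `-mod=readonly` makes such drift fail loudly instead. `REPO_ROOT=$(shell git rev-parse ...)` and both `GOBIN=$(shell go env ...)` assignments use `=`, which re-runs the shell command on every expansion (`:=` is intended), and the `GOBIN` detection calls whatever `go` is on PATH rather than the `$(GO)` resolved two lines above. `build-linux` creates `bin` in the working directory but the `build` it invokes writes to `$(PROJECT_ROOT)/bin`, so that first line can be dropped; `$(GOTESTS)` in `test` is not defined anywhere in this file.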
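--- a/credentialproviderpackage/charts/credential-provider-package/.helmignore
+++ b/credentialproviderpackage/charts/credential-provider-package/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/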
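--- a/credentialproviderpackage/charts/credential-provider-package/Chart.yaml
+++ b/credentialproviderpackage/charts/credential-provider-package/Chart.yaml
@@ -0,0 +1,7 @@
+apiVersion: v2
+name: credential-provider-package
+description: A Helm chart for credential-provider-package, an application for configuring credentials via Kubelet Credential Provider
+type: application
+version: 0.1.0
+sources:
+- https://github.com/aws/eks-anywhere-packages/credentialproviderpackage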
88 changes: 88 additions & 0 deletions
88
credentialproviderpackage/charts/credential-provider-package/templates/_helpers.tpl
@@ -0,0 +1,88 @@ | ||
{{/* | ||
Expand the name of the chart. | ||
*/}} | ||
{{- define "credential-provider.name" -}} | ||
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} | ||
{{- end }} | ||
|
||
{{/* | ||
Create a default fully qualified app name. | ||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). | ||
If release name contains chart name it will be used as a full name. | ||
*/}} | ||
{{- define "credential-provider.fullname" -}} | ||
{{- if .Values.fullnameOverride }} | ||
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} | ||
{{- else }} | ||
{{- $name := default .Chart.Name .Values.nameOverride }} | ||
{{- if contains $name .Release.Name }} | ||
{{- .Release.Name | trunc 63 | trimSuffix "-" }} | ||
{{- else }} | ||
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} | ||
{{- end }} | ||
{{- end }} | ||
{{- end }} | ||
|
||
{{/* | ||
Create chart name and version as used by the chart label. | ||
*/}} | ||
{{- define "credential-provider.chart" -}} | ||
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} | ||
{{- end }} | ||
|
||
{{/* | ||
Common labels | ||
*/}} | ||
{{- define "credential-provider.labels" -}} | ||
helm.sh/chart: {{ include "credential-provider.chart" . }} | ||
{{ include "credential-provider.selectorLabels" . }} | ||
{{- if .Chart.AppVersion }} | ||
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} | ||
{{- end }} | ||
app.kubernetes.io/managed-by: {{ .Release.Service }} | ||
{{- end }} | ||
|
||
{{/* | ||
Selector labels | ||
*/}} | ||
{{- define "credential-provider.selectorLabels" -}} | ||
app.kubernetes.io/name: {{ include "credential-provider.name" . }} | ||
app.kubernetes.io/instance: {{ .Release.Name }} | ||
{{- end }} | ||
|
||
{{/* | ||
Create the name of the service account to use | ||
*/}} | ||
{{- define "credential-provider.serviceAccountName" -}} | ||
{{- if .Values.serviceAccount.create }} | ||
{{- default (include "credential-provider.fullname" .) .Values.serviceAccount.name }} | ||
{{- else }} | ||
{{- default "default" .Values.serviceAccount.name }} | ||
{{- end }} | ||
{{- end }} | ||
|
||
{{/* | ||
Create image name | ||
*/}} | ||
{{- define "template.image" -}} | ||
{{- if eq (substr 0 7 .tag) "sha256:" -}} | ||
{{- printf "/%s@%s" .repository .tag -}} | ||
{{- else -}} | ||
{{- printf "/%s:%s" .repository .tag -}} | ||
{{- end -}} | ||
{{- end -}} | ||
|
||
{{/* | ||
Function to figure out os name | ||
*/}} | ||
{{- define "template.getOSName" -}} | ||
{{- with first ((lookup "v1" "Node" "" "").items) -}} | ||
{{- if contains "Bottlerocket" .status.nodeInfo.osImage -}} | ||
{{- printf "bottlerocket" -}} | ||
{{- else if contains "Amazon Linux" .status.nodeInfo.osImage -}} | ||
{{- printf "amazonlinux" -}} | ||
{{- else -}} | ||
{{- printf "other" -}} | ||
{{- end }} | ||
{{- end }} | ||
{{- end }} |
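Review bot: `template.getOSName` decides the node OS for the whole DaemonSet from `first` of the `lookup "v1" "Node"` result, so a cluster with mixed Bottlerocket and Amazon Linux nodes gets the mounts of whichever node happens to be listed first, and under `helm template` or `--dry-run` (where `lookup` returns nothing) the `with` body is skipped and the helper renders an empty string, which the daemonset then treats as the generic OS without any warning. Documenting that in the `{{/* Function to figure out os name */}}` comment and letting a value such as `.Values.osName` (name is a placeholder) override the detected result would make both cases explicit; a `fail` when no node is found would be stricter still. `template.image` is defined here but no template in this commit's shown files calls it — daemonset.yaml builds the image reference inline from `.Values.image.digest` — so either the helper or the `image.tag` value it consumes looks like dead code.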
95 changes: 95 additions & 0 deletions
95
credentialproviderpackage/charts/credential-provider-package/templates/daemonset.yaml
@@ -0,0 +1,95 @@ | ||
apiVersion: apps/v1 | ||
kind: DaemonSet | ||
metadata: | ||
name: {{ include "credential-provider.fullname" . }} | ||
namespace: {{ .Release.Namespace | default .Values.defaultNamespace | quote }} | ||
labels: | ||
{{- include "credential-provider.labels" . | nindent 4 }} | ||
spec: | ||
selector: | ||
matchLabels: | ||
{{- include "credential-provider.selectorLabels" . | nindent 6 }} | ||
template: | ||
metadata: | ||
{{- with .Values.podAnnotations }} | ||
annotations: | ||
{{- toYaml . | nindent 8 }} | ||
{{- end }} | ||
labels: | ||
{{- include "credential-provider.selectorLabels" . | nindent 8 }} | ||
spec: | ||
{{- with .Values.imagePullSecrets }} | ||
imagePullSecrets: | ||
{{- toYaml . | nindent 8 }} | ||
{{- end }} | ||
serviceAccountName: {{ include "credential-provider.serviceAccountName" . }} | ||
securityContext: | ||
{{- toYaml .Values.podSecurityContext | nindent 8 }} | ||
containers: | ||
- name: credential-provider | ||
image: {{ .Values.sourceRegistry }}/{{ .Values.image.repository }}@{{ .Values.image.digest }} | ||
imagePullPolicy: {{ .Values.image.pullPolicy }} | ||
securityContext: | ||
privileged: true | ||
resources: | ||
{{- toYaml .Values.resources | nindent 12 }} | ||
volumeMounts: | ||
- name: aws-creds | ||
mountPath: /secrets/aws-creds | ||
{{ $os := include "template.getOSName" .}} | ||
{{- if eq $os "bottlerocket" }} | ||
- mountPath: /run/api.sock | ||
name: socket | ||
{{- else}} | ||
- mountPath: /node-files/kubelet-extra-args | ||
name: kubelet-extra-args | ||
- name: package-mounts | ||
mountPath: /eksa-packages | ||
{{- end}} | ||
env: | ||
- name: OS_TYPE | ||
value: {{ $os }} | ||
- name: AWS_PROFILE | ||
value: {{.Values.application.profile}} | ||
- name: MATCH_IMAGES | ||
value: '{{ join "," .Values.application.matchImages }}' | ||
- name: DEFAULT_CACHE_DURATION | ||
value: {{.Values.application.defaultCacheDuration}} | ||
volumes: | ||
- name: aws-creds | ||
secret: | ||
secretName: {{.Values.application.secretName}} | ||
optional: false | ||
{{- if eq $os "bottlerocket" }} | ||
- name: socket | ||
hostPath: | ||
path: /run/api.sock | ||
{{- else if eq $os "amazonlinux"}} | ||
- name: kubelet-extra-args | ||
hostPath: | ||
path: /etc/default/kubelet | ||
type: FileOrCreate | ||
{{- else}} | ||
- name: kubelet-extra-args | ||
hostPath: | ||
path: /etc/sysconfig/kubelet | ||
type: FileOrCreate | ||
{{- end }} | ||
{{- if ne $os "bottlerocket" }} | ||
- name: package-mounts | ||
hostPath: | ||
path: /eksa-packages | ||
{{- end }} | ||
{{- with .Values.nodeSelector }} | ||
nodeSelector: | ||
{{- toYaml . | nindent 8 }} | ||
{{- end }} | ||
{{- with .Values.affinity }} | ||
affinity: | ||
{{- toYaml . | nindent 8 }} | ||
{{- end }} | ||
{{- with .Values.tolerations }} | ||
tolerations: | ||
{{- toYaml . | nindent 8 }} | ||
{{- end }} | ||
hostPID: true |
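Review bot: The container securityContext is hard-coded to `privileged: true` and the pod sets `hostPID: true`, while the `securityContext: {}` key that values.yaml exposes is never referenced here (only `podSecurityContext` is rendered), so an operator has no way to tighten the container even on nodes where that would suffice. Given the writable hostPath mounts of the kubelet config (`/etc/default/kubelet` and `/etc/sysconfig/kubelet`, both `FileOrCreate`), `/eksa-packages`, and the Bottlerocket `/run/api.sock`, this pod effectively has host-level control, which deserves a comment in the template stating why each privilege is needed and `readOnly: true` on any mount the provider only reads. `AWS_PROFILE` and `DEFAULT_CACHE_DURATION` are rendered unquoted (`value: {{.Values.application.profile}}`), so a numeric-looking value becomes a YAML number and fails API validation; `value: {{ .Values.application.profile | quote }}` avoids that. The `{{ $os := include "template.getOSName" .}}` assignment lacks the `{{-` trim and emits a stray blank line inside `volumeMounts`.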
13 changes: 13 additions & 0 deletions
13
credentialproviderpackage/charts/credential-provider-package/templates/serviceaccount.yaml
@@ -0,0 +1,13 @@ | ||
{{- if .Values.serviceAccount.create -}} | ||
apiVersion: v1 | ||
kind: ServiceAccount | ||
metadata: | ||
name: {{ include "credential-provider.serviceAccountName" . }} | ||
namespace: {{ .Release.Namespace | default .Values.defaultNamespace | quote }} | ||
labels: | ||
{{- include "credential-provider.labels" . | nindent 4 }} | ||
{{- with .Values.serviceAccount.annotations }} | ||
annotations: | ||
{{- toYaml . | nindent 4 }} | ||
{{- end }} | ||
{{- end }} |
46 changes: 46 additions & 0 deletions
46
credentialproviderpackage/charts/credential-provider-package/values.yaml
@@ -0,0 +1,46 @@ | ||
# Default values for credential-provider. | ||
# This is a YAML-formatted file. | ||
|
||
# -- sourceRegistry for all container images in chart. | ||
sourceRegistry: public.ecr.aws/eks-anywhere | ||
defaultNamespace: eksa-packages | ||
|
||
image: | ||
repository: "credential-provider-package" | ||
tag: "{{credential-provider-package-tag}}" | ||
digest: "{{credential-provider-package-digest}}" | ||
pullPolicy: IfNotPresent | ||
|
||
# application values | ||
application: | ||
secretName: aws-cred | ||
matchImages: [] | ||
defaultCacheDuration: "" | ||
profile: "" | ||
|
||
imagePullSecrets: [] | ||
nameOverride: "" | ||
fullnameOverride: "" | ||
|
||
serviceAccount: | ||
# Specifies whether a service account should be created | ||
create: true | ||
# Annotations to add to the service account | ||
annotations: {} | ||
# The name of the service account to use. | ||
# If not set and create is true, a name is generated using the fullname template | ||
name: "" | ||
|
||
podAnnotations: {} | ||
|
||
podSecurityContext: {} | ||
|
||
securityContext: {} | ||
|
||
resources: {} | ||
|
||
nodeSelector: {} | ||
|
||
tolerations: [] | ||
|
||
affinity: {} |
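Review bot: The `application` block has no per-key documentation even though each key is consumed directly by the DaemonSet — `secretName` is the Secret mounted at `/secrets/aws-creds`, `matchImages` is joined into `MATCH_IMAGES`, `defaultCacheDuration` becomes `DEFAULT_CACHE_DURATION` and `profile` becomes `AWS_PROFILE` — so a one-line `# --` comment above each stating that mapping would replace the comments the commit removed. `image.tag` and `securityContext` are defined here but not used by daemonset.yaml or serviceaccount.yaml in this commit (the image is pinned by `image.digest`; only `podSecurityContext` is rendered), so they should either be wired in or dropped to avoid giving operators a knob that does nothing.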