ira-controller

command module
v1.1.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Nov 20, 2024 License: Apache-2.0 Imports: 1 Imported by: 0

README

ira-controller

Latest Release CLA assistant Build Status codecov Go Report Card GoDoc

ira-controler is a mutating webhook and pod controller for Kubernetes, facilitating the use of aws/rolesanywhere-credential-helper as a sidecar for your application that needs to use IAM Roles Anywhere to access AWS resources.

Description

Before you begin using this project you should be familiar with the concepts of IAM Roles Anywhere and have configured the required AWS resources.

Mutating Webhook

The mutating webhook provided by this project is watching the creation/updating of pods and will inject a rolesanywhere credential helper sidecar if the required annotations are provided. This sidecar will be configured based on the following annotations on the pod.

Annotation Description
ira.ontsys.com/trust-anchor The ARN of the IAM Roles Anywhere trust anchor to use for obtaining credentials.
ira.ontsys.com/profile The ARN of the IAM Roles Anywhere profile to use for obtaining credentials. This profile must contain the IAM role specified in ira.ontsys.com/role
ira.ontsys.com/role The ARN of the IAM role to be assumed to gain credentials.
ira.ontsys.com/cert Either the name of a TLS secret containing a certificate that was issued by the CA configured in trust anchor or when used in conjunction with the controller the optional name to use to create a cert-manager certificate that will be created by the controller.
Pod Controller

The pod controller is optional and if desired must be turned on using the --generate-cert command-line flag. Once enabled the controller will trigger based on the same annotations as the webhook and create a certificate resource. The CA behind the cert-manager issuer needs to be the CA that is configured in the trust anchor in order to successfully obtain credentials. The TLS secret that is generated from this certificate will then be the one used to by the webhook for authentication.

Annotation Description
ira.ontsys.com/issuer-kind The kind of cert-manager issuer that should be used to issue the certificate. If not provided the value of --default-issuer-kind will be used.
ira.ontsys.com/issuer-name The name of the issuer that should be used to issue the certificate. If not provided the value of --default-issuer-name will be used.
ira.ontsys.com/cert The optional name to use when creating a cert-manager certificate. If not provided the certificate name will be generated based on the controlling resource of the pod.

NOTE: If neither the ira.ontsys.com/issuer-name annotation or the --default-issuer-name command line flag are provided then the certificate will fail to be created.

Getting Started

Prerequisites
  • go version v1.22.0+
  • docker version 26.1+.
  • kubectl version v1.29.0+.
  • helm version v3.15.2+.
  • Access to a Kubernetes v1.29.0+ cluster.

This project may work on older versions but has not been tested.

Command Line Options

The command line is self documenting. For a full list of options run ira-controller --help.

The options that start with credential-helper are all related to the rolesanywhere-credential-helper that is being injected. The --credential-helper-image flag is required as the project currently doesn't publish an official image. They have a GitHub issue for discussing the possibility of adding one.

To Deploy on the cluster

Install with helm

Add the ira-controller Helm repository:

helm repo add ira-controller https://ontariosystems.github.io/ira-controller
helm repo update

Then install a release using the chart. The charts default values file provides some commented out examples for setting some of the values. There are several required values, but helm should fail with messages that indicate which value is missing.

helm upgrade --install --namespace ira-controller-system ira-controller \
    ira-controller/ira-controller --values <<name_of_your_values_file>>.yaml
Build an image and deploy using kustomize

Build and push your image to the location specified by IMG:

make docker-build docker-push IMG=<some-registry>/ira-controller:tag

NOTE: This image ought to be published in the personal registry you specified. And it is required to have access to pull the image from the working environment. Make sure you have the proper permission to the registry if the above commands don’t work.

Deploy the Manager to the cluster with the image specified by IMG:

make deploy IMG=<some-registry>/ira-controller:tag

UnDeploy the controller from the cluster:

make undeploy

Project Distribution

Following are the steps to build the installer and distribute this project to users.

  1. Build the installer for the image built and published in the registry:
make build-installer IMG=<some-registry>/ira-controller:tag

NOTE: The makefile target mentioned above generates an 'install.yaml' file in the dist directory. This file contains all the resources built with Kustomize, which are necessary to install this project without its dependencies.

  1. Using the installer

Users can just run kubectl apply -f to install the project, i.e.:

kubectl apply -f dist/install.yaml

Contributing

View our contributing policy.

Additional Information

NOTE: Run make help for more information on all potential make targets

More information can be found via the Kubebuilder Documentation

License

Copyright 2024 Ontario Systems.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Documentation

The Go Gopher

There is no documentation for this package.

Directories

Path Synopsis
api
v1
internal

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL