diff --git a/addons/iam-chart/helm/Chart.yaml b/addons/iam-chart/helm/Chart.yaml new file mode 100644 index 000000000..9978037b4 --- /dev/null +++ b/addons/iam-chart/helm/Chart.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +name: iam-chart +description: A Helm chart for the ACK service controller for AWS Identity & Access Management (IAM) +version: 1.2.6 +appVersion: 1.2.6 +home: https://github.com/aws-controllers-k8s/iam-controller +icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png +sources: + - https://github.com/aws-controllers-k8s/iam-controller +maintainers: + - name: ACK Admins + url: https://github.com/orgs/aws-controllers-k8s/teams/ack-admin + - name: IAM Admins + url: https://github.com/orgs/aws-controllers-k8s/teams/iam-maintainer +keywords: + - aws + - kubernetes + - iam diff --git a/addons/iam-chart/helm/crds/iam.services.k8s.aws_groups.yaml b/addons/iam-chart/helm/crds/iam.services.k8s.aws_groups.yaml new file mode 100644 index 000000000..f04bb76f1 --- /dev/null +++ b/addons/iam-chart/helm/crds/iam.services.k8s.aws_groups.yaml 
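Review bot: `version: 1.2.6` and `appVersion: 1.2.6` in the Chart.yaml hunk are plain scalars; they happen to parse as strings today, but a later two-component value such as 1.3 would be read as a float, so I would pin them as `version: "1.2.6"` and `appVersion: "1.2.6"`. The chart also declares `apiVersion: v1`, the Helm 2 chart format; if only Helm 3 consumers are expected, `apiVersion: v2` would let the chart state `type: application` and carry any `dependencies` in this file rather than in a separate requirements.yaml. Both values are presumably copied from the upstream iam-controller release artifact, in which case they should be kept in sync with it rather than hand-edited here.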
@@ -0,0 +1,166 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: groups.iam.services.k8s.aws +spec: + group: iam.services.k8s.aws + names: + kind: Group + listKind: GroupList + plural: groups + singular: group + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Group is the Schema for the Groups API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: "GroupSpec defines the desired state of Group. \n Contains + information about an IAM group entity. \n This data type is used as + a response element in the following operations: \n - CreateGroup \n + - GetGroup \n - ListGroups" + properties: + inlinePolicies: + additionalProperties: + type: string + type: object + name: + description: "The name of the group to create. Do not include the + path in this value. \n IAM user, group, role, and policy names must + be unique within the account. Names are not distinguished by case. + For example, you cannot create resources named both \"MyResource\" + and \"myresource\"." + type: string + path: + description: "The path to the group. 
For more information about paths, + see IAM identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) + in the IAM User Guide. \n This parameter is optional. If it is not + included, it defaults to a slash (/). \n This parameter allows (through + its regex pattern (http://wikipedia.org/wiki/regex)) a string of + characters consisting of either a forward slash (/) by itself or + a string that must begin and end with forward slashes. In addition, + it can contain any ASCII character from the ! (\\u0021) through + the DEL character (\\u007F), including most punctuation characters, + digits, and upper and lowercased letters." + type: string + policies: + items: + type: string + type: array + policyRefs: + items: + description: "AWSResourceReferenceWrapper provides a wrapper around + *AWSResourceReference type to provide more user friendly syntax + for references using 'from' field Ex: APIIDRef: \n from: name: + my-api" + properties: + from: + description: AWSResourceReference provides all the values necessary + to reference another k8s resource for finding the identifier(Id/ARN/Name) + properties: + name: + type: string + type: object + type: object + type: array + required: + - name + type: object + status: + description: GroupStatus defines the observed state of Group + properties: + ackResourceMetadata: + description: All CRs managed by ACK have a common `Status.ACKResourceMetadata` + member that is used to contain resource sync state, account ownership, + constructed ARN for the resource + properties: + arn: + description: 'ARN is the Amazon Resource Name for the resource. + This is a globally-unique identifier and is set only by the + ACK service controller once the controller has orchestrated + the creation of the resource OR when it has verified that an + "adopted" resource (a resource where the ARN annotation was + set by the Kubernetes user on the CR) exists and matches the + supplied CR''s Spec field values. 
TODO(vijat@): Find a better + strategy for resources that do not have ARN in CreateOutputResponse + https://github.com/aws/aws-controllers-k8s/issues/270' + type: string + ownerAccountID: + description: OwnerAccountID is the AWS Account ID of the account + that owns the backend AWS service API resource. + type: string + region: + description: Region is the AWS region in which the resource exists + or will exist. + type: string + required: + - ownerAccountID + - region + type: object + conditions: + description: All CRS managed by ACK have a common `Status.Conditions` + member that contains a collection of `ackv1alpha1.Condition` objects + that describe the various terminal states of the CR and its backend + AWS service API resource + items: + description: Condition is the common struct used by all CRDs managed + by ACK service controllers to indicate terminal states of the + CR and its backend AWS service API resource + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type is the type of the Condition + type: string + required: + - status + - type + type: object + type: array + createDate: + description: The date and time, in ISO 8601 date-time format (http://www.iso.org/iso/iso8601), + when the group was created. + format: date-time + type: string + groupID: + description: The stable and unique string identifying the group. For + more information about IDs, see IAM identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) + in the IAM User Guide. 
+ type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/addons/iam-chart/helm/crds/iam.services.k8s.aws_openidconnectproviders.yaml b/addons/iam-chart/helm/crds/iam.services.k8s.aws_openidconnectproviders.yaml new file mode 100644 index 000000000..79644cb75 --- /dev/null +++ b/addons/iam-chart/helm/crds/iam.services.k8s.aws_openidconnectproviders.yaml 
@@ -0,0 +1,179 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: openidconnectproviders.iam.services.k8s.aws +spec: + group: iam.services.k8s.aws + names: + kind: OpenIDConnectProvider + listKind: OpenIDConnectProviderList + plural: openidconnectproviders + singular: openidconnectprovider + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: OpenIDConnectProvider is the Schema for the OpenIDConnectProviders + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: OpenIDConnectProviderSpec defines the desired state of OpenIDConnectProvider. + properties: + clientIDs: + description: "Provides a list of client IDs, also known as audiences. + When a mobile or web app registers with an OpenID Connect provider, + they establish a value that identifies the application. This is + the value that's sent as the client_id parameter on OAuth requests. + \n You can register multiple client IDs with the same provider. + For example, you might have multiple applications that use the same + OIDC provider. You cannot register more than 100 client IDs with + a single IAM OIDC provider. \n There is no defined format for a + client ID. 
The CreateOpenIDConnectProviderRequest operation accepts + client IDs up to 255 characters long." + items: + type: string + type: array + tags: + description: "A list of tags that you want to attach to the new IAM + OpenID Connect (OIDC) provider. Each tag consists of a key name + and an associated value. For more information about tagging, see + Tagging IAM resources (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) + in the IAM User Guide. \n If any one of the tags is invalid or if + you exceed the allowed maximum number of tags, then the entire request + fails and the resource is not created." + items: + description: A structure that represents user-provided metadata + that can be associated with an IAM resource. For more information + about tagging, see Tagging IAM resources (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) + in the IAM User Guide. + properties: + key: + type: string + value: + type: string + type: object + type: array + thumbprints: + description: "A list of server certificate thumbprints for the OpenID + Connect (OIDC) identity provider's server certificates. Typically + this list includes only one entry. However, IAM lets you have up + to five thumbprints for an OIDC provider. This lets you maintain + multiple thumbprints if the identity provider is rotating certificates. + \n The server certificate thumbprint is the hex-encoded SHA-1 hash + value of the X.509 certificate used by the domain where the OpenID + Connect provider makes its keys available. It is always a 40-character + string. \n You must provide at least one thumbprint when creating + an IAM OIDC provider. For example, assume that the OIDC provider + is server.example.com and the provider stores its keys at https://keys.server.example.com/openid-connect. + In that case, the thumbprint string would be the hex-encoded SHA-1 + hash value of the certificate used by https://keys.server.example.com. 
+ \n For more information about obtaining the OIDC provider thumbprint, + see Obtaining the thumbprint for an OpenID Connect provider (https://docs.aws.amazon.com/IAM/latest/UserGuide/identity-providers-oidc-obtain-thumbprint.html) + in the IAM User Guide." + items: + type: string + type: array + url: + description: "The URL of the identity provider. The URL must begin + with https:// and should correspond to the iss claim in the provider's + OpenID Connect ID tokens. Per the OIDC standard, path components + are allowed but query parameters are not. Typically the URL consists + of only a hostname, like https://server.example.org or https://example.com. + The URL should not contain a port number. \n You cannot register + the same provider multiple times in a single Amazon Web Services + account. If you try to submit a URL that has already been used for + an OpenID Connect provider in the Amazon Web Services account, you + will get an error." + type: string + required: + - thumbprints + - url + type: object + status: + description: OpenIDConnectProviderStatus defines the observed state of + OpenIDConnectProvider + properties: + ackResourceMetadata: + description: All CRs managed by ACK have a common `Status.ACKResourceMetadata` + member that is used to contain resource sync state, account ownership, + constructed ARN for the resource + properties: + arn: + description: 'ARN is the Amazon Resource Name for the resource. + This is a globally-unique identifier and is set only by the + ACK service controller once the controller has orchestrated + the creation of the resource OR when it has verified that an + "adopted" resource (a resource where the ARN annotation was + set by the Kubernetes user on the CR) exists and matches the + supplied CR''s Spec field values. 
TODO(vijat@): Find a better + strategy for resources that do not have ARN in CreateOutputResponse + https://github.com/aws/aws-controllers-k8s/issues/270' + type: string + ownerAccountID: + description: OwnerAccountID is the AWS Account ID of the account + that owns the backend AWS service API resource. + type: string + region: + description: Region is the AWS region in which the resource exists + or will exist. + type: string + required: + - ownerAccountID + - region + type: object + conditions: + description: All CRS managed by ACK have a common `Status.Conditions` + member that contains a collection of `ackv1alpha1.Condition` objects + that describe the various terminal states of the CR and its backend + AWS service API resource + items: + description: Condition is the common struct used by all CRDs managed + by ACK service controllers to indicate terminal states of the + CR and its backend AWS service API resource + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type is the type of the Condition + type: string + required: + - status + - type + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/addons/iam-chart/helm/crds/iam.services.k8s.aws_policies.yaml b/addons/iam-chart/helm/crds/iam.services.k8s.aws_policies.yaml new file mode 100644 index 000000000..efbacb7aa --- /dev/null +++ b/addons/iam-chart/helm/crds/iam.services.k8s.aws_policies.yaml 
@@ -0,0 +1,221 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: policies.iam.services.k8s.aws +spec: + group: iam.services.k8s.aws + names: + kind: Policy + listKind: PolicyList + plural: policies + singular: policy + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Policy is the Schema for the Policies API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: "PolicySpec defines the desired state of Policy. \n Contains + information about a managed policy. \n This data type is used as a response + element in the CreatePolicy, GetPolicy, and ListPolicies operations. + \n For more information about managed policies, refer to Managed policies + and inline policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-vs-inline.html) + in the IAM User Guide." + properties: + description: + description: "A friendly description of the policy. \n Typically used + to store information about the permissions defined in the policy. + For example, \"Grants access to production DynamoDB tables.\" \n + The policy description is immutable. After a value is assigned, + it cannot be changed." 
+ type: string + name: + description: "The friendly name of the policy. \n IAM user, group, + role, and policy names must be unique within the account. Names + are not distinguished by case. For example, you cannot create resources + named both \"MyResource\" and \"myresource\"." + type: string + path: + description: "The path for the policy. \n For more information about + paths, see IAM identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) + in the IAM User Guide. \n This parameter is optional. If it is not + included, it defaults to a slash (/). \n This parameter allows (through + its regex pattern (http://wikipedia.org/wiki/regex)) a string of + characters consisting of either a forward slash (/) by itself or + a string that must begin and end with forward slashes. In addition, + it can contain any ASCII character from the ! (\\u0021) through + the DEL character (\\u007F), including most punctuation characters, + digits, and upper and lowercased letters. \n You cannot use an asterisk + (*) in the path name." + type: string + policyDocument: + description: "The JSON policy document that you want to use as the + content for the new policy. \n You must provide policies in JSON + format in IAM. However, for CloudFormation templates formatted in + YAML, you can provide the policy in JSON or YAML format. CloudFormation + always converts a YAML policy to JSON format before submitting it + to IAM. \n The maximum length of the policy document that you can + pass in this operation, including whitespace, is listed below. To + view the maximum character counts of a managed policy with no whitespaces, + see IAM and STS character quotas (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-quotas-entity-length). + \n To learn more about JSON policy grammar, see Grammar of the IAM + JSON policy language (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html) + in the IAM User Guide. 
\n The regex pattern (http://wikipedia.org/wiki/regex) + used to validate this parameter is a string of characters consisting + of the following: \n - Any printable ASCII character ranging from + the space character (\\u0020) through the end of the ASCII character + range \n - The printable characters in the Basic Latin and Latin-1 + Supplement character set (through \\u00FF) \n - The special characters + tab (\\u0009), line feed (\\u000A), and carriage return (\\u000D)" + type: string + tags: + description: "A list of tags that you want to attach to the new IAM + customer managed policy. Each tag consists of a key name and an + associated value. For more information about tagging, see Tagging + IAM resources (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) + in the IAM User Guide. \n If any one of the tags is invalid or if + you exceed the allowed maximum number of tags, then the entire request + fails and the resource is not created." + items: + description: A structure that represents user-provided metadata + that can be associated with an IAM resource. For more information + about tagging, see Tagging IAM resources (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) + in the IAM User Guide. + properties: + key: + type: string + value: + type: string + type: object + type: array + required: + - name + - policyDocument + type: object + status: + description: PolicyStatus defines the observed state of Policy + properties: + ackResourceMetadata: + description: All CRs managed by ACK have a common `Status.ACKResourceMetadata` + member that is used to contain resource sync state, account ownership, + constructed ARN for the resource + properties: + arn: + description: 'ARN is the Amazon Resource Name for the resource. 
+ This is a globally-unique identifier and is set only by the + ACK service controller once the controller has orchestrated + the creation of the resource OR when it has verified that an + "adopted" resource (a resource where the ARN annotation was + set by the Kubernetes user on the CR) exists and matches the + supplied CR''s Spec field values. TODO(vijat@): Find a better + strategy for resources that do not have ARN in CreateOutputResponse + https://github.com/aws/aws-controllers-k8s/issues/270' + type: string + ownerAccountID: + description: OwnerAccountID is the AWS Account ID of the account + that owns the backend AWS service API resource. + type: string + region: + description: Region is the AWS region in which the resource exists + or will exist. + type: string + required: + - ownerAccountID + - region + type: object + attachmentCount: + description: The number of entities (users, groups, and roles) that + the policy is attached to. + format: int64 + type: integer + conditions: + description: All CRS managed by ACK have a common `Status.Conditions` + member that contains a collection of `ackv1alpha1.Condition` objects + that describe the various terminal states of the CR and its backend + AWS service API resource + items: + description: Condition is the common struct used by all CRDs managed + by ACK service controllers to indicate terminal states of the + CR and its backend AWS service API resource + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. 
+ type: string + type: + description: Type is the type of the Condition + type: string + required: + - status + - type + type: object + type: array + createDate: + description: The date and time, in ISO 8601 date-time format (http://www.iso.org/iso/iso8601), + when the policy was created. + format: date-time + type: string + defaultVersionID: + description: The identifier for the version of the policy that is + set as the default version. + type: string + isAttachable: + description: Specifies whether the policy can be attached to an IAM + user, group, or role. + type: boolean + permissionsBoundaryUsageCount: + description: "The number of entities (users and roles) for which the + policy is used to set the permissions boundary. \n For more information + about permissions boundaries, see Permissions boundaries for IAM + identities (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) + in the IAM User Guide." + format: int64 + type: integer + policyID: + description: "The stable and unique string identifying the policy. + \n For more information about IDs, see IAM identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) + in the IAM User Guide." + type: string + updateDate: + description: "The date and time, in ISO 8601 date-time format (http://www.iso.org/iso/iso8601), + when the policy was last updated. \n When a policy has only one + version, this field contains the date and time when the policy was + created. When a policy has more than one version, this field contains + the date and time when the most recent policy version was created." + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/addons/iam-chart/helm/crds/iam.services.k8s.aws_roles.yaml b/addons/iam-chart/helm/crds/iam.services.k8s.aws_roles.yaml new file mode 100644 index 000000000..858f41c41 --- /dev/null 
+++ b/addons/iam-chart/helm/crds/iam.services.k8s.aws_roles.yaml 
@@ -0,0 +1,253 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: roles.iam.services.k8s.aws +spec: + group: iam.services.k8s.aws + names: + kind: Role + listKind: RoleList + plural: roles + singular: role + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Role is the Schema for the Roles API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: "RoleSpec defines the desired state of Role. \n Contains + information about an IAM role. This structure is returned as a response + element in several API operations that interact with roles." + properties: + assumeRolePolicyDocument: + description: "The trust relationship policy document that grants an + entity permission to assume the role. \n In IAM, you must provide + a JSON policy that has been converted to a string. However, for + CloudFormation templates formatted in YAML, you can provide the + policy in JSON or YAML format. CloudFormation always converts a + YAML policy to JSON format before submitting it to IAM. 
\n The regex + pattern (http://wikipedia.org/wiki/regex) used to validate this + parameter is a string of characters consisting of the following: + \n - Any printable ASCII character ranging from the space character + (\\u0020) through the end of the ASCII character range \n - The + printable characters in the Basic Latin and Latin-1 Supplement character + set (through \\u00FF) \n - The special characters tab (\\u0009), + line feed (\\u000A), and carriage return (\\u000D) \n Upon success, + the response includes the same trust policy in JSON format." + type: string + description: + description: A description of the role. + type: string + inlinePolicies: + additionalProperties: + type: string + type: object + maxSessionDuration: + description: "The maximum session duration (in seconds) that you want + to set for the specified role. If you do not specify a value for + this setting, the default value of one hour is applied. This setting + can have a value from 1 hour to 12 hours. \n Anyone who assumes + the role from the or API can use the DurationSeconds API parameter + or the duration-seconds CLI parameter to request a longer session. + The MaxSessionDuration setting determines the maximum duration that + can be requested using the DurationSeconds parameter. If users don't + specify a value for the DurationSeconds parameter, their security + credentials are valid for one hour by default. This applies when + you use the AssumeRole* API operations or the assume-role* CLI operations + but does not apply when you use those operations to create a console + URL. For more information, see Using IAM roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html) + in the IAM User Guide." + format: int64 + type: integer + name: + description: "The name of the role to create. \n IAM user, group, + role, and policy names must be unique within the account. Names + are not distinguished by case. 
For example, you cannot create resources + named both \"MyResource\" and \"myresource\"." + type: string + path: + description: "The path to the role. For more information about paths, + see IAM Identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) + in the IAM User Guide. \n This parameter is optional. If it is not + included, it defaults to a slash (/). \n This parameter allows (through + its regex pattern (http://wikipedia.org/wiki/regex)) a string of + characters consisting of either a forward slash (/) by itself or + a string that must begin and end with forward slashes. In addition, + it can contain any ASCII character from the ! (\\u0021) through + the DEL character (\\u007F), including most punctuation characters, + digits, and upper and lowercased letters." + type: string + permissionsBoundary: + description: The ARN of the policy that is used to set the permissions + boundary for the role. + type: string + permissionsBoundaryRef: + description: "AWSResourceReferenceWrapper provides a wrapper around + *AWSResourceReference type to provide more user friendly syntax + for references using 'from' field Ex: APIIDRef: \n from: name: my-api" + properties: + from: + description: AWSResourceReference provides all the values necessary + to reference another k8s resource for finding the identifier(Id/ARN/Name) + properties: + name: + type: string + type: object + type: object + policies: + items: + type: string + type: array + policyRefs: + items: + description: "AWSResourceReferenceWrapper provides a wrapper around + *AWSResourceReference type to provide more user friendly syntax + for references using 'from' field Ex: APIIDRef: \n from: name: + my-api" + properties: + from: + description: AWSResourceReference provides all the values necessary + to reference another k8s resource for finding the identifier(Id/ARN/Name) + properties: + name: + type: string + type: object + type: object + type: array + tags: + description: "A list of 
tags that you want to attach to the new role. + Each tag consists of a key name and an associated value. For more + information about tagging, see Tagging IAM resources (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) + in the IAM User Guide. \n If any one of the tags is invalid or if + you exceed the allowed maximum number of tags, then the entire request + fails and the resource is not created." + items: + description: A structure that represents user-provided metadata + that can be associated with an IAM resource. For more information + about tagging, see Tagging IAM resources (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) + in the IAM User Guide. + properties: + key: + type: string + value: + type: string + type: object + type: array + required: + - assumeRolePolicyDocument + - name + type: object + status: + description: RoleStatus defines the observed state of Role + properties: + ackResourceMetadata: + description: All CRs managed by ACK have a common `Status.ACKResourceMetadata` + member that is used to contain resource sync state, account ownership, + constructed ARN for the resource + properties: + arn: + description: 'ARN is the Amazon Resource Name for the resource. + This is a globally-unique identifier and is set only by the + ACK service controller once the controller has orchestrated + the creation of the resource OR when it has verified that an + "adopted" resource (a resource where the ARN annotation was + set by the Kubernetes user on the CR) exists and matches the + supplied CR''s Spec field values. TODO(vijat@): Find a better + strategy for resources that do not have ARN in CreateOutputResponse + https://github.com/aws/aws-controllers-k8s/issues/270' + type: string + ownerAccountID: + description: OwnerAccountID is the AWS Account ID of the account + that owns the backend AWS service API resource. + type: string + region: + description: Region is the AWS region in which the resource exists + or will exist. 
+ type: string + required: + - ownerAccountID + - region + type: object + conditions: + description: All CRS managed by ACK have a common `Status.Conditions` + member that contains a collection of `ackv1alpha1.Condition` objects + that describe the various terminal states of the CR and its backend + AWS service API resource + items: + description: Condition is the common struct used by all CRDs managed + by ACK service controllers to indicate terminal states of the + CR and its backend AWS service API resource + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type is the type of the Condition + type: string + required: + - status + - type + type: object + type: array + createDate: + description: The date and time, in ISO 8601 date-time format (http://www.iso.org/iso/iso8601), + when the role was created. + format: date-time + type: string + roleID: + description: The stable and unique string identifying the role. For + more information about IDs, see IAM identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) + in the IAM User Guide. + type: string + roleLastUsed: + description: Contains information about the last time that an IAM + role was used. This includes the date and time and the Region in + which the role was last used. Activity is only reported for the + trailing 400 days. This period can be shorter if your Region began + supporting these features within the last year. The role might have + been used more than 400 days ago. 
For more information, see Regions + where data is tracked (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor.html#access-advisor_tracking-period) + in the IAM User Guide. + properties: + lastUsedDate: + format: date-time + type: string + region: + type: string + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/addons/iam-chart/helm/crds/iam.services.k8s.aws_users.yaml b/addons/iam-chart/helm/crds/iam.services.k8s.aws_users.yaml new file mode 100644 index 000000000..dee8f7630 --- /dev/null +++ b/addons/iam-chart/helm/crds/iam.services.k8s.aws_users.yaml 
@@ -0,0 +1,219 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: users.iam.services.k8s.aws +spec: + group: iam.services.k8s.aws + names: + kind: User + listKind: UserList + plural: users + singular: user + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: User is the Schema for the Users API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: "UserSpec defines the desired state of User. \n Contains + information about an IAM user entity. \n This data type is used as a + response element in the following operations: \n - CreateUser \n - GetUser + \n - ListUsers" + properties: + inlinePolicies: + additionalProperties: + type: string + type: object + name: + description: "The name of the user to create. \n IAM user, group, + role, and policy names must be unique within the account. Names + are not distinguished by case. For example, you cannot create resources + named both \"MyResource\" and \"myresource\"." + type: string + path: + description: "The path for the user name. 
For more information about + paths, see IAM identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) + in the IAM User Guide. \n This parameter is optional. If it is not + included, it defaults to a slash (/). \n This parameter allows (through + its regex pattern (http://wikipedia.org/wiki/regex)) a string of + characters consisting of either a forward slash (/) by itself or + a string that must begin and end with forward slashes. In addition, + it can contain any ASCII character from the ! (\\u0021) through + the DEL character (\\u007F), including most punctuation characters, + digits, and upper and lowercased letters." + type: string + permissionsBoundary: + description: The ARN of the policy that is used to set the permissions + boundary for the user. + type: string + permissionsBoundaryRef: + description: "AWSResourceReferenceWrapper provides a wrapper around + *AWSResourceReference type to provide more user friendly syntax + for references using 'from' field Ex: APIIDRef: \n from: name: my-api" + properties: + from: + description: AWSResourceReference provides all the values necessary + to reference another k8s resource for finding the identifier(Id/ARN/Name) + properties: + name: + type: string + type: object + type: object + policies: + items: + type: string + type: array + policyRefs: + items: + description: "AWSResourceReferenceWrapper provides a wrapper around + *AWSResourceReference type to provide more user friendly syntax + for references using 'from' field Ex: APIIDRef: \n from: name: + my-api" + properties: + from: + description: AWSResourceReference provides all the values necessary + to reference another k8s resource for finding the identifier(Id/ARN/Name) + properties: + name: + type: string + type: object + type: object + type: array + tags: + description: "A list of tags that you want to attach to the new user. + Each tag consists of a key name and an associated value. 
For more + information about tagging, see Tagging IAM resources (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) + in the IAM User Guide. \n If any one of the tags is invalid or if + you exceed the allowed maximum number of tags, then the entire request + fails and the resource is not created." + items: + description: A structure that represents user-provided metadata + that can be associated with an IAM resource. For more information + about tagging, see Tagging IAM resources (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) + in the IAM User Guide. + properties: + key: + type: string + value: + type: string + type: object + type: array + required: + - name + type: object + status: + description: UserStatus defines the observed state of User + properties: + ackResourceMetadata: + description: All CRs managed by ACK have a common `Status.ACKResourceMetadata` + member that is used to contain resource sync state, account ownership, + constructed ARN for the resource + properties: + arn: + description: 'ARN is the Amazon Resource Name for the resource. + This is a globally-unique identifier and is set only by the + ACK service controller once the controller has orchestrated + the creation of the resource OR when it has verified that an + "adopted" resource (a resource where the ARN annotation was + set by the Kubernetes user on the CR) exists and matches the + supplied CR''s Spec field values. TODO(vijat@): Find a better + strategy for resources that do not have ARN in CreateOutputResponse + https://github.com/aws/aws-controllers-k8s/issues/270' + type: string + ownerAccountID: + description: OwnerAccountID is the AWS Account ID of the account + that owns the backend AWS service API resource. + type: string + region: + description: Region is the AWS region in which the resource exists + or will exist. 
+ type: string + required: + - ownerAccountID + - region + type: object + conditions: + description: All CRS managed by ACK have a common `Status.Conditions` + member that contains a collection of `ackv1alpha1.Condition` objects + that describe the various terminal states of the CR and its backend + AWS service API resource + items: + description: Condition is the common struct used by all CRDs managed + by ACK service controllers to indicate terminal states of the + CR and its backend AWS service API resource + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type is the type of the Condition + type: string + required: + - status + - type + type: object + type: array + createDate: + description: The date and time, in ISO 8601 date-time format (http://www.iso.org/iso/iso8601), + when the user was created. + format: date-time + type: string + passwordLastUsed: + description: "The date and time, in ISO 8601 date-time format (http://www.iso.org/iso/iso8601), + when the user's password was last used to sign in to an Amazon Web + Services website. For a list of Amazon Web Services websites that + capture a user's last sign-in time, see the Credential reports (https://docs.aws.amazon.com/IAM/latest/UserGuide/credential-reports.html) + topic in the IAM User Guide. If a password is used more than once + in a five-minute span, only the first use is returned in this field. + If the field is null (no value), then it indicates that they never + signed in with a password. This can be because: \n * The user never + had a password. 
\n * A password exists but has not been used since + IAM started tracking this information on October 20, 2014. \n A + null value does not mean that the user never had a password. Also, + if the user does not currently have a password but had one in the + past, then this field contains the date and time the most recent + password was used. \n This value is returned only in the GetUser + and ListUsers operations." + format: date-time + type: string + userID: + description: The stable and unique string identifying the user. For + more information about IDs, see IAM identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) + in the IAM User Guide. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/addons/iam-chart/helm/crds/services.k8s.aws_adoptedresources.yaml b/addons/iam-chart/helm/crds/services.k8s.aws_adoptedresources.yaml new file mode 100644 index 000000000..d8d512618 --- /dev/null +++ b/addons/iam-chart/helm/crds/services.k8s.aws_adoptedresources.yaml 
@@ -0,0 +1,229 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: adoptedresources.services.k8s.aws +spec: + group: services.k8s.aws + names: + kind: AdoptedResource + listKind: AdoptedResourceList + plural: adoptedresources + singular: adoptedresource + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: AdoptedResource is the schema for the AdoptedResource API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AdoptedResourceSpec defines the desired state of the AdoptedResource. + properties: + aws: + description: AWSIdentifiers provide all unique ways to reference an + AWS resource. + properties: + additionalKeys: + additionalProperties: + type: string + description: AdditionalKeys represents any additional arbitrary + identifiers used when describing the target resource. + type: object + arn: + description: ARN is the AWS Resource Name for the resource. It + is a globally unique identifier. + type: string + nameOrID: + description: NameOrId is a user-supplied string identifier for + the resource. It may or may not be globally unique, depending + on the type of resource. 
+ type: string + type: object + kubernetes: + description: ResourceWithMetadata provides the values necessary to + create a Kubernetes resource and override any of its metadata values. + properties: + group: + type: string + kind: + type: string + metadata: + description: "ObjectMeta is metadata that all persisted resources + must have, which includes all objects users must create. It + is not possible to use `metav1.ObjectMeta` inside spec, as the + controller-gen automatically converts this to an arbitrary string-string + map. https://github.com/kubernetes-sigs/controller-tools/issues/385 + \n Active discussion about inclusion of this field in the spec + is happening in this PR: https://github.com/kubernetes-sigs/controller-tools/pull/395 + \n Until this is allowed, or if it never is, we will produce + a subset of the object meta that contains only the fields which + the user is allowed to modify in the metadata." + properties: + annotations: + additionalProperties: + type: string + description: 'Annotations is an unstructured key value map + stored with a resource that may be set by external tools + to store and retrieve arbitrary metadata. They are not queryable + and should be preserved when modifying objects. More info: + http://kubernetes.io/docs/user-guide/annotations' + type: object + generateName: + description: "GenerateName is an optional prefix, used by + the server, to generate a unique name ONLY IF the Name field + has not been provided. If this field is used, the name returned + to the client will be different than the name passed. This + value will also be combined with a unique suffix. The provided + value has the same validation rules as the Name field, and + may be truncated by the length of the suffix required to + make the value unique on the server. 
\n If this field is + specified and the generated name exists, the server will + NOT return a 409 - instead, it will either return 201 Created + or 500 with Reason ServerTimeout indicating a unique name + could not be found in the time allotted, and the client + should retry (optionally after the time indicated in the + Retry-After header). \n Applied only if Name is not specified. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency" + type: string + labels: + additionalProperties: + type: string + description: 'Map of string keys and values that can be used + to organize and categorize (scope and select) objects. May + match selectors of replication controllers and services. + More info: http://kubernetes.io/docs/user-guide/labels' + type: object + name: + description: 'Name must be unique within a namespace. Is required + when creating resources, although some resources may allow + a client to request the generation of an appropriate name + automatically. Name is primarily intended for creation idempotence + and configuration definition. Cannot be updated. More info: + http://kubernetes.io/docs/user-guide/identifiers#names' + type: string + namespace: + description: "Namespace defines the space within each name + must be unique. An empty namespace is equivalent to the + \"default\" namespace, but \"default\" is the canonical + representation. Not all objects are required to be scoped + to a namespace - the value of this field for those objects + will be empty. \n Must be a DNS_LABEL. Cannot be updated. + More info: http://kubernetes.io/docs/user-guide/namespaces" + type: string + ownerReferences: + description: List of objects depended by this object. If ALL + objects in the list have been deleted, this object will + be garbage collected. If this object is managed by a controller, + then an entry in this list will point to this controller, + with the controller field set to true. 
There cannot be more + than one managing controller. + items: + description: OwnerReference contains enough information + to let you identify an owning object. An owning object + must be in the same namespace as the dependent, or be + cluster-scoped, so there is no namespace field. + properties: + apiVersion: + description: API version of the referent. + type: string + blockOwnerDeletion: + description: If true, AND if the owner has the "foregroundDeletion" + finalizer, then the owner cannot be deleted from the + key-value store until this reference is removed. See + https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion + for how the garbage collector interacts with this + field and enforces the foreground deletion. Defaults + to false. To set this field, a user needs "delete" + permission of the owner, otherwise 422 (Unprocessable + Entity) will be returned. + type: boolean + controller: + description: If true, this reference points to the managing + controller. + type: boolean + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#names' + type: string + uid: + description: 'UID of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#uids' + type: string + required: + - apiVersion + - kind + - name + - uid + type: object + x-kubernetes-map-type: atomic + type: array + type: object + required: + - group + - kind + type: object + required: + - aws + - kubernetes + type: object + status: + description: AdoptedResourceStatus defines the observed status of the + AdoptedResource. 
+ properties: + conditions: + description: A collection of `ackv1alpha1.Condition` objects that + describe the various terminal states of the adopted resource CR + and its target custom resource + items: + description: Condition is the common struct used by all CRDs managed + by ACK service controllers to indicate terminal states of the + CR and its backend AWS service API resource + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type is the type of the Condition + type: string + required: + - status + - type + type: object + type: array + required: + - conditions + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/addons/iam-chart/helm/crds/services.k8s.aws_fieldexports.yaml b/addons/iam-chart/helm/crds/services.k8s.aws_fieldexports.yaml new file mode 100644 index 000000000..4a7ab61b3 --- /dev/null +++ b/addons/iam-chart/helm/crds/services.k8s.aws_fieldexports.yaml 
@@ -0,0 +1,134 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: fieldexports.services.k8s.aws +spec: + group: services.k8s.aws + names: + kind: FieldExport + listKind: FieldExportList + plural: fieldexports + singular: fieldexport + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: FieldExport is the schema for the FieldExport API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: FieldExportSpec defines the desired state of the FieldExport. + properties: + from: + description: ResourceFieldSelector provides the values necessary to + identify an individual field on an individual K8s resource. + properties: + path: + type: string + resource: + description: NamespacedResource provides all the values necessary + to identify an ACK resource of a given type (within the same + namespace as the custom resource containing this type). 
+ properties: + group: + type: string + kind: + type: string + name: + type: string + required: + - group + - kind + - name + type: object + required: + - path + - resource + type: object + to: + description: FieldExportTarget provides the values necessary to identify + the output path for a field export. + properties: + key: + description: Key overrides the default value (`.`) + for the FieldExport target + type: string + kind: + description: FieldExportOutputType represents all types that can + be produced by a field export operation + enum: + - configmap + - secret + type: string + name: + type: string + namespace: + description: Namespace is marked as optional, so we cannot compose + `NamespacedName` + type: string + required: + - kind + - name + type: object + required: + - from + - to + type: object + status: + description: FieldExportStatus defines the observed status of the FieldExport. + properties: + conditions: + description: A collection of `ackv1alpha1.Condition` objects that + describe the various recoverable states of the field CR + items: + description: Condition is the common struct used by all CRDs managed + by ACK service controllers to indicate terminal states of the + CR and its backend AWS service API resource + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type is the type of the Condition + type: string + required: + - status + - type + type: object + type: array + required: + - conditions + type: object + type: object + served: true + storage: true + subresources: + status: {} 
diff --git a/addons/iam-chart/helm/templates/NOTES.txt b/addons/iam-chart/helm/templates/NOTES.txt
new file mode 100644
index 000000000..efe1cb632
--- /dev/null
+++ b/addons/iam-chart/helm/templates/NOTES.txt
@@ -0,0 +1,16 @@
+{{ .Chart.Name }} has been installed.
+This chart deploys "public.ecr.aws/aws-controllers-k8s/iam-controller:1.2.6".
+
+Check its status by running:
+ kubectl --namespace {{ .Release.Namespace }} get pods -l "app.kubernetes.io/instance={{ .Release.Name }}"
+
+You are now able to create AWS Identity & Access Management (IAM) resources!
+
+The controller is running in "{{ .Values.installScope }}" mode.
+The controller is configured to manage AWS resources in region: "{{ .Values.aws.region }}"
+
+Visit https://aws-controllers-k8s.github.io/community/reference/ for an API
+reference of all the resources that can be created using this controller.
+
+For more information on the AWS Controllers for Kubernetes (ACK) project, visit:
+https://aws-controllers-k8s.github.io/community/
diff --git a/addons/iam-chart/helm/templates/_helpers.tpl b/addons/iam-chart/helm/templates/_helpers.tpl
new file mode 100644
index 000000000..391d5de33
--- /dev/null
+++ b/addons/iam-chart/helm/templates/_helpers.tpl
@@ -0,0 +1,48 @@
+{{/* The name of the application this chart installs */}}
+{{- define "app.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "app.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/* The name and version as used by the chart label */}}
+{{- define "chart.name-version" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/* The name of the service account to use */}}
+{{- define "service-account.name" -}}
+ {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+
+{{- define "watch-namespace" -}}
+{{- if eq .Values.installScope "namespace" -}}
+{{ .Values.watchNamespace | default .Release.Namespace }}
+{{- end -}}
+{{- end -}}
+
+{{/* The mount path for the shared credentials file */}}
+{{- define "aws.credentials.secret_mount_path" -}}
+{{- "/var/run/secrets/aws" -}}
+{{- end -}}
+
+{{/* The path the shared credentials file is mounted */}}
+{{- define "aws.credentials.path" -}}
+{{- printf "%s/%s" (include "aws.credentials.secret_mount_path" .) .Values.aws.credentials.secretKey -}}
+{{- end -}}
diff --git a/addons/iam-chart/helm/templates/cluster-role-binding.yaml b/addons/iam-chart/helm/templates/cluster-role-binding.yaml
new file mode 100644
index 000000000..2b49a8a7c
--- /dev/null
+++ b/addons/iam-chart/helm/templates/cluster-role-binding.yaml
@@ -0,0 +1,21 @@
+apiVersion: rbac.authorization.k8s.io/v1
+{{ if eq .Values.installScope "cluster" }}
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "app.fullname" . }}
+roleRef:
+ kind: ClusterRole
+{{ else }}
+kind: RoleBinding
+metadata:
+ name: {{ include "app.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: Role
+{{ end }}
+ apiGroup: rbac.authorization.k8s.io
+ name: ack-iam-controller
+subjects:
+- kind: ServiceAccount
+ name: {{ include "service-account.name" . }}
+ namespace: {{ .Release.Namespace }}
diff --git a/addons/iam-chart/helm/templates/cluster-role-controller.yaml b/addons/iam-chart/helm/templates/cluster-role-controller.yaml
new file mode 100644
index 000000000..3bd6fa645
--- /dev/null
+++ b/addons/iam-chart/helm/templates/cluster-role-controller.yaml
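Review bot: In the `{{ else }}` branch the RoleBinding is pinned to `namespace: {{ .Release.Namespace }}`, while in namespace scope the controller watches `.Values.watchNamespace` (defaulted to the release namespace by the `watch-namespace` helper in _helpers.tpl), so a watchNamespace that differs from the release namespace leaves the controller bound in a namespace it does not reconcile; the Role in cluster-role-controller.yaml is pinned the same way. Either render the Role and RoleBinding in `{{ include "watch-namespace" . }}` for namespace scope, or state in the values documentation that watchNamespace must equal the release namespace. Separately, `subjects[0].name` falls back to the namespace's `default` ServiceAccount when `serviceAccount.name` is unset, which hands the controller's ClusterRole (including Secret read/patch in cluster scope) to every pod in that namespace that does not set its own service account; consider defaulting to a chart-managed account such as `{{ include "app.fullname" . }}`. The chart's service-account template is not in this view, so I cannot confirm what it creates.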
@@ -0,0 +1,188 @@
+apiVersion: rbac.authorization.k8s.io/v1
+{{ if eq .Values.installScope "cluster" }}
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ name: ack-iam-controller
+ labels:
+ {{- range $key, $value := .Values.role.labels }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+{{ else }}
+kind: Role
+metadata:
+ creationTimestamp: null
+ name: ack-iam-controller
+ labels:
+ {{- range $key, $value := .Values.role.labels }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ namespace: {{ .Release.Namespace }}
+{{ end }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - patch
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - patch
+ - watch
+- apiGroups:
+ - iam.services.k8s.aws
+ resources:
+ - groups
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - iam.services.k8s.aws
+ resources:
+ - groups/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - iam.services.k8s.aws
+ resources:
+ - openidconnectproviders
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - iam.services.k8s.aws
+ resources:
+ - openidconnectproviders/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - iam.services.k8s.aws
+ resources:
+ - policies
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - iam.services.k8s.aws
+ resources:
+ - policies/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - iam.services.k8s.aws
+ resources:
+ - roles
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - iam.services.k8s.aws
+ resources:
+ - roles/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - iam.services.k8s.aws
+ resources:
+ - users
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- 
apiGroups:
+ - iam.services.k8s.aws
+ resources:
+ - users/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - services.k8s.aws
+ resources:
+ - adoptedresources
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - services.k8s.aws
+ resources:
+ - adoptedresources/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - services.k8s.aws
+ resources:
+ - fieldexports
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - services.k8s.aws
+ resources:
+ - fieldexports/status
+ verbs:
+ - get
+ - patch
+ - update
diff --git a/addons/iam-chart/helm/templates/deployment.yaml b/addons/iam-chart/helm/templates/deployment.yaml
new file mode 100644
index 000000000..f40b5f22a
--- /dev/null
+++ b/addons/iam-chart/helm/templates/deployment.yaml
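Review bot: The `secrets` rule (get/list/patch/watch on the core group) and the `configmaps` rule become cluster-wide when `installScope` is `cluster`, so the controller's service account can read and patch every Secret in the cluster, and nothing in the template says why; the FieldExport CRD in this same commit targets `configmap`/`secret` kinds, which appears to be the reason. Add a comment above that rule such as `# FieldExport writes exported fields into ConfigMaps/Secrets; in cluster scope this is read/patch on all Secrets cluster-wide - prefer installScope=namespace where possible.` As a point of style, the `metadata` stanza (`creationTimestamp`/`name`/`labels`) is duplicated verbatim in both branches and only `namespace:` differs; moving the shared lines below the `{{ end }}` as cluster-role-binding.yaml does for `apiGroup`/`name` keeps the two branches from drifting. The rule list begins in the previous line of this view.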
@@ -0,0 +1,161 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "app.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ include "app.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+ k8s-app: {{ include "app.name" . }}
+ helm.sh/chart: {{ include "chart.name-version" . }}
+spec:
+ replicas: {{ .Values.deployment.replicas }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "app.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ template:
+ metadata:
+{{- if .Values.deployment.annotations }}
+ annotations:
+ {{- range $key, $value := .Values.deployment.annotations }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+{{- end }}
+ labels:
+ app.kubernetes.io/name: {{ include "app.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: Helm
+ k8s-app: {{ include "app.name" . }}
+{{- range $key, $value := .Values.deployment.labels }}
+ {{ $key }}: {{ $value | quote }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ include "service-account.name" . }}
+ {{- if .Values.image.pullSecrets }}
+ imagePullSecrets:
+ {{- range .Values.image.pullSecrets }}
+ - name: {{ . 
}}
+ {{- end }}
+ {{- end }}
+ containers:
+ - command:
+ - ./bin/controller
+ args:
+ - --aws-region
+ - "$(AWS_REGION)"
+ - --aws-endpoint-url
+ - "$(AWS_ENDPOINT_URL)"
+{{- if .Values.log.enable_development_logging }}
+ - --enable-development-logging
+{{- end }}
+ - --log-level
+ - "$(ACK_LOG_LEVEL)"
+ - --resource-tags
+ - "$(ACK_RESOURCE_TAGS)"
+ - --watch-namespace
+ - "$(ACK_WATCH_NAMESPACE)"
+ - --deletion-policy
+ - "$(DELETION_POLICY)"
+{{- if .Values.leaderElection.enabled }}
+ - --enable-leader-election
+ - --leader-election-namespace
+ - "$(LEADER_ELECTION_NAMESPACE)"
+{{- end }}
+{{- if gt .Values.reconcile.defaultResyncPeriod 0.0 }}
+ - --reconcile-default-resync-seconds
+ - "$(RECONCILE_DEFAULT_RESYNC_SECONDS)"
+{{- end }}
+{{- range $key, $value := .Values.reconcile.resourceResyncPeriods }}
+ - --reconcile-resource-resync-seconds
+ - "$(RECONCILE_RESOURCE_RESYNC_SECONDS_{{ $key | upper }})"
+{{- end }}
+ image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ name: controller
+ ports:
+ - name: http
+ containerPort: {{ .Values.deployment.containerPort }}
+ resources:
+ {{- toYaml .Values.resources | nindent 10 }}
+ env:
+ - name: ACK_SYSTEM_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: AWS_REGION
+ value: {{ .Values.aws.region }}
+ - name: AWS_ENDPOINT_URL
+ value: {{ .Values.aws.endpoint_url | quote }}
+ - name: ACK_WATCH_NAMESPACE
+ value: {{ include "watch-namespace" . 
}}
+ - name: DELETION_POLICY
+ value: {{ .Values.deletionPolicy }}
+ - name: LEADER_ELECTION_NAMESPACE
+ value: {{ .Values.leaderElection.namespace | quote }}
+ - name: ACK_LOG_LEVEL
+ value: {{ .Values.log.level | quote }}
+ - name: ACK_RESOURCE_TAGS
+ value: {{ join "," .Values.resourceTags | quote }}
+{{- if gt .Values.reconcile.defaultResyncPeriod 0.0 }}
+ - name: RECONCILE_DEFAULT_RESYNC_SECONDS
+ value: {{ .Values.reconcile.defaultResyncPeriod | quote }}
+{{- end }}
+{{- range $key, $value := .Values.reconcile.resourceResyncPeriods }}
+ - name: RECONCILE_RESOURCE_RESYNC_SECONDS_{{ $key | upper }}
+ value: {{ $key }}={{ $value }}
+{{- end }}
+ {{- if .Values.aws.credentials.secretName }}
+ - name: AWS_SHARED_CREDENTIALS_FILE
+ value: {{ include "aws.credentials.path" . }}
+ - name: AWS_PROFILE
+ value: {{ .Values.aws.credentials.profile }}
+ {{- end }}
+ {{- if .Values.deployment.extraEnvVars -}}
+ {{ toYaml .Values.deployment.extraEnvVars | nindent 8 }}
+ {{- end }}
+ volumeMounts:
+ {{- if .Values.aws.credentials.secretName }}
+ - name: {{ .Values.aws.credentials.secretName }}
+ mountPath: {{ include "aws.credentials.secret_mount_path" . 
}}
+ readOnly: true
+ {{- end }}
+ {{- if .Values.deployment.extraVolumeMounts -}}
+ {{ toYaml .Values.deployment.extraVolumeMounts | nindent 12 }}
+ {{- end }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ terminationGracePeriodSeconds: 10
+ nodeSelector: {{ toYaml .Values.deployment.nodeSelector | nindent 8 }}
+ {{ if .Values.deployment.tolerations -}}
+ tolerations: {{ toYaml .Values.deployment.tolerations | nindent 8 }}
+ {{ end -}}
+ {{ if .Values.deployment.affinity -}}
+ affinity: {{ toYaml .Values.deployment.affinity | nindent 8 }}
+ {{ end -}}
+ {{ if .Values.deployment.priorityClassName -}}
+ priorityClassName: {{ .Values.deployment.priorityClassName }}
+ {{ end -}}
+ hostIPC: false
+ hostPID: false
+ hostNetwork: {{ .Values.deployment.hostNetwork }}
+ dnsPolicy: {{ .Values.deployment.dnsPolicy }}
+ volumes:
+ {{- if .Values.aws.credentials.secretName -}}
+ - name: {{ .Values.aws.credentials.secretName }}
+ secret:
+ secretName: {{ .Values.aws.credentials.secretName }}
+ {{ end -}}
+{{- if .Values.deployment.extraVolumes }}
+{{ toYaml .Values.deployment.extraVolumes | indent 8}}
+{{- end }}
diff --git a/addons/iam-chart/helm/templates/leader-election-role-binding.yaml b/addons/iam-chart/helm/templates/leader-election-role-binding.yaml
new file mode 100644
index 000000000..1fa03ab3c
--- /dev/null
+++ b/addons/iam-chart/helm/templates/leader-election-role-binding.yaml
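Review bot: In the `volumes:` block at the end of the hunk, `{{- if .Values.aws.credentials.secretName -}}` trims the whitespace on both sides of the action, so with a secret configured the output appears to render as `volumes:- name: <secret>` on a single line rather than a list item under `volumes:`; the `tolerations`/`affinity` guards just above use `{{ if … -}}` and the `volumeMounts:` guard uses `{{- if … }}`, and either form here would keep the newline, e.g. `{{ if .Values.aws.credentials.secretName -}}`. Several env entries emit unquoted values (`value: {{ .Values.aws.region }}`, `value: {{ .Values.deletionPolicy }}`, `value: {{ .Values.aws.credentials.profile }}`) while their siblings use `| quote`; `EnvVar.value` must be a string, so quoting them consistently avoids a type error when a value happens to look like a number or boolean. The container `securityContext` drops all capabilities and forbids privilege escalation but leaves `readOnlyRootFilesystem` unset; if the controller binary does not write to its filesystem, `readOnlyRootFilesystem: true` would complete the hardening.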
@@ -0,0 +1,18 @@
+{{ if .Values.leaderElection.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: iam-leader-election-rolebinding
+{{ if .Values.leaderElection.namespace }}
+ namespace: {{ .Values.leaderElection.namespace }}
+{{ else }}
+ namespace: {{ .Release.Namespace }}
+{{ end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: iam-leader-election-role
+subjects:
+- kind: ServiceAccount
+ name: {{ include "service-account.name" . }}
+ namespace: {{ .Release.Namespace }}{{- end }}
diff --git a/addons/iam-chart/helm/templates/leader-election-role.yaml b/addons/iam-chart/helm/templates/leader-election-role.yaml
new file mode 100644
index 000000000..bd19834c9
--- /dev/null
+++ b/addons/iam-chart/helm/templates/leader-election-role.yaml
@@ -0,0 +1,30 @@
+{{ if .Values.leaderElection.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: iam-leader-election-role
+{{ if .Values.leaderElection.namespace }}
+ namespace: {{ .Values.leaderElection.namespace }}
+{{ else }}
+ namespace: {{ .Release.Namespace }}
+{{ end }}
+rules:
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch{{- end }}
diff --git a/addons/iam-chart/helm/templates/metrics-service.yaml b/addons/iam-chart/helm/templates/metrics-service.yaml
new file mode 100644
index 000000000..638858a38
--- /dev/null
+++ b/addons/iam-chart/helm/templates/metrics-service.yaml
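Review bot: The `{{ if .Values.leaderElection.enabled }}`, `{{ if .Values.leaderElection.namespace }}`, `{{ else }}` and `{{ end }}` actions in leader-election-role-binding.yaml carry no `-` whitespace trim, so every rendered manifest starts with a blank line and has empty lines inside `metadata:`; leader-election-role.yaml on this same line has the identical pattern. The API server tolerates it, but metrics-service.yaml in this commit already uses `{{- if ... }}`, so `{{- if .Values.leaderElection.namespace }}` / `{{- else }}` / `{{- end }}` would keep the templates consistent and the output clean. The trailing `{{- end }}` glued onto the last `namespace:` line of each file works only because of the trim marker and is easy to miss; giving it its own line is equivalent and more readable.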
@@ -0,0 +1,29 @@
+{{- if .Values.metrics.service.create }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Chart.Name | trimSuffix "-chart" | trunc 44 }}-controller-metrics
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ include "app.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+ k8s-app: {{ include "app.name" . }}
+ helm.sh/chart: {{ include "chart.name-version" . }}
+spec:
+ selector:
+ app.kubernetes.io/name: {{ include "app.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: Helm
+ k8s-app: {{ include "app.name" . }}
+{{- range $key, $value := .Values.deployment.labels }}
+ {{ $key }}: {{ $value | quote }}
+{{- end }}
+ type: {{ .Values.metrics.service.type }}
+ ports:
+ - name: metricsport
+ port: 8080
+ targetPort: http
+ protocol: TCP
+{{- end }}
diff --git a/addons/iam-chart/helm/templates/role-reader.yaml b/addons/iam-chart/helm/templates/role-reader.yaml
new file mode 100644
index 000000000..185c4b80b
--- /dev/null
+++ b/addons/iam-chart/helm/templates/role-reader.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ creationTimestamp: null
+ name: ack-iam-reader
+ namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups:
+ - iam.services.k8s.aws
+ resources:
+ - groups
+ - openidconnectproviders
+ - policies
+ - roles
+ - users
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/addons/iam-chart/helm/templates/role-writer.yaml b/addons/iam-chart/helm/templates/role-writer.yaml
new file mode 100644
index 000000000..15ffe32f9
--- /dev/null
+++ b/addons/iam-chart/helm/templates/role-writer.yaml
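Review bot: `type: {{ .Values.metrics.service.type }}` in metrics-service.yaml accepts `NodePort` and `LoadBalancer` (both permitted by the values.schema.json hunk in this commit), which publishes the controller's metrics endpoint beyond the cluster, and nothing in the template records that the endpoint is served without authentication. A comment above the `type:` line, such as `# the metrics endpoint is unauthenticated; any type other than ClusterIP exposes it outside the cluster`, would make that trade-off visible to whoever changes the value. `targetPort: http` also presumes the controller container names its port `http`; the Deployment template that defines the container begins outside this view, so that could not be confirmed here.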
@@ -0,0 +1,41 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ creationTimestamp: null
+ name: ack-iam-writer
+ namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups:
+ - iam.services.k8s.aws
+ resources:
+ - groups
+
+ - openidconnectproviders
+
+ - policies
+
+ - roles
+
+ - users
+
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - iam.services.k8s.aws
+ resources:
+ - groups
+ - openidconnectproviders
+ - policies
+ - roles
+ - users
+ verbs:
+ - get
+ - patch
+ - update
diff --git a/addons/iam-chart/helm/templates/service-account.yaml b/addons/iam-chart/helm/templates/service-account.yaml
new file mode 100644
index 000000000..73306395f
--- /dev/null
+++ b/addons/iam-chart/helm/templates/service-account.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/name: {{ include "app.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+ k8s-app: {{ include "app.name" . }}
+ helm.sh/chart: {{ include "chart.name-version" . }}
+ name: {{ include "service-account.name" . }}
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ {{- range $key, $value := .Values.serviceAccount.annotations }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+{{- end }}
diff --git a/addons/iam-chart/helm/values.schema.json b/addons/iam-chart/helm/values.schema.json
new file mode 100644
index 000000000..ac28b6808
--- /dev/null
+++ b/addons/iam-chart/helm/values.schema.json
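Review bot: The second rule in role-writer.yaml names the same five `iam.services.k8s.aws` resources as the first rule but grants only `get`, `patch` and `update`, all of which the first rule already grants, so as written it adds no permission at all. If it was meant to cover the status subresources, the resource names should say so (`- groups/status`, `- openidconnectproviders/status`, and so on for the other three); otherwise the whole second rule can be dropped. The blank lines between the `resources:` items of the first rule are valid YAML but match no other list in this commit and read like an editing accident.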
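Review bot: `annotations:` in service-account.yaml is emitted unconditionally, so with the default `serviceAccount.annotations: {}` the rendered ServiceAccount carries a bare `annotations:` key, which YAML reads as null rather than an empty map. The API server accepts it, but the key should only appear when there is something to put under it: wrap the block in `{{- with .Values.serviceAccount.annotations }}`, change the loop to `{{- range $key, $value := . }}`, and add a closing `{{- end }}` after the existing one.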
@@ -0,0 +1,277 @@
+{
+ "$schema": "https://json-schema.org/draft-07/schema#",
+ "properties": {
+ "image": {
+ "description": "Container Image",
+ "properties": {
+ "repository": {
+ "type": "string",
+ "minLength": 1
+ },
+ "tag": {
+ "type": "string",
+ "minLength": 1
+ },
+ "pullPolicy": {
+ "type": "string",
+ "enum": ["IfNotPresent", "Always", "Never"]
+ },
+ "pullSecrets": {
+ "type": "array"
+ }
+ },
+ "required": [
+ "repository",
+ "tag",
+ "pullPolicy"
+ ],
+ "type": "object"
+ },
+ "nameOverride": {
+ "type": "string"
+ },
+ "fullNameOverride": {
+ "type": "string"
+ },
+ "deployment": {
+ "description": "Deployment settings",
+ "properties": {
+ "annotations": {
+ "type": "object"
+ },
+ "labels": {
+ "type": "object"
+ },
+ "containerPort": {
+ "type": "integer",
+ "minimum": 1,
+ "maximum": 65535
+ },
+ "replicas": {
+ "type": "integer"
+ },
+ "nodeSelector": {
+ "type": "object"
+ },
+ "tolerations": {
+ "type": "array"
+ },
+ "affinity": {
+ "type": "object"
+ },
+ "priorityClassName": {
+ "type": "string"
+ },
+ "extraVolumeMounts": {
+ "type": "array"
+ },
+ "extraVolumes": {
+ "type": "array"
+ },
+ "extraEnvVars": {
+ "type": "array"
+ }
+ },
+ "required": [
+ "containerPort"
+ ],
+ "type": "object"
+ },
+ "role": {
+ "description": "Role settings",
+ "properties": {
+ "labels": {
+ "type": "object"
+ }
+ }
+ },
+ "metrics": {
+ "description": "Metrics settings",
+ "properties": {
+ "service": {
+ "description": "Kubernetes service settings",
+ "properties": {
+ "create": {
+ "type": "boolean"
+ },
+ "type": {
+ "type": "string",
+ "enum": ["ClusterIP", "NodePort", "LoadBalancer", "ExternalName"]
+ }
+ },
+ "required": [
+ "create",
+ "type"
+ ],
+ "type": "object"
+ }
+ },
+ "required": [
+ "service"
+ ],
+ "type": "object"
+ },
+ "resources": {
+ "description": "Kubernetes resources settings",
+ "properties": {
+ "requests": {
+ "description": "Kubernetes resource requests",
+ "properties": {
+ "memory": {
+ "oneOf": [
+ { "type": "number" },
+ { "type": "string" }
+ ]
+ },
+ "cpu": {
+ "oneOf": [
+ { "type": "number" },
+ { "type": "string" }
+ ]
+ }
+ },
+ "required": [
+ "memory",
+ "cpu"
+ ],
+ "type": "object"
+ },
+ "limits": {
+ "description": "Kubernetes resource limits",
+ "properties": {
+ "memory": {
+ "oneOf": [
+ { "type": "number" },
+ { "type": "string" }
+ ]
+ },
+ "cpu": {
+ "oneOf": [
+ { "type": "number" },
+ { "type": "string" }
+ ]
+ }
+ },
+ "required": [
+ "memory",
+ "cpu"
+ ],
+ "type": "object"
+ }
+ },
+ "required": [
+ "requests",
+ "limits"
+ ],
+ "type": "object"
+ },
+ "aws": {
+ "description": "AWS API settings",
+ "properties": {
+ "region": {
+ "type": "string"
+ },
+ "endpoint": {
+ "type": "string"
+ },
+ "credentials": {
+ "description": "AWS credentials information",
+ "properties": {
+ "secretName": {
+ "type": "string"
+ },
+ "secretKey": {
+ "type": "string"
+ },
+ "profile": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "log": {
+ "description": "Logging settings",
+ "properties": {
+ "enable_development_logging": {
+ "type": "boolean"
+ },
+ "level": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "installScope": {
+ "type": "string",
+ "enum": ["cluster", "namespace"]
+ },
+ "watchNamespace": {
+ "type": "string"
+ },
+ "resourceTags": {
+ "type": "array",
+ "items": {
+ "type": "string",
+ "pattern": "(^$|^.*=.*$)"
+ }
+ },
+ "deletionPolicy": {
+ "type": "string",
+ "enum": ["delete", "retain"]
+ },
+ "reconcile": {
+ "description": "Reconcile resync settings.
Parameters to tune the controller's drift remediation period.",
+ "properties": {
+ "defaultResyncPeriod": {
+ "type": "number"
+ },
+ "resourceResyncPeriods": {
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "leaderElection": {
+ "description": "Parameter to configure the controller's leader election system.",
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ },
+ "namespace": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "serviceAccount": {
+ "description": "ServiceAccount settings",
+ "properties": {
+ "create": {
+ "type": "boolean"
+ },
+ "name": {
+ "type": "string"
+ },
+ "annotations": {
+ "type": "object"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "required": [
+ "image",
+ "deployment",
+ "metrics",
+ "resources",
+ "log",
+ "installScope",
+ "resourceTags",
+ "serviceAccount"
+ ],
+ "title": "Values",
+ "type": "object"
+}
diff --git a/addons/iam-chart/helm/values.yaml b/addons/iam-chart/helm/values.yaml
new file mode 100644
index 000000000..456c27b38
--- /dev/null
+++ b/addons/iam-chart/helm/values.yaml
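Review bot: Two property names in values.schema.json do not match the keys that values.yaml (the last hunk of this commit) defines: the schema declares `fullNameOverride` and `aws.endpoint`, while values.yaml ships `fullnameOverride` and `aws.endpoint_url`, so neither value is ever validated and a user who follows the schema's spelling sets a key the chart does not read. The schema also omits `deployment.hostNetwork` and `deployment.dnsPolicy`, both defined in values.yaml and rendered by the Deployment template earlier in this commit. Aligning the schema entries with the values keys (`"fullnameOverride"`, `"endpoint_url"`, or the values the other way, whichever spelling the templates consume) and adding `"hostNetwork": { "type": "boolean" }` would close the gap; `hostNetwork` in particular deserves a pinned boolean, since a stray string value there changes the pod's network exposure.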
@@ -0,0 +1,148 @@
+# Default values for ack-iam-controller.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+image:
+ repository: public.ecr.aws/aws-controllers-k8s/iam-controller
+ tag: 1.2.6
+ pullPolicy: IfNotPresent
+ pullSecrets: []
+
+nameOverride: ""
+fullnameOverride: ""
+
+deployment:
+ annotations: {}
+ labels: {}
+ containerPort: 8080
+ # Number of Deployment replicas
+ # This determines how many instances of the controller will be running. It's recommended
+ # to enable leader election if you need to increase the number of replicas > 1
+ replicas: 1
+ # Which nodeSelector to set?
+ # See: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
+ nodeSelector:
+ kubernetes.io/os: linux
+ # Which tolerations to set?
+ # See: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
+ tolerations: []
+ # What affinity to set?
+ # See: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
+ affinity: {}
+ # Which priorityClassName to set?
+ # See: https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#pod-priority
+ priorityClassName: ""
+ # Specifies the hostname of the Pod.
+ # If not specified, the pod's hostname will be set to a system-defined value.
+ hostNetwork: false
+ # Set DNS policy for the pod.
+ # Defaults to "ClusterFirst".
+ # Valid values are 'ClusterFirstWithHostNet', 'ClusterFirst', 'Default' or 'None'.
+ # To have DNS options set along with hostNetwork, you have to specify DNS policy
+ # explicitly to 'ClusterFirstWithHostNet'.
+ dnsPolicy: ClusterFirst
+ extraVolumes: []
+ extraVolumeMounts: []
+
+ # Additional server container environment variables
+ #
+ # You specify this manually like you would a raw deployment manifest.
+ # This means you can bind in environment variables from secrets.
+ #
+ # e.g.
static environment variable:
+ # - name: DEMO_GREETING
+ # value: "Hello from the environment"
+ #
+ # e.g. secret environment variable:
+ # - name: USERNAME
+ # valueFrom:
+ # secretKeyRef:
+ # name: mysecret
+ # key: username
+ extraEnvVars: []
+
+
+# If "installScope: cluster" then these labels will be applied to ClusterRole
+role:
+ labels: {}
+
+metrics:
+ service:
+ # Set to true to automatically create a Kubernetes Service resource for the
+ # Prometheus metrics server endpoint in controller
+ create: false
+ # Which Type to use for the Kubernetes Service?
+ # See: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
+ type: "ClusterIP"
+
+resources:
+ requests:
+ memory: "64Mi"
+ cpu: "50m"
+ limits:
+ memory: "128Mi"
+ cpu: "100m"
+
+aws:
+ # If specified, use the AWS region for AWS API calls
+ region: ""
+ endpoint_url: ""
+ credentials:
+ # If specified, Secret with shared credentials file to use.
+ secretName: ""
+ # Secret stringData key that contains the credentials
+ secretKey: "credentials"
+ # Profile used for AWS credentials
+ profile: "default"
+
+# log level for the controller
+log:
+ enable_development_logging: false
+ level: info
+
+# Set to "namespace" to install the controller in a namespaced scope, will only
+# watch for object creation in the namespace. By default installScope is
+# cluster wide.
+installScope: cluster
+
+# Set the value of the "namespace" to be watched by the controller
+# This value is only used when the `installScope` is set to "namespace". If left empty, the default value is the release namespace for the chart.
+watchNamespace: ""
+
+resourceTags:
+ # Configures the ACK service controller to always set key/value pairs tags on
+ # resources that it manages.
+ - services.k8s.aws/controller-version=%CONTROLLER_SERVICE%-%CONTROLLER_VERSION%
+ - services.k8s.aws/namespace=%K8S_NAMESPACE%
+
+# Set to "retain" to keep all AWS resources intact even after the K8s resources
+# have been deleted. By default, the ACK controller will delete the AWS resource
+# before the K8s resource is removed.
+deletionPolicy: delete
+
+# controller reconciliation configurations
+reconcile:
+ # The default duration, in seconds, to wait before resyncing desired state of custom resources.
+ defaultResyncPeriod: 36000 # 10 Hours
+ # An object representing the reconcile resync configuration for each specific resource.
+ resourceResyncPeriods: {}
+
+serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+ # The name of the service account to use.
+ name: ack-iam-controller
+ annotations: {}
+ # eks.amazonaws.com/role-arn: arn:aws:iam::AWS_ACCOUNT_ID:role/IAM_ROLE_NAME
+
+# Configuration of the leader election. Required for running multiple instances of the
+# controller within the same cluster.
+# See https://kubernetes.io/docs/concepts/architecture/leases/#leader-election
+leaderElection:
+ # Enable Controller Leader Election. Set this to true to enable leader election
+ # for this controller.
+ enabled: false
+ # Leader election can be scoped to a specific namespace. By default, the controller
+ # will attempt to use the namespace of the service account mounted to the Controller
+ # pod.
+ namespace: ""
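Review bot: The comment above `hostNetwork: false` in values.yaml ("Specifies the hostname of the Pod. If not specified, the pod's hostname will be set to a system-defined value.") documents a `hostname` field, not `hostNetwork`; the Deployment template in this commit renders the value straight into the pod's `hostNetwork`. Replace it with `# Set to true to run the controller pod in the node's network namespace (shares the host's interfaces and ports); leave false unless required.` so a reader understands what flipping it exposes. `tag: 1.2.6` is also left unquoted; it happens to parse as a string today, but a two-component tag such as `1.3` would be read as a float, so `tag: "1.2.6"` is safer and matches the `string` type the schema hunk declares.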