Merge branch 'shavit/intents-op-aws-agent' of ssh://github.com/otteri…

…ze/helm-charts into shavit/intents-op-aws-agent
otterize · Nov 6, 2023 · 35ccd9d · 35ccd9d
2 parents dd939ed + b3046f0
commit 35ccd9d
Show file tree

Hide file tree

Showing 7 changed files with 22 additions and 3 deletions.
diff --git a/credentials-operator/templates/credentials-operator-manager-clusterrole.yaml b/credentials-operator/templates/credentials-operator-manager-clusterrole.yaml
@@ -18,13 +18,16 @@ rules:
     - ""
     resources:
     - events
+    - serviceaccount
+    - serviceaccounts
     verbs:
     - create
     - get
     - list
     - patch
     - update
     - watch
+    - delete
   - apiGroups:
     - ""
     resources:
@@ -82,4 +85,4 @@ rules:
       - patch
       - update
       - create
-{{ end }}
+{{ end }}
diff --git a/credentials-operator/templates/deployment.yaml b/credentials-operator/templates/deployment.yaml
@@ -90,6 +90,10 @@ spec:
         - --cert-manager-approve-requests
           {{- end }}
         {{- end }}
+        {{ if eq true .Values.global.aws.enabled }}
+        - --aws-serviceaccount-binding=true
+        - --eks-oidc-url={{.Values.global.aws.oidcUrl | quote }}
+        {{ end }}
         - --leader-elect
         command:
         - /manager

diff --git a/credentials-operator/templates/serviceAccount.yaml b/credentials-operator/templates/serviceAccount.yaml
@@ -12,4 +12,7 @@ metadata:
     {{- with .Values.global.commonAnnotations }}
     {{- toYaml . | nindent 4 }}
     {{- end }}
-    app.kubernetes.io/version: {{ .Chart.Version }}
+    app.kubernetes.io/version: {{ .Chart.Version }}
+    {{ if .Values.global.aws.enabled }}
+    "eks.amazonaws.com/role-arn": {{ .Values.aws.iamRole }}
+    {{ end }}
diff --git a/credentials-operator/values.yaml b/credentials-operator/values.yaml
@@ -24,6 +24,9 @@ certManager:
   useClusterIssuer: true
   autoApprove: false
 
+aws:
+  iamRole:
+
 global:
   # Extra annotations for deployed pods
   podAnnotations: {}

diff --git a/intents-operator/templates/intents-operator-controller-manager-serviceaccount.yaml b/intents-operator/templates/intents-operator-controller-manager-serviceaccount.yaml
@@ -13,3 +13,6 @@ metadata:
     {{- toYaml . | nindent 4 }}
     {{- end }}
     app.kubernetes.io/version: {{ .Chart.Version }}
+    {{ if .Values.global.aws.enabled }}
+    "eks.amazonaws.com/role-arn": {{ .Values.aws.iamRole }}
+    {{ end }}
diff --git a/intents-operator/templates/intents-operator-deployment.yaml b/intents-operator/templates/intents-operator-deployment.yaml
@@ -149,7 +149,7 @@ spec:
           {{ end }}
           - name: OTTERIZE_AWS_INTENTS_ENABLED
             value: {{ .Values.global.aws.enabled | quote }}
-          - name: OTTERIZE_OIDC_URL
+          - name: OTTERIZE_EKS_OIDC_URL
             value: {{ .Values.global.aws.oidcUrl | quote }}
         volumeMounts:
         - mountPath: /controller_manager_config.yaml

diff --git a/intents-operator/values.yaml b/intents-operator/values.yaml
@@ -33,6 +33,9 @@ operator:
   #   cpu: 100m
   #   memory: 128Mi
 
+aws:
+  iamRole:
+
 # allowGetAllResources gives get permission to watch on all resources. If disabled, the operator will only
 # be able to resolve pods up to their built-in owners. For example, a Pod is owned by a ReplicaSet that is owned by a Deployment.
 # If that Deployment is owned by a custom resource, the operator will not be able to resolve it.