Support for AWS IAM RolesAnywhere mode

credentials-operator/templates/credentials-operator-deployment.yaml

@@ -189,6 +189,16 @@ spec:
           - name: OTTERIZE_TELEMETRY_ERRORS_API_KEY
             value: {{ .Values.global.telemetry.errors.credentialsOperatorApiKey | quote }}
           {{- end }}
+          {{- if .Values.global.aws.rolesAnywhere.enabled }}
+          - name: OTTERIZE_TRUST_DOMAIN
+            value: {{ .Values.global.aws.rolesAnywhere.trustDomain | quote }}
+          - name: OTTERIZE_TRUST_ANCHOR_ARN
+            value: {{ .Values.global.aws.rolesAnywhere.trustAnchorARN | quote }}
+          - name: AWS_SHARED_CREDENTIALS_FILE
+            value: "/aws-config/credentials"
+          - name: AWS_REGION
+            value: {{ .Values.global.aws.region | quote }}
+          {{- end }}
         livenessProbe:
           httpGet:
             path: /healthz
@@ -206,12 +216,21 @@ spec:
           {{- toYaml .Values.resources | nindent 10 }}
         securityContext:
           allowPrivilegeEscalation: false
+# Only runAsNonRoot when not using rolesAnywhere
+{{- if ne true (default .Values.global.aws.rolesAnywhere.enabled false) }}
+          runAsNonRoot: true
+{{- end }}
           capabilities:
             drop:
              - "ALL"
         volumeMounts:
         - mountPath: /tmp/k8s-webhook-server/serving-certs
           name: webhook-cert
+{{- if .Values.global.aws.rolesAnywhere.enabled }}
+        - mountPath: /aws-config
+          name: spiffe
+          readOnly: true
+{{- end }}
 {{- if eq "false" (.Values.global.otterizeCloud.useCloudToGenerateTLSCredentials | toString) }}
         - mountPath: {{ .Values.spire.socketsPath }}
           name: spire-agent-socket
@@ -222,15 +241,24 @@ spec:
           name: api-extra-ca-pem
           readOnly: true
         {{- end }}
-      securityContext:
-        runAsNonRoot: true
       terminationGracePeriodSeconds: 10
       volumes:
 {{- if eq "false" (.Values.global.otterizeCloud.useCloudToGenerateTLSCredentials | toString) }}
       - hostPath:
           path: {{ .Values.spire.socketsPath }}
           type: Directory
         name: spire-agent-socket
+{{- end }}
+{{- if .Values.global.aws.rolesAnywhere.enabled }}
+      - name: spiffe
+        csi:
+          driver: spiffe.csi.cert-manager.io
+          readOnly: true
+          volumeAttributes:
+            aws.spiffe.csi.cert-manager.io/trust-profile: {{ .Values.global.aws.rolesAnywhere.credentialsOperatorTrustProfileARN | quote }}
+            aws.spiffe.csi.cert-manager.io/trust-anchor: {{ .Values.global.aws.rolesAnywhere.trustAnchorARN | quote }}
+            aws.spiffe.csi.cert-manager.io/role: {{ .Values.aws.roleARN | quote }}
+            aws.spiffe.csi.cert-manager.io/enable: "true"
 {{- end }}
       {{ if .Values.global.otterizeCloud.apiExtraCAPEMSecret }}
       - name: api-extra-ca-pem

credentials-operator/templates/credentials-operator-mutating-webhook-configuration.yaml

@@ -4,6 +4,11 @@ kind: MutatingWebhookConfiguration
 metadata:
   creationTimestamp: null
   name: otterize-credentials-operator-mutating-webhook-configuration
+{{- if .Values.global.aws.rolesAnywhere.enabled }}
+  labels:
+    app.kubernetes.io/part-of: otterize
+    app.kubernetes.io/component: credentials-operator
+{{- end }}
 webhooks:
   - admissionReviewVersions:
     - v1

credentials-operator/templates/rbac-certmgr.yaml

@@ -0,0 +1,26 @@
+{{- if .Values.global.aws.rolesAnywhere.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: creds-operator-certificaterequest-creator
+  namespace: otterize-system
+rules:
+  - apiGroups: ["cert-manager.io"]
+    resources: ["certificaterequests"]
+    verbs: ["create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: credentials-operator-certificaterequest
+  namespace: otterize-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: creds-operator-certificaterequest-creator
+subjects:
+  - kind: ServiceAccount
+    name: credentials-operator-controller-manager
+    namespace: otterize-system
+---
+{{- end }}

credentials-operator/values.yaml

@@ -46,6 +46,8 @@ global:
   aws:
     enabled: false
     useSoftDelete: false
+    rolesAnywhere:
+      enabled: false
     eksClusterNameOverride:
     roleARN:
 

intents-operator/templates/intents-operator-deployment.yaml

@@ -198,7 +198,22 @@ spec:
           - name: OTTERIZE_EXP_ENABLE_EGRESS_NETWORK_POLICIES
             value: "true"
           {{- end }}
+          {{- if .Values.global.aws.rolesAnywhere.enabled }}
+          - name: OTTERIZE_TRUST_DOMAIN
+            value: {{ .Values.global.aws.rolesAnywhere.trustDomain | quote }}
+          - name: OTTERIZE_TRUST_ANCHOR_ARN
+            value: {{ .Values.global.aws.rolesAnywhere.trustAnchorARN | quote }}
+          - name: AWS_SHARED_CREDENTIALS_FILE
+            value: "/aws-config/credentials"
+          - name: AWS_REGION
+            value: {{ .Values.global.aws.region | quote }}
+          {{- end }}
         volumeMounts:
+{{- if .Values.global.aws.rolesAnywhere.enabled }}
+        - mountPath: /aws-config
+          name: spiffe
+          readOnly: true
+{{- end }}
         - mountPath: /controller_manager_config.yaml
           name: manager-config
           subPath: controller_manager_config.yaml
@@ -234,8 +249,10 @@ spec:
             memory: 64Mi
         securityContext:
           allowPrivilegeEscalation: false
-      securityContext:
-        runAsNonRoot: true
+# Only runAsNonRoot when not using rolesAnywhere
+{{- if ne true (default .Values.global.aws.rolesAnywhere.enabled false) }}
+          runAsNonRoot: true
+{{- end }}
       serviceAccountName: intents-operator-controller-manager
       terminationGracePeriodSeconds: 10
       volumes:
@@ -261,4 +278,15 @@ spec:
         secret:
           secretName: {{ .Values.global.otterizeCloud.apiExtraCAPEMSecret }}
       {{ end }}
-      - name: cert
+{{- if .Values.global.aws.rolesAnywhere.enabled }}
+      - name: spiffe
+        csi:
+          driver: spiffe.csi.cert-manager.io
+          readOnly: true
+          volumeAttributes:
+            aws.spiffe.csi.cert-manager.io/trust-profile: {{ .Values.global.aws.rolesAnywhere.intentsOperatorTrustProfileARN | quote }}
+            aws.spiffe.csi.cert-manager.io/trust-anchor: {{ .Values.global.aws.rolesAnywhere.trustAnchorARN | quote }}
+            aws.spiffe.csi.cert-manager.io/role: {{ .Values.aws.roleARN | quote }}
+            aws.spiffe.csi.cert-manager.io/enable: "true"
+{{- end }}
+      - name: cert

intents-operator/templates/rbac-certmgr.yaml

@@ -0,0 +1,25 @@
+{{- if .Values.global.aws.rolesAnywhere.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: intents-operator-certificaterequest-creator
+  namespace: otterize-system
+rules:
+  - apiGroups: ["cert-manager.io"]
+    resources: ["certificaterequests"]
+    verbs: ["create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: intents-operator-certificaterequest
+  namespace: otterize-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: intents-operator-certificaterequest-creator
+subjects:
+  - kind: ServiceAccount
+    name: intents-operator-controller-manager
+    namespace: otterize-system
+{{- end }}

intents-operator/values.yaml

@@ -70,6 +70,8 @@ global:
 
   aws:
     enabled: false
+    rolesAnywhere:
+      enabled: false
     eksClusterNameOverride:
 
   azure:

otterize-kubernetes/values.yaml

@@ -7,6 +7,8 @@ global:
 
   aws:
     enabled: false
+    rolesAnywhere:
+      enabled: false
     useSoftDelete: false
     eksClusterNameOverride: