From ccea941d612b83113ea639ac2f3ef20aea7e7d12 Mon Sep 17 00:00:00 2001
From: Bryant Biggs
Date: Thu, 3 Oct 2024 10:43:01 -0500
Subject: [PATCH] chore: Deprecate the sigV4 proxy in favor of moving to upstream repository
---
README.md | 3 +-
.../.helmignore | 23 -------
.../Chart.yaml | 12 ----
.../README.md | 42 -------------
.../templates/NOTES.txt | 2 -
.../templates/_helpers.tpl | 63 -------------------
.../templates/deployment.yaml | 39 ------------
.../templates/rbac.yaml | 29 ---------
.../templates/service.yaml | 14 -----
.../templates/serviceaccount.yaml | 9 ---
.../templates/webhook.yaml | 41 ------------
.../values.yaml | 35 -----------
12 files changed, 2 insertions(+), 310 deletions(-)
delete mode 100644 stable/aws-sigv4-proxy-admission-controller/.helmignore
delete mode 100644 stable/aws-sigv4-proxy-admission-controller/Chart.yaml
delete mode 100644 stable/aws-sigv4-proxy-admission-controller/README.md
delete mode 100644 stable/aws-sigv4-proxy-admission-controller/templates/NOTES.txt
delete mode 100644 stable/aws-sigv4-proxy-admission-controller/templates/_helpers.tpl
delete mode 100644 stable/aws-sigv4-proxy-admission-controller/templates/deployment.yaml
delete mode 100644 stable/aws-sigv4-proxy-admission-controller/templates/rbac.yaml
delete mode 100644 stable/aws-sigv4-proxy-admission-controller/templates/service.yaml
delete mode 100644 stable/aws-sigv4-proxy-admission-controller/templates/serviceaccount.yaml
delete mode 100644 stable/aws-sigv4-proxy-admission-controller/templates/webhook.yaml
delete mode 100644 stable/aws-sigv4-proxy-admission-controller/values.yaml
diff --git a/README.md b/README.md
index 1e0139865..f18d362e3 100644
--- a/README.md
+++ b/README.md
@@ -40,7 +40,8 @@ helm repo add eks https://aws.github.io/eks-charts
 ### AWS SIGv4 Proxy Admission Controller
-* [aws-sigv4-proxy-admission-controller](stable/aws-sigv4-proxy-admission-controller): A helm chart for [AWS SIGv4 Proxy Admission Controller](https://github.com/aws-observability/aws-sigv4-proxy-admission-controller)
+> [!WARNING]
+> This Helm chart is now deprecated. Please see the current chart located in the [AWS SIGv4 Proxy Admission Controller](https://github.com/aws-observability/aws-sigv4-proxy-admission-controller) repository which is now published on Public ECR
 ### AWS Secrets Manager and Config Provider for Secret Store CSI Driver
diff --git a/stable/aws-sigv4-proxy-admission-controller/.helmignore b/stable/aws-sigv4-proxy-admission-controller/.helmignore
deleted file mode 100644
index 0e8a0eb36..000000000
--- a/stable/aws-sigv4-proxy-admission-controller/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/stable/aws-sigv4-proxy-admission-controller/Chart.yaml b/stable/aws-sigv4-proxy-admission-controller/Chart.yaml
deleted file mode 100644
index 143e7eed7..000000000
--- a/stable/aws-sigv4-proxy-admission-controller/Chart.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: v1
-name: aws-sigv4-proxy-admission-controller
-description: AWS SIGv4 Admission Controller Helm Chart for Kubernetes
-version: 0.1.2
-appVersion: 1.0
-home: https://github.com/aws/eks-charts
-icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png
-sources:
- - https://github.com/aws/eks-charts
-maintainers:
- - name: AWS Observability Team
- url: https://github.com/aws-observability
diff --git a/stable/aws-sigv4-proxy-admission-controller/README.md b/stable/aws-sigv4-proxy-admission-controller/README.md
deleted file mode 100644
index 71aea6235..000000000
--- a/stable/aws-sigv4-proxy-admission-controller/README.md
+++ /dev/null
@@ -1,42 +0,0 @@
-# AWS SIGv4 Admission Controller
-
-A helm chart for [AWS SIGv4 Admission Controller](https://github.com/aws-observability/aws-sigv4-proxy-admission-controller)
-
-## Installing the Chart
-
-Add the EKS repository to Helm:
-
-```bash
-helm repo add eks https://aws.github.io/eks-charts
-```
-
-Install the AWS SIGv4 Admission Controller chart with default configuration:
-
-```bash
-helm install aws-sigv4-proxy-admission-controller eks/aws-sigv4-proxy-admission-controller --namespace
-```
-
-## Uninstalling the Chart
-
-To uninstall/delete the `aws-sigv4-proxy-admission-controller` release:
-
-```bash
-helm uninstall aws-sigv4-proxy-admission-controller --namespace
-```
-
-## Configuration
-
-| Parameter | Description | Default
-| - | - | -
-| `nameOverride` | Used to override name of chart | `""`
-| `fullnameOverride` | Used to override the full name of the application | `""`
-| `replicaCount` | Number of replicas | `1`
-| `image.repository` | Repository of image to pull for deployment | `public.ecr.aws/aws-observability/aws-sigv4-proxy-admission-controller`
-| `image.tag` | Tag of image to pull from repository | `1.0`
-| `image.pullPolicy` | Policy of how to pull image | `IfNotPresent`
-| `env.awsSigV4ProxyImage` | Image URI of sidecar container for AWS SIGv4 Proxy | `public.ecr.aws/aws-observability/aws-sigv4-proxy:1.0`
-| `serviceAccount.create` | Whether to create a service account or not | `true`
-| `serviceAccount.name` | The name of the service account to create or use | `""`
-| `rbac.create` | Whether to create rbac resources or not | `true`
-| `webhookService.port` | Incoming port used by webhook service | `443`
-| `webhookService.targetPort` | Target port used by webhook service | `443`
\ No newline at end of file
diff --git a/stable/aws-sigv4-proxy-admission-controller/templates/NOTES.txt b/stable/aws-sigv4-proxy-admission-controller/templates/NOTES.txt
deleted file mode 100644
index 71945c69d..000000000
--- a/stable/aws-sigv4-proxy-admission-controller/templates/NOTES.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-{{ .Release.Name }} has been installed or updated. To check the status of pods, run:
-kubectl get pods -n {{ .Release.Namespace }}
\ No newline at end of file
diff --git a/stable/aws-sigv4-proxy-admission-controller/templates/_helpers.tpl b/stable/aws-sigv4-proxy-admission-controller/templates/_helpers.tpl
deleted file mode 100644
index cc3c5d65b..000000000
--- a/stable/aws-sigv4-proxy-admission-controller/templates/_helpers.tpl
+++ /dev/null
@@ -1,63 +0,0 @@
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "aws-sigv4-proxy-admission-controller.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "aws-sigv4-proxy-admission-controller.fullname" -}}
-{{- if .Values.fullnameOverride -}}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "aws-sigv4-proxy-admission-controller.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Common labels
-*/}}
-{{- define "aws-sigv4-proxy-admission-controller.labels" -}}
-helm.sh/chart: {{ include "aws-sigv4-proxy-admission-controller.chart" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end }}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "aws-sigv4-proxy-admission-controller.serviceAccountName" -}}
- {{ default (include "aws-sigv4-proxy-admission-controller.fullname" .) .Values.serviceAccount.name }}
-{{- end -}}
-
-{{/*
-Generate certificates for webhook
-*/}}
-{{- define "aws-sigv4-proxy-admission-controller.gen-certs" -}}
-{{- $fullName := ( include "aws-sigv4-proxy-admission-controller.fullname" . ) -}}
-{{- $serviceName := ( printf "%s-%s" $fullName "webhook-service" ) -}}
-{{- $altNames := list ( printf "%s.%s" $serviceName .Release.Namespace ) ( printf "%s.%s.svc" $serviceName .Release.Namespace ) -}}
-{{- $ca := genCA "aws-sigv4-proxy-admission-controller-ca" 3650 -}}
-{{- $cert := genSignedCert $fullName nil $altNames 3650 $ca -}}
-caCert: {{ $ca.Cert | b64enc }}
-clientCert: {{ $cert.Cert | b64enc }}
-clientKey: {{ $cert.Key | b64enc }}
-{{- end -}}
\ No newline at end of file
diff --git a/stable/aws-sigv4-proxy-admission-controller/templates/deployment.yaml b/stable/aws-sigv4-proxy-admission-controller/templates/deployment.yaml
deleted file mode 100644
index 48deabba5..000000000
--- a/stable/aws-sigv4-proxy-admission-controller/templates/deployment.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: {{ template "aws-sigv4-proxy-admission-controller.fullname" . }}-webhook-deployment
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ template "aws-sigv4-proxy-admission-controller.fullname" . }}
-{{ include "aws-sigv4-proxy-admission-controller.labels" . | indent 4 }}
-spec:
- replicas: {{ .Values.replicaCount }}
- selector:
- matchLabels:
- app: {{ template "aws-sigv4-proxy-admission-controller.fullname" . }}
- template:
- metadata:
- labels:
- app: {{ template "aws-sigv4-proxy-admission-controller.fullname" . }}
- spec:
- serviceAccountName: {{ template "aws-sigv4-proxy-admission-controller.serviceAccountName" . }}
- containers:
- - name: {{ template "aws-sigv4-proxy-admission-controller.fullname" . }}
- image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
- imagePullPolicy: {{ .Values.image.pullPolicy }}
- args:
- - -tlsCertFile=/etc/webhook/certs/cert.pem
- - -tlsKeyFile=/etc/webhook/certs/key.pem
- ports:
- - containerPort: {{ .Values.webhookService.targetPort }}
- volumeMounts:
- - name: webhook-certs
- mountPath: /etc/webhook/certs
- readOnly: true
- env:
- - name: AWS-SIGV4-PROXY-IMAGE
- value: {{ .Values.env.awsSigV4ProxyImage }}
- volumes:
- - name: webhook-certs
- secret:
- secretName: {{ template "aws-sigv4-proxy-admission-controller.fullname" . }}-webhook-certs
\ No newline at end of file
diff --git a/stable/aws-sigv4-proxy-admission-controller/templates/rbac.yaml b/stable/aws-sigv4-proxy-admission-controller/templates/rbac.yaml
deleted file mode 100644
index d32e62c8f..000000000
--- a/stable/aws-sigv4-proxy-admission-controller/templates/rbac.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-{{- if .Values.rbac.create }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: {{ template "aws-sigv4-proxy-admission-controller.fullname" . }}-role
- namespace: {{ .Release.Namespace }}
- labels:
-{{ include "aws-sigv4-proxy-admission-controller.labels" . | indent 4 }}
-rules:
- - apiGroups: [""]
- resources: [namespaces]
- verbs: [get, list]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: {{ template "aws-sigv4-proxy-admission-controller.fullname" . }}-rolebinding
- namespace: {{ .Release.Namespace }}
- labels:
-{{ include "aws-sigv4-proxy-admission-controller.labels" . | indent 4 }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: {{ template "aws-sigv4-proxy-admission-controller.fullname" . }}-role
-subjects:
- - kind: ServiceAccount
- name: {{ template "aws-sigv4-proxy-admission-controller.serviceAccountName" . }}
- namespace: {{ .Release.Namespace }}
-{{- end }}
\ No newline at end of file
diff --git a/stable/aws-sigv4-proxy-admission-controller/templates/service.yaml b/stable/aws-sigv4-proxy-admission-controller/templates/service.yaml
deleted file mode 100644
index fa9c6d1ee..000000000
--- a/stable/aws-sigv4-proxy-admission-controller/templates/service.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ template "aws-sigv4-proxy-admission-controller.fullname" . }}-webhook-service
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ template "aws-sigv4-proxy-admission-controller.fullname" . }}
-{{ include "aws-sigv4-proxy-admission-controller.labels" . | indent 4 }}
-spec:
- ports:
- - port: {{ .Values.webhookService.port }}
- targetPort: {{ .Values.webhookService.targetPort }}
- selector:
- app: {{ template "aws-sigv4-proxy-admission-controller.fullname" . }}
\ No newline at end of file
diff --git a/stable/aws-sigv4-proxy-admission-controller/templates/serviceaccount.yaml b/stable/aws-sigv4-proxy-admission-controller/templates/serviceaccount.yaml
deleted file mode 100644
index 65e97a060..000000000
--- a/stable/aws-sigv4-proxy-admission-controller/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-{{- if .Values.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ template "aws-sigv4-proxy-admission-controller.serviceAccountName" . }}
- namespace: {{ .Release.Namespace }}
- labels:
-{{ include "aws-sigv4-proxy-admission-controller.labels" . | indent 4 }}
-{{- end -}}
\ No newline at end of file
diff --git a/stable/aws-sigv4-proxy-admission-controller/templates/webhook.yaml b/stable/aws-sigv4-proxy-admission-controller/templates/webhook.yaml
deleted file mode 100644
index c41e2056a..000000000
--- a/stable/aws-sigv4-proxy-admission-controller/templates/webhook.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
-{{ $tls := fromYaml ( include "aws-sigv4-proxy-admission-controller.gen-certs" . ) }}
----
-{{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }}
-apiVersion: admissionregistration.k8s.io/v1
-{{- else }}
-apiVersion: admissionregistration.k8s.io/v1beta1
-{{- end }}
-kind: MutatingWebhookConfiguration
-metadata:
- name: {{ template "aws-sigv4-proxy-admission-controller.fullname" . }}-webhook-config
- labels:
- app: {{ template "aws-sigv4-proxy-admission-controller.fullname" . }}
-{{ include "aws-sigv4-proxy-admission-controller.labels" . | indent 4 }}
-webhooks:
- - name: {{ template "aws-sigv4-proxy-admission-controller.fullname" . }}.k8s.aws
- clientConfig:
- service:
- name: {{ template "aws-sigv4-proxy-admission-controller.fullname" . }}-webhook-service
- namespace: {{ .Release.Namespace }}
- path: "/mutate"
- caBundle: {{ $tls.caCert }}
- rules:
- - operations: [ "CREATE" ]
- apiGroups: ["apps", ""]
- apiVersions: ["v1"]
- resources: ["pods"]
- sideEffects: None
- admissionReviewVersions:
- - v1beta1
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ template "aws-sigv4-proxy-admission-controller.fullname" . }}-webhook-certs
- namespace: {{ .Release.Namespace }}
- labels:
-{{ include "aws-sigv4-proxy-admission-controller.labels" . | indent 4 }}
-type: Opaque
-data:
- cert.pem: {{ $tls.clientCert }}
- key.pem: {{ $tls.clientKey }}
diff --git a/stable/aws-sigv4-proxy-admission-controller/values.yaml b/stable/aws-sigv4-proxy-admission-controller/values.yaml
deleted file mode 100644
index ed7ab8444..000000000
--- a/stable/aws-sigv4-proxy-admission-controller/values.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-# nameOverride: Used to override name of chart
-nameOverride: ""
-# fullnameOverride: Used to override the full name of the application
-fullnameOverride: ""
-
-# replicaCount: Number of replicas
-replicaCount: 1
-
-image:
- # image.repository: Repository of image to pull for deployment
- repository: public.ecr.aws/aws-observability/aws-sigv4-proxy-admission-controller
- # image.tag: Tag of image to pull from repository
- tag: "1.0"
- # image.pullPolicy: Policy of how to pull image
- pullPolicy: IfNotPresent
-
-env:
- # env.awsSigV4ProxyImage: Image URI of sidecar container for AWS SIGv4 Proxy
- awsSigV4ProxyImage: public.ecr.aws/aws-observability/aws-sigv4-proxy:1.0
-
-serviceAccount:
- # serviceAccount.create: Whether to create a service account or not
- create: true
- # serviceAccount.name: The name of the service account to create or use
- name: ""
-
-rbac:
- # rbac.create: Whether to create rbac resources or not
- create: true
-
-webhookService:
- # webhookService.port: Incoming port used by webhook service
- port: 443
- # webhookService.targetPort: Target port used by webhook service
- targetPort: 443
\ No newline at end of file