# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. apiVersion: apps/v1 kind: Deployment metadata: name: {{ include "amazon-eks-pod-identity-webhook.fullname" . }} labels: {{- include "amazon-eks-pod-identity-webhook.labels" . | nindent 4 }} spec: replicas: {{ .Values.replicaCount }} selector: matchLabels: {{- include "amazon-eks-pod-identity-webhook.selectorLabels" . | nindent 6 }} template: metadata: labels: {{- include "amazon-eks-pod-identity-webhook.selectorLabels" . | nindent 8 }} spec: serviceAccountName: {{ include "amazon-eks-pod-identity-webhook.fullname" . }} {{- if .Values.fargate }} initContainers: - name: sleep image: {{ .Values.baseImage }} imagePullPolicy: Always command: - sleep - {{ .Values.sleep | quote }} {{- end }} containers: - name: webhook image: {{ .Values.image }} imagePullPolicy: Always command: - /webhook - --in-cluster=false - --namespace={{ .Release.Namespace }} - --service-name={{ include "amazon-eks-pod-identity-webhook.fullname" . }} - --tls-secret={{ include "amazon-eks-pod-identity-webhook.fullname" . }} - --annotation-prefix=eks.amazonaws.com - --token-audience=sts.amazonaws.com - --token-expiration={{ .Values.webhook.tokenExpiration }} - --aws-default-region={{ .Values.webhook.defaultRegion }} - --sts-regional-endpoint={{ .Values.webhook.stsRegionalEndpoint }} - --metrics-port={{ .Values.webhook.metricsPort }} - --port={{ .Values.webhook.port }} - --logtostderr volumeMounts: - name: cert mountPath: /etc/webhook/certs readOnly: true volumes: - name: cert secret: secretName: {{ include "amazon-eks-pod-identity-webhook.secretName" . }} {{- with .Values.affinity }} affinity: {{ toYaml . | indent 8 }} {{- end }} --- apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: name: selfsigned spec: selfSigned: {} --- apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: {{ include "amazon-eks-pod-identity-webhook.fullname" . }} namespace: {{ .Release.Namespace }} spec: secretName: {{ include "amazon-eks-pod-identity-webhook.secretName" . }} commonName: "pod-identity-webhook.default.svc" dnsNames: - "eks-distro-pod-identity-webhook" - "eks-distro-pod-identity-webhook.default" - "eks-distro-pod-identity-webhook.default.svc" - "eks-distro-pod-identity-webhook.default.svc.local" isCA: true duration: 2160h # 90d renewBefore: 360h # 15d issuerRef: name: selfsigned kind: ClusterIssuer