Merge pull request #11 from doitintl/gke-autopilot

deploy on GKE autopilot

Author: alexei-led

README.md

@@ -2,8 +2,6 @@
 
 # Securely access AWS Services from GKE cluster
 
-> :attention: GKE Autopilot deployment is not supported due to the [limitations](https://cloud.google.com/kubernetes-engine/docs/concepts/autopilot-overview#webhooks_limitations)
-
 Ever wanted to access AWS services from Google Kubernetes cluster (GKE) without using AWS IAM credentials?
 
 This solution can help you to get and exchange Google OIDC token for temporary AWS IAM security credentials are generated by AWS STS service. This approach allows you to access AWS services form a GKE cluster without pre-generated long-living AWS credentials.
@@ -89,6 +87,19 @@ certificatesigningrequest.certificates.k8s.io/gtoken-webhook-svc.default approve
 secret/gtoken-webhook-certs configured
 ```
 
+**Note** Gor GKE Autopilot, run the [webhook-create-self-signed-cert.sh](https://github.com/doitintl/gtoken/blob/master/deployment/webhook-create-self-signed-cert.sh) script to generate a self-signed certificate.
+
+Export CA Bundle as environment variable:
+
+```sh
+export CA_BUNDLE=[output value of the previous script "Encoded CA:"]
+```
+
+Then, we’ll create the webhook service and deployment:
+
+```yaml
+```
+
 Create Kubernetes Service Account to be used with `gtoken-webhook`:
 
 ```sh

deployment/deployment.yaml

@@ -18,6 +18,10 @@ spec:
         - name: gtoken-webhook
           image: doitintl/gtoken-webhook
           imagePullPolicy: Always
+          resources:
+            requests:
+              cpu: 250m
+              memory: 512Mi
           args:
             - --log-level=debug
             - server

deployment/webhook-create-self-signed-cert.sh

@@ -0,0 +1,98 @@
+#!/bin/bash
+
+set -e
+
+usage() {
+    cat <<EOF
+Generate certificate suitable for use with an gtoken webhook service.
+
+This script generates self-signed certificate for the webhook. See
+https://www.velotio.com/engineering-blog/managing-tls-certificate-for-kubernetes-admission-webhook
+detailed explantion and additional instructions.
+
+The server key/cert k8s CA cert are stored in a k8s secret.
+
+usage: ${0} [OPTIONS]
+
+The following flags are required.
+
+       --service          Service name of webhook.
+       --namespace        Namespace where webhook service and secret reside.
+       --secret           Secret name for CA certificate and server certificate/key pair.
+EOF
+    exit 1
+}
+
+while [[ $# -gt 0 ]]; do
+    case ${1} in
+        --service)
+            service="$2"
+            shift
+            ;;
+        --secret)
+            secret="$2"
+            shift
+            ;;
+        --namespace)
+            namespace="$2"
+            shift
+            ;;
+        *)
+            usage
+            ;;
+    esac
+    shift
+done
+
+[ -z ${service} ] && service=gtoken-webhook-svc
+[ -z ${secret} ] && secret=gtoken-webhook-certs
+[ -z ${namespace} ] && namespace=default
+
+if [ ! -x "$(command -v openssl)" ]; then
+    echo "openssl not found"
+    exit 1
+fi
+
+csrName=${service}.${namespace}
+tmpdir=$(mktemp -d)
+echo "creating certs in tmpdir ${tmpdir} "
+
+cat <<EOF >> ${tmpdir}/csr.conf
+[req]
+req_extensions = v3_req
+distinguished_name = req_distinguished_name
+[req_distinguished_name]
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = @alt_names
+[alt_names]
+DNS.1 = ${service}
+DNS.2 = ${service}.${namespace}
+DNS.3 = ${service}.${namespace}.svc
+EOF
+
+# create CA and Server key/certificate
+openssl genrsa -out ${tmpdir}/ca.key 2048
+openssl req -x509 -newkey rsa:2048 -key ${tmpdir}/ca.key -out ${tmpdir}/ca.crt -days 1825 -nodes -subj "/CN=${service}.${namespace}.svc"
+
+# create server key/certificate
+openssl genrsa -out ${tmpdir}/server.key 2048
+openssl req -new -key ${tmpdir}/server.key -subj "/CN=${service}.${namespace}.svc" -out ${tmpdir}/server.csr -config ${tmpdir}/csr.conf
+
+# Self sign
+openssl x509 -extensions v3_req -req -days 1825 -in ${tmpdir}/server.csr -CA ${tmpdir}/ca.crt -CAkey ${tmpdir}/ca.key -CAcreateserial -out ${tmpdir}/server.crt -extfile ${tmpdir}/csr.conf
+
+# create the secret with CA cert and server cert/key
+kubectl create secret generic ${secret} \
+        --from-file=key.pem=${tmpdir}/server.key \
+        --from-file=cert.pem=${tmpdir}/server.crt \
+        --dry-run=client -o yaml |
+    kubectl -n ${namespace} apply -f -
+
+# -a means base64 encode
+caBundle=$(cat ${tmpdir}/ca.crt | openssl enc -a -A)
+
+echo "Encoded CA:"
+echo -e "${caBundle} \n"

deployment/webhook-create-signed-cert.sh

@@ -129,3 +129,8 @@ kubectl create secret generic ${secret} \
         --from-file=cert.pem=${tmpdir}/server-cert.pem \
         --dry-run=client -o yaml |
     kubectl -n ${namespace} apply -f -
+
+# get CA bundle for use by webhook bootstrap
+caBundle=$(kubectl config view --raw --flatten -o json | jq -r '.clusters[] | select(.name == "'$(kubectl config current-context)'") | .cluster."certificate-authority-data"')
+echo "Encoded CA:"
+echo -e "${caBundle} \n"

deployment/webhook-patch-ca-bundle.sh

@@ -6,8 +6,10 @@ set -o errexit
 set -o nounset
 set -o pipefail
 
-
-export CA_BUNDLE=$(kubectl config view --raw --flatten -o json | jq -r '.clusters[] | select(.name == "'$(kubectl config current-context)'") | .cluster."certificate-authority-data"')
+if [[ -z "${CA_BUNDLE}" ]]; then
+    echo "CA_BUNDLE not set"
+    exit 1
+fi
 
 if command -v envsubst >/dev/null 2>&1; then
     envsubst