Add IRSA injection

Author: yorinasub17

charts/k8s-service/templates/deployment.yaml

@@ -13,10 +13,15 @@ Similarly, we need to decide whether or not there are environment variables to a
 We need this because certain sections are omitted if there are no volumes or environment variables to add.
 */ -}}
 {{/* Go Templates do not support variable updating, so we simulate it using dictionaries */}}
-{{- $hasInjectionTypes := dict "hasVolume" false "hasEnvVars" false -}}
+{{- $hasInjectionTypes := dict "hasVolume" false "hasEnvVars" false "hasIRSA" false -}}
 {{- if .Values.envVars -}}
   {{- $_ := set $hasInjectionTypes "hasEnvVars" true -}}
 {{- end -}}
+{{- if gt (len .Values.aws.irsa.role_arn) 0 -}}
+  {{- $_ := set $hasInjectionTypes "hasEnvVars" true -}}
+  {{- $_ := set $hasInjectionTypes "hasVolume" true -}}
+  {{- $_ := set $hasInjectionTypes "hasIRSA" true -}}
+{{- end -}}
 {{- $allSecrets := values .Values.secrets -}}
 {{- range $allSecrets -}}
   {{- if eq (index . "as") "volume" -}}
@@ -163,6 +168,12 @@ spec:
           {{- if index $hasInjectionTypes "hasEnvVars" }}
           env:
           {{- end }}
+          {{- if index $hasInjectionTypes "hasIRSA" }}
+            - name: AWS_ROLE_ARN
+              value: "{{ .Values.aws.irsa.role_arn }}"
+            - name: AWS_WEB_IDENTITY_TOKEN_FILE
+              value: /var/run/secrets/eks.amazonaws.com/serviceaccount/token
+          {{- end }}
           {{- range $key, $value := .Values.envVars }}
             - name: {{ $key }}
               value: {{ quote $value }}
@@ -195,6 +206,11 @@ spec:
           {{- if index $hasInjectionTypes "hasVolume" }}
           volumeMounts:
           {{- end }}
+          {{- if index $hasInjectionTypes "hasIRSA" }}
+            - name: aws-iam-token
+              mountPath: /var/run/secrets/eks.amazonaws.com/serviceaccount
+              readOnly: true
+          {{- end }}
           {{- range $name, $value := .Values.configMaps }}
             {{- if eq $value.as "volume" }}
             - name: {{ $name }}-volume
@@ -227,6 +243,16 @@ spec:
     {{- if index $hasInjectionTypes "hasVolume" }}
       volumes:
     {{- end }}
+    {{- if index $hasInjectionTypes "hasIRSA" }}
+        - name: aws-iam-token
+          projected:
+            defaultMode: 420
+            sources:
+              - serviceAccountToken:
+                  audience: sts.amazonaws.com
+                  expirationSeconds: 86400
+                  path: token
+    {{- end }}
     {{- range $name, $value := .Values.configMaps }}
       {{- if eq $value.as "volume" }}
         - name: {{ $name }}-volume

charts/k8s-service/values.yaml

@@ -359,6 +359,35 @@ tolerations: []
 # list is a string that corresponds to the Secret name.
 imagePullSecrets: []
 
+#----------------------------------------------------------------------------------------------------------------------
+# AWS SPECIFIC VALUES
+# These input values relate to AWS specific features, such as those relating to EKS and the AWS ALB Ingress Controller.
+#----------------------------------------------------------------------------------------------------------------------
+aws:
+  # irsa can be used to configure the projected tokens used in the IAM Roles for Service Accounts feature. This is
+  # useful if you are manually annotating the projected tokens into your Pods, instead of relying on the mutating
+  # admission hook.
+  #
+  # irsa is a map and expects the following keys:
+  #   - role_arn     (string) (required) : The AWS ARN that the Service Account associated with the Pod should assume.
+  #                                        Note that the projected token will not be mounted and the environment
+  #                                        variables will not be set if this is an empty string (the default).
+  #
+  # Note that you can not use any role with the IRSA feature. It must have the proper assume role IAM policy to allow
+  # the Service Account of the Pod to assume that role. See
+  # https://docs.aws.amazon.com/eks/latest/userguide/create-service-account-iam-policy-and-role.html for more
+  # information.
+  #
+  # EXAMPLE:
+  #
+  # aws:
+  #   irsa:
+  #     role_arn: "arn:aws:iam::123456789012:role/role-for-pod"
+  #
+  irsa:
+    role_arn: ""
+
+
 #----------------------------------------------------------------------------------------------------------------------
 # GOOGLE SPECIFIC VALUES
 # google specifies Google (GKE) specific configuration to be set via arguments/env. variables

test/k8s_service_template_test.go

@@ -142,7 +142,7 @@ func TestK8SServiceSecurityContextAnnotationRenderCorrectly(t *testing.T) {
 		t,
 		map[string]string{
 			"securityContext.privileged": "true",
-			"securityContext.runAsUser": "1000",
+			"securityContext.runAsUser":  "1000",
 		},
 	)
 	renderedContainers := deployment.Spec.Template.Spec.Containers
@@ -524,6 +524,58 @@ func TestK8SServiceWithContainerCommandHasCommandSpec(t *testing.T) {
 	assert.Equal(t, appContainer.Command, []string{"echo", "Hello world"})
 }
 
+// Test that omitting aws.irsa.role_arn does not render the IRSA vars
+func TestK8SServiceWithoutIRSA(t *testing.T) {
+	t.Parallel()
+
+	deployment := renderK8SServiceDeploymentWithSetValues(
+		t,
+		map[string]string{},
+	)
+	renderedPodSpec := deployment.Spec.Template.Spec
+	assert.Equal(t, len(renderedPodSpec.Volumes), 0)
+	renderedPodContainers := renderedPodSpec.Containers
+	require.Equal(t, len(renderedPodContainers), 1)
+	appContainer := renderedPodContainers[0]
+	assert.Equal(t, len(appContainer.Env), 0)
+}
+
+// Test that setting aws.irsa.role_arn renders the IRSA vars
+func TestK8SServiceWithIRSA(t *testing.T) {
+	t.Parallel()
+
+	testRoleArn := "arn:aws:iam::123456789012:role/test-role"
+	deployment := renderK8SServiceDeploymentWithSetValues(
+		t,
+		map[string]string{
+			"aws.irsa.role_arn": testRoleArn,
+		},
+	)
+	renderedPodSpec := deployment.Spec.Template.Spec
+
+	// Verify projected volume
+	require.Equal(t, len(renderedPodSpec.Volumes), 1)
+	volume := renderedPodSpec.Volumes[0]
+	assert.Equal(t, volume.Name, "aws-iam-token")
+	require.NotNil(t, volume.VolumeSource.Projected)
+	projectedVolume := volume.VolumeSource.Projected
+	require.Equal(t, len(projectedVolume.Sources), 1)
+	projectedVolumeSource := projectedVolume.Sources[0]
+	require.NotNil(t, projectedVolumeSource.ServiceAccountToken)
+	assert.Equal(t, projectedVolumeSource.ServiceAccountToken.Audience, "sts.amazonaws.com")
+
+	// Verify injected env vars
+	renderedPodContainers := renderedPodSpec.Containers
+	require.Equal(t, len(renderedPodContainers), 1)
+	appContainer := renderedPodContainers[0]
+	assert.Equal(t, len(appContainer.Env), 2)
+	roleArnEnv := appContainer.Env[0]
+	assert.Equal(t, roleArnEnv.Name, "AWS_ROLE_ARN")
+	assert.Equal(t, roleArnEnv.Value, testRoleArn)
+	tokenEnv := appContainer.Env[1]
+	assert.Equal(t, tokenEnv.Name, "AWS_WEB_IDENTITY_TOKEN_FILE")
+	assert.Equal(t, tokenEnv.Value, "/var/run/secrets/eks.amazonaws.com/serviceaccount/token")
+}
 
 // Test that providing tls configuration to Ingress renders correctly
 func TestK8SServiceIngressMultiCert(t *testing.T) {