Merge remote-tracking branch 'teleport/main' into taras/sync-with-ups…

…tream

.github/workflows/cicd.yaml

@@ -0,0 +1,164 @@
+name: CICD
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+    tags: [v*]
+  workflow_dispatch:
+    inputs:
+      push_to_repo:
+        # This allows to manually trigger deployment of any branch to private repo
+        description: "Select repo type"
+        default: private
+        required: false
+        type: choice
+        options:
+          - private
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    name: Test application and helm chart
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+        with:
+          fetch-depth: 0
+      - name: Setup Go
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5
+        with:
+          go-version-file: go.mod
+          cache: true
+      - name: Run tets
+        run: make test
+      - name: Build helm chart
+        working-directory: charts/eks-pod-identity-agent
+        run: helm package . --version "1.2.3-dev" --app-version "4.5.6-dev"
+
+  build-and-push:
+    strategy:
+      matrix:
+        ecr_repo:
+          # environment protection rules allow to push to "release" env only from master branch of tags
+          - region: us-west-2
+            environment: release
+            type: private
+            push: ${{ github.event_name == 'push' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')) }}
+          - region: us-east-1
+            environment: release
+            type: public
+            push: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') }}
+          - region: us-west-2
+            environment: staging
+            type: private
+            push: true
+          - region: us-east-1
+            environment: staging
+            type: public
+            push: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') }}
+        exclude:
+          - ecr_repo:
+              push: false
+
+    name: Build and push Docker image and Helm chart
+    runs-on: ubuntu-latest
+    needs: [test]
+    environment: ${{ matrix.ecr_repo.environment }}
+    permissions:
+      contents: read
+      id-token: write # This is required for requesting the JWT, see https://github.com/aws-actions/configure-aws-credentials#OIDC
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup docker buildx
+        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3
+
+      - name: Configure AWS credentials for ECR Private
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4
+        with:
+          aws-region: ${{ matrix.ecr_repo.region }}
+          role-to-assume: ${{ vars.ECR_ROLE }}
+
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2
+        with:
+          registry-type: ${{ matrix.ecr_repo.type }}
+
+      - name: Prepare docker labels and tags
+        id: meta
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5
+        with:
+          images: |
+            name=${{ vars.PUBLIC_ECR_REPO }},enable=${{ matrix.ecr_repo.type == 'public' }}
+            name=${{ vars.PRIVATE_ECR_REPO }},enable=${{ matrix.ecr_repo.type == 'private' }}
+          flavor: |
+            latest=false
+          # Enable PR
+          # Enable sha tag on branch push events and workflow dispatches.
+          # Enable semver tags on tag push events, but don't overwrite major/minor tags for prereleases.
+          tags: |
+            type=ref,suffix=-{{ sha }},event=pr
+            type=sha,prefix={{branch}}-,suffix=-{{date 'YYYYMMDDTHHmmss'}},format=short,enable=${{ startsWith(github.ref, 'refs/heads/') }}
+            type=semver,pattern={{major}},event=tag,enable=${{ !contains(github.ref, '-') }}
+            type=semver,pattern={{major}}.{{minor}},event=tag,enable=${{ !contains(github.ref, '-') }}
+            type=semver,pattern={{version}},event=tag
+  
+      - name: Build the Docker image and push
+        uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6
+        with:
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          platforms: |
+            linux/amd64
+            linux/arm64
+
+      - name: Build and publish the Helm chart
+        working-directory: charts/eks-pod-identity-agent
+        env:
+          EVENT_TYPE: ${{ (github.event_name == 'push' && (startsWith(github.ref, 'refs/tags/v') && 'tag' ) || 'commit' ) || 'dispatch'}}
+          IMAGE_VERSION: ${{ steps.meta.outputs.version }}
+        run: |
+          # Determine chart version to set
+          case "${EVENT_TYPE}" in
+            tag)
+              CHART_VERSION="${GITHUB_REF_NAME}"
+              ;;
+            commit)
+              ;&
+            dispatch)
+              CHART_VERSION="$(git describe --tags --dirty --long --match "v[[:digit:]]*.[[:digit:]]*.[[:digit:]]*" || true)"
+              ;;
+            *)
+              echo "Unknown event type '${EVENT_TYPE}', workflow bug?" >&2
+              exit 1
+              ;;
+          esac
+
+          # Trim `v` prefix if exists
+          CHART_VERSION=${CHART_VERSION#v}
+          IMAGE_VERSION=${IMAGE_VERSION#v}
+          CHART_VERSION=${CHART_VERSION:-0.0.0-${IMAGE_VERSION}}
+
+          # Build/package the chart
+          echo "Setting chart version to ${CHART_VERSION} and image version to ${IMAGE_VERSION}"
+          helm package . --version "${CHART_VERSION}" --app-version "${IMAGE_VERSION}"
+          ARTIFACT_NAME=$(find . -name '*.tgz' -exec basename {} \; | head -n 1)
+
+          # Publish the chart
+          helm_repo=${{vars.HELM_PRIVATE_ECR_REPO}}
+          if [ "${{ matrix.ecr_repo.type}}" = "public" ]; then
+            helm_repo=${{vars.HELM_PUBLIC_ECR_REPO}}
+          fi
+
+          helm push "$ARTIFACT_NAME" "oci://$helm_repo"

README.md

@@ -12,6 +12,10 @@ The container credentials provider provides temporary credentials from an agent
 
 Visit [EKS user guide](https://docs.aws.amazon.com/eks/latest/userguide/pod-id-how-it-works.html)  to learn more about the Pod Identity feature.
 
+>[!NOTE]
+>This fork has extended capability to Chain-AssumeRole before passing it to the requester.
+>See [pkg/extensions/chainrole](./pkg/extensions/chainrole/) for details
+
 ## Building
 
 * `make build`  builds the Linux binaries.

charts/eks-pod-identity-agent/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: eks-pod-identity-agent
 type: application
 version: 1.2.0
-appVersion: 0.1.6
+appVersion: 0.1.10
 description: A Helm chart for eks-pod-identity-agent
 icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png
 

charts/eks-pod-identity-agent/templates/_helpers.tpl

@@ -57,6 +57,8 @@ The eks-pod-identity-agent image to use
 {{- define "eks-pod-identity-agent.image" -}}
 {{- if .Values.image.override }}
 {{- .Values.image.override }}
+{{- else if (contains "gravitational/eks-pod-identity-agent" .Values.image.containerRegistry ) }}
+{{- printf "%s:%s" .Values.image.containerRegistry (default .Chart.AppVersion .Values.image.tag) }}
 {{- else }}
 {{- printf "%s/eks/eks-pod-identity-agent:%s" .Values.image.containerRegistry .Values.image.tag }}
 {{- end }}

charts/eks-pod-identity-agent/templates/daemonset.yaml

@@ -22,6 +22,9 @@ spec:
     spec:
       priorityClassName: {{ .Values.priorityClassName }}
       hostNetwork: true
+      {{- if .Values.irsa.enabled }}
+      serviceAccountName: {{ include "eks-pod-identity-agent.fullname" . }}
+      {{- end }}
       terminationGracePeriodSeconds: 30
       {{- with .Values.tolerations }}
       tolerations:

charts/eks-pod-identity-agent/templates/serviceaccount.yaml

@@ -0,0 +1,11 @@
+{{- if .Values.irsa.enabled }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "eks-pod-identity-agent.fullname" . }}
+  annotations:
+    eks.amazonaws.com/role-arn: {{ .Values.irsa.service_account.role_arn }}
+    {{- with .Values.irsa.service_account.additionalAnnotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+{{- end -}}

charts/eks-pod-identity-agent/values.yaml

@@ -49,10 +49,8 @@ env:
 fullnameOverride: "eks-pod-identity-agent"
 
 image:
-  containerRegistry: "602401143452.dkr.ecr.us-west-2.amazonaws.com"
+  containerRegistry: "public.ecr.aws/gravitational/eks-pod-identity-agent"
   pullPolicy: Always
-  region: us-west-2
-  tag: 0.1.10
 
   # Set to use custom image
   # override: "repo/org/image:tag"
@@ -95,3 +93,12 @@ updateStrategy:
   type: RollingUpdate
   rollingUpdate:
     maxUnavailable: "10%"
+
+# This setting can be used to create service account and enable IRSA
+# instead of relying on EC2 instance credentials.
+# for enhanced security recommended to use together with AWS_EC2_METADATA_DISABLED=true
+irsa:
+  enabled: false
+  service_account:
+    role_arn: IRSA_ROLE_ARN
+    additionalAnnotations:

cmd/server.go

@@ -18,6 +18,9 @@ import (
 	"go.amzn.com/eks/eks-pod-identity-agent/internal/middleware/logger"
 	"go.amzn.com/eks/eks-pod-identity-agent/pkg/handlers"
 	"go.amzn.com/eks/eks-pod-identity-agent/pkg/server"
+
+	// extensions imports
+	"go.amzn.com/eks/eks-pod-identity-agent/pkg/extensions/chainrole"
 )
 
 var (
@@ -140,4 +143,6 @@ func init() {
 
 	serverCmd.Flags().StringVar(&overrideEksAuthEndpoint, "endpoint", "", "Override for EKS auth endpoint")
 
+	// extended cmd flags
+	chainrole.AddCMDFlags(serverCmd)
 }

go.mod

@@ -3,12 +3,16 @@ module go.amzn.com/eks/eks-pod-identity-agent
 go 1.22.5
 
 require (
-	github.com/aws/aws-sdk-go-v2 v1.26.1
+	github.com/aws/aws-sdk-go-v2 v1.30.4
 	github.com/aws/aws-sdk-go-v2/config v1.27.11
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.11
+	github.com/aws/aws-sdk-go-v2/service/eks v1.48.1
 	github.com/aws/aws-sdk-go-v2/service/eksauth v1.3.4
-	github.com/aws/smithy-go v1.20.2
+	github.com/aws/aws-sdk-go-v2/service/sts v1.28.6
+	github.com/aws/smithy-go v1.20.4
 	github.com/golang-jwt/jwt/v5 v5.2.0
 	github.com/onsi/gomega v1.27.8
+	github.com/prometheus/client_golang v1.20.3
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.7.0
 	github.com/stretchr/testify v1.9.0
@@ -19,25 +23,24 @@ require (
 )
 
 require (
-	github.com/aws/aws-sdk-go-v2/credentials v1.17.11 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.16 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.16 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sso v1.20.5 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.28.6 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/klauspost/compress v1.17.9 // indirect
+	github.com/kr/text v0.2.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/prometheus/client_golang v1.20.3 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/prometheus/common v0.55.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect