otterize · orishoshan · Nov 19, 2023 · Nov 18, 2023 · Nov 18, 2023 · Nov 18, 2023
diff --git a/src/operator/Makefile b/src/operator/Makefile
@@ -88,7 +88,8 @@ help: ## Display this help.
 
 .PHONY: manifests
 manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
-	$(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
+	$(CONTROLLER_GEN) rbac:roleName=credentials-operator-manager-role crd webhook paths="./..."
+	kubectl kustomize  ./config/webhook > ./config/webhook/manifests-patched
 
 .PHONY: generate
 generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.

diff --git a/src/operator/PROJECT b/src/operator/PROJECT
@@ -3,13 +3,14 @@ layout:
 - go.kubebuilder.io/v3
 plugins:
   manifests.sdk.operatorframework.io/v2: {}
-  scorecard.sdk.operatorframework.io/v2: {}
-projectName: spire-integration-operator
-repo: github.com/otterize/spire-integration-operator
+projectName: credentials-operator
+repo: github.com/otterize/credentials-operator
 resources:
 - controller: true
   group: core
   kind: Pod
   path: k8s.io/api/core/v1
   version: v1
+  webhooks:
+    webhookVersion: v1
 version: "3"
diff --git a/src/operator/README.md b/src/operator/README.md
@@ -41,7 +41,7 @@ This project aims to follow the Kubernetes [Operator pattern](https://kubernetes
 It uses [Controllers](https://kubernetes.io/docs/concepts/architecture/controller/) 
 which provides a reconcile function responsible for synchronizing resources untile the desired state is reached on the cluster 
 
-### Test It Out
+### Test it out
 1. Install a SPIRE server. You can use the [SPIRE server from the helm-charts repository](https://github.com/otterize/helm-charts/tree/main/spire).
 
 2. If you are running this locally against a SPIRE server, and did not install it using the [Otterize all-in-one helm chart](https://github.com/otterize/helm-charts/tree/main/otterize-kubernetes), then you need to create a SPIRE server entry for the operator:

diff --git a/src/operator/config/certmanager/certificate.yaml b/src/operator/config/certmanager/certificate.yaml
diff --git a/src/operator/config/certmanager/kustomization.yaml b/src/operator/config/certmanager/kustomization.yaml
diff --git a/src/operator/config/certmanager/kustomizeconfig.yaml b/src/operator/config/certmanager/kustomizeconfig.yaml
diff --git a/src/operator/config/rbac/role.yaml b/src/operator/config/rbac/role.yaml
@@ -3,7 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   creationTimestamp: null
-  name: manager-role
+  name: credentials-operator-manager-role
 rules:
 - apiGroups:
   - ""
@@ -27,6 +27,15 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - mutatingwebhookconfigurations
+  verbs:
+  - get
+  - list
+  - patch
+  - update
 - apiGroups:
   - apps
   resources:

diff --git a/src/operator/config/samples/kustomization.yaml b/src/operator/config/samples/kustomization.yaml
diff --git a/src/operator/config/scorecard/bases/config.yaml b/src/operator/config/scorecard/bases/config.yaml
diff --git a/src/operator/config/scorecard/kustomization.yaml b/src/operator/config/scorecard/kustomization.yaml
diff --git a/src/operator/config/scorecard/patches/basic.config.yaml b/src/operator/config/scorecard/patches/basic.config.yaml
diff --git a/src/operator/config/scorecard/patches/olm.config.yaml b/src/operator/config/scorecard/patches/olm.config.yaml
diff --git a/src/operator/config/webhook/kustomization.yaml b/src/operator/config/webhook/kustomization.yaml
@@ -0,0 +1,22 @@
+resources:
+- manifests.yaml
+
+configurations:
+- kustomizeconfig.yaml
+
+patches:
+    - patch: |-
+          - op: replace
+            path: /metadata/name
+            value: 'otterize-credentials-operator-validating-webhook-configuration'
+          - op: replace
+            path: /webhooks/0/clientConfig/service/namespace
+            value: '{{ .Release.Namespace }}'
+          - op: replace
+            path: /webhooks/0/clientConfig/service/name
+            value: credentials-operator-webhook-service
+          - op: replace
+            path: /webhooks/0/clientConfig/service/namespace
+            value: '{{ .Release.Namespace }}'
+      target:
+          kind: MutatingWebhookConfiguration
diff --git a/src/operator/config/webhook/kustomizeconfig.yaml b/src/operator/config/webhook/kustomizeconfig.yaml
@@ -0,0 +1,12 @@
+# the following config is for teaching kustomize where to look at when substituting vars.
+# It requires kustomize v2.1.0 or newer to work properly.
+nameReference:
+
+namespace:
+- kind: MutatingWebhookConfiguration
+  group: admissionregistration.k8s.io
+  path: webhooks/clientConfig/service/namespace
+  create: true
+
+varReference:
+- path: metadata/annotations
diff --git a/src/operator/config/webhook/manifests.yaml b/src/operator/config/webhook/manifests.yaml
@@ -0,0 +1,27 @@
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  creationTimestamp: null
+  name: mutating-webhook-configuration
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /mutate-v1-pod
+  failurePolicy: Ignore
+  name: pods.credentials-operator.otterize.com
+  rules:
+  - apiGroups:
+    - ""
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - pods
+  sideEffects: NoneOnDryRun
diff --git a/src/operator/controllers/metadata/annotations.go b/src/operator/controllers/metadata/annotations.go
@@ -10,12 +10,14 @@ const (
 	TLSSecretNameAnnotation           = "credentials-operator.otterize.com/tls-secret-name"
 	TLSSecretNameAnnotationDeprecated = "spire-integration.otterize.com/tls-secret-name"
 
-	// CreateAWSRoleAnnotation by using this annotation a pod marks that the operator should create an AWS IAM role for its service account
-	CreateAWSRoleAnnotation = "credentials-operator.otterize.com/create-aws-role"
 	// ServiceAccountAWSRoleARNAnnotation is used by EKS (Kubernetes at AWS) to link between service accounts
 	// and IAM roles
 	ServiceAccountAWSRoleARNAnnotation = "eks.amazonaws.com/role-arn"
 
+	// OtterizeServiceAccountAWSRoleARNAnnotation is used to update a Pod in the mutating webhook with the role ARN
+	// so that reinvocation is triggered for the EKS pod identity mutating webhook.
+	OtterizeServiceAccountAWSRoleARNAnnotation = "credentials-operator.otterize.com/eks-role-arn"
+
 	// DNSNamesAnnotation is a comma-separated list of additional dns names to be registered as part of the
 	// SPIRE-server entry and encoded into the certificate data
 	DNSNamesAnnotation           = "credentials-operator.otterize.com/dns-names"

diff --git a/src/operator/controllers/metadata/labels.go b/src/operator/controllers/metadata/labels.go
@@ -12,5 +12,7 @@ const (
 	SecretTypeLabel = "credentials-operator.otterize.com/secret-type"
 
 	// OtterizeServiceAccountLabel is used to label service accounts generated by the credentials-operator
-	OtterizeServiceAccountLabel = "credentials-operator.otterize.com/service-account"
+	OtterizeServiceAccountLabel = "credentials-operator.otterize.com/service-account-managed"
+	// CreateAWSRoleLabel by using this annotation a pod marks that the operator should create an AWS IAM role for its service account
+	CreateAWSRoleLabel = "credentials-operator.otterize.com/create-aws-role"
 )
diff --git a/src/operator/controllers/service_account_pod/service_account_pod_reconciler.go b/src/operator/controllers/service_account_pod/service_account_pod_reconciler.go