deploy pod-identity-webhook to kube-system ns

sl1pm4t · Jul 23, 2024 · a2b8fb9 · a2b8fb9
1 parent b933109
commit a2b8fb9
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 8 deletions.
diff --git a/pkg/cloud/services/iam/iam.go b/pkg/cloud/services/iam/iam.go
@@ -102,7 +102,7 @@ func (s *Service) ReconcileOIDCProvider(ctx context.Context) error {
 	if err := s.reconcileBucketContents(ctx); err != nil {
 		return err
 	}
-
+	log.Info("Creating PodIdentityWebhook addon")
 	if err := s.reconcilePodIdentityWebhook(ctx); err != nil {
 		return err
 	}

diff --git a/pkg/cloud/services/iam/podidentitywebhook.go b/pkg/cloud/services/iam/podidentitywebhook.go
@@ -19,7 +19,7 @@ import (
 
 const (
 	podIdentityWebhookName  = "pod-identity-webhook"
-	podIdentityWebhookImage = "amazon/amazon-eks-pod-identity-webhook:v0.4.0"
+	podIdentityWebhookImage = "amazon/amazon-eks-pod-identity-webhook:v0.5.5"
 )
 
 func reconcileServiceAccount(ctx context.Context, ns string, remoteClient client.Client) error {
@@ -134,7 +134,7 @@ func reconcileService(ctx context.Context, ns string, remoteClient client.Client
 			Ports: []corev1.ServicePort{
 				{
 					Port:       443,
-					TargetPort: intstr.FromInt(443),
+					TargetPort: intstr.FromInt32(443),
 				},
 			},
 			Selector: map[string]string{
@@ -325,15 +325,20 @@ func reconcileCertificateSecret(ctx context.Context, cert *corev1.Secret, remote
 	certCheck := &corev1.Secret{}
 	if err := remoteClient.Get(ctx, types.NamespacedName{
 		Name:      cert.Name,
-		Namespace: cert.Namespace,
+		Namespace: podIdentityNamespace,
 	}, certCheck); err != nil && !apierrors.IsNotFound(err) {
 		// will return not found if waiting for cert-manager and will reconcile again later due to error
 		return err
 	}
 
 	if certCheck.UID == "" {
+		cert.Namespace = podIdentityNamespace
 		cert.ResourceVersion = ""
-		return remoteClient.Create(ctx, cert)
+		err := remoteClient.Create(ctx, cert)
+		if err != nil && apierrors.IsAlreadyExists(err) {
+			return nil
+		}
+		return err
 	}
 
 	return nil

diff --git a/pkg/cloud/services/iam/reconcilers.go b/pkg/cloud/services/iam/reconcilers.go
@@ -19,6 +19,8 @@ import (
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 )
 
+const podIdentityNamespace = "kube-system"
+
 // reconcilePodIdentityWebhook generates certs and starts the webhook in the workload cluster
 // https://github.com/aws/amazon-eks-pod-identity-webhook
 // 1. generate webhook certs via cert-manager in the management cluster
@@ -29,8 +31,8 @@ func (s *Service) reconcilePodIdentityWebhook(ctx context.Context) error {
 	certSecret, err := certificateSecret(ctx,
 		certName, s.scope.Namespace(),
 		fmt.Sprintf(SelfsignedIssuerFormat, s.scope.Name()), []string{
-			fmt.Sprintf("%s.%s.svc", podIdentityWebhookName, s.scope.Namespace()),
-			fmt.Sprintf("%s.%s.svc.cluster.local", podIdentityWebhookName, s.scope.Namespace()),
+			fmt.Sprintf("%s.%s.svc", podIdentityWebhookName, podIdentityNamespace),
+			fmt.Sprintf("%s.%s.svc.cluster.local", podIdentityWebhookName, podIdentityNamespace),
 		}, s.scope.ManagementClient())
 
 	if err != nil {
@@ -47,7 +49,7 @@ func (s *Service) reconcilePodIdentityWebhook(ctx context.Context) error {
 		return err
 	}
 
-	if err := reconcilePodIdentityWebhookComponents(ctx, s.scope.Namespace(), certSecret, remoteClient); err != nil {
+	if err := reconcilePodIdentityWebhookComponents(ctx, podIdentityNamespace, certSecret, remoteClient); err != nil {
 		return err
 	}