Fix manifests and Makefile for v0.3.0

Makefile

@@ -17,7 +17,7 @@ endif
 REGISTRY_ID?=602401143452
 IMAGE_NAME?=eks/pod-identity-webhook
 REGION?=us-west-2
-IMAGE?=$(REGISTRY_ID).dkr.ecr.$(REGION).amazonaws.com/$(IMAGE_NAME)
+IMAGE?=$(REGISTRY_ID).dkr.ecr.$(REGION).amazonaws.com/$(IMAGE_NAME):latest
 
 test:
 	go test -coverprofile=coverage.out ./...
@@ -70,30 +70,16 @@ cluster-up: deploy-config
 cluster-down: delete-config
 
 prep-config:
-	@echo 'Generating certs and deploying into active cluster...'
-	cat deploy/deployment-base.yaml | sed -e "s|IMAGE|${IMAGE}|g" | tee deploy/deployment.yaml
-	cat deploy/mutatingwebhook.yaml | hack/webhook-patch-ca-bundle.sh > deploy/mutatingwebhook-ca-bundle.yaml
+	@echo 'Overriding specified docker image...'
+	cd deploy && kustomize edit set image "eks-pod-identity-webhook-image=${IMAGE}"
 
 deploy-config: prep-config
 	@echo 'Applying configuration to active cluster...'
-	kubectl apply -f deploy/auth.yaml
-	kubectl apply -f deploy/deployment.yaml
-	kubectl apply -f deploy/service.yaml
-	kubectl apply -f deploy/mutatingwebhook-ca-bundle.yaml
-	until kubectl get csr -o \
-		jsonpath='{.items[?(@.spec.username=="system:serviceaccount:default:pod-identity-webhook")].metadata.name}' | \
-		grep -m 1 "csr-"; \
-		do echo "Waiting for CSR to be created" && sleep 1 ; \
-	done
-	kubectl certificate approve $$(kubectl get csr -o jsonpath='{.items[?(@.spec.username=="system:serviceaccount:default:pod-identity-webhook")].metadata.name}')
+	kubectl apply -k deploy
 
 delete-config:
 	@echo 'Tearing down mutating controller and associated resources...'
-	kubectl delete -f deploy/mutatingwebhook-ca-bundle.yaml
-	kubectl delete -f deploy/service.yaml
-	kubectl delete -f deploy/deployment.yaml
-	kubectl delete -f deploy/auth.yaml
-	kubectl delete secret pod-identity-webhook
+	kubectl delete -k deploy
 
 clean::
 	rm -rf ./amazon-eks-pod-identity-webhook

deploy/auth.yaml

@@ -5,43 +5,6 @@ metadata:
   namespace: default
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: pod-identity-webhook
-  namespace: default
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - create
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - get
-  - update
-  - patch
-  resourceNames:
-  - "pod-identity-webhook"
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: pod-identity-webhook
-  namespace: default
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: pod-identity-webhook
-subjects:
-- kind: ServiceAccount
-  name: pod-identity-webhook
-  namespace: default
----
-apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: pod-identity-webhook
@@ -54,15 +17,6 @@ rules:
   - get
   - watch
   - list
-- apiGroups:
-  - certificates.k8s.io
-  resources:
-  - certificatesigningrequests
-  verbs:
-  - create
-  - get
-  - list
-  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

deploy/certificate.yaml

@@ -0,0 +1,26 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: selfsigned
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: pod-identity-webhook
+  namespace: default
+spec:
+  secretName: pod-identity-webhook-cert
+  commonName: "pod-identity-webhook.default.svc"
+  dnsNames:
+  - "pod-identity-webhook"
+  - "pod-identity-webhook.default"
+  - "pod-identity-webhook.default.svc"
+  - "pod-identity-webhook.default.svc.local"
+  isCA: true
+  duration: 2160h # 90d
+  renewBefore: 360h # 15d
+  issuerRef:
+    name: selfsigned
+    kind: ClusterIssuer

deploy/kustomization.yaml

@@ -0,0 +1,16 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: default
+
+resources:
+- auth.yaml
+- certificate.yaml
+- deployment.yaml
+- mutatingwebhook.yaml
+- service.yaml
+
+images:
+- name: eks-pod-identity-webhook-image
+  newName: amazon/amazon-eks-pod-identity-webhook
+  newTag: latest