Merge pull request #204 from rushmash91/main

update ACK controllers to combine 7 controllers into a single resource

Author: a-hilaly

examples/ack-controller/README.md

@@ -1,18 +1,75 @@
 # Steps to deploy ack-controllers to cluster
 
 ## Deploying Controllers
-### Prerequisites
-Create IRSA for IAM controller
-See [ACK Docs] (https://aws-controllers-k8s.github.io/community/docs/user-docs/irsa/)
+Conbined ResourseGroup for ACK Controllers
+- IAM
+- EC2
+- EKS
+- ECR
+- ECR Public
+- SQS
+- S3
 
-### Deployment order:
-1. IAM
-2. EC2
-3. EKS
 
 ### Steps
-For these EKS and EC2 controllers we are using the IAM controller to create
-the necessary roles for the service account
-1. Deploy Controller CRD Group
-2. Deploy Controller ResourceGroup
-3. Deploy Controller Instance (don't forget to include required fields) 
+The controllers are using the IAM controller to create the necessary roles for the service account
+1. Setup IRSA (IAM Roles for Service Accounts) for the IAM controller:
+   See [ACK Docs] (https://aws-controllers-k8s.github.io/community/docs/user-docs/irsa/)
+   
+   Run the `setup_iam_controller.sh` script to create the necessary IAM role and service account. 
+   `chmod +x setup_iam_controller.sh`
+
+   ```bash
+   ./setup_iam_controller.sh
+   ```
+
+   You can customize the script execution with the following options:
+   
+   ```
+   Usage: ./setup_iam_controller.sh [OPTIONS]
+   Options:
+     --cluster-name NAME       Set EKS cluster name (default: curious-folk-badger)
+     --region REGION           Set AWS region (default: us-west-2)
+     --namespace NAMESPACE     Set Kubernetes namespace (default: kro)
+     --service-account NAME    Set service account name (default: ack-iam-controller-sa)
+     --help                    Display this help message
+   ```
+
+   For example, to use a different cluster name and region:
+
+   ```bash
+   ./setup_iam_controller.sh --cluster-name my-cluster --region us-east-1
+   ```
+
+   You can also set these values using environment variables:
+
+   ```bash
+   EKS_CLUSTER_NAME=my-cluster AWS_REGION=us-east-1 ./setup_iam_controller.sh
+   ```
+
+2. Install the IAM controller:
+   - Apply the CRD (Custom Resource Definition)
+   - Deploy the controller
+   - Create an instance of the controller
+
+3. Install all the Resource Group CRDs:
+   ```
+   kubectl apply -f crds/
+   ```
+
+4. Install all the controllers:
+   ```
+   kubectl apply -f controllers/
+   ```
+
+5. Install the combined Resource Group controllers:
+   ```
+   kubectl apply -f resourcegroup.yaml
+   ```
+6. Install the combined instance:
+
+   All contollers are enable by default. 
+   
+   ```
+   kubectl apply -f instance.yaml
+   ```

…oller/ec2-controller/ec2-controller.yaml …ntroller/controllers/ec2-controller.yamlexamples/ack-controller/ec2-controller/ec2-controller.yaml renamed to examples/ack-controller/controllers/ec2-controller.yaml examples/ack-controller/ec2-controller/ec2-controller.yaml renamed to examples/ack-controller/controllers/ec2-controller.yaml

@@ -2,6 +2,7 @@ apiVersion: kro.run/v1alpha1
 kind: ResourceGroup
 metadata:
   name: ec2controller.kro.run
+  namespace: kro
 spec:
   schema:
     apiVersion: v1alpha1
@@ -522,4 +523,4 @@ spec:
         verbs:
         - get
         - patch
-        - update
+        - update

examples/ack-controller/controllers/ecr-controller.yaml

@@ -0,0 +1,261 @@
+apiVersion: kro.run/v1alpha1
+kind: ResourceGroup
+metadata:
+  name: ecrcontrollers.kro.run
+  namespace: kro
+spec:
+  schema:
+    apiVersion: v1alpha1
+    kind: ECRController
+    spec:
+      name: string | default=ecr-controller
+      namespace: string | default=default
+      values:
+        aws:
+          accountID: string | required=true
+          region: string | default=us-west-2
+        deployment:
+          containerPort: integer | default=8080
+          replicas: integer | default=1
+        iamRole:
+          maxSessionDuration: integer | default=3600
+          oidcProvider: string | required=true
+          roleDescription: string | default=IRSA role for ACK ECR controller deployment on EKS cluster using kro Resource group
+        iamPolicy:
+          description: string | default="policy for ecr controller"
+        image:
+          deletePolicy: string | default=delete
+          repository: string | default=public.ecr.aws/aws-controllers-k8s/ecr-controller
+          tag: string | default=1.0.19
+          resources:
+            requests:
+              memory: string | default=64Mi
+              cpu: string | default=50m
+            limits:
+              memory: string | default=128Mi
+              cpu: string | default=100m
+        log:
+          enabled: boolean | default=false
+          level: string | default=info
+        serviceAccount:
+          name: string | default=ecr-controller-sa
+  resources:
+  - id: ecrCRDGroup
+    template:
+      apiVersion: kro.run/v1alpha1
+      kind: ECRCRDGroup
+      metadata:
+        name: ${schema.spec.name}-crd-group
+      spec:
+        name: ${schema.spec.name}-crd-group
+  - id: ecrControllerIamPolicy
+    template:
+      apiVersion: iam.services.k8s.aws/v1alpha1
+      kind: Policy
+      metadata:
+        name: ${schema.spec.name}-iam-policy
+      spec:
+        name: ${schema.spec.name}-iam-policy
+        description: ${schema.spec.values.iamPolicy.description}
+        policyDocument: >
+          {
+            "Version": "2012-10-17",
+            "Statement": [
+              {
+                "Effect": "Allow",
+                "Action": [
+                  "ecr:*",
+                  "cloudtrail:LookupEvents"
+                ],
+                "Resource": "*"
+              },
+              {
+                "Effect": "Allow",
+                "Action": [
+                  "iam:CreateServiceLinkedRole"
+                ],
+                "Resource": "*",
+                "Condition": {
+                  "StringEquals": {
+                    "iam:AWSServiceName": [
+                      "replication.ecr.amazonaws.com"
+                    ]
+                  }
+                }
+              }
+            ]
+          }
+  - id: ecrControllerIamRole
+    template:
+      apiVersion: iam.services.k8s.aws/v1alpha1
+      kind: Role
+      metadata:
+        name: ${schema.spec.name}-iam-role
+        namespace: ${schema.spec.namespace}
+      spec:
+        name: ${schema.spec.name}-iam-role
+        description: ${schema.spec.values.iamRole.roleDescription}
+        maxSessionDuration: ${schema.spec.values.iamRole.maxSessionDuration}
+        policies:
+        - ${ecrControllerIamPolicy.status.ackResourceMetadata.arn}
+        assumeRolePolicyDocument: >
+          {
+            "Version":"2012-10-17",
+            "Statement": [{
+              "Effect":"Allow",
+              "Principal": {"Federated": "arn:aws:iam::${schema.spec.values.aws.accountID}:oidc-provider/${schema.spec.values.iamRole.oidcProvider}"},
+              "Action": ["sts:AssumeRoleWithWebIdentity"],
+              "Condition": {
+                "StringEquals": {"${schema.spec.values.iamRole.oidcProvider}:sub": "system:serviceaccount:${schema.spec.namespace}:${schema.spec.values.serviceAccount.name}"}
+              }
+            }]
+          }
+  - id: serviceAccount
+    template:
+      apiVersion: v1
+      kind: ServiceAccount
+      metadata:
+        name: ${schema.spec.values.serviceAccount.name}
+        namespace: ${schema.spec.namespace}
+        annotations:
+          eks.amazonaws.com/role-arn : ${ecrControllerIamRole.status.ackResourceMetadata.arn}
+  - id: deployment
+    template:
+      apiVersion: apps/v1
+      kind: Deployment
+      metadata:
+        name: ${schema.spec.name}-deployment
+        namespace: ${schema.spec.namespace}
+        labels:
+          app.kubernetes.io/name: ${schema.spec.name}-deployment
+          app.kubernetes.io/instance: ${schema.spec.name}
+      spec:
+        replicas: ${schema.spec.values.deployment.replicas}
+        selector:
+          matchLabels:
+            app.kubernetes.io/name: ${schema.spec.name}-deployment
+            app.kubernetes.io/instance: ${schema.spec.name}
+        template:
+          metadata:
+            labels:
+              app.kubernetes.io/name: ${schema.spec.name}-deployment
+              app.kubernetes.io/instance: ${schema.spec.name}
+          spec:
+            serviceAccountName: ${serviceAccount.metadata.name}
+            containers:
+            - command:
+              - ./bin/controller
+              args:
+              - --aws-region
+              - ${schema.spec.values.aws.region}
+              - --enable-development-logging=${schema.spec.values.log.enabled}
+              - --log-level
+              - ${schema.spec.values.log.level}
+              - --deletion-policy
+              - ${schema.spec.values.image.deletePolicy}
+              - --watch-namespace
+              - ${schema.spec.namespace}
+              image: ${schema.spec.values.image.repository}:${schema.spec.values.image.tag}
+              name: controller
+              ports:
+                - name: http
+                  containerPort: ${schema.spec.values.deployment.containerPort}
+              resources:
+                requests:
+                  memory: ${schema.spec.values.image.resources.requests.memory}
+                  cpu: ${schema.spec.values.image.resources.requests.cpu}
+                limits:
+                    memory: ${schema.spec.values.image.resources.limits.memory}
+                    cpu: ${schema.spec.values.image.resources.limits.cpu}
+              env:
+              - name: ACK_SYSTEM_NAMESPACE
+                value: ${schema.spec.namespace}
+              - name: AWS_REGION
+                value: ${schema.spec.values.aws.region}
+              - name: DELETE_POLICY
+                value: ${schema.spec.values.image.deletePolicy}
+              - name: ACK_LOG_LEVEL
+                value: ${schema.spec.values.log.level}              
+  - id: clusterRoleBinding
+    template:
+      apiVersion: rbac.authorization.k8s.io/v1
+      kind: ClusterRoleBinding
+      metadata:
+        name: ${schema.spec.name}-clusterrolebinding
+      roleRef:
+        kind: ClusterRole
+        apiGroup: rbac.authorization.k8s.io
+        name: ${clusterRole.metadata.name}
+      subjects:
+      - kind: ServiceAccount
+        name: ${serviceAccount.metadata.name}
+        namespace: ${serviceAccount.metadata.namespace}
+  - id: clusterRole
+    template:
+      apiVersion: rbac.authorization.k8s.io/v1
+      kind: ClusterRole
+      metadata:
+        name: ${schema.spec.name}-clusterrole
+      rules:
+      - apiGroups:
+        - ""
+        resources:
+        - configmaps
+        - secrets
+        verbs:
+        - get
+        - list
+        - patch
+        - watch
+      - apiGroups:
+        - ""
+        resources:
+        - namespaces
+        verbs:
+        - get
+        - list
+        - watch
+      - apiGroups:
+        - ecr.services.k8s.aws
+        resources:
+        - pullthroughcacherules
+        - repositories
+        verbs:
+        - create
+        - delete
+        - get
+        - list
+        - patch
+        - update
+        - watch
+      - apiGroups:
+        - ecr.services.k8s.aws
+        resources:
+        - pullthroughcacherules/status
+        - repositories/status
+        verbs:
+        - get
+        - patch
+        - update
+      - apiGroups:
+        - services.k8s.aws
+        resources:
+        - adoptedresources
+        - fieldexports
+        verbs:
+        - create
+        - delete
+        - get
+        - list
+        - patch
+        - update
+        - watch
+      - apiGroups:
+        - services.k8s.aws
+        resources:
+        - adoptedresources/status
+        - fieldexports/status
+        verbs:
+        - get
+        - patch
+        - update