From 3284dec92143bb5200f7680367f29afa3ec8cb1b Mon Sep 17 00:00:00 2001
From: Alexei Ledenev <alexei.led@gmail.com>
Date: Sun, 3 Apr 2022 12:58:36 +0300
Subject: [PATCH] deploy on GKE autopilot

---
 README.md                                     | 15 ++-
 deployment/deployment.yaml                    |  4 +
 deployment/webhook-create-self-signed-cert.sh | 98 +++++++++++++++++++
 deployment/webhook-create-signed-cert.sh      |  5 +
 deployment/webhook-patch-ca-bundle.sh         |  6 +-
 5 files changed, 124 insertions(+), 4 deletions(-)
 create mode 100755 deployment/webhook-create-self-signed-cert.sh

diff --git a/README.md b/README.md
index cd0f184..aa4a34e 100644
--- a/README.md
+++ b/README.md
@@ -2,8 +2,6 @@
 
 # Securely access AWS Services from GKE cluster
 
-> :attention: GKE Autopilot deployment is not supported due to the [limitations](https://cloud.google.com/kubernetes-engine/docs/concepts/autopilot-overview#webhooks_limitations)
-
 Ever wanted to access AWS services from Google Kubernetes cluster (GKE) without using AWS IAM credentials?
 
 This solution can help you to get and exchange Google OIDC token for temporary AWS IAM security credentials are generated by AWS STS service. This approach allows you to access AWS services form a GKE cluster without pre-generated long-living AWS credentials.
@@ -89,6 +87,19 @@ certificatesigningrequest.certificates.k8s.io/gtoken-webhook-svc.default approve
 secret/gtoken-webhook-certs configured
 ```
 
+**Note** Gor GKE Autopilot, run the [webhook-create-self-signed-cert.sh](https://github.com/doitintl/gtoken/blob/master/deployment/webhook-create-self-signed-cert.sh) script to generate a self-signed certificate.
+
+Export CA Bundle as environment variable:
+
+```sh
+export CA_BUNDLE=[output value of the previous script "Encoded CA:"]
+```
+
+Then, we’ll create the webhook service and deployment:
+
+```yaml
+```
+
 Create Kubernetes Service Account to be used with `gtoken-webhook`:
 
 ```sh
diff --git a/deployment/deployment.yaml b/deployment/deployment.yaml
index 10b95e8..a51f36d 100644
--- a/deployment/deployment.yaml
+++ b/deployment/deployment.yaml
@@ -18,6 +18,10 @@ spec:
         - name: gtoken-webhook
           image: doitintl/gtoken-webhook
           imagePullPolicy: Always
+          resources:
+            requests:
+              cpu: 250m
+              memory: 512Mi
           args:
             - --log-level=debug
             - server
diff --git a/deployment/webhook-create-self-signed-cert.sh b/deployment/webhook-create-self-signed-cert.sh
new file mode 100755
index 0000000..f2750e8
--- /dev/null
+++ b/deployment/webhook-create-self-signed-cert.sh
@@ -0,0 +1,98 @@
+#!/bin/bash
+
+set -e
+
+usage() {
+    cat <<EOF
+Generate certificate suitable for use with an gtoken webhook service.
+
+This script generates self-signed certificate for the webhook. See
+https://www.velotio.com/engineering-blog/managing-tls-certificate-for-kubernetes-admission-webhook
+detailed explantion and additional instructions.
+
+The server key/cert k8s CA cert are stored in a k8s secret.
+
+usage: ${0} [OPTIONS]
+
+The following flags are required.
+
+       --service          Service name of webhook.
+       --namespace        Namespace where webhook service and secret reside.
+       --secret           Secret name for CA certificate and server certificate/key pair.
+EOF
+    exit 1
+}
+
+while [[ $# -gt 0 ]]; do
+    case ${1} in
+        --service)
+            service="$2"
+            shift
+            ;;
+        --secret)
+            secret="$2"
+            shift
+            ;;
+        --namespace)
+            namespace="$2"
+            shift
+            ;;
+        *)
+            usage
+            ;;
+    esac
+    shift
+done
+
+[ -z ${service} ] && service=gtoken-webhook-svc
+[ -z ${secret} ] && secret=gtoken-webhook-certs
+[ -z ${namespace} ] && namespace=default
+
+if [ ! -x "$(command -v openssl)" ]; then
+    echo "openssl not found"
+    exit 1
+fi
+
+csrName=${service}.${namespace}
+tmpdir=$(mktemp -d)
+echo "creating certs in tmpdir ${tmpdir} "
+
+cat <<EOF >> ${tmpdir}/csr.conf
+[req]
+req_extensions = v3_req
+distinguished_name = req_distinguished_name
+[req_distinguished_name]
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = @alt_names
+[alt_names]
+DNS.1 = ${service}
+DNS.2 = ${service}.${namespace}
+DNS.3 = ${service}.${namespace}.svc
+EOF
+
+# create CA and Server key/certificate
+openssl genrsa -out ${tmpdir}/ca.key 2048
+openssl req -x509 -newkey rsa:2048 -key ${tmpdir}/ca.key -out ${tmpdir}/ca.crt -days 1825 -nodes -subj "/CN=${service}.${namespace}.svc"
+
+# create server key/certificate
+openssl genrsa -out ${tmpdir}/server.key 2048
+openssl req -new -key ${tmpdir}/server.key -subj "/CN=${service}.${namespace}.svc" -out ${tmpdir}/server.csr -config ${tmpdir}/csr.conf
+
+# Self sign
+openssl x509 -extensions v3_req -req -days 1825 -in ${tmpdir}/server.csr -CA ${tmpdir}/ca.crt -CAkey ${tmpdir}/ca.key -CAcreateserial -out ${tmpdir}/server.crt -extfile ${tmpdir}/csr.conf
+
+# create the secret with CA cert and server cert/key
+kubectl create secret generic ${secret} \
+        --from-file=key.pem=${tmpdir}/server.key \
+        --from-file=cert.pem=${tmpdir}/server.crt \
+        --dry-run=client -o yaml |
+    kubectl -n ${namespace} apply -f -
+
+# -a means base64 encode
+caBundle=$(cat ${tmpdir}/ca.crt | openssl enc -a -A)
+
+echo "Encoded CA:"
+echo -e "${caBundle} \n"
\ No newline at end of file
diff --git a/deployment/webhook-create-signed-cert.sh b/deployment/webhook-create-signed-cert.sh
index c23ddbe..f3e2bad 100755
--- a/deployment/webhook-create-signed-cert.sh
+++ b/deployment/webhook-create-signed-cert.sh
@@ -129,3 +129,8 @@ kubectl create secret generic ${secret} \
         --from-file=cert.pem=${tmpdir}/server-cert.pem \
         --dry-run=client -o yaml |
     kubectl -n ${namespace} apply -f -
+
+# get CA bundle for use by webhook bootstrap
+caBundle=$(kubectl config view --raw --flatten -o json | jq -r '.clusters[] | select(.name == "'$(kubectl config current-context)'") | .cluster."certificate-authority-data"')
+echo "Encoded CA:"
+echo -e "${caBundle} \n"
\ No newline at end of file
diff --git a/deployment/webhook-patch-ca-bundle.sh b/deployment/webhook-patch-ca-bundle.sh
index 1749274..4c96499 100755
--- a/deployment/webhook-patch-ca-bundle.sh
+++ b/deployment/webhook-patch-ca-bundle.sh
@@ -6,8 +6,10 @@ set -o errexit
 set -o nounset
 set -o pipefail
 
-
-export CA_BUNDLE=$(kubectl config view --raw --flatten -o json | jq -r '.clusters[] | select(.name == "'$(kubectl config current-context)'") | .cluster."certificate-authority-data"')
+if [[ -z "${CA_BUNDLE}" ]]; then
+    echo "CA_BUNDLE not set"
+    exit 1
+fi
 
 if command -v envsubst >/dev/null 2>&1; then
     envsubst