openshift · sjenning · Apr 23, 2020 · Apr 17, 2020
diff --git a/Makefile b/Makefile
@@ -58,6 +58,7 @@ IMAGE_REGISTRY :=registry.svc.ci.openshift.org
 # It will generate targets {update,verify}-bindata-$(1) logically grouping them in unsuffixed versions of these targets
 # and also hooked into {update,verify}-generated for broader integration.
 $(call add-bindata,bootstrap,./bindata/bootstrap/...,bindata,bootstrap,pkg/assets/bootstrap/bindata.go)
+$(call add-bindata,v4.1.0,./bindata/v4.1.0/...,bindata,v410_00_assets,pkg/assets/v410_00_assets/bindata.go)
 
 # This will call a macro called "build-image" which will generate image specific targets based on the parameters:
 # $0 - macro name

diff --git a/bindata/v4.1.0/aws-pod-identity-webhook/clusterrole.yaml b/bindata/v4.1.0/aws-pod-identity-webhook/clusterrole.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: pod-identity-webhook
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts
+  verbs:
+  - get
+  - watch
+  - list
diff --git a/bindata/v4.1.0/aws-pod-identity-webhook/clusterrolebinding.yaml b/bindata/v4.1.0/aws-pod-identity-webhook/clusterrolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: pod-identity-webhook
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: pod-identity-webhook
+subjects:
+- kind: ServiceAccount
+  name: pod-identity-webhook
+  namespace: openshift-cloud-credential-operator
diff --git a/bindata/v4.1.0/aws-pod-identity-webhook/deployment.yaml b/bindata/v4.1.0/aws-pod-identity-webhook/deployment.yaml
@@ -0,0 +1,55 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: pod-identity-webhook
+  namespace: openshift-cloud-credential-operator
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: pod-identity-webhook
+  template:
+    metadata:
+      labels:
+        app: pod-identity-webhook
+    spec:
+      containers:
+      - name: pod-identity-webhook
+        image: ${IMAGE}
+        imagePullPolicy: IfNotPresent
+        command:
+        - /usr/bin/aws-pod-identity-webhook
+        - --in-cluster
+        - --namespace=openshift-cloud-credential-operator
+        - --port=6443
+        - --service-name=pod-identity-webhook
+        - --tls-secret=pod-identity-webhook
+        - --annotation-prefix=eks.amazonaws.com # TODO: use openshift.io based prefix
+        - --token-audience=sts.amazonaws.com
+        - --logtostderr
+        resources:
+          requests:
+            cpu: 10m
+            memory: 10Mi
+        volumeMounts:
+        - name: webhook-certs
+          mountPath: /var/run/app/certs
+          readOnly: false
+      nodeSelector:
+        node-role.kubernetes.io/master: ""
+      serviceAccountName: pod-identity-webhook
+      tolerations:
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/master
+        operator: Exists
+      - effect: NoExecute
+        key: node.kubernetes.io/unreachable
+        operator: Exists
+        tolerationSeconds: 120
+      - effect: NoExecute
+        key: node.kubernetes.io/not-ready
+        operator: Exists
+        tolerationSeconds: 120
+      volumes:
+      - name: webhook-certs
+        emptyDir: {}
diff --git a/bindata/v4.1.0/aws-pod-identity-webhook/mutatingwebhook.yaml b/bindata/v4.1.0/aws-pod-identity-webhook/mutatingwebhook.yaml
@@ -0,0 +1,19 @@
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: pod-identity-webhook
+  annotations:
+    service.beta.openshift.io/inject-cabundle: "true"
+webhooks:
+- name: pod-identity-webhook.amazonaws.com
+  failurePolicy: Ignore
+  clientConfig:
+    service:
+      name: pod-identity-webhook
+      namespace: openshift-cloud-credential-operator
+      path: "/mutate"
+  rules:
+  - operations: [ "CREATE" ]
+    apiGroups: [""]
+    apiVersions: ["v1"]
+    resources: ["pods"]
diff --git a/bindata/v4.1.0/aws-pod-identity-webhook/role.yaml b/bindata/v4.1.0/aws-pod-identity-webhook/role.yaml
@@ -0,0 +1,22 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: pod-identity-webhook
+  namespace: openshift-cloud-credential-operator
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - update
+  - patch
+  resourceNames:
+  - "pod-identity-webhook"
diff --git a/bindata/v4.1.0/aws-pod-identity-webhook/rolebinding.yaml b/bindata/v4.1.0/aws-pod-identity-webhook/rolebinding.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: pod-identity-webhook
+  namespace: openshift-cloud-credential-operator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: pod-identity-webhook
+subjects:
+- kind: ServiceAccount
+  name: pod-identity-webhook
+  namespace: openshift-cloud-credential-operator
diff --git a/bindata/v4.1.0/aws-pod-identity-webhook/sa.yaml b/bindata/v4.1.0/aws-pod-identity-webhook/sa.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: pod-identity-webhook
+  namespace: openshift-cloud-credential-operator
diff --git a/bindata/v4.1.0/aws-pod-identity-webhook/svc.yaml b/bindata/v4.1.0/aws-pod-identity-webhook/svc.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: pod-identity-webhook
+  namespace: openshift-cloud-credential-operator
+  annotations:
+    prometheus.io/port: "443"
+    prometheus.io/scheme: "https"
+    prometheus.io/scrape: "true"
+    service.beta.openshift.io/serving-cert-secret-name: pod-identity-webhook
+spec:
+  ports:
+  - port: 443
+    targetPort: 6443
+  selector:
+    app: pod-identity-webhook
diff --git a/go.mod b/go.mod
@@ -15,9 +15,11 @@ require (
 	github.com/dgrijalva/jwt-go v3.2.0+incompatible
 	github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
 	github.com/golang/mock v1.4.3
+	github.com/imdario/mergo v0.3.7 // indirect
 	github.com/jteeuwen/go-bindata v3.0.8-0.20151023091102-a0ff2567cfb7+incompatible
-	github.com/openshift/api v0.0.0-20200210091934-a0e53e94816b
+	github.com/openshift/api v0.0.0-20200414152312-3e8f22fb0b56
 	github.com/openshift/build-machinery-go v0.0.0-20200211121458-5e3d6e570160
+	github.com/openshift/library-go v0.0.0-20200407165825-2e79bd232e72
 	github.com/prometheus/client_golang v1.5.1
 	github.com/satori/go.uuid v1.2.0
 	github.com/sirupsen/logrus v1.5.0