AWSTemplateFormatVersion: 2010-09-09
Description: >-
  Deploys the metrics-server into an existing kubernetes cluster
  (qs-qwertyuiop).
# https://docs.aws.amazon.com/eks/latest/userguide/metrics-server.html
# https://docs.aws.amazon.com/eks/latest/userguide/horizontal-pod-autoscaler.html
# https://docs.aws.amazon.com/eks/latest/userguide/vertical-pod-autoscaler.html
Metadata:
  cfn-lint: { config: { ignore_checks: [W9002, W9003, W9004, W9006] } }
Parameters:
  EksClusterName:
    Type: String
  OIDCProviderArn:
    Type: String
  OIDCProviderEndpoint:
    Type: String
Conditions:
  Commercial: !Equals [!Ref AWS::Partition, aws]
Resources:
  MetricsServerRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument: !Sub |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Federated": "${OIDCProviderArn}"
              },
              "Action": "sts:AssumeRoleWithWebIdentity",
              "Condition": {
                "StringEquals": {
                  "${OIDCProviderEndpoint}:aud": [
                    "sts.amazonaws.com",
                    "sts.${AWS::Region}.amazonaws.com"
                  ],
                  "${OIDCProviderEndpoint}:sub": "system:serviceaccount:kube-system:metrics-server"
                }
              }
            }
          ]
        }
      ManagedPolicyArns:
        - !Sub arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
        - !If [Commercial, !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonElasticContainerRegistryPublicReadOnly', !Ref AWS::NoValue]
  MetricsServerHelmChart:
    # https://github.com/kubernetes-sigs/metrics-server/
    # https://artifacthub.io/packages/helm/metrics-server/metrics-server
    Type: AWSQS::Kubernetes::Helm
    Properties:
      ClusterID: !Ref EksClusterName
      Namespace: kube-system
      Repository: https://kubernetes-sigs.github.io/metrics-server/
      Chart: metrics-server/metrics-server
      Values:
        image.repository: registry.k8s.io/metrics-server/metrics-server
          # TODO: Use public.ecr.aws/eks-distro/kubernetes-sigs/metrics-server
          # if they switch to a viable tagging strategy or equivalent AWS
          # image repository in ECR Public Gallery if one becomes available.
        nodeSelector.kubernetes\.io/os: linux
        serviceAccount.annotations.eks\.amazonaws\.com/role-arn: !GetAtt MetricsServerRole.Arn
        serviceAccount.create: 'true'
        serviceAccount.name: metrics-server