---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: aws-iam-authenticator
rules:
- apiGroups:
  - iamauthenticator.k8s.aws
  resources:
  - iamidentitymappings
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - iamauthenticator.k8s.aws
  resources:
  - iamidentitymappings/status
  verbs:
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - update
  - patch
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - configmaps
  resourceNames:
  - aws-auth
  verbs:
  - get

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: aws-iam-authenticator
  namespace: kube-system

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: aws-iam-authenticator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: aws-iam-authenticator
subjects:
- kind: ServiceAccount
  name: aws-iam-authenticator
  namespace: kube-system

---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  namespace: kube-system
  name: aws-iam-authenticator
  labels:
    k8s-app: aws-iam-authenticator
  annotations:
    seccomp.security.alpha.kubernetes.io/pod: runtime/default
spec:
  selector:
    matchLabels:
      k8s-app: aws-iam-authenticator
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ""
      labels:
        k8s-app: aws-iam-authenticator
    spec:
      serviceAccountName: aws-iam-authenticator

      # run on the host network (don't depend on CNI)
      hostNetwork: true

      # run on each control plane node
      nodeSelector:
      {{ .cpNodeSelector | indent 2 }}
      tolerations:
      - effect: NoSchedule 
        key: node-role.kubernetes.io/master
      - effect: NoSchedule
        key: node-role.kubernetes.io/control-plane
      - key: CriticalAddonsOnly
        operator: Exists
{{- if .controlPlaneTaints }}
{{- range .controlPlaneTaints }}
      - key: {{ .Key }}
        value: {{ .Value }}
        effect: {{ .Effect }}
{{- if .TimeAdded }}
        timeAdded: {{ .TimeAdded }}
{{- end }}
{{- end }}
{{- end }}

      # `aws-iam-authenticator server` has four volumes
      # - config (mounted from the ConfigMap at /etc/aws-iam-authenticator/config.yaml)
      # - cert, key (persisted TLS certificate and key, mounted from the host)
      # - kubeconfig (kubeconfig to plug into your apiserver configuration, mounted from the host)
      containers:
      - name: aws-iam-authenticator
        image: {{.image}}
        env:
        - name: AWS_REGION
          value: {{.awsRegion}}
        args:
        - server
        - --backend-mode={{.backendMode}}
        - --partition={{.partition}}
        - --config=/etc/aws-iam-authenticator/config.yaml
        - --state-dir=/var/aws-iam-authenticator
        - --generate-kubeconfig=/etc/kubernetes/aws-iam-authenticator/kubeconfig.yaml
        - --kubeconfig-pregenerated=true

        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL

        resources:
          requests:
            memory: 20Mi
            cpu: 10m
          limits:
            memory: 20Mi
            cpu: 100m

        volumeMounts:
        - name: config
          mountPath: /etc/aws-iam-authenticator/
        - name: cert
          mountPath: /var/aws-iam-authenticator/cert.pem
        - name: key
          mountPath: /var/aws-iam-authenticator/key.pem
        - name: kubeconfig
          mountPath: /etc/kubernetes/aws-iam-authenticator/kubeconfig.yaml

      # init container to set permissions for the mount paths
      initContainers:
      - name: chown
        image: {{.initContainerImage}}
        command: ['sh', '-c', 'chown 10000:10000 /var/aws-iam-authenticator/cert.pem; chown 10000:10000 /var/aws-iam-authenticator/key.pem; chown 10000:10000 /etc/kubernetes/aws-iam-authenticator/kubeconfig.yaml']
        volumeMounts:
        - name: cert
          mountPath: /var/aws-iam-authenticator/cert.pem
        - name: key
          mountPath: /var/aws-iam-authenticator/key.pem
        - name: kubeconfig
          mountPath: /etc/kubernetes/aws-iam-authenticator/kubeconfig.yaml

      volumes:
      - name: config
        configMap:
          name: aws-iam-authenticator
      - name: kubeconfig
        hostPath:
          path: /var/lib/kubeadm/aws-iam-authenticator/kubeconfig.yaml
      - name: cert
        hostPath:
          path: /var/lib/kubeadm/aws-iam-authenticator/pki/cert.pem
      - name: key
        hostPath:
          path: /var/lib/kubeadm/aws-iam-authenticator/pki/key.pem
{{- if (ne .clusterID "") }}
---
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: kube-system
  name: aws-iam-authenticator
  labels:
    k8s-app: aws-iam-authenticator
data:
  config.yaml: |
    clusterID: {{.clusterID}}
{{- end }}

---
# EKS-Style ConfigMap: roles and users can be mapped in the same way as supported on EKS.
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
{{- if (ne .mapRoles "") }}
  mapRoles: |
{{ .mapRoles | indent 4 }}
{{- end }}
{{- if (ne .mapUsers "") }}
  mapUsers: |
{{ .mapUsers | indent 4 }}
{{- end }}