modify helm chart and add readme

aws · May 6, 2020 · 4057eb6 · 4057eb6
1 parent e2a64c4
commit 4057eb6
Show file tree

Hide file tree

Showing 9 changed files with 323 additions and 71 deletions.
diff --git a/helm/amazon-ec2-metadata-mock/Chart.yaml b/helm/amazon-ec2-metadata-mock/Chart.yaml
@@ -4,17 +4,20 @@ description: A Helm chart for the Amazon EC2 Metadata Mock
 version: 0.1.0
 appVersion: 0.9.0
 home: https://github.com/aws/amazon-ec2-metadata-mock
-icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png
+icon: https://raw.githubusercontent.com/aws/amazon-ec2-metadata-mock/master/helm/aws-logo.png
 sources:
   - https://github.com/aws/amazon-ec2-metadata-mock
 maintainers:
   - name: Prathibha Datta Kumar
     url: https://github.com/pdk27
-    email: prathibhadk@users.noreply.github.com
-  - name: Matthew Becker
-    url: https://github.com/mattrandallbecker
-    email: mattrandallbecker@users.noreply.github.com
+    email: pdk27@users.noreply.github.com
+  - name: Bryan Carter
+    url: https://github.com/brycahta
+    email: brycahta@users.noreply.github.com
 keywords:
   - ec2
+  - aws-ec2
   - imds
-
+  - ec2-instance-metadata
+  - ec2-instance-metadata-mock
+  - spot-interruption-mock
diff --git a/helm/amazon-ec2-metadata-mock/README.md b/helm/amazon-ec2-metadata-mock/README.md
@@ -0,0 +1,143 @@
+# Amazon EC2 Metadata Mock
+
+Amazon EC2 Metadata Mock(AEMM) Helm chart for Kubernetes. For more information on this project see the project repo at https://github.com/aws/amazon-ec2-metadata-mock.
+
+## Prerequisites
+
+* Kubernetes >= 1.11
+
+## Installing the Chart
+
+The helm chart can be installed from several sources. To install the chart with the release name amazon-ec2-metadata-mock and default configuration, pick a source below:
+
+1. Local chart archive: 
+Download the chart archive from the latest release and run 
+```sh
+helm install amazon-ec2-metadata-mock amazon-ec2-metadata-mock-0.1.0.tgz \
+  --namespace default
+```
+
+2. Unpacked local chart directory: 
+Download the source code or unpack the archive from latest release and run
+```sh
+helm install amazon-ec2-metadata-mock ./helm/amazon-ec2-metadata-mock \
+  --namespace default
+```
+----
+To upgrade an already installed chart named amazon-ec2-metadata-mock:
+```sh
+helm upgrade amazon-ec2-metadata-mock ./helm/amazon-ec2-metadata-mock \
+  --namespace default
+```
+
+### Installing the Chart with overridden values for AEMM configuration:
+
+AEMM has an [extensive list of parameters](https://github.com/aws/amazon-ec2-metadata-mock#defaults) that can overridden. For simplicity, a selective list of parameters are configurable using Helm custom `values.yaml` and `--set argument`. To override parameters not listed in `values.yaml` use Kubernetes ConfigMap.    
+
+The [configuration](#configuration) section details the selective list of parameters. Alternatively, to retrieve the same information via helm, run:
+```sh
+helm show values ./helm/amazon-ec2-metadata-mock
+```
+
+* Passing a custom values.yaml to helm
+```sh
+helm install amazon-ec2-metadata-mock ./helm/amazon-ec2-metadata-mock \
+  --namespace default -f path/to/myvalues.yaml 
+```
+
+* Passing custom values to helm via CLI 
+```sh
+helm install amazon-ec2-metadata-mock ./helm/amazon-ec2-metadata-mock \
+  --namespace default --set aemm.server.port=1660,aemm.mockDelaySec=120  
+```
+
+* Passing a config file to AEMM
+
+ 1. Create a Kubernetes ConfigMap from a custom AEMM configuration file:
+See [Readme](https://github.com/aws/amazon-ec2-metadata-mock#configuration) to learn more about AEMM configuration. [Here](https://github.com/aws/amazon-ec2-metadata-mock/blob/master/test/e2e/testdata/output/aemm-config-used.json) is a reference config file to create your own `aemm-config.json`
+```sh
+kubectl create configmap aemm-config-map --from-file path/to/aemm-config.json
+```
+
+ 2. Create `myvalues.yaml` with overridden value for configMap:
+```yaml
+configMap: "aemm-config-map"
+```
+
+ 3. Install AEMM with override:
+```sh
+helm install amazon-ec2-metadata-mock ./helm/amazon-ec2-metadata-mock \
+  --namespace default -f path/to/myvalues.yaml 
+```
+
+
+
+## Making a HTTP request to the AEMM server running on a pod
+
+1. Get the AEMM pod name:
+```sh
+kubectl get pods --namespace default
+```
+
+2. Set up port-forwarding for the port on which AEMM is running:
+```sh
+kubectl port-forward pod/<AEMM-pod-name> 1660
+```
+
+3. Make the HTTP request
+```sh
+curl http://localhost:1660/latest/meta-data/spot/instance-action
+{
+	"instance-action": "terminate",
+	"time": "2020-05-04T18:11:37Z"
+}
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the `amazon-ec2-metadata-mock` release:
+```sh
+helm uninstall amazon-ec2-metadata-mock
+```
+The command removes all the Kubernetes components associated with the chart and deletes the release.
+
+## Configuration
+
+The following tables lists the configurable parameters of the chart and their default values.
+
+Parameter | Description | Default
+--- | --- | --- 
+`image.repository` | image repository | `amazon/amazon-ec2-metadata-mock` 
+`image.tag` | image tag | `<VERSION>` 
+`image.pullPolicy` | image pull policy | `IfNotPresent`
+`nameOverride` | override for the name of the Helm Chart (default, if not overridden: `amazon-ec2-metadata-mock`) | `""`
+`fullnameOverride` | override for the name of the application (default, if not overridden: `amazon-ec2-metadata-mock`) | `""`
+`nodeSelector` | tells the DaemonSet where to place the amazon-ec2-metadata-mock pods. | `{}`, meaning every node will receive a pod
+`podAnnotations` | annotations to add to each pod | `{}`
+`updateStrategy` | the update strategy for a DaemonSet | `RollingUpdate`
+`rbac.pspEnabled` | if `true`, create and use a restricted pod security policy | `false`
+`serviceAccount.create` | if `true`, create a new service account | `true`
+`serviceAccount.name` | service account to be used | `amazon-ec2-metadata-mock-service-account`
+`serviceAccount.annotations` | specifies the annotations for service account | `{}`
+`securityContext.runAsUserID` | user ID to run the container | `1000`
+`securityContext.runAsGroupID` | group ID to run the container | `1000` 
+`namespace` | Kubernetes namespace to use for AEMM pods | `default`
+`configMap` | name of the Kubernetes ConfigMap to use to pass a config file for AEMM overrides | `""`
+`configMapFileName` | name of the file used to create the Kubernetes ConfigMap | `aemm-config.json`
+
+NOTE: A selective list of AEMM parameters are configurable via Helm CLI and values.yaml file. 
+Use the [Kubernetes ConfigMap option](#installing-the-chart-with-overridden-values-for-aemm-configuration) to configure [other AEMM parameters](https://github.com/aws/amazon-ec2-metadata-mock/blob/master/test/e2e/testdata/output/aemm-config-used.json). 
+
+Parameter | Description | Default in values.yaml | Default AEMM configuration
+--- | --- | --- | ---
+`aemm.server.port` | port to run AEMM on | `""` | `1338`
+`aemm.server.hostname` | hostname to run AEMM on | `""` | `localhost`
+`aemm.mockDelaySec` | mock delay in seconds, relative to the start time of AEMM | `0` | `0`
+`aemm.imdsv2` | if true, IMDSv2 only works | `false` | `false`, meaning both IMDSv1/v2 work 
+`aemm.spotItn.instanceAction` | instance action in the spot interruption notice | `""` | `terminate`
+`aemm.spotItn.terminationTime` | termination time in the spot interruption notice | `""` | HTTP request time + 2 minutes
+`aemm.scheduledEvents.code` | event code in the scheduled event | `""` | `system-reboot`
+`aemm.scheduledEvents.notAfter` | the latest end time for the scheduled event | `""` | Start time of AEMM  + 7 days
+`aemm.scheduledEvents.notBefore` | the earliest start time for the scheduled event | `""` | Start time of AEMM
+`aemm.scheduledEvents.notBeforeDeadline` | the deadline for starting the event | `""` | Start time of AEMM  + 9 days
+`aemm.scheduledEvents.state` | state of the scheduled event | `""` | `active`
diff --git a/helm/amazon-ec2-metadata-mock/templates/NOTES.txt b/helm/amazon-ec2-metadata-mock/templates/NOTES.txt
@@ -0,0 +1,6 @@
+{{ .Release.Name }} has been {{- if .Release.IsInstall }} installed {{ else }} updated. {{- end}}
+
+kubectl get pods --namespace {{ .Values.namespace }}
+kubectl describe pod <AEMM-pod-name>
+kubectl logs <AEMM-pod-name>
+kubectl port-forward  pod/<AEMM-pod-name> <AEMM-port-number>
diff --git a/helm/amazon-ec2-metadata-mock/templates/clusterrole.yaml b/helm/amazon-ec2-metadata-mock/templates/clusterrole.yaml
@@ -1,6 +1,7 @@
+# ClusterRole without any permissions for AEMM
+
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: {{ include "amazon-ec2-metadata-mock.fullname" . }}
-rules:
-
+rules: # empty rules array to disallow all permissions for AEMM 
diff --git a/helm/amazon-ec2-metadata-mock/templates/daemonset.yaml b/helm/amazon-ec2-metadata-mock/templates/daemonset.yaml
@@ -1,56 +1,120 @@
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
-  name: {{ .Values.amazonEC2MetadataMock.label }}
+  name: {{ include "amazon-ec2-metadata-mock.fullname" . }}
+  namespace: {{ .Release.Namespace }}
   labels:
-    app: {{ .Values.amazonEC2MetadataMock.label }}
+{{ include "amazon-ec2-metadata-mock.labels" . | indent 4 }}
 spec:
+  updateStrategy:
+    type: {{ toYaml .Values.updateStrategy }}
   selector:
     matchLabels:
-      app: {{ .Values.amazonEC2MetadataMock.label }}
+      app.kubernetes.io/name: {{ include "amazon-ec2-metadata-mock.name" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
   template:
     metadata:
+      {{- if .Values.podAnnotations }}
+      annotations:
+        {{- range $key, $value := .Values.podAnnotations }}
+          {{ $key }}: {{ $value | quote }}
+        {{- end }}
+      {{- end }}
       labels:
-        app: {{ .Values.amazonEC2MetadataMock.label }}
+        app.kubernetes.io/name: {{ include "amazon-ec2-metadata-mock.name" . }}
+        app.kubernetes.io/instance: {{ .Release.Name }}
+        k8s-app: amazon-ec2-metadata-mock
     spec:
+      {{- if .Values.nodeSelector }}
+      nodeSelector:
+{{- toYaml . | nindent 8 }}
+      {{- end }}
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: "beta.kubernetes.io/os"
+                operator: In
+                values:
+                - linux
+              - key: "beta.kubernetes.io/arch"
+                operator: In
+                values:
+                - amd64
+                - arm
+                - arm64
       serviceAccountName: {{ template "amazon-ec2-metadata-mock.serviceAccountName" . }}
-      hostNetwork: true
-{{- if .Values.configMap }}
+      hostNetwork: false # turn off host network to prevent undesired exposure of AEMM web server
+      {{- if .Values.configMap }}
       volumes:
-      - name: config-volume
+      - name: "aemm-config"
         configMap:
           name: {{ .Values.configMap }}
-{{ end }}
+      {{- end }}
       containers:
-      - name: {{ .Values.amazonEC2MetadataMock.label }}
-        image: {{ .Values.amazonEC2MetadataMock.image.repository }}:{{ .Values.amazonEC2MetadataMock.image.tag }}
-        imagePullPolicy: IfNotPresent
-{{- if .Values.configMap }}
+      - name: {{ include "amazon-ec2-metadata-mock.name" . }}
+        image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        securityContext:
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: {{ .Values.securityContext.runAsUserID }}
+          runAsGroup: {{ .Values.securityContext.runAsGroupID }}
+          allowPrivilegeEscalation: false
+        {{- if .Values.configMap }}
         volumeMounts:
-        - name: config-volume
-          mountPath: $HOME/
-{{ end }}
-        ports:
-        - containerPort: {{ .Values.settings.port }}
-          hostPort: {{ .Values.settings.port }}
+        - name: "aemm-config"
+          mountPath: {{ with $file := .Values.configMapFileName | default "aemm-config.json" }} {{ printf "/%s/%s" "config" $file }} {{ end }} 
+          subPath: {{ .Values.configMapFileName | default "aemm-config.json"  }}
+          readOnly: true
+        {{- end }}
         env:
-{{- if .Values.settings.port }}
-        - name: PORT
-          value: {{ .Values.settings.port | quote }}
-{{- end }}
-{{- if .Values.settings.hostname }}
-        - name: HOSTNAME
-          value: {{ .Values.settings.hostname | quote }}
-{{- end }}
-{{- if .Values.settings.mockDelaySec }}
-        - name: MOCK_DELAY_SEC
-          value: {{ .Values.settings.mockDelaySec | quote }}
-{{- end }}
-{{- if .Values.settings.partition }}
-        - name: PARTITION
-          value: {{ .Values.settings.partition | quote }}
-{{- end }}
-{{- if .Values.settings.region }}
-        - name: REGION
-          value: {{ .Values.settings.region | quote }}
-{{- end }}
+        {{- if .Values.configMap }}
+        - name: AEMM_CONFIG_FILE
+          value: {{ with $file := .Values.configMapFileName | default "aemm-config.json" }} {{ printf "/%s/%s" "config" $file }} {{ end }} 
+        {{- end }}
+        {{- if .Values.aemm.server.port }}
+        - name: AEMM_SERVER_PORT
+          value: {{ .Values.aemm.server.port | quote }}
+        {{- end }}
+        {{- if .Values.aemm.server.hostname }}
+        - name: AEMM_SERVER_HOSTNAME
+          value: {{ .Values.aemm.server.hostname | quote }}
+        {{- end }}
+        {{- if .Values.aemm.mockDelaySec }}
+        - name: AEMM_MOCK_DELAY_SEC
+          value: {{ .Values.aemm.mockDelaySec | quote }}
+        {{- end }}
+        {{- if .Values.aemm.imdsv2 }}
+        - name: AEMM_IMDSV2
+          value: {{ .Values.aemm.imdsv2| quote }}
+        {{- end }}
+        {{- if .Values.aemm.scheduledEvents.code }}
+        - name: AEMM_SCHEDULED_EVENTS_CODE
+          value: {{ .Values.aemm.scheduledEvents.code | quote }}
+        {{- end }}
+        {{- if .Values.aemm.scheduledEvents.notAfter }}
+        - name: AEMM_SCHEDULED_EVENTS_NOT_AFTER
+          value: {{ .Values.aemm.scheduledEvents.notAfter | quote }}
+        {{- end }}
+        {{- if .Values.aemm.scheduledEvents.notBefore }}
+        - name: AEMM_SCHEDULED_EVENTS_NOT_BEFORE
+          value: {{ .Values.aemm.scheduledEvents.notBefore | quote }}
+        {{- end }}
+        {{- if .Values.aemm.scheduledEvents.notBeforeDeadline }}
+        - name: AEMM_SCHEDULED_EVENTS_NOT_BEFORE_DEADLINE
+          value: {{ .Values.aemm.scheduledEvents.notBeforeDeadline | quote }}
+        {{- end }}
+        {{- if .Values.aemm.scheduledEvents.state }}
+        - name: AEMM_SCHEDULED_EVENTS_STATE
+          value: {{ .Values.aemm.scheduledEvents.state | quote }}
+        {{- end }}
+        {{- if .Values.aemm.spotItn.instanceAction }}
+        - name: AEMM_SPOT_ITN_INSTANCE_ACTION
+          value: {{ .Values.aemm.spotItn.instanceAction | quote }}
+        {{- end }}
+        {{- if .Values.aemm.spotItn.terminationTime }}
+        - name: AEMM_SPOT_ITN_TERMINATION_TIME
+          value: {{ .Values.aemm.spotItn.terminationTime | quote }}
+        {{- end }}
diff --git a/helm/amazon-ec2-metadata-mock/templates/psp.yaml b/helm/amazon-ec2-metadata-mock/templates/psp.yaml
@@ -10,7 +10,7 @@ metadata:
 spec:
   privileged: false
   hostIPC: false
-  hostNetwork: true
+  hostNetwork: false # turn off host network to prevent undesired exposure of AEMM web server
   hostPorts:
     - min: 1024
       max: 65535

diff --git a/helm/amazon-ec2-metadata-mock/templates/service.yaml b/helm/amazon-ec2-metadata-mock/templates/service.yaml
diff --git a/helm/amazon-ec2-metadata-mock/templates/serviceaccount.yaml b/helm/amazon-ec2-metadata-mock/templates/serviceaccount.yaml
@@ -8,4 +8,4 @@ metadata:
 {{ toYaml . | indent 4 }}
 {{- end }}
   labels:
-{{ include "amazon-ec2-metadata-mock.labels" . | indent 4 }}
+{{ include "amazon-ec2-metadata-mock.labels" . | indent 4 }}