New Addon for AWS-pca-issuer plugin for cert-manager used for mTLS use case #160

Open
allamand opened this issue Apr 5, 2024 · 1 comment
@allamand
Contributor

allamand commented Apr 5, 2024

I would like to have a new aws-pca-issuer installation with eksdemo:

The AWS PCA Issuer plugin works as an addon to cert-manager that signs off certificate requests using AWS Certificate Manager Private Certificate Authority. The addon makes it easy to generate certificates for workloads inside the Kubernetes cluster.

Create file pca-iam-policy.json and save the following in it:

```bash
# CA_ARN must already hold the ARN of the private CA; the unquoted EOF lets it expand.
cat << EOF > pca-iam-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "awspcaissuer",
      "Action": [
        "acm-pca:DescribeCertificateAuthority",
        "acm-pca:GetCertificate",
        "acm-pca:IssueCertificate"
      ],
      "Effect": "Allow",
      "Resource": "${CA_ARN}"
    }
  ]
}
EOF
```

Create an IAM policy called AWSPCAIssuerIAMPolicy with the command below:

```bash
# Capture the new policy's ARN for the service-account step.
AWSPCA_POLICY_ARN=$(aws iam create-policy \
  --policy-name AWSPCAIssuerIAMPolicy \
  --policy-document file://pca-iam-policy.json \
  --query 'Policy.Arn' --output text)
```

Create a Service Account for the AWS PCA Issuer plugin with the command below:

```bash
# IRSA: binds the IAM policy to the Kubernetes service account the plugin will run as.
eksctl create iamserviceaccount \
  --cluster=$EKS_CLUSTER \
  --namespace=default \
  --name=aws-pca-issuer \
  --attach-policy-arn=$AWSPCA_POLICY_ARN \
  --override-existing-serviceaccounts \
  --approve
```

Add the AWS PCA Issuer Helm repository and run the helm install command:

```bash
helm repo add awspca https://cert-manager.github.io/aws-privateca-issuer
helm repo update
# Reuse the service account created by eksctl instead of letting the chart create one.
helm install aws-pca-issuer awspca/aws-privateca-issuer -n default \
  --set serviceAccount.create=false \
  --set serviceAccount.name=aws-pca-issuer
```

Verify that AWS PCA issuer is configured correctly by running the following command:

```bash
kubectl get pods -l app.kubernetes.io/name=aws-privateca-issuer
```
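An added example, not part of the issue or of eksdemo: the heredoc above silently expands an unset CA_ARN to an empty Resource, and a "*" would let the issuer use every CA in the account. This function renders the same policy but refuses anything that is not a single ACM PCA certificate-authority ARN, assuming the ARN is passed as its first argument.

```shell
#!/usr/bin/env sh
# Added example: render the AWS PCA Issuer policy with a least-privilege guard.
set -eu

# Prints the policy JSON for one CA ARN. Returns 1 for empty/wildcard input,
# 2 for anything that is not an acm-pca certificate-authority ARN.
render_pca_policy() {
  ca_arn="$1"
  case "$ca_arn" in
    ""|"*") return 1 ;;
  esac
  # Accept aws, aws-cn and aws-us-gov partitions; region and account are left open
  # because the ARN already pins the CA to one account and region.
  case "$ca_arn" in
    arn:aws*:acm-pca:*:*:certificate-authority/*) ;;
    *) return 2 ;;
  esac
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "awspcaissuer",
      "Action": [
        "acm-pca:DescribeCertificateAuthority",
        "acm-pca:GetCertificate",
        "acm-pca:IssueCertificate"
      ],
      "Effect": "Allow",
      "Resource": "${ca_arn}"
    }
  ]
}
EOF
}
```

Pipe the output to pca-iam-policy.json in place of the heredoc, e.g. `render_pca_policy "$CA_ARN" > pca-iam-policy.json`, so an unset variable stops the procedure before `aws iam create-policy` runs.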
@aaroniscode
Contributor

this is a good one @allamand ... let me work on this

@aaroniscode aaroniscode self-assigned this Apr 5, 2024