feat: Update aws-sdk to enable IRSA (AWS IAM Roles for ServiceAccounts) support, add securityContext to helm chart (#200)

- Update AWS SDK version
- securityContext in a helm chart

Author: arruzk

charts/kubernetes-external-secrets/README.md

@@ -22,6 +22,12 @@ $ helm install --name my-release external-secrets/kubernetes-external-secrets
 
 > **Tip:** A namespace can be specified by the `Helm` option '`--namespace kube-external-secrets`'
 
+To install the chart with [AWS IAM Roles for Service Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html):
+
+```bash
+$ helm install --name my-release --set securityContext.fsGroup=65534 --set serviceAccount.annotations."eks\.amazonaws\.com/role-arn"='arn:aws:iam::111111111111:role/ROLENAME' external-secrets/kubernetes-external-secrets
+```
+
 ## Uninstalling the Chart
 
 To uninstall/delete the deployment:
@@ -49,8 +55,10 @@ The following table lists the configurable parameters of the `kubernetes-externa
 | `nameOverride`                   | Override the name of app                                            | `nil`                                          |
 | `fullnameOverride`                   | Override the full name of app                                            | `nil`                                          |
 | `rbac.create`                        | Create & use RBAC resources                                  | `true`                                                  |
+| `securityContext.fsGroup`            | Security context for the container                           | `{}`                                                    |
 | `serviceAccount.create`              | Whether a new service account name should be created.        | `true`                                                  |
-| `serviceAccount.name`                | Service account to be used.                                  | automatically generated
+| `serviceAccount.name`                | Service account to be used.                                  | automatically generated                                 |
+| `serviceAccount.annotations`         | Annotations to be added to service account                   | `nil`                                                   |
 | `podAnnotations`                     | Annotations to be added to pods                              | `{}`                                                    |
 | `replicaCount`                       | Number of replicas                                           | `1`                                                     |
 | `nodeSelector`                       | node labels for pod assignment                               | `{}`                                                    |

charts/kubernetes-external-secrets/templates/deployment.yaml

@@ -24,6 +24,9 @@ spec:
       {{- end }}
     spec:
       serviceAccountName: {{ template "kubernetes-external-secrets.serviceAccountName" . }}
+      {{- if .Values.securityContext }}
+      securityContext: {{ toYaml .Values.securityContext | nindent 8 }}
+      {{- end }}
       containers:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"

charts/kubernetes-external-secrets/values.yaml

@@ -43,6 +43,9 @@ fullnameOverride: ""
 
 podAnnotations: {}
 
+securityContext: {}
+  # fsGroup: 65534
+
 resources: {}
   # We usually recommend not to specify default resources and to leave this as a conscious
   # choice for the user. This also increases chances charts run on environments with little

package-lock.json

@@ -29,7 +29,7 @@
     "node": ">=12.0.0"
   },
   "dependencies": {
-    "aws-sdk": "^2.433.0",
+    "aws-sdk": "^2.566.0",
     "express": "^4.17.1",
     "json-stream": "^1.0.0",
     "kubernetes-client": "^8.3.0",