Merge pull request #50 from netfoundry/add-helm-and-config-loader

Add helm chart and config loader

Author: qrkourier

.github/actions/eks-cluster-cleanup/action.yml

@@ -57,7 +57,28 @@ runs:
           STATUS=$(get_cluster_status)
           
           if [[ "$STATUS" == "NOT_FOUND" ]]; then
-            echo "Cluster does not exist, nothing to delete"
+            echo "Cluster does not exist, checking for orphaned CloudFormation stacks..."
+            
+            # Clean up any orphaned CloudFormation stacks
+            STACK_PREFIX="eksctl-${{ inputs.cluster_name }}"
+            STACKS=$(aws cloudformation list-stacks \
+              --region "${{ inputs.region }}" \
+              --stack-status-filter CREATE_COMPLETE UPDATE_COMPLETE DELETE_FAILED \
+              --query "StackSummaries[?starts_with(StackName, '${STACK_PREFIX}')].StackName" \
+              --output text)
+            
+            if [[ -n "$STACKS" ]]; then
+              echo "Found orphaned stacks: $STACKS"
+              for STACK in $STACKS; do
+                echo "Deleting orphaned stack: $STACK"
+                aws cloudformation delete-stack --stack-name "$STACK" --region "${{ inputs.region }}" || true
+              done
+              echo "Initiated deletion of orphaned stacks, waiting 30s..."
+              sleep 30
+            else
+              echo "No orphaned stacks found"
+            fi
+            
             exit 0
           fi
           
@@ -75,8 +96,34 @@ runs:
           fi
           
           # Check for specific error conditions
-          if grep -q "try again later\|ResourceInUseException\|cluster is currently being\|InvalidParameterException" /tmp/eksctl_delete.log; then
+          if grep -q "try again later\|ResourceInUseException\|cluster is currently being\|InvalidParameterException\|DELETE_FAILED\|found the following undeleted stacks" /tmp/eksctl_delete.log; then
             echo "Received retryable error, waiting before next attempt..."
+            if grep -q "DELETE_FAILED" /tmp/eksctl_delete.log || grep -q "found the following undeleted stacks" /tmp/eksctl_delete.log; then
+              echo "Attempting to clean up nodegroup stacks that failed deletion"
+              STACK_PREFIX="eksctl-${{ inputs.cluster_name }}"
+              STACKS=$(aws cloudformation list-stacks \
+                --region "${{ inputs.region }}" \
+                --stack-status-filter CREATE_COMPLETE UPDATE_COMPLETE DELETE_FAILED \
+                --query "StackSummaries[?starts_with(StackName, '${STACK_PREFIX}')].StackName" \
+                --output text)
+              if [[ -n "$STACKS" ]]; then
+                echo "Retry cleanup: found stacks $STACKS"
+                for STACK in $STACKS; do
+                  echo "Retry cleanup: deleting $STACK"
+                  aws cloudformation update-termination-protection \
+                    --stack-name "$STACK" \
+                    --no-enable-termination-protection \
+                    --region "${{ inputs.region }}" || true
+                  aws cloudformation delete-stack --stack-name "$STACK" --region "${{ inputs.region }}" || true
+                  echo "Waiting for stack $STACK to reach DELETE_COMPLETE"
+                  aws cloudformation wait stack-delete-complete \
+                    --stack-name "$STACK" \
+                    --region "${{ inputs.region }}" && echo "Stack $STACK deleted" || echo "Stack $STACK still deleting or already removed"
+                done
+              else
+                echo "Retry cleanup: no matching stacks found"
+              fi
+            fi
             sleep $DELAY
             ATTEMPT=$((ATTEMPT + 1))
             DELAY=$((DELAY * 2))  # Exponential backoff

.github/workflows/pr.yaml

@@ -1,47 +1,99 @@
 # ziti-k8s-agent
 
-The agent injects a sidecar that runs a Ziti tunneler as a bi-directional proxy and nameserver for Ziti services. You may enable sidecars for all pods in a namespace or specifc pods in any namespace. For each, the agent will manage the life cycle of a Ziti identity with the roles you specify in a pod annotation.
+The Ziti Kubernetes Agent injects a sidecar that runs a Ziti tunneler as a bi-directional proxy and nameserver for Ziti services. You may enable sidecars for all pods in a namespace or specific pods in any namespace. For each, the agent will manage the life cycle of a Ziti identity with the roles you specify in a pod annotation.
 
-## Namespace
+## Installation
 
-A namespace will not be created. The agent may be installed in any existing namespace.
+### Prerequisites
 
-## Select Pods for Sidecar Injection
+- Kubernetes cluster with cert-manager installed
+- Ziti Controller with admin identity credentials
+- Helm 3.x
+
+### Install with Helm
+
+```bash
+# install chart directly from source
+git clone https://github.com/netfoundry/ziti-k8s-agent.git
+cd ziti-k8s-agent
+```
 
-Choose a method to select the pods: namespace, pod, or both. The sidecar is injected only on pod creation.
+#### Option 1: Existing Secret (PREFERRED FOR SECURITY)
 
-### Select by Namespace
+> **⚠️ SECURITY WARNING**: This webhook requires a Ziti admin identity with full network privileges. Handle with extreme care!
 
-Select all pods in namespaces labeled `tunnel.openziti.io/enabled="true"`.
+Create a secret containing your complete Ziti identity JSON configuration:
 
 ```bash
-kubectl label namespace {name} tunnel.openziti.io/enabled="true"
+# Create secret from enrolled identity JSON file
+kubectl create secret generic netfoundry-admin-identity \
+  --from-file=netfoundry-admin.json=netfoundry-admin.json \
+  --namespace=netfoundry-system
+
+# Install webhook
+helm upgrade --install ziti-webhook ./charts/ziti-webhook \
+  --set identity.existingSecret.name="netfoundry-admin-identity"
+
+#### Option 2: Chart-Managed Secret (FOR DEVELOPMENT/TESTING ONLY)
+
+> **⚠️ EXTREME SECURITY WARNING**: Option 2 embeds the complete admin identity in Helm values, which may be stored in version control or Helm history. This exposes full network administrative credentials. Use ONLY for development/testing environments!
+
+Provide the complete identity JSON directly via Helm values:
+
+```bash
+# Read the identity JSON and provide it directly
+# Using --set-json validates the JSON syntax immediately
+helm upgrade --install ziti-webhook ./charts/ziti-webhook \
+  --set-json identity.json="$(< netfoundry-admin.json)"
 ```
 
-The agent manifest must reflect your choice to select by namespace. Setting `SIDECAR_SELECTORS="namespace"` in the script's environment before generating the manifest will configure the mutating webhook with a `namespaceSelector`.
+## Select Pods for Sidecar Injection
+
+### Select by Namespace (Default)
 
-The `kube-system` namespace is excluded based on the advice in this [Kubernetes documentation](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#avoiding-operating-on-the-kube-system-namespace).
+Select all pods in namespaces labeled `tunnel.openziti.io/enabled="true"`:
+
+```bash
+# Label namespace for sidecar injection
+kubectl label namespace {name} tunnel.openziti.io/enabled="true"
+
+# Install webhook with namespace selector (default)
+helm upgrade --install ziti-webhook ./charts/ziti-webhook \
+  --set identity.existingSecret.name="netfoundry-admin-identity" \
+  --set webhook.selectors.enabled="namespace"
+```
 
 ### Select by Pod
 
-Select pods labeled `tunnel.openziti.io/enabled="true"` in any namespace.
+Select pods labeled `tunnel.openziti.io/enabled="true"` in any namespace:
 
 ```bash
+# Label deployment for sidecar injection
 kubectl patch deployment/{name} -p '{"spec":{"template":{"metadata":{"labels":{"tunnel.openziti.io/enabled":"true"}}}}}'
-```
 
-The agent manifest must reflect your choice to select by pod. Setting `SIDECAR_SELECTORS="pod"` in the script's environment before generating the manifest will configure the mutating webhook with an `objectSelector`.
+# Install webhook with pod selector
+helm install ziti-webhook ./charts/ziti-webhook \
+  --set identity.existingSecret.name="netfoundry-admin-identity" \
+  --set webhook.selectors.enabled="pod"
+```
 
 ### Select by Namespace and Pod
 
-Select pods labeled `tunnel.openziti.io/enabled="true"` only in namespaces labeled `tunnel.openziti.io/enabled="true"`.
-
-The agent manifest must reflect your choice to select by pod. Setting `SIDECAR_SELECTORS="namespace,pod"` in the script's environment before generating the manifest will configure the mutating webhook with both `namespaceSelector` and `objectSelector`. Both selectors must match for a pod to be selected.
+Select pods labeled `tunnel.openziti.io/enabled="true"` only in namespaces labeled `tunnel.openziti.io/enabled="true"`:
 
 ```bash
+# Label both namespace and deployment
 kubectl label namespace "default" tunnel.openziti.io/enabled="true"
+kubectl patch deployment/{name} -p '{"spec":{"template":{"metadata":{"labels":{"tunnel.openziti.io/enabled":"true"}}}}}'
+
+# Install webhook with both selectors
+helm upgrade --install ziti-webhook ./charts/ziti-webhook \
+  --set identity.existingSecret.name="netfoundry-admin-identity" \
+  --set webhook.selectors.enabled="namespace,pod"
 ```
 
+**Note**: The `kube-system` namespace is excluded based on [Kubernetes best practices](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#avoiding-operating-on-the-kube-system-namespace).
+
 ## Specify Ziti roles for Pod Identities
 
 The Ziti agent will generate a default Ziti identity role based on the app label unless you annotate it with a comma-separated list of roles. This example adds the role `acme-api-clients` to the Ziti identity shared by all replicas of the deployment. Updating the running pod's annotation will update the Ziti identity role.
@@ -70,57 +122,105 @@ Pods authorized to bind a Ziti service require that service to have a host addre
 
 ### Prerequisities
 
-1. an OpenZiti network - either NetFoundry Cloud or self-hosted
+1. an OpenZiti network - either NetFoundry Cloud, NetFoundry On-Premises, or self-hosted
 1. A JSON identity configuration file for an OpenZiti identity with the admin privilege
 1. A K8S namespace in which to deploy the agent
 
-### Set Optional Environment Variables
+## Advanced Configuration
 
-These optional variables will override defaults.
+### Custom Values File
 
-```bash
-# Namespace configuration
-export ZITI_AGENT_NAMESPACE="default"      # Namespace to deploy the agent
-export CLUSTER_DNS_ZONE="cluster.local"    # Kubernetes cluster DNS zone
-
-# Agent image configuration
-export ZITI_AGENT_IMAGE="docker.io/netfoundry/ziti-k8s-agent"  # Agent container image
-export ZITI_AGENT_IMAGE_PULL_POLICY="IfNotPresent"             # Pull policy for agent image
-export ZITI_AGENT_LOG_LEVEL="2"                                # Log level for agent (0-5)
-
-# Sidecar configuration
-export SIDECAR_IMAGE="docker.io/openziti/ziti-tunnel"         # Sidecar container image
-export SIDECAR_IMAGE_VERSION="latest"                         # Sidecar image version
-export SIDECAR_IMAGE_PULL_POLICY="IfNotPresent"              # Pull policy for sidecar image
-
-# Resource configuration
-export ZITI_AGENT_CPU="100m"              # CPU request for agent
-export ZITI_AGENT_MEMORY="128Mi"          # Memory request for agent
-export ZITI_AGENT_CPU_LIMIT="500m"        # CPU limit for agent
-export ZITI_AGENT_MEMORY_LIMIT="512Mi"    # Memory limit for agent
-
-# Webhook configuration
-export ZITI_AGENT_WEBHOOK_FAILURE_POLICY="Fail"  # How webhook failures are handled (Fail or Ignore)
-
-# DNS configuration
-export SEARCH_DOMAINS=""                   # Space-separated list of DNS search domains
+For complex deployments, create a custom values file:
+
+```yaml
+# values-production.yaml
+controller:
+  # Optional - if not specified, will be inferred from identity configuration
+  mgmtApi: "https://ctrl0.ziti.example.com:1280/edge/management/v1"
+
+deployment:
+  image:
+    repo: "docker.io/netfoundry/ziti-k8s-agent"
+    tag: "v1.2.3"
+    pullPolicy: "IfNotPresent"
+  replicas: 2
+  resources:
+    requests:
+      cpu: "200m"
+      memory: "256Mi"
+    limits:
+      cpu: "1000m"
+      memory: "1Gi"
+
+sidecar:
+  image:
+    repo: "docker.io/openziti/ziti-tunnel"
+    tag: "v0.23.0"
+    pullPolicy: "IfNotPresent"
+  # Custom DNS search domains for injected pods
+  searchDomains:
+    - "ziti.internal"
+    - "ziti.example.com"
+  dnsUpstreamEnabled: true
+  dnsUnanswerable: "refused"
+
+server:
+  port: 9443
+  logLevel: 2  # 0=errors, 1=info, 2=detailed, 3=debug, 4=trace
+
+webhook:
+  selectors:
+    enabled: "namespace,pod"  # Both namespace and pod selectors
+  failurePolicy: "Fail"
+
+# Custom cluster DNS configuration
+clusterDns:
+  zone: "cluster.local"
+
+# Identity configuration (use existing secret for production)
+identity:
+  existingSecret:
+    name: "netfoundry-admin-identity"
+    key: "netfoundry-admin.json"
 ```
 
-You may replace the cluster's default DNS search domains for selected pods by exporting `SEARCH_DOMAINS` as a space separated list of domain name suffixes. This may be useful if the selected pods never need to resolve the names of cluster services, but do need to resolve short names in a DNS zone that you control outside of the cluster, e.g., `ziti.internal ziti.example.com`.
+### Install with Custom Values
 
-### Generate a Manifest
+```bash
+# Install with custom values file
+helm upgrade --install ziti-webhook ./charts/ziti-webhook \
+  --namespace=ziti-system \
+  --create-namespace \
+  --values=values-production.yaml
+
+# Or override specific values inline
+helm upgrade --install ziti-webhook ./charts/ziti-webhook \
+  --set identity.existingSecret.name="netfoundry-admin-identity" \
+  --set deployment.replicas=3 \
+  --set server.logLevel=4 \
+  --set sidecar.searchDomains="{ziti.internal,ziti.example.com}" \
+  --set webhook.selectors.enabled="namespace,pod"
+```
 
-Required environment variables:
+### DNS Search Domains
 
-- `IDENTITY_FILE` - path to the JSON file from the admin identity enrollment step
-- `SIDECAR_SELECTORS` - comma-separated list of methods by which pods are selected for sidecar injection: `namespace`, `pod`, or both (see [Select Pods for Sidecar Injection](#select-pods-for-sidecar-injection) above)
+You may replace the cluster's default DNS search domains for selected pods by configuring `sidecar.searchDomains`. This is useful when selected pods need to resolve short names in DNS zones outside the cluster:
 
 ```bash
-IDENTITY_FILE="ziti-k8s-agent.json" SIDECAR_SELECTORS="namespace,pod" ./generate-ziti-agent-manifest.bash > ./ziti-agent.yaml
+helm upgrade --install ziti-webhook ./charts/ziti-webhook \
+  --set identity.existingSecret.name="netfoundry-admin-identity" \
+  --set sidecar.searchDomains="{ziti.internal,ziti.example.com}"
 ```
 
-### Apply the Manifest
+### Resource Management
+
+Configure resource requests and limits for production deployments:
 
 ```bash
-kubectl create -f ./ziti-agent.yaml
+helm upgrade --install ziti-webhook ./charts/ziti-webhook \
+  --set identity.existingSecret.name="netfoundry-admin-identity" \
+  --set deployment.resources.requests.cpu="200m" \
+  --set deployment.resources.requests.memory="256Mi" \
+  --set deployment.resources.limits.cpu="1000m" \
+  --set deployment.resources.limits.memory="1Gi"
 ```

README.md

@@ -0,0 +1,19 @@
+apiVersion: v2
+name: ziti-webhook
+description: A Helm chart for Ziti Kubernetes Admission Webhook
+type: application
+version: 0.1.0
+appVersion: "latest"
+keywords:
+  - ziti
+  - openziti
+  - zero-trust
+  - networking
+  - kubernetes
+  - admission-webhook
+home: https://netfoundry.io/docs/openziti/
+sources:
+  - https://github.com/netfoundry/ziti-k8s-agent
+maintainers:
+  - name: OpenZiti Team
+    email: [email protected]