add cert manager deployment

[prasita123]

Issue #, if available:

Description of changes: updates to

• deploy/deployment-base.yaml
  • setting in-cluster=false
  • update volumeMounts paths
  • add cert-manager deployment
    • cert-manager.io/v1 ClusterIssuer
    • cert-manager.io/v1 Certificate
• deploy/mutatingwebhook.yaml
  • add annotations to replace caBundle

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

[prasita123]

relates to #134

[wongma7]

the README must be updated as well to mention that cert-manager is a prerequisite. and remove mention of CSR https://github.com/aws/amazon-eks-pod-identity-webhook#in-cluster

[prasita123]

These changes were tested by using IAMserviceaccounts
Reference: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html
Steps:

• Create OIDC Provider
• Create IAM role
• Associate role to service account
• Block IMDS
  • Reference: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html#instance-metadata-limiting-access
  • command: sudo iptables -A DOCKER-USER -d 169.254.169.254/32 -j DROP
• Create a pod with aws-cli in it and test an s3 url

pod configuration:

apiVersion: v1
kind: Pod
metadata:
   name: my-test-pod
   namespace: test-pod-service-account-namespace
spec:
   serviceAccountName: test-pod-service-account
   containers:
   - name: aws-cli
     args: ["-c", "aws s3 ls s3://"]
     command:
     - sh
     image: mikesir87/aws-cli:latest
   restartPolicy: Never 

Validated the webhook to be working by checking the deployment

% kubectl get pod my-test-pod -n test-pod-service-account-namespace -o yaml | grep AWS
- name: AWS_ROLE_ARN
- name: AWS_WEB_IDENTITY_TOKEN_FILE

Validated cert rotation by checking the contents in secret pod-identity-webhook-cert before and after the cert renewal period.