gitops-ack-kro-argocd/charts/kro/resource-groups/pod-identity/pod-identity.yaml
---
# kro ResourceGroup that expands one `PodIdentity` object into three ACK
# resources: an IAM managed Policy, an IAM Role trusting the EKS Pod Identity
# service principal, and the EKS PodIdentityAssociation that binds that role
# to a Kubernetes service account.
apiVersion: kro.run/v1alpha1
kind: ResourceGroup
metadata:
  name: podidentity.kro.run
  annotations:
    # Negative sync wave: the ResourceGroup (and the CRD kro derives from it)
    # must exist before anything that creates PodIdentity instances is synced.
    argocd.argoproj.io/sync-wave: "-5"
spec:
  schema:
    apiVersion: v1alpha1
    kind: PodIdentity
    spec:
      # Prefix for every generated name (Kubernetes objects and IAM names).
      # NOTE(review): two PodIdentity instances sharing the same `name` (for
      # example both relying on the default) collide on the IAM Policy/Role
      # names derived from it below.
      name: 'string | default="pod-identity"'
      values:
        aws:
          clusterName: 'string'
        policy:
          description: 'string | default="Test Description"'
          path: 'string | default="/"'
          # Used verbatim as the IAM policy JSON. Nothing in this ResourceGroup
          # constrains it, so any principal allowed to create PodIdentity
          # objects can request arbitrary permissions for the resulting role;
          # restrict who may create them (RBAC and/or admission policy).
          # IAM does not accept an empty document, so the default is only a
          # placeholder and callers must always set this field.
          policyDocument: 'string | default=""'
        piAssociation:
          # Target service account and namespace. These are free-form and are
          # not tied to the namespace the PodIdentity object lives in, so a
          # caller can bind the role to a workload in any namespace.
          serviceAccount: 'string'
          piNamespace: 'string'
    status:
      policyStatus: ${podpolicy.status.conditions}
      roleStatus: ${podrole.status.conditions}
  resources:
    # 1. IAM managed policy holding the caller-supplied document.
    - id: podpolicy
      readyWhen:
        # NOTE(review): indexes the first ACK condition and assumes it is the
        # synced/ready one; verify against the controller's condition ordering.
        - ${podpolicy.status.conditions[0].status == "True"}
      template:
        apiVersion: iam.services.k8s.aws/v1alpha1
        kind: Policy
        metadata:
          name: ${schema.spec.name}-pod-policy
        spec:
          name: ${schema.spec.name}-pod-policy
          description: ${schema.spec.values.policy.description}
          path: ${schema.spec.values.policy.path}
          policyDocument: ${schema.spec.values.policy.policyDocument}

    # 2. IAM role that attaches the policy above and trusts EKS Pod Identity.
    - id: podrole
      readyWhen:
        # NOTE(review): same first-condition assumption as above.
        - ${podrole.status.conditions[0].status == "True"}
      template:
        apiVersion: iam.services.k8s.aws/v1alpha1
        kind: Role
        metadata:
          name: ${schema.spec.name}-role
        spec:
          name: ${schema.spec.name}-role
          # Attach by ARN; kro waits for podpolicy to be ready before this
          # expression can resolve.
          policies:
            - ${podpolicy.status.ackResourceMetadata.arn}
          # Trust policy for the EKS Pod Identity agent. It carries no
          # Condition block, so the trust is scoped only by the service
          # principal itself. NOTE(review): consider narrowing it with
          # aws:SourceAccount / aws:SourceArn conditions if the deployment
          # needs to prevent other clusters or accounts from having this role
          # associated to their pods — confirm which condition keys the
          # pods.eks.amazonaws.com principal honors before relying on them.
          assumeRolePolicyDocument: |
            {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Principal": {
                    "Service": "pods.eks.amazonaws.com"
                  },
                  "Action": [
                    "sts:TagSession",
                    "sts:AssumeRole"
                  ]
                }
              ]
            }

    # 3. Association binding the role to the requested service account.
    - id: piAssociation
      readyWhen:
        # NOTE(review): same first-condition assumption as above.
        - ${piAssociation.status.conditions[0].status == "True"}
      template:
        apiVersion: eks.services.k8s.aws/v1alpha1
        kind: PodIdentityAssociation
        metadata:
          # The service account name is folded into the object name; it must
          # therefore be a valid Kubernetes name fragment.
          name: ${schema.spec.name}-pod-association-${schema.spec.values.piAssociation.serviceAccount}
        spec:
          clusterName: ${schema.spec.values.aws.clusterName}
          roleARN: ${podrole.status.ackResourceMetadata.arn}
          serviceAccount: ${schema.spec.values.piAssociation.serviceAccount}
          namespace: ${schema.spec.values.piAssociation.piNamespace}