diff --git a/README.md b/README.md index 09cdeba..46e2da0 100644 --- a/README.md +++ b/README.md @@ -17,7 +17,7 @@ When a pod is created, the webhook: 1. Extracts the ServiceAccount name from the pod spec 2. Fetches the ServiceAccount from the Kubernetes API -3. Checks for the `vultr.com/role-arn` annotation +3. Checks for the `api.vultr.com/role` annotation 4. If present, mutates the pod to inject: - **Environment Variables:** - `AWS_ROLE_ARN`: The IAM role ARN from the annotation @@ -83,7 +83,7 @@ kubectl logs -n irsa-system -l app=irsa-webhook ### Annotate ServiceAccount -To enable IRSA for a ServiceAccount, add the `vultr.com/role-arn` annotation: +To enable IRSA for a ServiceAccount, add the `api.vultr.com/role` annotation: ```yaml apiVersion: v1 @@ -92,7 +92,7 @@ metadata: name: my-app namespace: default annotations: - vultr.com/role-arn: "arn:aws:iam::123456789012:role/my-app-role" + api.vultr.com/role: "775a6be6-45cd-4f19-94f5-6e4f96f093ec" ``` ### Deploy a Pod @@ -283,7 +283,7 @@ go build -o webhook main.go - From this point you will be able to auth to the vultr API from inside your kubernetes cluster using the standard - See the file in this repo `test-oidc-issuer.yaml` - Deploy this irsa-webhook to your cluster - Pod->STS - - Now when when a pod is owned by a serviceAccount with the annotation `vultr.com/role-arn`, the pod will send a token issued by the cluster to the Vultr sts endpoint. + - Now when when a pod is owned by a serviceAccount with the annotation `api.vultr.com/role`, the pod will send a token issued by the cluster to the Vultr sts endpoint. - STS->Pod - Vultr's STS endpoint will respond with tokens issued by Vultr that are injected into the pod for the application running in the pod to consume diff --git a/TROUBLESHOOTING.md b/TROUBLESHOOTING.md index b4832e4..75b1e3c 100644 --- a/TROUBLESHOOTING.md +++ b/TROUBLESHOOTING.md 
@@ -54,7 +54,7 @@ kubectl get endpoints -n irsa-system irsa-webhook **Diagnosis:** ```bash # Check if ServiceAccount has annotation -kubectl get sa -o yaml | grep vultr.com/role-arn +kubectl get sa -o yaml | grep api.vultr.com/role # Check webhook configuration kubectl get mutatingwebhookconfiguration irsa-webhook -o yaml @@ -68,7 +68,7 @@ kubectl logs -n irsa-system -l app=irsa-webhook --tail=100 1. **ServiceAccount annotation missing:** ```bash kubectl annotate sa \ - vultr.com/role-arn="arn:aws:iam::123456789012:role/your-role" + api.vultr.com/role: "775a6be6-45cd-4f19-94f5-6e4f96f093ec" ``` 2. **Namespace excluded from webhook:** @@ -81,7 +81,7 @@ kubectl logs -n irsa-system -l app=irsa-webhook --tail=100 ```bash # Check webhook logs for incoming requests kubectl logs -n irsa-system -l app=irsa-webhook --tail=50 - + # Verify webhook configuration matches service kubectl get mutatingwebhookconfiguration irsa-webhook -o jsonpath='{.webhooks[0].clientConfig}' ``` @@ -146,7 +146,7 @@ kubectl get mutatingwebhookconfiguration irsa-webhook \ ```bash CA_BUNDLE=$(kubectl get secret -n irsa-system irsa-webhook-certs \ -o jsonpath='{.data.ca\.crt}') - + kubectl patch mutatingwebhookconfiguration irsa-webhook \ --type='json' \ -p="[{'op': 'replace', 'path': '/webhooks/0/clientConfig/caBundle', 'value':'${CA_BUNDLE}'}]" diff --git a/deploy.yaml b/deploy.yaml index cfaf217..cc763aa 100644 --- a/deploy.yaml +++ b/deploy.yaml @@ -71,8 +71,6 @@ spec: env: - name: STS_ENDPOINT value: "https://api.vultr.com/v2/assumed-roles/compatibility/aws/sts" - - name: SERVICE_ACCOUNT_AUDIENCE - value: "vultr" #TODO: Probably need to update with whatever is in the action map - name: TLS_CERT_PATH value: /etc/webhook/certs/tls.crt - name: TLS_KEY_PATH diff --git a/example.yaml b/example.yaml index cec7796..48beadd 100644 --- a/example.yaml +++ b/example.yaml 
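Review bot: Dropping `SERVICE_ACCOUNT_AUDIENCE` from the webhook's env in this deploy.yaml hunk changes which audience the projected ServiceAccount token is minted with, yet nothing in this diff shows the corresponding read in main.go being removed or its default updated, so the value now silently falls back to whatever the code defaults to. The audience is the only thing that stops that token from also being accepted by kube-apiserver or other in-cluster services, so it is worth pinning explicitly rather than leaving it implicit. If the code still reads it, keep the entry with its final value, e.g. `- name: SERVICE_ACCOUNT_AUDIENCE` / `  value: "<the audience Vultr STS validates>"`; if the read was removed, a comment above `STS_ENDPOINT` noting that the audience is now fixed in code would save the next operator from hunting for it. The removed `#TODO` suggested the value was still unsettled, so a line in the commit message about what it resolved to would help.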
@@ -4,8 +4,7 @@ metadata: name: example-app namespace: default annotations: - # Replace with actual IAM role ARN - vultr.com/role-arn: "arn:aws:iam::123456789012:role/example-app-role" + api.vultr.com/role: "775a6be6-45cd-4f19-94f5-6e4f96f093ec" --- apiVersion: v1 kind: Pod diff --git a/main.go b/main.go index 92172f7..1c2ebdf 100644 --- a/main.go +++ b/main.go @@ -18,7 +18,7 @@ import ( ) const ( - roleArnAnnotation = "vultr.com/role-arn" + roleArnAnnotation = "api.vultr.com/role" tokenVolumeName = "vultr-irsa-token" tokenMountPath = "/var/run/secrets/vultr.com/serviceaccount" tokenFileName = "token" @@ -320,6 +320,9 @@ func (ws *WebhookServer) generateContainerPatches(index int, roleArn string, con }) } + // Get STS endpoint from environment (set in deployment) + stsEndpoint := getEnv("STS_ENDPOINT", "https://api.vultr.com/v2/assumed-roles/compatibility/aws/sts") + // Add environment variables envVars := []corev1.EnvVar{ { @@ -334,6 +337,10 @@ func (ws *WebhookServer) generateContainerPatches(index int, roleArn string, con Name: envAWSSTSRegionalEndpoint, Value: "regional", }, + { + Name: "AWS_ENDPOINT_URL_STS", + Value: stsEndpoint, + }, } if container.Env == nil { diff --git a/test-pod.yaml b/test-pod.yaml new file mode 100644 index 0000000..b82bacb --- /dev/null +++ b/test-pod.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: irsa-test-pod + namespace: default +spec: + serviceAccountName: test-sa + containers: + - name: test + image: python:3.9-slim + command: ["sleep", "3600"] \ No newline at end of file diff --git a/test-serviceaccount.yaml b/test-serviceaccount.yaml new file mode 100644 index 0000000..498ca1e --- /dev/null +++ b/test-serviceaccount.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: test-sa + namespace: default + annotations: + api.vultr.com/role: "b1fef0ad-c912-457b-bba2-9fb6ef1ae13b" \ No newline at end of file diff --git a/test-webhook.yaml b/test-webhook.yaml index daea0b2..dd53573 100644 
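Review bot: `stsEndpoint := getEnv("STS_ENDPOINT", ...)` is read unvalidated on every admission and then injected into every pod as the URL the workload will post its identity token to, so a misconfigured value (an `http://` URL, a typo'd host) quietly redirects every pod's ServiceAccount token off-cluster without any error in the webhook. I would resolve this once at startup, parse it with `net/url`, reject anything whose scheme is not `https`, and store it on `WebhookServer` (e.g. `ws.stsEndpoint`) instead of re-reading the environment per request; the default string is also duplicated between here and deploy.yaml, so a single source is cleaner. Separately, the `roleArn string` parameter visible in the hunk header now carries a Vultr role ID rather than an ARN after this commit, so a rename to `roleID` (or a comment saying the name is kept for AWS-SDK compatibility) would stop the next reader from assuming ARN format. `generateContainerPatches` begins and ends outside this hunk.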
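Review bot: The new entry uses the bare literal `"AWS_ENDPOINT_URL_STS"` while its siblings in the same slice use named constants such as `envAWSSTSRegionalEndpoint`, so add `envAWSEndpointURLSTS = "AWS_ENDPOINT_URL_STS"` to the const block and use `Name: envAWSEndpointURLSTS,` here. The `if container.Env == nil {` branch that follows suggests these entries are appended to whatever the pod already declares; if a container already sets `AWS_ENDPOINT_URL_STS` (or `AWS_ROLE_ARN`) itself, the result is a duplicate name and which value wins is left to the kubelet, which is presumably not what an operator expects — either skip names already present or document that the webhook's values are meant to take precedence. The enclosing function starts and ends outside this hunk.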
--- a/test-webhook.yaml +++ b/test-webhook.yaml @@ -4,7 +4,7 @@ metadata: name: test-irsa namespace: default annotations: - vultr.com/role-arn: "arn:aws:iam::123456789012:role/test-role" + api.vultr.com/role: "775a6be6-45cd-4f19-94f5-6e4f96f093ec" --- apiVersion: v1 kind: Pod diff --git a/webhook b/webhook index 34cc98a..6ed92f0 100755 Binary files a/webhook and b/webhook differ