update sts endpoint and role key

This commit is contained in:
2026-01-10 15:42:21 -05:00
parent d5879b1513
commit 587737aa42
9 changed files with 36 additions and 14 deletions


@@ -17,7 +17,7 @@ When a pod is created, the webhook:
1. Extracts the ServiceAccount name from the pod spec 1. Extracts the ServiceAccount name from the pod spec
2. Fetches the ServiceAccount from the Kubernetes API 2. Fetches the ServiceAccount from the Kubernetes API
3. Checks for the `vultr.com/role-arn` annotation 3. Checks for the `api.vultr.com/role` annotation
4. If present, mutates the pod to inject: 4. If present, mutates the pod to inject:
- **Environment Variables:** - **Environment Variables:**
- `AWS_ROLE_ARN`: The IAM role ARN from the annotation - `AWS_ROLE_ARN`: The IAM role ARN from the annotation
@@ -83,7 +83,7 @@ kubectl logs -n irsa-system -l app=irsa-webhook
### Annotate ServiceAccount ### Annotate ServiceAccount
To enable IRSA for a ServiceAccount, add the `vultr.com/role-arn` annotation: To enable IRSA for a ServiceAccount, add the `api.vultr.com/role` annotation:
```yaml ```yaml
apiVersion: v1 apiVersion: v1
@@ -92,7 +92,7 @@ metadata:
name: my-app name: my-app
namespace: default namespace: default
annotations: annotations:
vultr.com/role-arn: "arn:aws:iam::123456789012:role/my-app-role" api.vultr.com/role: "775a6be6-45cd-4f19-94f5-6e4f96f093ec"
``` ```
### Deploy a Pod ### Deploy a Pod
@@ -283,7 +283,7 @@ go build -o webhook main.go
- From this point you will be able to auth to the vultr API from inside your kubernetes cluster using the standard - See the file in this repo `test-oidc-issuer.yaml` - From this point you will be able to auth to the vultr API from inside your kubernetes cluster using the standard - See the file in this repo `test-oidc-issuer.yaml`
- Deploy this irsa-webhook to your cluster - Deploy this irsa-webhook to your cluster
- Pod->STS - Pod->STS
- Now when when a pod is owned by a serviceAccount with the annotation `vultr.com/role-arn`, the pod will send a token issued by the cluster to the Vultr sts endpoint. - Now when when a pod is owned by a serviceAccount with the annotation `api.vultr.com/role`, the pod will send a token issued by the cluster to the Vultr sts endpoint.
- STS->Pod - STS->Pod
- Vultr's STS endpoint will respond with tokens issued by Vultr that are injected into the pod for the application running in the pod to consume - Vultr's STS endpoint will respond with tokens issued by Vultr that are injected into the pod for the application running in the pod to consume


@@ -54,7 +54,7 @@ kubectl get endpoints -n irsa-system irsa-webhook
**Diagnosis:** **Diagnosis:**
```bash ```bash
# Check if ServiceAccount has annotation # Check if ServiceAccount has annotation
kubectl get sa <service-account-name> -o yaml | grep vultr.com/role-arn kubectl get sa <service-account-name> -o yaml | grep api.vultr.com/role
# Check webhook configuration # Check webhook configuration
kubectl get mutatingwebhookconfiguration irsa-webhook -o yaml kubectl get mutatingwebhookconfiguration irsa-webhook -o yaml
@@ -68,7 +68,7 @@ kubectl logs -n irsa-system -l app=irsa-webhook --tail=100
1. **ServiceAccount annotation missing:** 1. **ServiceAccount annotation missing:**
```bash ```bash
kubectl annotate sa <service-account-name> \ kubectl annotate sa <service-account-name> \
vultr.com/role-arn="arn:aws:iam::123456789012:role/your-role" api.vultr.com/role: "775a6be6-45cd-4f19-94f5-6e4f96f093ec"
``` ```
2. **Namespace excluded from webhook:** 2. **Namespace excluded from webhook:**
@@ -81,7 +81,7 @@ kubectl logs -n irsa-system -l app=irsa-webhook --tail=100
```bash ```bash
# Check webhook logs for incoming requests # Check webhook logs for incoming requests
kubectl logs -n irsa-system -l app=irsa-webhook --tail=50 kubectl logs -n irsa-system -l app=irsa-webhook --tail=50
# Verify webhook configuration matches service # Verify webhook configuration matches service
kubectl get mutatingwebhookconfiguration irsa-webhook -o jsonpath='{.webhooks[0].clientConfig}' kubectl get mutatingwebhookconfiguration irsa-webhook -o jsonpath='{.webhooks[0].clientConfig}'
``` ```
@@ -146,7 +146,7 @@ kubectl get mutatingwebhookconfiguration irsa-webhook \
```bash ```bash
CA_BUNDLE=$(kubectl get secret -n irsa-system irsa-webhook-certs \ CA_BUNDLE=$(kubectl get secret -n irsa-system irsa-webhook-certs \
-o jsonpath='{.data.ca\.crt}') -o jsonpath='{.data.ca\.crt}')
kubectl patch mutatingwebhookconfiguration irsa-webhook \ kubectl patch mutatingwebhookconfiguration irsa-webhook \
--type='json' \ --type='json' \
-p="[{'op': 'replace', 'path': '/webhooks/0/clientConfig/caBundle', 'value':'${CA_BUNDLE}'}]" -p="[{'op': 'replace', 'path': '/webhooks/0/clientConfig/caBundle', 'value':'${CA_BUNDLE}'}]"
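Review bot: The replacement annotate command in the first hunk (`kubectl annotate sa <service-account-name> \` followed by `api.vultr.com/role: "775a6be6-45cd-4f19-94f5-6e4f96f093ec"`) is no longer a valid shell command: kubectl annotate takes `KEY=VALUE`, so the colon form is a YAML fragment pasted into a command line and will be rejected. It should read `api.vultr.com/role="775a6be6-45cd-4f19-94f5-6e4f96f093ec"`. The value is presumably a placeholder that readers must replace with their own role ID, which the surrounding text no longer says.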


@@ -71,8 +71,6 @@ spec:
env: env:
- name: STS_ENDPOINT - name: STS_ENDPOINT
value: "https://api.vultr.com/v2/assumed-roles/compatibility/aws/sts" value: "https://api.vultr.com/v2/assumed-roles/compatibility/aws/sts"
- name: SERVICE_ACCOUNT_AUDIENCE
value: "vultr" #TODO: Probably need to update with whatever is in the action map
- name: TLS_CERT_PATH - name: TLS_CERT_PATH
value: /etc/webhook/certs/tls.crt value: /etc/webhook/certs/tls.crt
- name: TLS_KEY_PATH - name: TLS_KEY_PATH


@@ -4,8 +4,7 @@ metadata:
name: example-app name: example-app
namespace: default namespace: default
annotations: annotations:
# Replace with actual IAM role ARN api.vultr.com/role: "775a6be6-45cd-4f19-94f5-6e4f96f093ec"
vultr.com/role-arn: "arn:aws:iam::123456789012:role/example-app-role"
--- ---
apiVersion: v1 apiVersion: v1
kind: Pod kind: Pod
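Review bot: The `# Replace with actual IAM role ARN` comment was dropped together with the old annotation, so the example now shows `api.vultr.com/role: "775a6be6-45cd-4f19-94f5-6e4f96f093ec"` with nothing marking it as a placeholder, and a reader may copy a role ID that is not theirs. Keep a comment above it such as `# Replace with the ID of your Vultr role`. The same applies to the test-irsa manifest later in this commit, and the new test-serviceaccount.yaml uses a different ID (`b1fef0ad-…`) again without a comment, so it is unclear whether the two test fixtures are meant to refer to the same role.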


@@ -18,7 +18,7 @@ import (
) )
const ( const (
roleArnAnnotation = "vultr.com/role-arn" roleArnAnnotation = "api.vultr.com/role"
tokenVolumeName = "vultr-irsa-token" tokenVolumeName = "vultr-irsa-token"
tokenMountPath = "/var/run/secrets/vultr.com/serviceaccount" tokenMountPath = "/var/run/secrets/vultr.com/serviceaccount"
tokenFileName = "token" tokenFileName = "token"
@@ -320,6 +320,9 @@ func (ws *WebhookServer) generateContainerPatches(index int, roleArn string, con
}) })
} }
// Get STS endpoint from environment (set in deployment)
stsEndpoint := getEnv("STS_ENDPOINT", "https://api.vultr.com/v2/assumed-roles/compatibility/aws/sts")
// Add environment variables // Add environment variables
envVars := []corev1.EnvVar{ envVars := []corev1.EnvVar{
{ {
@@ -334,6 +337,10 @@ func (ws *WebhookServer) generateContainerPatches(index int, roleArn string, con
Name: envAWSSTSRegionalEndpoint, Name: envAWSSTSRegionalEndpoint,
Value: "regional", Value: "regional",
}, },
{
Name: "AWS_ENDPOINT_URL_STS",
Value: stsEndpoint,
},
} }
if container.Env == nil { if container.Env == nil {
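Review bot: `getEnv("STS_ENDPOINT", ...)` in the second hunk is read on every admission request inside generateContainerPatches (whose body starts and ends outside the hunk) and the value is injected into every container as `AWS_ENDPOINT_URL_STS` with no validation, so a misconfigured or tampered webhook environment silently redirects each pod's token exchange. Resolve it once at startup, validate it, and keep it on the server: `if u, err := url.Parse(ep); err != nil || u.Scheme != "https" || u.Host == "" { log.Fatalf("STS_ENDPOINT %q: must be an https URL", ep) }`, then use `ws.stsEndpoint` here. The new entry also hard-codes the name `"AWS_ENDPOINT_URL_STS"` while its neighbours use constants like `envAWSSTSRegionalEndpoint`; add `envAWSEndpointURLSTS = "AWS_ENDPOINT_URL_STS"` beside them. Lastly, `roleArnAnnotation` in the first hunk now holds `api.vultr.com/role`, whose value is a role ID rather than an ARN, so the constant name (and the `AWS_ROLE_ARN` variable the README says it feeds) is misleading; consider renaming it `roleAnnotation`.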

11
test-pod.yaml Normal file

@@ -0,0 +1,11 @@
apiVersion: v1
kind: Pod
metadata:
name: irsa-test-pod
namespace: default
spec:
serviceAccountName: test-sa
containers:
- name: test
image: python:3.9-slim
command: ["sleep", "3600"]

7
test-serviceaccount.yaml Normal file

@@ -0,0 +1,7 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: test-sa
namespace: default
annotations:
api.vultr.com/role: "b1fef0ad-c912-457b-bba2-9fb6ef1ae13b"


@@ -4,7 +4,7 @@ metadata:
name: test-irsa name: test-irsa
namespace: default namespace: default
annotations: annotations:
vultr.com/role-arn: "arn:aws:iam::123456789012:role/test-role" api.vultr.com/role: "775a6be6-45cd-4f19-94f5-6e4f96f093ec"
--- ---
apiVersion: v1 apiVersion: v1
kind: Pod kind: Pod

BIN
webhook

Binary file not shown.
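Review bot: A compiled `webhook` binary is committed alongside the source (the README builds it with `go build -o webhook main.go`); it cannot be reviewed in a diff and will drift from main.go with every later change. Build artifacts should be produced by CI or the release pipeline rather than checked into the tree; remove it and add `webhook` to .gitignore so it is not re-added by accident.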