update sts endpoint and role key

2026-01-10 15:42:21 -05:00
parent d5879b1513
commit 587737aa42
9 changed files with 36 additions and 14 deletions
--- a/README.md
+++ b/README.md
@@ -17,7 +17,7 @@ When a pod is created, the webhook:

 1. Extracts the ServiceAccount name from the pod spec
 2. Fetches the ServiceAccount from the Kubernetes API
-3. Checks for the `vultr.com/role-arn` annotation
+3. Checks for the `api.vultr.com/role` annotation
 4. If present, mutates the pod to inject:
   - **Environment Variables:**
     - `AWS_ROLE_ARN`: The IAM role ARN from the annotation
@@ -83,7 +83,7 @@ kubectl logs -n irsa-system -l app=irsa-webhook

 ### Annotate ServiceAccount

-To enable IRSA for a ServiceAccount, add the `vultr.com/role-arn` annotation:
+To enable IRSA for a ServiceAccount, add the `api.vultr.com/role` annotation:

 ```yaml
 apiVersion: v1
@@ -92,7 +92,7 @@ metadata:
  name: my-app
  namespace: default
  annotations:
-    vultr.com/role-arn: "arn:aws:iam::123456789012:role/my-app-role"
+    api.vultr.com/role: "775a6be6-45cd-4f19-94f5-6e4f96f093ec"
 ```

 ### Deploy a Pod
@@ -283,7 +283,7 @@ go build -o webhook main.go
 - From this point you will be able to auth to the vultr API from inside your kubernetes cluster using the standard - See the file in this repo `test-oidc-issuer.yaml`
 - Deploy this irsa-webhook to your cluster
 - Pod->STS
-  - Now when when a pod is owned by a serviceAccount with the annotation `vultr.com/role-arn`, the pod will send a token issued by the cluster to the Vultr sts endpoint.
+  - Now when when a pod is owned by a serviceAccount with the annotation `api.vultr.com/role`, the pod will send a token issued by the cluster to the Vultr sts endpoint.
 - STS->Pod
  - Vultr's STS endpoint will respond with tokens issued by Vultr that are injected into the pod for the application running in the pod to consume

--- a/TROUBLESHOOTING.md
+++ b/TROUBLESHOOTING.md
@@ -54,7 +54,7 @@ kubectl get endpoints -n irsa-system irsa-webhook
 **Diagnosis:**
 ```bash
 # Check if ServiceAccount has annotation
-kubectl get sa <service-account-name> -o yaml | grep vultr.com/role-arn
+kubectl get sa <service-account-name> -o yaml | grep api.vultr.com/role

 # Check webhook configuration
 kubectl get mutatingwebhookconfiguration irsa-webhook -o yaml
@@ -68,7 +68,7 @@ kubectl logs -n irsa-system -l app=irsa-webhook --tail=100
 1. **ServiceAccount annotation missing:**
   ```bash
   kubectl annotate sa <service-account-name> \
-     vultr.com/role-arn="arn:aws:iam::123456789012:role/your-role"
+     api.vultr.com/role: "775a6be6-45cd-4f19-94f5-6e4f96f093ec"
   ```

 2. **Namespace excluded from webhook:**
--- a/deploy.yaml
+++ b/deploy.yaml
@@ -71,8 +71,6 @@ spec:
        env:
        - name: STS_ENDPOINT
          value: "https://api.vultr.com/v2/assumed-roles/compatibility/aws/sts"
-        - name: SERVICE_ACCOUNT_AUDIENCE
-          value: "vultr" #TODO: Probably need to update with whatever is in the action map
        - name: TLS_CERT_PATH
          value: /etc/webhook/certs/tls.crt
        - name: TLS_KEY_PATH
--- a/example.yaml
+++ b/example.yaml
@@ -4,8 +4,7 @@ metadata:
  name: example-app
  namespace: default
  annotations:
-    # Replace with actual IAM role ARN
-    vultr.com/role-arn: "arn:aws:iam::123456789012:role/example-app-role"
+    api.vultr.com/role: "775a6be6-45cd-4f19-94f5-6e4f96f093ec"
 ---
 apiVersion: v1
 kind: Pod
--- a/main.go
+++ b/main.go
@@ -18,7 +18,7 @@ import (
 )

 const (
-	roleArnAnnotation         = "vultr.com/role-arn"
+	roleArnAnnotation         = "api.vultr.com/role"
 	tokenVolumeName           = "vultr-irsa-token"
 	tokenMountPath            = "/var/run/secrets/vultr.com/serviceaccount"
 	tokenFileName             = "token"
@@ -320,6 +320,9 @@ func (ws *WebhookServer) generateContainerPatches(index int, roleArn string, con
 		})
 	}

+	// Get STS endpoint from environment (set in deployment)
+	stsEndpoint := getEnv("STS_ENDPOINT", "https://api.vultr.com/v2/assumed-roles/compatibility/aws/sts")
+
 	// Add environment variables
 	envVars := []corev1.EnvVar{
 		{
@@ -334,6 +337,10 @@ func (ws *WebhookServer) generateContainerPatches(index int, roleArn string, con
 			Name:  envAWSSTSRegionalEndpoint,
 			Value: "regional",
 		},
+		{
+			Name:  "AWS_ENDPOINT_URL_STS",
+			Value: stsEndpoint,
+		},
 	}

 	if container.Env == nil {
--- a/test-pod.yaml
+++ b/test-pod.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: irsa-test-pod
+  namespace: default
+spec:
+  serviceAccountName: test-sa
+  containers:
+  - name: test
+    image: python:3.9-slim
+    command: ["sleep", "3600"]
--- a/test-serviceaccount.yaml
+++ b/test-serviceaccount.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: test-sa
+  namespace: default
+  annotations:
+    api.vultr.com/role: "b1fef0ad-c912-457b-bba2-9fb6ef1ae13b"
--- a/test-webhook.yaml
+++ b/test-webhook.yaml
@@ -4,7 +4,7 @@ metadata:
  name: test-irsa
  namespace: default
  annotations:
-    vultr.com/role-arn: "arn:aws:iam::123456789012:role/test-role"
+    api.vultr.com/role: "775a6be6-45cd-4f19-94f5-6e4f96f093ec"
 ---
 apiVersion: v1
 kind: Pod
--- a/BIN
+++ b/BIN