add a docker file and generate certs and more makefile notes

Dockerfile

@@ -0,0 +1,26 @@
+FROM golang:1.24-alpine AS builder
+
+WORKDIR /workspace
+
+# Copy go mod files
+COPY go.mod go.mod
+COPY go.sum go.sum
+
+# Cache dependencies
+RUN go mod download
+
+# Copy source code
+COPY main.go main.go
+
+# Build
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -o webhook main.go
+
+# Use distroless as minimal runtime image
+FROM gcr.io/distroless/static:nonroot
+
+WORKDIR /
+COPY --from=builder /workspace/webhook .
+
+USER 65532:65532
+
+ENTRYPOINT ["/webhook"]

MAKEFILENOTES.md

@@ -0,0 +1,84 @@
+To use the Makefile, simply run `make` followed by the target name:
+
+```bash
+# View all available commands
+make help
+
+# Common commands:
+
+# Download Go dependencies
+make deps
+
+# Build the Go binary
+make build
+
+# Build Docker image
+make docker-build
+
+# Build and push Docker image
+make docker-build docker-push
+
+# Generate TLS certificates
+make certs
+
+# Deploy to Kubernetes
+make deploy
+
+# View webhook logs
+make logs
+
+# Check webhook status
+make status
+
+# Test with example pod
+make test-example
+
+# Restart webhook
+make restart
+
+# Complete pipeline (build, push, certs, deploy)
+make all
+
+# Clean up everything
+make clean
+```
+
+**Example workflow:**
+
+```bash
+# 1. First, download dependencies
+make deps
+
+# 2. Build locally to test
+make build
+
+# 3. Build Docker image (update IMAGE_NAME in Makefile first)
+make docker-build
+
+# 4. Push to registry
+make docker-push
+
+# 5. Generate certificates
+make certs
+
+# 6. Deploy to cluster
+make deploy
+
+# 7. Check status
+make status
+
+# 8. Watch logs
+make logs
+```
+
+**Customizing:**
+
+You can override variables:
+
+```bash
+# Use custom image name
+make docker-build IMAGE_NAME=myregistry.com/irsa-webhook IMAGE_TAG=v1.0.0
+
+# Use custom namespace
+make deploy NAMESPACE=custom-namespace
+```

README.md

@@ -30,7 +30,7 @@ When a pod is created, the webhook:
 - Kubernetes 1.20+ (for projected service account tokens)
 - `kubectl` configured to access your cluster
 - OpenSSL (for certificate generation)
-- Go 1.21+ (for building from source)
+- Go 1.24+ (for building from source)
 
 ## Quick Start
 

example.yaml

@@ -63,7 +63,7 @@ spec:
       serviceAccountName: irsa-webhook
       containers:
       - name: webhook
-        image: your-registry/irsa-webhook:latest
+        image: ewr.vultrcr.com/chansey/irsa-webhook:latest
         imagePullPolicy: Always
         ports:
         - containerPort: 8443

generate-certs.sh

@@ -0,0 +1,95 @@
+#!/bin/bash
+
+# Generate TLS certificates for the webhook
+# This creates a self-signed CA and certificate for the webhook service
+
+set -e
+
+NAMESPACE="irsa-system"
+SERVICE_NAME="irsa-webhook"
+SECRET_NAME="irsa-webhook-certs"
+WEBHOOK_CONFIG_NAME="irsa-webhook"
+
+# Create temporary directory for certificate generation
+CERT_DIR=$(mktemp -d)
+trap "rm -rf ${CERT_DIR}" EXIT
+
+echo "Generating certificates in ${CERT_DIR}..."
+
+# Generate CA private key
+openssl genrsa -out ${CERT_DIR}/ca.key 2048
+
+# Generate CA certificate
+openssl req -x509 -new -nodes -key ${CERT_DIR}/ca.key \
+    -subj "/CN=IRSA Webhook CA" \
+    -days 3650 \
+    -out ${CERT_DIR}/ca.crt
+
+# Generate webhook private key
+openssl genrsa -out ${CERT_DIR}/tls.key 2048
+
+# Create certificate signing request
+cat > ${CERT_DIR}/csr.conf <<EOL
+[req]
+req_extensions = v3_req
+distinguished_name = req_distinguished_name
+[req_distinguished_name]
+[v3_req]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = @alt_names
+[alt_names]
+DNS.1 = ${SERVICE_NAME}
+DNS.2 = ${SERVICE_NAME}.${NAMESPACE}
+DNS.3 = ${SERVICE_NAME}.${NAMESPACE}.svc
+DNS.4 = ${SERVICE_NAME}.${NAMESPACE}.svc.cluster.local
+EOL
+
+# Generate certificate signing request
+openssl req -new -key ${CERT_DIR}/tls.key \
+    -subj "/CN=${SERVICE_NAME}.${NAMESPACE}.svc" \
+    -out ${CERT_DIR}/tls.csr \
+    -config ${CERT_DIR}/csr.conf
+
+# Sign the certificate with the CA
+openssl x509 -req -in ${CERT_DIR}/tls.csr \
+    -CA ${CERT_DIR}/ca.crt \
+    -CAkey ${CERT_DIR}/ca.key \
+    -CAcreateserial \
+    -out ${CERT_DIR}/tls.crt \
+    -days 3650 \
+    -extensions v3_req \
+    -extfile ${CERT_DIR}/csr.conf
+
+echo "Certificates generated successfully."
+
+# Create namespace if it doesn't exist
+kubectl create namespace ${NAMESPACE} --dry-run=client -o yaml | kubectl apply -f -
+
+# Create or update secret with certificates
+kubectl create secret tls ${SECRET_NAME} \
+    --cert=${CERT_DIR}/tls.crt \
+    --key=${CERT_DIR}/tls.key \
+    --namespace=${NAMESPACE} \
+    --dry-run=client -o yaml | kubectl apply -f -
+
+echo "Secret ${SECRET_NAME} created/updated in namespace ${NAMESPACE}"
+
+# Get CA bundle for webhook configuration
+CA_BUNDLE=$(cat ${CERT_DIR}/ca.crt | base64 | tr -d '\n')
+
+# Update MutatingWebhookConfiguration with CA bundle
+if kubectl get mutatingwebhookconfiguration ${WEBHOOK_CONFIG_NAME} &> /dev/null; then
+    kubectl patch mutatingwebhookconfiguration ${WEBHOOK_CONFIG_NAME} \
+        --type='json' \
+        -p="[{'op': 'replace', 'path': '/webhooks/0/clientConfig/caBundle', 'value':'${CA_BUNDLE}'}]"
+    echo "MutatingWebhookConfiguration ${WEBHOOK_CONFIG_NAME} updated with CA bundle"
+else
+    echo "MutatingWebhookConfiguration ${WEBHOOK_CONFIG_NAME} not found. Please update deploy.yaml with:"
+    echo "caBundle: ${CA_BUNDLE}"
+fi
+
+echo ""
+echo "Setup complete! CA Bundle (for manual configuration):"
+echo "${CA_BUNDLE}"