better examples and tests

2025-12-11 04:52:08 -05:00
parent ddb5a2b164
commit c525337d87
3 changed files with 61 additions and 11 deletions
--- a/README.md
+++ b/README.md
@@ -29,6 +29,7 @@ When a pod is created, the webhook:

 - Kubernetes 1.20+ (for projected service account tokens)
 - `kubectl` configured to access your cluster
+  - Deploy a VKE cluster and do `export KUBECONFIG=~/Downloads/vke-64c243de-eb0b-4084-93ae-6c386bef8978.yaml`
 - OpenSSL (for certificate generation)
 - Go 1.24+ (for building from source)

@@ -255,14 +256,3 @@ go build -o webhook main.go
                  │ (Get SA)   │
                  └────────────┘
 ```
-
-## License
-
-MIT
-
-## Contributing
-
-Contributions welcome! Please ensure:
- Code follows Go best practices
- Add tests for new functionality
- Update documentation as needed
--- a/example.yaml
+++ b/example.yaml
@@ -0,0 +1,41 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: example-app
+  namespace: default
+  annotations:
+    # Replace with actual IAM role ARN
+    vultr.com/role-arn: "arn:aws:iam::123456789012:role/example-app-role"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: example-app
+  namespace: default
+spec:
+  serviceAccountName: example-app
+  containers:
+  - name: aws-cli
+    image: amazon/aws-cli:latest
+    command:
+      - /bin/bash
+      - -c
+      - |
+        echo "Testing IRSA configuration..."
+        echo ""
+        echo "Environment variables:"
+        env | grep AWS
+        echo ""
+        echo "Token file contents:"
+        ls -la /var/run/secrets/vultr.com/serviceaccount/
+        echo ""
+        echo "Token (first 50 chars):"
+        head -c 50 /var/run/secrets/vultr.com/serviceaccount/token
+        echo ""
+        echo ""
+        echo "Attempting to assume role..."
+        aws sts get-caller-identity || echo "Failed to get caller identity (expected if IAM role trust is not configured)"
+        echo ""
+        echo "Sleeping for 1 hour..."
+        sleep 3600
+  restartPolicy: Never
--- a/test-webhook.yaml
+++ b/test-webhook.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: test-irsa
+  namespace: default
+  annotations:
+    vultr.com/role-arn: "arn:aws:iam::123456789012:role/test-role"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-pod
+  namespace: default
+spec:
+  serviceAccountName: test-irsa
+  containers:
+  - name: busybox
+    image: busybox
+    command: ["sh", "-c", "env | grep AWS && ls -la /var/run/secrets/vultr.com/serviceaccount/ && sleep 3600"]