fix documents

README.md

@@ -64,16 +64,23 @@ spec:
       bucketName: <S3 bucket name>
 ```
 
-4. Modify kube-apiserver Settings
+4. Check the status
 
-Execute the following commands on the control plane server to save the public and private keys for Kubernetes signatures:
+Check the IRSASetup custom resource status to verify whether it is set to true.
+
+5. Modify kube-apiserver Settings
+
+If the IRSASetup status is true, a key file (Name: `irsa-manager-key` , Namespace: `kube-system` ) will be created. This is used for signing tokens in the kubernetes API.
+Execute the following commands on the control plane server to save the public and private keys locally for Kubernetes signatures:
 
 ```console
-kubectl get secret -n kube-system irsa-manager-key -o jsonpath="{.data.ssh-privatekey}" | base64 --decode | sudo tee /etc/kubernetes/pki/irsa-manager.key > /dev/null
-kubectl get secret -n kube-system irsa-manager-key -o jsonpath="{.data.ssh-publickey}" | base64 --decode | sudo tee /etc/kubernetes/pki/irsa-manager.pub > /dev/null
+kubectl get secret -n kube-system irsa-manager-key -o jsonpath="{.data.ssh-privatekey}" | base64 --decode | sudo tee /path/to/file.key > /dev/null
+kubectl get secret -n kube-system irsa-manager-key -o jsonpath="{.data.ssh-publickey}" | base64 --decode | sudo tee /path/to/file.pub > /dev/null
 ```
 
-Then, modify the kube-apiserver.yaml file to include the following parameters:
+> [!NOTE] > `/path/to/file` can be any path you choose. If you use kubeadm, it is recommended to set `/etc/kubernetes/pki/irsa-manager.(key|pub)`
+
+Then, modify the kube-apiserver settings to include the following parameters:
 
 - API Audiences
 
@@ -89,32 +96,30 @@ Then, modify the kube-apiserver.yaml file to include the following parameters:
 
 - Service Account Key File
 
-The public key (oidc-issuer.pub) generated previously can be read by the API server. Add the path for this parameter flag:
+The public key generated previously can be read by the API server. Add the path for this parameter flag:
 
 ```
---service-account-key-file=/etc/kubernetes/pki/irsa-manager.pub
+--service-account-key-file=/path/to/file.pub
 ```
 
 > [!NOTE]
 > Add this setting as the first element. If specified multiple times, tokens signed by any of the specified keys are considered valid by the Kubernetes API server.
+> If you do not mount /path/to directory, you need to add the volumes field to this path.
 
 - Service Account Signing Key File
 
 The private key (oidc-issuer.key) generated previously can be read by the API server. Add the path for this parameter flag:
 
 ```
---service-account-signing-key-file=/etc/kubernetes/pki/irsa-manager.key
+--service-account-signing-key-file=/path/to/file.key
 ```
 
 > [!NOTE]
 > Overwrite the existing settings.
+> If you dont mount /path/to/file, you have to add the volumes field in this path
 
 For more details, refer to the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection).
 
-5. Check the status
-
-Check the IRSASetup custom resource status. If the status is true, you are ready to use IRSA.
-
 ## How To Use
 
 You can set IRSA for the Kubernetes ServiceAccount.

api/v1alpha1/irsa_types.go

@@ -32,11 +32,18 @@ type IRSASpec struct {
 	// of resources that are no longer needed or managed.
 	// +required
 	Cleanup bool `json:"cleanup"`
-	// ServiceAccount represents the Kubernetes service account associated with the IRSA
+
+	// ServiceAccount represents the Kubernetes service account associated with the IRSA.
+	// +required
 	ServiceAccount IRSAServiceAccount `json:"serviceAccount,omitempty"`
-	// IamRole represents the IAM role details associated with the IRSA
+
+	// IamRole represents the IAM role details associated with the IRSA.
+	// +required
 	IamRole IamRole `json:"iamRole,omitempty"`
-	// IamPolicies represents the list of IAM policies to be attached to the IAM role
+
+	// IamPolicies represents the list of IAM policies to be attached to the IAM role.
+	// You can set both the policy name (only AWS default policies) or the full ARN.
+	// +required
 	IamPolicies []string `json:"iamPolicies,omitempty"`
 }
 
@@ -50,16 +57,16 @@ type IRSAServiceAccount struct {
 
 // IamRole represents the IAM role configuration
 type IamRole struct {
-	// Name represents the name of the IAM role
+	// Name represents the name of the IAM role.
 	Name string `json:"name,omitempty"`
 }
 
-// IRSAStatus defines the observed state of IRSA
+// IRSAStatus defines the observed state of IRSA.
 type IRSAStatus struct {
 	Conditions []metav1.Condition `json:"conditions,omitempty"`
 }
 
-// GetIRSAStatusConditions returns a pointer to the Status.Conditions slice
+// GetIRSAStatusConditions returns a pointer to the Conditions slice
 func (in *IRSA) GetIRSAStatusConditions() *[]metav1.Condition {
 	return &in.Status.Conditions
 }

config/crd/bases/irsa.kkb0318.github.io_irsas.yaml

@@ -49,22 +49,23 @@ spec:
                   of resources that are no longer needed or managed.
                 type: boolean
               iamPolicies:
-                description: IamPolicies represents the list of IAM policies to be
-                  attached to the IAM role
+                description: |-
+                  IamPolicies represents the list of IAM policies to be attached to the IAM role.
+                  You can set both the policy name (only AWS default policies) or the full ARN.
                 items:
                   type: string
                 type: array
               iamRole:
                 description: IamRole represents the IAM role details associated with
-                  the IRSA
+                  the IRSA.
                 properties:
                   name:
-                    description: Name represents the name of the IAM role
+                    description: Name represents the name of the IAM role.
                     type: string
                 type: object
               serviceAccount:
                 description: ServiceAccount represents the Kubernetes service account
-                  associated with the IRSA
+                  associated with the IRSA.
                 properties:
                   name:
                     description: Name represents the name of the Kubernetes service
@@ -81,7 +82,7 @@ spec:
             - cleanup
             type: object
           status:
-            description: IRSAStatus defines the observed state of IRSA
+            description: IRSAStatus defines the observed state of IRSA.
             properties:
               conditions:
                 items:

docs/api.md

@@ -137,9 +137,9 @@ _Appears in:_
 | Field | Description | Default | Validation |
 | --- | --- | --- | --- |
 | `cleanup` _boolean_ | Cleanup, when enabled, allows the IRSA to perform garbage collection<br />of resources that are no longer needed or managed. |  |  |
-| `serviceAccount` _[IRSAServiceAccount](#irsaserviceaccount)_ | ServiceAccount represents the Kubernetes service account associated with the IRSA |  |  |
-| `iamRole` _[IamRole](#iamrole)_ | IamRole represents the IAM role details associated with the IRSA |  |  |
-| `iamPolicies` _string array_ | IamPolicies represents the list of IAM policies to be attached to the IAM role |  |  |
+| `serviceAccount` _[IRSAServiceAccount](#irsaserviceaccount)_ | ServiceAccount represents the Kubernetes service account associated with the IRSA. |  |  |
+| `iamRole` _[IamRole](#iamrole)_ | IamRole represents the IAM role details associated with the IRSA. |  |  |
+| `iamPolicies` _string array_ | IamPolicies represents the list of IAM policies to be attached to the IAM role.<br />You can set both the policy name (only AWS default policies) or the full ARN. |  |  |
 
 
 
@@ -157,7 +157,7 @@ _Appears in:_
 
 | Field | Description | Default | Validation |
 | --- | --- | --- | --- |
-| `name` _string_ | Name represents the name of the IAM role |  |  |
+| `name` _string_ | Name represents the name of the IAM role. |  |  |
 
 
 #### S3Discovery