From cc72630c60ab758bf301c28fc708c8001b22a8fe Mon Sep 17 00:00:00 2001
From: Claus-Theodor Riegg <claus-theodor.riegg@digits.schwarz>
Date: Fri, 8 May 2026 10:24:17 +0200
Subject: [PATCH 1/2] use public IP range API endpoint for the example workload

Since the example workload is used in SKE test environments too we don't
want to rely on a SKE specific endpoint for testing the example workload
functionality.
---
 .../main.go                                   | 41 ++++++++++---------
 go.mod                                        |  2 +-
 go.sum                                        |  4 +-
 3 files changed, 24 insertions(+), 23 deletions(-)

diff --git a/cmd/stackit-workload-identity-example-app/main.go b/cmd/stackit-workload-identity-example-app/main.go
index 8449ad6..12c02d2 100644
--- a/cmd/stackit-workload-identity-example-app/main.go
+++ b/cmd/stackit-workload-identity-example-app/main.go
@@ -1,7 +1,7 @@
 // Package main provides a simple example application that demonstrates the use of STACKIT Workload Identity.
 // It uses the STACKIT Go SDK to interact with the SKE API, relying on the identity injected
 // by the stackit-pod-identity-webhook for authentication.
-// Getting the provider options does not require any permissions to be assigned to the ServiceAccount.
+// Getting the public IP ranges does not require any permissions to be assigned to the ServiceAccount.
 package main
 
 import (
@@ -9,49 +9,50 @@ import (
 	"fmt"
 	"log/slog"
 	"os"
+	"os/signal"
+	"syscall"
 
 	"github.com/stackitcloud/stackit-sdk-go/core/config"
-	ske "github.com/stackitcloud/stackit-sdk-go/services/ske/v2api"
+	iaas "github.com/stackitcloud/stackit-sdk-go/services/iaas/v2api"
 )
 
-const defaultRegion = "eu01"
-
 func main() {
-	if err := run(); err != nil {
+	ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM)
+	defer stop()
+
+	if err := run(ctx); err != nil {
 		slog.Error("Application failed", "error", err)
 		os.Exit(1)
 	}
 }
 
-func run() error {
-	region := os.Getenv("STACKIT_REGION")
-	if region == "" {
-		region = defaultRegion
-	}
-
+func run(ctx context.Context) error {
 	var opts []config.ConfigurationOption
-	if endpoint := os.Getenv("STACKIT_SKE_ENDPOINT"); endpoint != "" {
-		slog.Info("Using custom SKE endpoint", "endpoint", endpoint)
+	if endpoint := os.Getenv("STACKIT_IAAS_API_ENDPOINT"); endpoint != "" {
+		slog.Info("Using custom IaaS API endpoint", "endpoint", endpoint)
 		opts = append(opts, config.WithEndpoint(endpoint))
 	}
 
 	// Create a new API client that uses default authentication and configuration
-	skeClient, err := ske.NewAPIClient(opts...)
+	iaasClient, err := iaas.NewAPIClient(opts...)
 	if err != nil {
 		return fmt.Errorf("creating API client: %w", err)
 	}
 
-	slog.Info("Fetching SKE options", "region", region)
-	getOptionsResp, err := skeClient.DefaultAPI.ListProviderOptions(context.Background(), region).Execute()
+	slog.Info("Fetching public IP ranges")
+
+	publicIpRangesResponse, err := iaasClient.DefaultAPI.ListPublicIPRanges(ctx).Execute()
+
 	if err != nil {
-		return fmt.Errorf("calling ListProviderOptions: %w", err)
+		return fmt.Errorf("calling ListPublicIPRanges: %w", err)
 	}
 
 	slog.Info("Authentication successful, API call succeeded")
 
-	availableVersions := getOptionsResp.KubernetesVersions
-	if len(availableVersions) == 0 {
-		slog.Warn("No Kubernetes versions found", "region", region)
+	publicIpRanges := publicIpRangesResponse.Items
+
+	if len(publicIpRanges) == 0 {
+		slog.Warn("No public IP ranges found. There might be a problem with the autentication.")
 	}
 
 	return nil
diff --git a/go.mod b/go.mod
index 354751f..a2d915b 100644
--- a/go.mod
+++ b/go.mod
@@ -6,7 +6,7 @@ require (
 	github.com/onsi/ginkgo/v2 v2.28.1
 	github.com/onsi/gomega v1.39.1
 	github.com/stackitcloud/stackit-sdk-go/core v0.26.0
-	github.com/stackitcloud/stackit-sdk-go/services/ske v1.12.0
+	github.com/stackitcloud/stackit-sdk-go/services/iaas v1.11.1
 	k8s.io/api v0.35.1
 	k8s.io/apimachinery v0.35.1
 	k8s.io/client-go v0.35.1
diff --git a/go.sum b/go.sum
index 679075c..8c22172 100644
--- a/go.sum
+++ b/go.sum
@@ -862,8 +862,8 @@ github.com/ssgreg/nlreturn/v2 v2.2.1 h1:X4XDI7jstt3ySqGU86YGAURbxw3oTDPK9sPEi6YE
 github.com/ssgreg/nlreturn/v2 v2.2.1/go.mod h1:E/iiPB78hV7Szg2YfRgyIrk1AD6JVMTRkkxBiELzh2I=
 github.com/stackitcloud/stackit-sdk-go/core v0.26.0 h1:jQEb9gkehfp6VCP6TcYk7BI10cz4l0KM2L6hqYBH2QA=
 github.com/stackitcloud/stackit-sdk-go/core v0.26.0/go.mod h1:WU1hhxnjXw2EV7CYa1nlEvNpMiRY6CvmIOaHuL3pOaA=
-github.com/stackitcloud/stackit-sdk-go/services/ske v1.12.0 h1:G6iUFDlrwCkCkwSV3eLNsFpVD24h6qV7D4pm0rqftnM=
-github.com/stackitcloud/stackit-sdk-go/services/ske v1.12.0/go.mod h1:cSRF2ARIB6dKmvZ12Z5h1usKQligeZJ1JOiJk6Ds3wE=
+github.com/stackitcloud/stackit-sdk-go/services/iaas v1.11.1 h1:HcKqjwIjv4OAW1aWI0U/JWjnzTwzSvdr6DLasH940EU=
+github.com/stackitcloud/stackit-sdk-go/services/iaas v1.11.1/go.mod h1:Ts06id0KejUlQWbpR+/rm+tKng6QkTuFV1VQTPJ4dA4=
 github.com/stbenjam/no-sprintf-host-port v0.2.0 h1:i8pxvGrt1+4G0czLr/WnmyH7zbZ8Bg8etvARQ1rpyl4=
 github.com/stbenjam/no-sprintf-host-port v0.2.0/go.mod h1:eL0bQ9PasS0hsyTyfTjjG+E80QIyPnBVQbYZyv20Jfk=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=

From ebfd84d813202b7cc1d932e184376677125c888d Mon Sep 17 00:00:00 2001
From: Claus-Theodor Riegg <claus-theodor.riegg@digits.schwarz>
Date: Fri, 8 May 2026 12:59:48 +0200
Subject: [PATCH 2/2] publish :latest image for releases

---
 Makefile | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/Makefile b/Makefile
index 0277f8a..ff07b3a 100644
--- a/Makefile
+++ b/Makefile
@@ -1,13 +1,15 @@
 # Image URL to use all building/pushing image targets
-REGISTRY                    ?= ghcr.io
-IMAGE_ORG                   ?= stackitcloud
-IS_DEV                      ?= true
+VERSION               := $(shell git describe --tag --always --dirty)
+REGISTRY              ?= ghcr.io
+IMAGE_ORG             ?= stackitcloud
+IMAGE_TAGS            := $(VERSION),latest
+IS_DEV                ?= true
 ifeq ($(IS_DEV),true)
-REPO_POSTFIX                := -dev
+REPO_POSTFIX          := -dev
+IMAGE_TAGS            := $(VERSION)
 endif
-REPO_ROOT                   := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))
-HACK_DIR                    := $(REPO_ROOT)/hack
-VERSION              := $(shell git describe --tag --always --dirty)
+REPO_ROOT             := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))
+HACK_DIR              := $(REPO_ROOT)/hack
 
 # Setting SHELL to bash allows bash commands to be executed by recipes.
 # Options are set to exit immediately on error, unset variables, and pipe failures.
@@ -84,7 +86,7 @@ image-%: ## Builds a specific image using ko (e.g., make image-stackit-workload-
 	KO_DOCKER_REPO=$(REGISTRY)/$(IMAGE_ORG)/$*$(REPO_POSTFIX) \
 	go tool ko build --push=$(PUSH) \
 	--image-label org.opencontainers.image.source="https://github.com/stackitcloud/stackit-pod-identity-webhook" \
-	--sbom none -t $(VERSION) \
+	--sbom none -t $(IMAGE_TAGS) \
 	--bare \
 	--platform linux/amd64,linux/arm64 \
 	./cmd/$* \
@@ -100,4 +102,4 @@ artifacts: images chart ## Pushes all artifacts including image and helm chart
 .PHONY: clean
 clean: ## Clean binaries and image files
 	rm -rf bin/
-	rm -f image-*.txt
\ No newline at end of file
+	rm -f image-*.txt