Create proper secrets before checking whether the SA needs to be patched (in case the secret itself changed)

2026-02-24 19:35:30 +01:00 · 2022-06-13 14:27:12 +02:00
parent 265f6ba0e1
commit 012a498a8b
3 changed files with 18 additions and 18 deletions
--- a/cmd/webhook.go
+++ b/cmd/webhook.go
@@ -236,11 +236,24 @@ func (whsvr *WebhookServer) mutateServiceAccount(ar *v1beta1.AdmissionReview) *v
 		}
 	}

-	// Check whether we already have the imagePullSecretName present
+	// Make sure the secrets are present
+	if err := whsvr.ensureSecrets(ar); err != nil {
+		whsvr.logger.Errorf("Could not ensure existence of the imagePullSecret")
+		if !whsvr.config.ignoreSecretCreationError {
+			whsvr.logger.Errorf("Failing the mutation process")
+			return &v1beta1.AdmissionResponse{
+				Result: &metav1.Status{
+					Message: err.Error(),
+				},
+			}
+		}
+		whsvr.logger.Infof("ignoreSecretCreationError is true, ignoring")
+	}
+
 	if sa.ImagePullSecrets != nil {
-		whsvr.logger.Infof("ServiceAccount is already in the correct state, skipping")
 		for _, lor := range sa.ImagePullSecrets {
 			if whsvr.config.targetImagePullSecretName == lor.Name {
+				whsvr.logger.Infof("ServiceAccount is already in the correct state, skipping the patch")
 				return &v1beta1.AdmissionResponse{
 					Allowed: true,
 				}
@@ -262,19 +275,6 @@ func (whsvr *WebhookServer) mutateServiceAccount(ar *v1beta1.AdmissionReview) *v
 		}
 	}

-	if err := whsvr.ensureSecrets(ar); err != nil {
-		whsvr.logger.Errorf("Could not ensure existence of the imagePullSecret")
-		if !whsvr.config.ignoreSecretCreationError {
-			whsvr.logger.Errorf("Failing the mutation process")
-			return &v1beta1.AdmissionResponse{
-				Result: &metav1.Status{
-					Message: err.Error(),
-				},
-			}
-		}
-		whsvr.logger.Infof("ignoreSecretCreationError is true, ignoring")
-	}
-
 	return &v1beta1.AdmissionResponse{
 		Allowed: true,
 		Patch:   patchBytes,