From 012a498a8b576d12fb546b7b49f3d60db2c65683 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20=C5=A0alata?=
Date: Mon, 13 Jun 2022 14:27:12 +0200
Subject: [PATCH 1/2] Create proper secrets before checking whether the SA needs to be patched (in case the secret itself changed)

---
 VERSION | 2 +-
 charts/imagepullsecret-injector/Chart.yaml | 4 +--
 cmd/webhook.go | 30 +++++++++++-----------
 3 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/VERSION b/VERSION
index 1111c9c..9beca35 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-0.0.14
\ No newline at end of file
+0.0.15
\ No newline at end of file
diff --git a/charts/imagepullsecret-injector/Chart.yaml b/charts/imagepullsecret-injector/Chart.yaml
index c0ce68d..55d08e0 100644
--- a/charts/imagepullsecret-injector/Chart.yaml
+++ b/charts/imagepullsecret-injector/Chart.yaml
@@ -15,9 +15,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.0.25
+version: 0.0.26
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 0.0.14
+appVersion: 0.0.25
diff --git a/cmd/webhook.go b/cmd/webhook.go
index ad04bc9..5bb555e 100644
--- a/cmd/webhook.go
+++ b/cmd/webhook.go
@@ -236,11 +236,24 @@ func (whsvr *WebhookServer) mutateServiceAccount(ar *v1beta1.AdmissionReview) *v
 		}
 	}
 
-	// Check whether we already have the imagePullSecretName present
+	// Make sure the secrets are present
+	if err := whsvr.ensureSecrets(ar); err != nil {
+		whsvr.logger.Errorf("Could not ensure existence of the imagePullSecret")
+		if !whsvr.config.ignoreSecretCreationError {
+			whsvr.logger.Errorf("Failing the mutation process")
+			return &v1beta1.AdmissionResponse{
+				Result: &metav1.Status{
+					Message: err.Error(),
+				},
+			}
+		}
+		whsvr.logger.Infof("ignoreSecretCreationError is true, ignoring")
+	}
+
 	if sa.ImagePullSecrets != nil {
-		whsvr.logger.Infof("ServiceAccount is already in the correct state, skipping")
 		for _, lor := range sa.ImagePullSecrets {
 			if whsvr.config.targetImagePullSecretName == lor.Name {
+				whsvr.logger.Infof("ServiceAccount is already in the correct state, skipping the patch")
 				return &v1beta1.AdmissionResponse{
 					Allowed: true,
 				}
@@ -262,19 +275,6 @@ func (whsvr *WebhookServer) mutateServiceAccount(ar *v1beta1.AdmissionReview) *v
 		}
 	}
 
-	if err := whsvr.ensureSecrets(ar); err != nil {
-		whsvr.logger.Errorf("Could not ensure existence of the imagePullSecret")
-		if !whsvr.config.ignoreSecretCreationError {
-			whsvr.logger.Errorf("Failing the mutation process")
-			return &v1beta1.AdmissionResponse{
-				Result: &metav1.Status{
-					Message: err.Error(),
-				},
-			}
-		}
-		whsvr.logger.Infof("ignoreSecretCreationError is true, ignoring")
-	}
-
 	return &v1beta1.AdmissionResponse{
 		Allowed: true,
 		Patch:   patchBytes,
From 1f0f30920f96aed0db095f77ba43793829da07bd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20=C5=A0alata?=
Date: Mon, 13 Jun 2022 14:43:51 +0200
Subject: [PATCH 2/2] Update Makefile to allow containerd builds

---
 Makefile | 43 ++++++++++++++++++++++++++++++++++++++-----
 build/Dockerfile | 2 +-
 2 files changed, 39 insertions(+), 6 deletions(-)

diff --git a/Makefile b/Makefile
index 070d798..3195654 100644
--- a/Makefile
+++ b/Makefile
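Review bot: The moved error path still logs `Could not ensure existence of the imagePullSecret` without the error itself, so the only place the failure reason appears is the `Message: err.Error()` handed back to the API server and, through it, to whichever client triggered the admission; log it where the operator can see it, `whsvr.logger.Errorf("Could not ensure existence of the imagePullSecret: %v", err)`, and consider a generic denial message rather than echoing the raw secret-API error to the caller. The denial response sets only `Result` and relies on `Allowed` zero-valuing to false; an explicit `Allowed: false` (and a status `Code`) would make that intent unmistakable to the next reader. Because ensureSecrets now runs before the early return, a secret-API failure with `ignoreSecretCreationError` unset will reject ServiceAccount admissions that the old ordering allowed through the "already in the correct state" path; that is presumably the intended behaviour but deserves a sentence in the config documentation. mutateServiceAccount begins before this hunk and continues past it.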
@@ -67,6 +67,10 @@ test:
 # build section
 ############################################################
 
+vendor:
+	@echo "Vendoring..."
+	@go mod vendor
+
 build:
 	@echo "Building the $(IMAGE_NAME) binary..."
 	@CGO_ENABLED=0 go build -o build/_output/bin/$(IMAGE_NAME) ./cmd/
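Review bot: The new `vendor` target produces a directory with the same name, so once `vendor/` exists Make treats the target as up to date and `make vendor` — including the `make vendor build` this patch adds to build/Dockerfile — silently skips `go mod vendor`; the `.PHONY` line updated later in this patch does not list it. Declare it phony, `.PHONY: all fmt lint check test build vendor docker-image containerd-image clean`, so the vendor tree is always regenerated from go.mod/go.sum. Since the Dockerfile does `COPY . .` first, a stale `vendor/` from the developer's checkout would otherwise be what gets built, presumably without any refresh; worth confirming against the repository's .dockerignore.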
@@ -76,10 +80,39 @@ build-linux:
 	@GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -o build/_output/linux/bin/$(IMAGE_NAME) ./cmd/
 
 ############################################################
-# image section
+# Containerd image section
 ############################################################
 
-image: docker-login build-image push-image
+containerd-image: containerd-login containerd-image containerd-image
+
+containerd-login:
+	@echo "$(DOCKER_TOKEN)" | nerdctl login -u "$(DOCKER_USER)" --password-stdin "$(REPOSITORY_BASE)"
+
+containerd-logout:
+	@docker logout
+
+containerd-build:
+	@echo "Building the docker image: $(IMAGE_REPO)/$(IMAGE_NAME):$(IMAGE_TAG)..."
+	@nerdctl build -t $(IMAGE_REPO)/$(IMAGE_NAME):$(IMAGE_TAG) -f build/Dockerfile .
+	@echo "Building the docker image: $(IMAGE_REPO)/$(GENERATOR_IMAGE_NAME):$(IMAGE_TAG)..."
+	@nerdctl build -t $(IMAGE_REPO)/$(GENERATOR_IMAGE_NAME):$(IMAGE_TAG) -f build/Dockerfile.cert-generator .
+
+containerd-push: containerd-build-image
+	@echo "Pushing the docker image for $(IMAGE_REPO)/$(IMAGE_NAME):$(IMAGE_TAG) and $(IMAGE_REPO)/$(IMAGE_NAME):latest..."
+	@nerdctl tag $(IMAGE_REPO)/$(IMAGE_NAME):$(IMAGE_TAG) $(IMAGE_REPO)/$(IMAGE_NAME):latest
+	@nerdctl push $(IMAGE_REPO)/$(IMAGE_NAME):$(IMAGE_TAG)
+	@nerdctl push $(IMAGE_REPO)/$(IMAGE_NAME):latest
+	@echo "Pushing the docker image for $(IMAGE_REPO)/$(GENERATOR_IMAGE_NAME):$(IMAGE_TAG) and $(IMAGE_REPO)/$(GENERATOR_IMAGE_NAME):latest..."
+	@nerdctl tag $(IMAGE_REPO)/$(GENERATOR_IMAGE_NAME):$(IMAGE_TAG) $(IMAGE_REPO)/$(GENERATOR_IMAGE_NAME):latest
+	@nerdctl push $(IMAGE_REPO)/$(GENERATOR_IMAGE_NAME):$(IMAGE_TAG)
+	@nerdctl push $(IMAGE_REPO)/$(GENERATOR_IMAGE_NAME):latest
+
+
+############################################################
+# Docker image section
+############################################################
+
+docker-image: docker-login docker-build docker-push
 
 docker-login:
 	@echo "$(DOCKER_TOKEN)" | docker login -u "$(DOCKER_USER)" --password-stdin "$(REPOSITORY_BASE)"
@@ -87,13 +120,13 @@ docker-login:
 docker-logout:
 	@docker logout
 
-build-image:
+docker-build:
 	@echo "Building the docker image: $(IMAGE_REPO)/$(IMAGE_NAME):$(IMAGE_TAG)..."
 	@docker build -t $(IMAGE_REPO)/$(IMAGE_NAME):$(IMAGE_TAG) -f build/Dockerfile .
 	@echo "Building the docker image: $(IMAGE_REPO)/$(GENERATOR_IMAGE_NAME):$(IMAGE_TAG)..."
 	@docker build -t $(IMAGE_REPO)/$(GENERATOR_IMAGE_NAME):$(IMAGE_TAG) -f build/Dockerfile.cert-generator .
 
-push-image: build-image
+docker-push: docker-build
 	@echo "Pushing the docker image for $(IMAGE_REPO)/$(IMAGE_NAME):$(IMAGE_TAG) and $(IMAGE_REPO)/$(IMAGE_NAME):latest..."
 	@docker tag $(IMAGE_REPO)/$(IMAGE_NAME):$(IMAGE_TAG) $(IMAGE_REPO)/$(IMAGE_NAME):latest
 	@docker push $(IMAGE_REPO)/$(IMAGE_NAME):$(IMAGE_TAG)
@@ -110,4 +143,4 @@ push-image: build-image
 clean:
 	@rm -rf build/_output
 
-.PHONY: all fmt lint check test build image clean
+.PHONY: all fmt lint check test build docker-image containerd-image clean
diff --git a/build/Dockerfile b/build/Dockerfile
index 98cb218..16490cd 100644
--- a/build/Dockerfile
+++ b/build/Dockerfile
@@ -2,7 +2,7 @@ FROM golang:1.17.10 AS builder
 WORKDIR /go/src/github.com/ysoftdevs/imagepullsecret-injector
 COPY . .
 
-RUN make build
+RUN make vendor build
 
 FROM alpine:3.15.4 as base
 COPY --from=builder /go/src/github.com/ysoftdevs/imagepullsecret-injector/build/_output/bin/imagepullsecret-injector /usr/local/bin/imagepullsecret-injector
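Review bot: The `containerd-image` aggregate lists itself twice as a prerequisite and never reaches the build or push rules, and `containerd-push` depends on a `containerd-build-image` target that does not exist, so `make containerd-image` cannot produce or publish an image. The two lines should read `containerd-image: containerd-login containerd-build containerd-push` and `containerd-push: containerd-build`. `containerd-logout` runs `@docker logout` rather than `@nerdctl logout`, which only clears the credential written by `containerd-login` if both tools share the same credential store in this environment; neither aggregate target invokes its logout rule, so the registry token handed in via `DOCKER_TOKEN` stays in the credential store after the build unless the caller remembers to run it. The hunk continues into the next one on this line.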