Allow ignoring secret creating errors to preserve _some_ k8s functionality in case of issues

2026-01-11 22:41:15 +01:00 · 2021-04-03 13:38:21 +02:00
parent 9219b83a9b
commit 7b2c52406e
4 changed files with 14 additions and 5 deletions
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -55,6 +55,7 @@ func main() {
 	flag.StringVar(&parameters.sourceImagePullSecretName, "sourceImagePullSecretName", LookupStringEnv("CONFIG_SOURCE_IMAGE_PULL_SECRET_NAME", parameters.sourceImagePullSecretName), "Name of the imagePullSecret secret we use as source.")
 	flag.StringVar(&parameters.sourceImagePullSecretNamespace, "sourceImagePullSecretNamespace", LookupStringEnv("CONFIG_SOURCE_IMAGE_PULL_SECRET_NAMESPACE", parameters.sourceImagePullSecretNamespace), "Namespace of the imagePullSecret secret we use as source.")
 	flag.BoolVar(&parameters.allServiceAccounts, "allServiceAccounts", LookupBoolEnv("CONFIG_ALL_SERVICE_ACCOUNTS", parameters.allServiceAccounts), "Switch for watching all service accounts. If true, serviceAccounts parameter is ignored")
+	flag.BoolVar(&parameters.ignoreSecretCreationError, "ignoreSecretCreationError", LookupBoolEnv("CONFIG_IGNORE_SECRET_CREATION_ERROR", parameters.ignoreSecretCreationError), "If true, failed creation/update of secrets in the target namespace will not cause the webhook to fail")
 	flag.Parse()

 	glog.Infof("Running with config: %+v", parameters)
--- a/cmd/webhook.go
+++ b/cmd/webhook.go
@@ -43,6 +43,7 @@ type WhSvrParameters struct {
 	targetImagePullSecretName      string
 	sourceImagePullSecretName      string
 	sourceImagePullSecretNamespace string
+	ignoreSecretCreationError      bool
 }

 var (
@@ -67,6 +68,7 @@ func DefaultParametersObject() WhSvrParameters {
 		targetImagePullSecretName:      "my-cool-secret",
 		sourceImagePullSecretName:      "my-cool-secret-source",
 		sourceImagePullSecretNamespace: "default",
+		ignoreSecretCreationError:      false,
 	}
 }

@@ -252,11 +254,15 @@ func (whsvr *WebhookServer) mutateServiceAccount(ar *v1beta1.AdmissionReview) *v

 	if err := whsvr.ensureSecrets(ar); err != nil {
 		glog.Errorf("Could not ensure existence of the imagePullSecret")
-		return &v1beta1.AdmissionResponse{
-			Result: &metav1.Status{
-				Message: err.Error(),
-			},
+		if !whsvr.config.ignoreSecretCreationError {
+			glog.Errorf("Failing the mutation process")
+			return &v1beta1.AdmissionResponse{
+				Result: &metav1.Status{
+					Message: err.Error(),
+				},
+			}
 		}
+		glog.Infof("ignoreSecretCreationError is true, ignoring")
 	}

 	return &v1beta1.AdmissionResponse{
--- a/helm/imagepullsecret-injector/templates/deployment.yaml
+++ b/helm/imagepullsecret-injector/templates/deployment.yaml
@@ -42,6 +42,8 @@ spec:
              value: {{ .Values.imagepullsecretInjector.dockerconfigjsonRef.secretName | quote }}
            - name: CONFIG_SOURCE_IMAGE_PULL_SECRET_NAMESPACE
              value: {{ .Values.imagepullsecretInjector.dockerconfigjsonRef.secretNamespace | default .Release.Namespace | quote }}
+            - name: CONFIG_IGNORE_SECRET_CREATION_ERROR
+              value: {{ .Values.imagepullsecretInjector.ignoreSecretCreationError | quote }}
            - name: CONFIG_ALL_SERVICE_ACCOUNTS
              value: {{ .Values.imagepullsecretInjector.allSaNames | quote }}
          volumeMounts:
--- a/helm/imagepullsecret-injector/values.yaml
+++ b/helm/imagepullsecret-injector/values.yaml
@@ -16,7 +16,7 @@ imagepullsecretInjector:
    secretNamespace: ""

  targetSecretName: my-cool-secret
-
+  ignoreSecretCreationError: false
  allSaNames: false
  saNames:
    - default