From 7b2c52406e7e782075d612ef4be128f4bce9f8ae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20=C5=A0alata?=
Date: Sat, 3 Apr 2021 13:38:21 +0200
Subject: [PATCH] Allow ignoring secret creating errors to preserve _some_ k8s functionality in case of issues
---
 cmd/main.go | 1 +
 cmd/webhook.go | 14 ++++++++++----
 .../templates/deployment.yaml | 2 ++
 helm/imagepullsecret-injector/values.yaml | 2 +-
 4 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/cmd/main.go b/cmd/main.go
index 7c15092..412585c 100644
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -55,6 +55,7 @@ func main() {
 flag.StringVar(¶meters.sourceImagePullSecretName, "sourceImagePullSecretName", LookupStringEnv("CONFIG_SOURCE_IMAGE_PULL_SECRET_NAME", parameters.sourceImagePullSecretName), "Name of the imagePullSecret secret we use as source.")
 flag.StringVar(¶meters.sourceImagePullSecretNamespace, "sourceImagePullSecretNamespace", LookupStringEnv("CONFIG_SOURCE_IMAGE_PULL_SECRET_NAMESPACE", parameters.sourceImagePullSecretNamespace), "Namespace of the imagePullSecret secret we use as source.")
 flag.BoolVar(¶meters.allServiceAccounts, "allServiceAccounts", LookupBoolEnv("CONFIG_ALL_SERVICE_ACCOUNTS", parameters.allServiceAccounts), "Switch for watching all service accounts. If true, serviceAccounts parameter is ignored")
+ flag.BoolVar(¶meters.ignoreSecretCreationError, "ignoreSecretCreationError", LookupBoolEnv("CONFIG_IGNORE_SECRET_CREATION_ERROR", parameters.ignoreSecretCreationError), "If true, failed creation/update of secrets in the target namespace will not cause the webhook to fail")
 flag.Parse()
 glog.Infof("Running with config: %+v", parameters)
diff --git a/cmd/webhook.go b/cmd/webhook.go
index b417e5c..df4c346 100644
--- a/cmd/webhook.go
+++ b/cmd/webhook.go
@@ -43,6 +43,7 @@ type WhSvrParameters struct {
 targetImagePullSecretName string
 sourceImagePullSecretName string
 sourceImagePullSecretNamespace string
+ ignoreSecretCreationError bool
 }
 var (
@@ -67,6 +68,7 @@ func DefaultParametersObject() WhSvrParameters {
 targetImagePullSecretName: "my-cool-secret",
 sourceImagePullSecretName: "my-cool-secret-source",
 sourceImagePullSecretNamespace: "default",
+ ignoreSecretCreationError: false,
 }
 }
@@ -252,11 +254,15 @@ func (whsvr *WebhookServer) mutateServiceAccount(ar *v1beta1.AdmissionReview) *v
 if err := whsvr.ensureSecrets(ar); err != nil {
 glog.Errorf("Could not ensure existence of the imagePullSecret")
- return &v1beta1.AdmissionResponse{
- Result: &metav1.Status{
- Message: err.Error(),
- },
+ if !whsvr.config.ignoreSecretCreationError {
+ glog.Errorf("Failing the mutation process")
+ return &v1beta1.AdmissionResponse{
+ Result: &metav1.Status{
+ Message: err.Error(),
+ },
+ }
 }
+ glog.Infof("ignoreSecretCreationError is true, ignoring")
 }
 return &v1beta1.AdmissionResponse{
diff --git a/helm/imagepullsecret-injector/templates/deployment.yaml b/helm/imagepullsecret-injector/templates/deployment.yaml
index 056cd38..fce4a95 100644
--- a/helm/imagepullsecret-injector/templates/deployment.yaml
+++ b/helm/imagepullsecret-injector/templates/deployment.yaml
@@ -42,6 +42,8 @@ spec:
 value: {{ .Values.imagepullsecretInjector.dockerconfigjsonRef.secretName | quote }}
 - name: CONFIG_SOURCE_IMAGE_PULL_SECRET_NAMESPACE
 value: {{ .Values.imagepullsecretInjector.dockerconfigjsonRef.secretNamespace | default .Release.Namespace | quote }}
+ - name: CONFIG_IGNORE_SECRET_CREATION_ERROR
+ value: {{ .Values.imagepullsecretInjector.ignoreSecretCreationError | quote }}
 - name: CONFIG_ALL_SERVICE_ACCOUNTS
 value: {{ .Values.imagepullsecretInjector.allSaNames | quote }}
 volumeMounts:
diff --git a/helm/imagepullsecret-injector/values.yaml b/helm/imagepullsecret-injector/values.yaml
index f54005e..056ec51 100644
--- a/helm/imagepullsecret-injector/values.yaml
+++ b/helm/imagepullsecret-injector/values.yaml
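Review bot: In the mutateServiceAccount hunk, the new ignore branch drops `err` without ever logging it: the context line `glog.Errorf("Could not ensure existence of the imagePullSecret")` carries no error detail, and neither does the added `glog.Infof("ignoreSecretCreationError is true, ignoring")`, so with the flag on nobody can tell from the logs why secret creation failed. Because this setting makes the admission webhook fail open, the swallowed error should be recorded at warning level with its cause, e.g. `glog.Warningf("ignoreSecretCreationError is true, continuing without secret: %v", err)`. The response returned after the `if` is outside the hunk; if it still patches the ServiceAccount to reference the target secret, the failure would presumably only surface later as image pull errors, which is worth a comment above the branch. The function body starts and ends outside the hunk.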
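Review bot: The added `CONFIG_IGNORE_SECRET_CREATION_ERROR` entry in deployment.yaml has no fallback, so a release rendered with an older or custom values file that lacks `ignoreSecretCreationError` produces an empty string for the switch that decides whether the webhook fails open. How `LookupBoolEnv` treats an empty value is not visible in this patch, so I would pin the default in the template: `value: {{ .Values.imagepullsecretInjector.ignoreSecretCreationError | default false | quote }}`. The neighbouring `CONFIG_ALL_SERVICE_ACCOUNTS` line has the same shape.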
@@ -16,7 +16,7 @@ imagepullsecretInjector:
 secretNamespace: ""
 targetSecretName: my-cool-secret
-
+ ignoreSecretCreationError: false
 allSaNames: false
 saNames:
 - default
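Review bot: `ignoreSecretCreationError` is added to values.yaml without any comment, and it replaces what appears to be the blank line separating the secret settings from the service-account settings. Since the key switches the webhook from fail-closed to fail-open, it deserves an explanation where operators set it, e.g. `# If true, ServiceAccount admission succeeds even when the pull secret could not be created/updated in the target namespace (fail-open).` Keeping the separator line after it would preserve the existing grouping.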