Allow ignoring secret creating errors to preserve _some_ k8s functionality in case of issues

cmd/main.go

@@ -55,6 +55,7 @@ func main() {
 	flag.StringVar(&parameters.sourceImagePullSecretName, "sourceImagePullSecretName", LookupStringEnv("CONFIG_SOURCE_IMAGE_PULL_SECRET_NAME", parameters.sourceImagePullSecretName), "Name of the imagePullSecret secret we use as source.")
 	flag.StringVar(&parameters.sourceImagePullSecretNamespace, "sourceImagePullSecretNamespace", LookupStringEnv("CONFIG_SOURCE_IMAGE_PULL_SECRET_NAMESPACE", parameters.sourceImagePullSecretNamespace), "Namespace of the imagePullSecret secret we use as source.")
 	flag.BoolVar(&parameters.allServiceAccounts, "allServiceAccounts", LookupBoolEnv("CONFIG_ALL_SERVICE_ACCOUNTS", parameters.allServiceAccounts), "Switch for watching all service accounts. If true, serviceAccounts parameter is ignored")
+	flag.BoolVar(&parameters.ignoreSecretCreationError, "ignoreSecretCreationError", LookupBoolEnv("CONFIG_IGNORE_SECRET_CREATION_ERROR", parameters.ignoreSecretCreationError), "If true, failed creation/update of secrets in the target namespace will not cause the webhook to fail")
 	flag.Parse()
 
 	glog.Infof("Running with config: %+v", parameters)

cmd/webhook.go

@@ -43,6 +43,7 @@ type WhSvrParameters struct {
 	targetImagePullSecretName      string
 	sourceImagePullSecretName      string
 	sourceImagePullSecretNamespace string
+	ignoreSecretCreationError      bool
 }
 
 var (
@@ -67,6 +68,7 @@ func DefaultParametersObject() WhSvrParameters {
 		targetImagePullSecretName:      "my-cool-secret",
 		sourceImagePullSecretName:      "my-cool-secret-source",
 		sourceImagePullSecretNamespace: "default",
+		ignoreSecretCreationError:      false,
 	}
 }
 
@@ -252,12 +254,16 @@ func (whsvr *WebhookServer) mutateServiceAccount(ar *v1beta1.AdmissionReview) *v
 
 	if err := whsvr.ensureSecrets(ar); err != nil {
 		glog.Errorf("Could not ensure existence of the imagePullSecret")
+		if !whsvr.config.ignoreSecretCreationError {
+			glog.Errorf("Failing the mutation process")
 			return &v1beta1.AdmissionResponse{
 				Result: &metav1.Status{
 					Message: err.Error(),
 				},
 			}
 		}
+		glog.Infof("ignoreSecretCreationError is true, ignoring")
+	}
 
 	return &v1beta1.AdmissionResponse{
 		Allowed: true,

helm/imagepullsecret-injector/templates/deployment.yaml

@@ -42,6 +42,8 @@ spec:
               value: {{ .Values.imagepullsecretInjector.dockerconfigjsonRef.secretName | quote }}
             - name: CONFIG_SOURCE_IMAGE_PULL_SECRET_NAMESPACE
               value: {{ .Values.imagepullsecretInjector.dockerconfigjsonRef.secretNamespace | default .Release.Namespace | quote }}
+            - name: CONFIG_IGNORE_SECRET_CREATION_ERROR
+              value: {{ .Values.imagepullsecretInjector.ignoreSecretCreationError | quote }}
             - name: CONFIG_ALL_SERVICE_ACCOUNTS
               value: {{ .Values.imagepullsecretInjector.allSaNames | quote }}
           volumeMounts:

helm/imagepullsecret-injector/values.yaml

@@ -16,7 +16,7 @@ imagepullsecretInjector:
     secretNamespace: ""
 
   targetSecretName: my-cool-secret
-
+  ignoreSecretCreationError: false
   allSaNames: false
   saNames:
     - default