Parametrize target secret name

2026-01-15 08:13:52 +01:00 · 2021-04-03 13:32:06 +02:00
parent 184e0d3c07
commit 9219b83a9b
5 changed files with 15 additions and 12 deletions
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -51,6 +51,7 @@ func main() {
 	flag.StringVar(&parameters.keyFile, "tlsKeyFile", LookupStringEnv("CONFIG_KEY_PATH", parameters.keyFile), "File containing the x509 private key to --tlsCertFile.")
 	flag.StringVar(&parameters.excludeNamespaces, "excludeNamespaces", LookupStringEnv("CONFIG_EXCLUDE_NAMESPACES", parameters.excludeNamespaces), "Comma-separated namespace names to ignore.")
 	flag.StringVar(&parameters.serviceAccounts, "serviceAccounts", LookupStringEnv("CONFIG_SERVICE_ACCOUNTS", parameters.serviceAccounts), "Comma-separated service account names to watch.")
+	flag.StringVar(&parameters.targetImagePullSecretName, "targetImagePullSecretName", LookupStringEnv("CONFIG_TARGET_IMAGE_PULL_SECRET_NAME", parameters.targetImagePullSecretName), "Name of the imagePullSecret secret we will create in the namespace of the mutated service account")
 	flag.StringVar(&parameters.sourceImagePullSecretName, "sourceImagePullSecretName", LookupStringEnv("CONFIG_SOURCE_IMAGE_PULL_SECRET_NAME", parameters.sourceImagePullSecretName), "Name of the imagePullSecret secret we use as source.")
 	flag.StringVar(&parameters.sourceImagePullSecretNamespace, "sourceImagePullSecretNamespace", LookupStringEnv("CONFIG_SOURCE_IMAGE_PULL_SECRET_NAMESPACE", parameters.sourceImagePullSecretNamespace), "Namespace of the imagePullSecret secret we use as source.")
 	flag.BoolVar(&parameters.allServiceAccounts, "allServiceAccounts", LookupBoolEnv("CONFIG_ALL_SERVICE_ACCOUNTS", parameters.allServiceAccounts), "Switch for watching all service accounts. If true, serviceAccounts parameter is ignored")
--- a/cmd/webhook.go
+++ b/cmd/webhook.go
@@ -27,10 +27,6 @@ var (
 	deserializer  = codecs.UniversalDeserializer()
 )

-const (
-	imagePullSecretName = "my-cool-secret"
-)
-
 type WebhookServer struct {
 	server *http.Server
 	config *WhSvrParameters
@@ -44,6 +40,7 @@ type WhSvrParameters struct {
 	excludeNamespaces              string
 	serviceAccounts                string
 	allServiceAccounts             bool
+	targetImagePullSecretName      string
 	sourceImagePullSecretName      string
 	sourceImagePullSecretNamespace string
 }
@@ -67,6 +64,7 @@ func DefaultParametersObject() WhSvrParameters {
 		excludeNamespaces:              strings.Join(defaultIgnoredNamespaces, ","),
 		serviceAccounts:                strings.Join(defaultServiceAccounts, ","),
 		allServiceAccounts:             false,
+		targetImagePullSecretName:      "my-cool-secret",
 		sourceImagePullSecretName:      "my-cool-secret-source",
 		sourceImagePullSecretNamespace: "default",
 	}
@@ -149,9 +147,9 @@ func (whsvr *WebhookServer) ensureSecrets(ar *v1beta1.AdmissionReview) error {
 	glog.Infof("Source secret found")

 	glog.Infof("Looking for the existing target secret")
-	secret, err := clientset.CoreV1().Secrets(namespace).Get(imagePullSecretName, metav1.GetOptions{})
+	secret, err := clientset.CoreV1().Secrets(namespace).Get(whsvr.config.targetImagePullSecretName, metav1.GetOptions{})
 	if err != nil && !errors.IsNotFound(err) {
-		glog.Errorf("Could not fetch secret %s in namespace %s: %v", imagePullSecretName, namespace, err)
+		glog.Errorf("Could not fetch secret %s in namespace %s: %v", whsvr.config.targetImagePullSecretName, namespace, err)
 		return err
 	}

@@ -159,13 +157,13 @@ func (whsvr *WebhookServer) ensureSecrets(ar *v1beta1.AdmissionReview) error {
 		glog.Infof("Target secret not found, creating a new one")
 		if _, createErr := clientset.CoreV1().Secrets(namespace).Create(&corev1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
-				Name:      imagePullSecretName,
+				Name:      whsvr.config.targetImagePullSecretName,
 				Namespace: namespace,
 			},
 			Data: sourceSecret.Data,
 			Type: sourceSecret.Type,
 		}); createErr != nil {
-			glog.Errorf("Could not create secret %s in namespace %s: %v", imagePullSecretName, namespace, err)
+			glog.Errorf("Could not create secret %s in namespace %s: %v", whsvr.config.targetImagePullSecretName, namespace, err)
 			return err
 		}
 		glog.Infof("Target secret created successfully")
@@ -175,7 +173,7 @@ func (whsvr *WebhookServer) ensureSecrets(ar *v1beta1.AdmissionReview) error {
 	glog.Infof("Target secret found, updating")
 	secret.Data = sourceSecret.Data
 	if _, err := clientset.CoreV1().Secrets(namespace).Update(secret); err != nil {
-		glog.Errorf("Could not update secret %s in namespace %s: %v", imagePullSecretName, namespace, err)
+		glog.Errorf("Could not update secret %s in namespace %s: %v", whsvr.config.targetImagePullSecretName, namespace, err)
 		return err
 	}
 	glog.Infof("Target secret updated successfully")
@@ -230,7 +228,7 @@ func (whsvr *WebhookServer) mutateServiceAccount(ar *v1beta1.AdmissionReview) *v
 	if sa.ImagePullSecrets != nil {
 		glog.Infof("ServiceAccount is already in the correct state, skipping")
 		for _, lor := range sa.ImagePullSecrets {
-			if imagePullSecretName == lor.Name {
+			if whsvr.config.targetImagePullSecretName == lor.Name {
 				return &v1beta1.AdmissionResponse{
 					Allowed: true,
 				}
@@ -241,7 +239,7 @@ func (whsvr *WebhookServer) mutateServiceAccount(ar *v1beta1.AdmissionReview) *v
 	glog.Infof("ServiceAccount is missing ImagePullSecrets configuration, creating a patch")

 	var patch []patchOperation
-	patch = append(patch, addImagePullSecret(sa.ImagePullSecrets, []corev1.LocalObjectReference{{Name: imagePullSecretName}}, "/imagePullSecrets")...)
+	patch = append(patch, addImagePullSecret(sa.ImagePullSecrets, []corev1.LocalObjectReference{{Name: whsvr.config.targetImagePullSecretName}}, "/imagePullSecrets")...)
 	patchBytes, err := json.Marshal(patch)
 	if err != nil {
 		glog.Errorf("Could not marshal patch object: %v", err)
--- a/helm/imagepullsecret-injector/Chart.yaml
+++ b/helm/imagepullsecret-injector/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.0.4
+version: 0.0.5

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/helm/imagepullsecret-injector/templates/deployment.yaml
+++ b/helm/imagepullsecret-injector/templates/deployment.yaml
@@ -36,6 +36,8 @@ spec:
              value: {{ join "," .Values.imagepullsecretInjector.excludeNamespaces | quote }}
            - name: CONFIG_SERVICE_ACCOUNTS
              value: {{ join "," .Values.imagepullsecretInjector.saNames | quote }}
+            - name: CONFIG_TARGET_IMAGE_PULL_SECRET_NAME
+              value: {{ .Values.imagepullsecretInjector.targetSecretName | quote }}
            - name: CONFIG_SOURCE_IMAGE_PULL_SECRET_NAME
              value: {{ .Values.imagepullsecretInjector.dockerconfigjsonRef.secretName | quote }}
            - name: CONFIG_SOURCE_IMAGE_PULL_SECRET_NAMESPACE
--- a/helm/imagepullsecret-injector/values.yaml
+++ b/helm/imagepullsecret-injector/values.yaml
@@ -15,6 +15,8 @@ imagepullsecretInjector:
    secretName: my-cool-secret-source
    secretNamespace: ""

+  targetSecretName: my-cool-secret
+
  allSaNames: false
  saNames:
    - default