mirror of
https://github.com/ysoftdevs/imagepullsecret-injector.git
synced 2026-03-20 00:04:42 +01:00
Parametrize target secret name
This commit is contained in:
Martin Šalata
@@ -51,6 +51,7 @@ func main() {
|
|||||||
flag.StringVar(¶meters.keyFile, "tlsKeyFile", LookupStringEnv("CONFIG_KEY_PATH", parameters.keyFile), "File containing the x509 private key to --tlsCertFile.")
|
flag.StringVar(¶meters.keyFile, "tlsKeyFile", LookupStringEnv("CONFIG_KEY_PATH", parameters.keyFile), "File containing the x509 private key to --tlsCertFile.")
|
||||||
flag.StringVar(¶meters.excludeNamespaces, "excludeNamespaces", LookupStringEnv("CONFIG_EXCLUDE_NAMESPACES", parameters.excludeNamespaces), "Comma-separated namespace names to ignore.")
|
flag.StringVar(¶meters.excludeNamespaces, "excludeNamespaces", LookupStringEnv("CONFIG_EXCLUDE_NAMESPACES", parameters.excludeNamespaces), "Comma-separated namespace names to ignore.")
|
||||||
flag.StringVar(¶meters.serviceAccounts, "serviceAccounts", LookupStringEnv("CONFIG_SERVICE_ACCOUNTS", parameters.serviceAccounts), "Comma-separated service account names to watch.")
|
flag.StringVar(¶meters.serviceAccounts, "serviceAccounts", LookupStringEnv("CONFIG_SERVICE_ACCOUNTS", parameters.serviceAccounts), "Comma-separated service account names to watch.")
|
||||||
|
flag.StringVar(¶meters.targetImagePullSecretName, "targetImagePullSecretName", LookupStringEnv("CONFIG_TARGET_IMAGE_PULL_SECRET_NAME", parameters.targetImagePullSecretName), "Name of the imagePullSecret secret we will create in the namespace of the mutated service account")
|
||||||
flag.StringVar(¶meters.sourceImagePullSecretName, "sourceImagePullSecretName", LookupStringEnv("CONFIG_SOURCE_IMAGE_PULL_SECRET_NAME", parameters.sourceImagePullSecretName), "Name of the imagePullSecret secret we use as source.")
|
flag.StringVar(¶meters.sourceImagePullSecretName, "sourceImagePullSecretName", LookupStringEnv("CONFIG_SOURCE_IMAGE_PULL_SECRET_NAME", parameters.sourceImagePullSecretName), "Name of the imagePullSecret secret we use as source.")
|
||||||
flag.StringVar(¶meters.sourceImagePullSecretNamespace, "sourceImagePullSecretNamespace", LookupStringEnv("CONFIG_SOURCE_IMAGE_PULL_SECRET_NAMESPACE", parameters.sourceImagePullSecretNamespace), "Namespace of the imagePullSecret secret we use as source.")
|
flag.StringVar(¶meters.sourceImagePullSecretNamespace, "sourceImagePullSecretNamespace", LookupStringEnv("CONFIG_SOURCE_IMAGE_PULL_SECRET_NAMESPACE", parameters.sourceImagePullSecretNamespace), "Namespace of the imagePullSecret secret we use as source.")
|
||||||
flag.BoolVar(¶meters.allServiceAccounts, "allServiceAccounts", LookupBoolEnv("CONFIG_ALL_SERVICE_ACCOUNTS", parameters.allServiceAccounts), "Switch for watching all service accounts. If true, serviceAccounts parameter is ignored")
|
flag.BoolVar(¶meters.allServiceAccounts, "allServiceAccounts", LookupBoolEnv("CONFIG_ALL_SERVICE_ACCOUNTS", parameters.allServiceAccounts), "Switch for watching all service accounts. If true, serviceAccounts parameter is ignored")
|
||||||
|
|||||||
@@ -27,10 +27,6 @@ var (
|
|||||||
deserializer = codecs.UniversalDeserializer()
|
deserializer = codecs.UniversalDeserializer()
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
|
||||||
imagePullSecretName = "my-cool-secret"
|
|
||||||
)
|
|
||||||
|
|
||||||
type WebhookServer struct {
|
type WebhookServer struct {
|
||||||
server *http.Server
|
server *http.Server
|
||||||
config *WhSvrParameters
|
config *WhSvrParameters
|
||||||
@@ -44,6 +40,7 @@ type WhSvrParameters struct {
|
|||||||
excludeNamespaces string
|
excludeNamespaces string
|
||||||
serviceAccounts string
|
serviceAccounts string
|
||||||
allServiceAccounts bool
|
allServiceAccounts bool
|
||||||
|
targetImagePullSecretName string
|
||||||
sourceImagePullSecretName string
|
sourceImagePullSecretName string
|
||||||
sourceImagePullSecretNamespace string
|
sourceImagePullSecretNamespace string
|
||||||
}
|
}
|
||||||
@@ -67,6 +64,7 @@ func DefaultParametersObject() WhSvrParameters {
|
|||||||
excludeNamespaces: strings.Join(defaultIgnoredNamespaces, ","),
|
excludeNamespaces: strings.Join(defaultIgnoredNamespaces, ","),
|
||||||
serviceAccounts: strings.Join(defaultServiceAccounts, ","),
|
serviceAccounts: strings.Join(defaultServiceAccounts, ","),
|
||||||
allServiceAccounts: false,
|
allServiceAccounts: false,
|
||||||
|
targetImagePullSecretName: "my-cool-secret",
|
||||||
sourceImagePullSecretName: "my-cool-secret-source",
|
sourceImagePullSecretName: "my-cool-secret-source",
|
||||||
sourceImagePullSecretNamespace: "default",
|
sourceImagePullSecretNamespace: "default",
|
||||||
}
|
}
|
||||||
@@ -149,9 +147,9 @@ func (whsvr *WebhookServer) ensureSecrets(ar *v1beta1.AdmissionReview) error {
|
|||||||
glog.Infof("Source secret found")
|
glog.Infof("Source secret found")
|
||||||
|
|
||||||
glog.Infof("Looking for the existing target secret")
|
glog.Infof("Looking for the existing target secret")
|
||||||
secret, err := clientset.CoreV1().Secrets(namespace).Get(imagePullSecretName, metav1.GetOptions{})
|
secret, err := clientset.CoreV1().Secrets(namespace).Get(whsvr.config.targetImagePullSecretName, metav1.GetOptions{})
|
||||||
if err != nil && !errors.IsNotFound(err) {
|
if err != nil && !errors.IsNotFound(err) {
|
||||||
glog.Errorf("Could not fetch secret %s in namespace %s: %v", imagePullSecretName, namespace, err)
|
glog.Errorf("Could not fetch secret %s in namespace %s: %v", whsvr.config.targetImagePullSecretName, namespace, err)
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -159,13 +157,13 @@ func (whsvr *WebhookServer) ensureSecrets(ar *v1beta1.AdmissionReview) error {
|
|||||||
glog.Infof("Target secret not found, creating a new one")
|
glog.Infof("Target secret not found, creating a new one")
|
||||||
if _, createErr := clientset.CoreV1().Secrets(namespace).Create(&corev1.Secret{
|
if _, createErr := clientset.CoreV1().Secrets(namespace).Create(&corev1.Secret{
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
Name: imagePullSecretName,
|
Name: whsvr.config.targetImagePullSecretName,
|
||||||
Namespace: namespace,
|
Namespace: namespace,
|
||||||
},
|
},
|
||||||
Data: sourceSecret.Data,
|
Data: sourceSecret.Data,
|
||||||
Type: sourceSecret.Type,
|
Type: sourceSecret.Type,
|
||||||
}); createErr != nil {
|
}); createErr != nil {
|
||||||
glog.Errorf("Could not create secret %s in namespace %s: %v", imagePullSecretName, namespace, err)
|
glog.Errorf("Could not create secret %s in namespace %s: %v", whsvr.config.targetImagePullSecretName, namespace, err)
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
glog.Infof("Target secret created successfully")
|
glog.Infof("Target secret created successfully")
|
||||||
@@ -175,7 +173,7 @@ func (whsvr *WebhookServer) ensureSecrets(ar *v1beta1.AdmissionReview) error {
|
|||||||
glog.Infof("Target secret found, updating")
|
glog.Infof("Target secret found, updating")
|
||||||
secret.Data = sourceSecret.Data
|
secret.Data = sourceSecret.Data
|
||||||
if _, err := clientset.CoreV1().Secrets(namespace).Update(secret); err != nil {
|
if _, err := clientset.CoreV1().Secrets(namespace).Update(secret); err != nil {
|
||||||
glog.Errorf("Could not update secret %s in namespace %s: %v", imagePullSecretName, namespace, err)
|
glog.Errorf("Could not update secret %s in namespace %s: %v", whsvr.config.targetImagePullSecretName, namespace, err)
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
glog.Infof("Target secret updated successfully")
|
glog.Infof("Target secret updated successfully")
|
||||||
@@ -230,7 +228,7 @@ func (whsvr *WebhookServer) mutateServiceAccount(ar *v1beta1.AdmissionReview) *v
|
|||||||
if sa.ImagePullSecrets != nil {
|
if sa.ImagePullSecrets != nil {
|
||||||
glog.Infof("ServiceAccount is already in the correct state, skipping")
|
glog.Infof("ServiceAccount is already in the correct state, skipping")
|
||||||
for _, lor := range sa.ImagePullSecrets {
|
for _, lor := range sa.ImagePullSecrets {
|
||||||
if imagePullSecretName == lor.Name {
|
if whsvr.config.targetImagePullSecretName == lor.Name {
|
||||||
return &v1beta1.AdmissionResponse{
|
return &v1beta1.AdmissionResponse{
|
||||||
Allowed: true,
|
Allowed: true,
|
||||||
}
|
}
|
||||||
@@ -241,7 +239,7 @@ func (whsvr *WebhookServer) mutateServiceAccount(ar *v1beta1.AdmissionReview) *v
|
|||||||
glog.Infof("ServiceAccount is missing ImagePullSecrets configuration, creating a patch")
|
glog.Infof("ServiceAccount is missing ImagePullSecrets configuration, creating a patch")
|
||||||
|
|
||||||
var patch []patchOperation
|
var patch []patchOperation
|
||||||
patch = append(patch, addImagePullSecret(sa.ImagePullSecrets, []corev1.LocalObjectReference{{Name: imagePullSecretName}}, "/imagePullSecrets")...)
|
patch = append(patch, addImagePullSecret(sa.ImagePullSecrets, []corev1.LocalObjectReference{{Name: whsvr.config.targetImagePullSecretName}}, "/imagePullSecrets")...)
|
||||||
patchBytes, err := json.Marshal(patch)
|
patchBytes, err := json.Marshal(patch)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
glog.Errorf("Could not marshal patch object: %v", err)
|
glog.Errorf("Could not marshal patch object: %v", err)
|
||||||
|
|||||||
@@ -15,7 +15,7 @@ type: application
|
|||||||
# This is the chart version. This version number should be incremented each time you make changes
|
# This is the chart version. This version number should be incremented each time you make changes
|
||||||
# to the chart and its templates, including the app version.
|
# to the chart and its templates, including the app version.
|
||||||
# Versions are expected to follow Semantic Versioning (https://semver.org/)
|
# Versions are expected to follow Semantic Versioning (https://semver.org/)
|
||||||
version: 0.0.4
|
version: 0.0.5
|
||||||
|
|
||||||
# This is the version number of the application being deployed. This version number should be
|
# This is the version number of the application being deployed. This version number should be
|
||||||
# incremented each time you make changes to the application. Versions are not expected to
|
# incremented each time you make changes to the application. Versions are not expected to
|
||||||
|
|||||||
@@ -36,6 +36,8 @@ spec:
|
|||||||
value: {{ join "," .Values.imagepullsecretInjector.excludeNamespaces | quote }}
|
value: {{ join "," .Values.imagepullsecretInjector.excludeNamespaces | quote }}
|
||||||
- name: CONFIG_SERVICE_ACCOUNTS
|
- name: CONFIG_SERVICE_ACCOUNTS
|
||||||
value: {{ join "," .Values.imagepullsecretInjector.saNames | quote }}
|
value: {{ join "," .Values.imagepullsecretInjector.saNames | quote }}
|
||||||
|
- name: CONFIG_TARGET_IMAGE_PULL_SECRET_NAME
|
||||||
|
value: {{ .Values.imagepullsecretInjector.targetSecretName | quote }}
|
||||||
- name: CONFIG_SOURCE_IMAGE_PULL_SECRET_NAME
|
- name: CONFIG_SOURCE_IMAGE_PULL_SECRET_NAME
|
||||||
value: {{ .Values.imagepullsecretInjector.dockerconfigjsonRef.secretName | quote }}
|
value: {{ .Values.imagepullsecretInjector.dockerconfigjsonRef.secretName | quote }}
|
||||||
- name: CONFIG_SOURCE_IMAGE_PULL_SECRET_NAMESPACE
|
- name: CONFIG_SOURCE_IMAGE_PULL_SECRET_NAMESPACE
|
||||||
|
|||||||
@@ -15,6 +15,8 @@ imagepullsecretInjector:
|
|||||||
secretName: my-cool-secret-source
|
secretName: my-cool-secret-source
|
||||||
secretNamespace: ""
|
secretNamespace: ""
|
||||||
|
|
||||||
|
targetSecretName: my-cool-secret
|
||||||
|
|
||||||
allSaNames: false
|
allSaNames: false
|
||||||
saNames:
|
saNames:
|
||||||
- default
|
- default
|
||||||
|
|||||||
Reference in New Issue
Block a user