Add update permission for secrets

Add a check for the correct secret type
Move k8s client setup to the constructor
2026-01-16 08:37:04 +01:00 · 2021-04-06 11:03:57 +02:00 · 2021-04-06 10:07:54 +02:00 · 2021-04-06 09:59:10 +02:00 · 2021-04-06 09:50:54 +02:00 · 2021-04-05 22:30:28 +02:00
12 changed files with 61 additions and 37 deletions
--- a/.github/workflows/release-chart.yaml
+++ b/.github/workflows/release-chart.yaml
@@ -52,4 +52,4 @@ jobs:
        with:
          charts_dir: 'helm'
        env:
-          CR_TOKEN: '${{ secrets.CR_TOKEN }}'
+          CR_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
--- a/.github/workflows/release-docker.yaml
+++ b/.github/workflows/release-docker.yaml
@@ -13,7 +13,7 @@ jobs:
      - name: Checkout
        uses: actions/checkout@v1
        with:
-          ref: main
+          ref: ${{ github.ref }}
      - name: Configure Git
        run: |
@@ -23,8 +23,8 @@ jobs:
      - name: Build and push docker images (make image)
        run: make image
        env:
-          DOCKER_USER: '${{ secrets.DOCKER_USER }}'
+          DOCKER_USER: ${GITHUB_ACTOR}
-          DOCKER_TOKEN: '${{ secrets.DOCKER_TOKEN }}'
+          DOCKER_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Logout from dockerhub (make docker-logout)
        run: make docker-logout
--- a/5
+++ b/5
@@ -1,7 +1,8 @@
 # Image URL to use all building/pushing image targets;
 # Use your own docker registry and image name for dev/test by overridding the
 # IMAGE_REPO, IMAGE_NAME and IMAGE_TAG environment variable.
-IMAGE_REPO ?= marshallmarshall
+REPOSITORY_BASE ?= ghcr.io
 IMAGE_REPO ?= $(REPOSITORY_BASE)/ysoftdevs/imagepullsecret-injector
 IMAGE_NAME ?= imagepullsecret-injector
 GENERATOR_IMAGE_NAME ?= webhook-cert-generator
@@ -81,7 +82,7 @@ build-linux:
 image: docker-login build-image push-image
 docker-login:
-	@echo ${DOCKER_TOKEN} | docker login -u ${DOCKER_USER} --password-stdin
+	@echo "$(DOCKER_TOKEN)" | docker login -u "$(DOCKER_USER)" --password-stdin "$(REPOSITORY_BASE)"
 docker-logout:
 	@docker logout
--- a/README.md
+++ b/README.md
@@ -3,10 +3,8 @@
 The responsibility of this webhook is to patch all newly created/updated service account and make sure they all contained proper imagepullsecret configuration. 
 This repo produces one helm chart available via helm repository https://ysoftdevs.github.io/imagepullsecret-injector. There are also 2 docker images:
- `marshallmarshall/imagepullsecret-injector` - the image containing the webhook itself
+- `ghcr.io/ysoftdevs/imagepullsecret-injector/imagepullsecret-injector` - the image containing the webhook itself
- `marshallmarshall/webhook-cert-generator` - helper image responsible for (re)generating the certificates
+- `ghcr.io/ysoftdevs/imagepullsecret-injector/webhook-cert-generator` - helper image responsible for (re)generating the certificates
 ## Helm description
 The helm chart consists of 2 parts: the certificate generator and the webhook configuration itself.
@@ -59,3 +57,6 @@ Of note is also a fact that the chart runs a lookup to the connected cluster to
    kubectl get sa -n yolo default -ojsonpath='{.imagePullSecrets}'
    ```
    The `get` command should display _some_ non-empty result.
 ## Releasing locally
 To authenticate to the docker registry to push the images manually, you will need your own Github Personal Access Token. For more information follow this guide https://docs.github.com/en/packages/guides/migrating-to-github-container-registry-for-docker-images#authenticating-with-the-container-registry
--- a/2
+++ b/2
@@ -1 +1 @@
-0.0.9
+0.0.10
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -60,9 +60,9 @@ func main() {
 	glog.Infof("Running with config: %+v", parameters)
-	whsvr := &WebhookServer{
+	whsvr, err := NewWebhookServer(
-		config: &parameters,
+		&parameters,
-		server: &http.Server{
+		&http.Server{
 			Addr: fmt.Sprintf(":%v", parameters.port),
 			// This is quite inefficient as it loads file contents on every TLS ClientHello, but ¯\_(ツ)_/¯
 			TLSConfig: &tls.Config{GetCertificate: func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
@@ -71,6 +71,9 @@ func main() {
 				return &cert, err
 			}},
 		},
 	)
 	if err != nil {
 		glog.Exitf("Could not create the Webhook server: %v", err)
 	}
 	// define http server and server handler
--- a/cmd/webhook.go
+++ b/cmd/webhook.go
@@ -30,6 +30,7 @@ var (
 type WebhookServer struct {
 	server *http.Server
 	config *WhSvrParameters
 	client *kubernetes.Clientset
 }
 // Webhook Server parameters
@@ -57,6 +58,26 @@ var (
 	}
 )
 func NewWebhookServer(parameters *WhSvrParameters, server *http.Server) (*WebhookServer, error) {
 	config, err := rest.InClusterConfig()
 	if err != nil {
 		glog.Errorf("Could not create k8s client: %v", err)
 		return nil, err
 	}
 	clientset, err := kubernetes.NewForConfig(config)
 	if err != nil {
 		glog.Errorf("Could not create k8s clientset: %v", err)
 		return nil, err
 	}
 	return &WebhookServer{
 		config: parameters,
 		server: server,
 		client: clientset,
 	}, nil
 }
 func DefaultParametersObject() WhSvrParameters {
 	return WhSvrParameters{
 		port:                           8443,
@@ -126,46 +147,41 @@ func getCurrentNamespace() string {
 func (whsvr *WebhookServer) ensureSecrets(ar *v1beta1.AdmissionReview) error {
 	glog.Infof("Ensuring existing secrets")
-	namespace := ar.Request.Namespace
+	targetNamespace := ar.Request.Namespace
 	config, err := rest.InClusterConfig()
 	if err != nil {
 		glog.Errorf("Could not create k8s client: %v", err)
 		return err
 	}
 	clientset, err := kubernetes.NewForConfig(config)
 	if err != nil {
 		glog.Errorf("Could not create k8s clientset: %v", err)
 		return err
 	}
 	currentNamespace := getCurrentNamespace()
 	glog.Infof("Looking for the source secret")
-	sourceSecret, err := clientset.CoreV1().Secrets(whsvr.config.sourceImagePullSecretNamespace).Get(whsvr.config.sourceImagePullSecretName, metav1.GetOptions{})
+	sourceSecret, err := whsvr.client.CoreV1().Secrets(whsvr.config.sourceImagePullSecretNamespace).Get(whsvr.config.sourceImagePullSecretName, metav1.GetOptions{})
 	if err != nil {
 		glog.Errorf("Could not fetch source secret %s in namespace %s: %v", whsvr.config.sourceImagePullSecretName, currentNamespace, err)
 		return err
 	}
 	if sourceSecret.Type != corev1.SecretTypeDockerConfigJson {
 		err := fmt.Errorf("source secret %s in namespace %s exists, but has incorrect type (is %s, should be %s)", whsvr.config.sourceImagePullSecretName, currentNamespace, sourceSecret.Type, corev1.SecretTypeDockerConfigJson)
 		glog.Errorf("%v", err)
 		return err
 	}
 	glog.Infof("Source secret found")
 	glog.Infof("Looking for the existing target secret")
-	secret, err := clientset.CoreV1().Secrets(namespace).Get(whsvr.config.targetImagePullSecretName, metav1.GetOptions{})
+	secret, err := whsvr.client.CoreV1().Secrets(targetNamespace).Get(whsvr.config.targetImagePullSecretName, metav1.GetOptions{})
 	if err != nil && !errors.IsNotFound(err) {
-		glog.Errorf("Could not fetch secret %s in namespace %s: %v", whsvr.config.targetImagePullSecretName, namespace, err)
+		glog.Errorf("Could not fetch secret %s in namespace %s: %v", whsvr.config.targetImagePullSecretName, targetNamespace, err)
 		return err
 	}
 	if err != nil && errors.IsNotFound(err) {
 		glog.Infof("Target secret not found, creating a new one")
-		if _, createErr := clientset.CoreV1().Secrets(namespace).Create(&corev1.Secret{
+		if _, createErr := whsvr.client.CoreV1().Secrets(targetNamespace).Create(&corev1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      whsvr.config.targetImagePullSecretName,
-				Namespace: namespace,
+				Namespace: targetNamespace,
 			},
 			Data: sourceSecret.Data,
 			Type: sourceSecret.Type,
 		}); createErr != nil {
-			glog.Errorf("Could not create secret %s in namespace %s: %v", whsvr.config.targetImagePullSecretName, namespace, err)
+			glog.Errorf("Could not create secret %s in namespace %s: %v", whsvr.config.targetImagePullSecretName, targetNamespace, err)
 			return err
 		}
 		glog.Infof("Target secret created successfully")
@@ -174,8 +190,8 @@ func (whsvr *WebhookServer) ensureSecrets(ar *v1beta1.AdmissionReview) error {
 	glog.Infof("Target secret found, updating")
 	secret.Data = sourceSecret.Data
-	if _, err := clientset.CoreV1().Secrets(namespace).Update(secret); err != nil {
+	if _, err := whsvr.client.CoreV1().Secrets(targetNamespace).Update(secret); err != nil {
-		glog.Errorf("Could not update secret %s in namespace %s: %v", whsvr.config.targetImagePullSecretName, namespace, err)
+		glog.Errorf("Could not update secret %s in namespace %s: %v", whsvr.config.targetImagePullSecretName, targetNamespace, err)
 		return err
 	}
 	glog.Infof("Target secret updated successfully")
--- a/helm/imagepullsecret-injector/Chart.yaml
+++ b/helm/imagepullsecret-injector/Chart.yaml
@@ -15,9 +15,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.0.15
+version: 0.0.19
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 0.0.9
+appVersion: 0.0.10
--- a/helm/imagepullsecret-injector/templates/certificate-gen/cronjob-certificate-gen.yaml
+++ b/helm/imagepullsecret-injector/templates/certificate-gen/cronjob-certificate-gen.yaml
@@ -12,6 +12,7 @@ spec:
      labels:
        {{- include "imagepullsecret-injector.labels" . | nindent 8 }}
    spec:
      ttlSecondsAfterFinished: 30
      template:
        spec:
          serviceAccountName: imagepullsecret-injector-cert-gen
--- a/helm/imagepullsecret-injector/templates/certificate-gen/job-certificate-gen.yaml
+++ b/helm/imagepullsecret-injector/templates/certificate-gen/job-certificate-gen.yaml
@@ -5,6 +5,7 @@ metadata:
  labels:
    {{- include "imagepullsecret-injector.labels" . | nindent 4 }}
 spec:
  ttlSecondsAfterFinished: 30
  template:
    spec:
      serviceAccountName: imagepullsecret-injector-cert-gen
--- a/helm/imagepullsecret-injector/templates/rbac.yaml
+++ b/helm/imagepullsecret-injector/templates/rbac.yaml
@@ -25,6 +25,7 @@ rules:
      - create
      - get
      - delete
      - update
  - apiGroups:
      - ""
    resources:
--- a/helm/imagepullsecret-injector/values.yaml
+++ b/helm/imagepullsecret-injector/values.yaml
@@ -1,12 +1,12 @@
 image:
-  registry: marshallmarshall
+  registry: ghcr.io/ysoftdevs/imagepullsecret-injector
  repository: imagepullsecret-injector
  pullPolicy: Always
  # Overrides the image tag whose default is the chart appVersion.
  tag: ""
 certificateGeneratorImage:
-  registry: marshallmarshall
+  registry: ghcr.io/ysoftdevs/imagepullsecret-injector
  repository: webhook-cert-generator
  tag: ""
Author	SHA1	Message	Date
Martin Šalata	26a7b374e2	Add update permission for secrets	2021-04-06 11:03:57 +02:00
Martin Šalata	f098c48dcf	Add a check for the correct secret type	2021-04-06 10:07:54 +02:00
Martin Šalata	6e67d5b87c	Move k8s client setup to the constructor	2021-04-06 09:59:10 +02:00
Martin Šalata	eb5fe7944b	Set ttlSecondsAfterFinished on Jobs to prevent helm upgrade failures	2021-04-06 09:50:54 +02:00
Martin Šalata	c41499b934	Use GITHUB_TOKEN for releasing helm chart	2021-04-05 22:30:28 +02:00
salatamartin	bc86f0e9ab	Merge pull request #1 from ysoftdevs/devel	2021-04-05 22:08:13 +02:00
Martin Šalata	c22716b470	Bump the chart version	2021-04-05 22:07:35 +02:00
Martin Šalata	ea8755766c	Correct the Readme	2021-04-05 22:02:35 +02:00
Martin Šalata	ec9cd60d14	Use github-hosted images in helm	2021-04-05 22:02:22 +02:00
Martin Šalata	6234301c85	Switch dockerhub for Github's docker registry	2021-04-05 22:01:05 +02:00
Martin Šalata	af35fd73f0	Add devel to the docker releases	2021-04-05 21:02:19 +02:00