Bump the chart version to 0.0.6

.github/workflows/release-chart.yaml

@@ -0,0 +1,55 @@
+name: Release Charts
+
+on:
+  push:
+    branches:
+      - main
+# TODO: add this back
+#    paths:
+#      - 'helm/**'
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v1
+        with:
+          ref: main
+
+      - name: Configure Git
+        run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+
+      - name: Install Helm
+        uses: azure/setup-helm@v1
+        with:
+          version: v3.4.0
+
+      - name: Helm version checker
+        id: helm_version_checker
+        continue-on-error: true
+        run: |
+          helm repo add imagepullsecret-injector https://ysoftdevs.github.io/imagepullsecret-injector
+          helm repo update
+
+          newVersion="$(helm show chart helm/imagepullsecret-injector | grep version: | awk '{print $2}')"
+          echo "Trying to upload version $newVersion"
+          uploadedVersions="$(helm search repo imagepullsecret-injector/imagepullsecret-injector -l | tail -n +2 | awk '{print $2}')"
+          echo "Found these versions in upstream: $uploadedVersions"
+          for uploadedVersion in $uploadedVersions; do
+            if [ "$newVersion" == "$uploadedVersion" ]; then
+              echo "Found a matching version in upstream, failing this task and skipping the release"
+              exit 1
+            fi
+          done
+          echo "No matching version found, running the release"
+
+      - name: Run chart-releaser
+        if: steps.helm_version_checker.outcome == 'success'
+        uses: helm/chart-releaser-action@master
+        with:
+          charts_dir: 'helm'
+        env:
+          CR_TOKEN: '${{ secrets.CR_TOKEN }}'

.github/workflows/release-docker.yaml

@@ -1,11 +1,9 @@
-name: Release Charts
+name: Release docker images
 
 on:
   push:
     branches:
       - main
-    paths:
-      - 'helm/**'
 
 jobs:
   release:
@@ -21,14 +19,11 @@ jobs:
           git config user.name "$GITHUB_ACTOR"
           git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
 
-      - name: Install Helm
-        uses: azure/setup-helm@v1
-        with:
-          version: v3.4.0
-
-      - name: Run chart-releaser
-        uses: helm/chart-releaser-action@master
-        with:
-          charts_dir: 'helm'
+      - name: Build and push docker images (make image)
+        run: make image
         env:
-          CR_TOKEN: '${{ secrets.CR_TOKEN }}'
+          DOCKER_USER: '${{ secrets.DOCKER_USER }}'
+          DOCKER_TOKEN: '${{ secrets.DOCKER_TOKEN }}'
+
+      - name: Logout from dockerhub (make docker-logout)
+        run: make docker-logout

Makefile

@@ -18,7 +18,7 @@ export GOPATH ?= $(GOPATH_DEFAULT)
 TESTARGS_DEFAULT := "-v"
 export TESTARGS ?= $(TESTARGS_DEFAULT)
 DEST := $(GOPATH)/src/$(GIT_HOST)/$(BASE_DIR)
-IMAGE_TAG ?= $(shell cat "$(REPO_ROOT)/VERSION")-$(shell git describe --match=$(git rev-parse --short=8 HEAD) --tags --always --dirty)
+IMAGE_TAG ?= $(shell cat "$(REPO_ROOT)/VERSION")
 
 
 LOCAL_OS := $(shell uname)
@@ -45,7 +45,7 @@ endif
 ############################################################
 
 fmt:
-	@echo "Run go fmt..."
+	@go fmt ./cmd/...
 
 ############################################################
 # lint section
@@ -78,9 +78,15 @@ build-linux:
 # image section
 ############################################################
 
-image: build-image push-image
+image: docker-login build-image push-image
 
-build-image: build-linux
+docker-login:
+	@echo ${DOCKER_TOKEN} | docker login -u ${DOCKER_USER} --password-stdin
+
+docker-logout:
+	@docker logout
+
+build-image:
 	@echo "Building the docker image: $(IMAGE_REPO)/$(IMAGE_NAME):$(IMAGE_TAG)..."
 	@docker build -t $(IMAGE_REPO)/$(IMAGE_NAME):$(IMAGE_TAG) -f build/Dockerfile .
 	@echo "Building the docker image: $(IMAGE_REPO)/$(GENERATOR_IMAGE_NAME):$(IMAGE_TAG)..."

VERSION

@@ -1 +1 @@
-v0.0.1
+v0.0.8

build/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.14 AS builder
+FROM golang:1.15 AS builder
 
 WORKDIR /go/src/github.com/ysoftdevs/imagepullsecret-injector
 COPY . .

cmd/main.go

@@ -51,9 +51,11 @@ func main() {
 	flag.StringVar(&parameters.keyFile, "tlsKeyFile", LookupStringEnv("CONFIG_KEY_PATH", parameters.keyFile), "File containing the x509 private key to --tlsCertFile.")
 	flag.StringVar(&parameters.excludeNamespaces, "excludeNamespaces", LookupStringEnv("CONFIG_EXCLUDE_NAMESPACES", parameters.excludeNamespaces), "Comma-separated namespace names to ignore.")
 	flag.StringVar(&parameters.serviceAccounts, "serviceAccounts", LookupStringEnv("CONFIG_SERVICE_ACCOUNTS", parameters.serviceAccounts), "Comma-separated service account names to watch.")
+	flag.StringVar(&parameters.targetImagePullSecretName, "targetImagePullSecretName", LookupStringEnv("CONFIG_TARGET_IMAGE_PULL_SECRET_NAME", parameters.targetImagePullSecretName), "Name of the imagePullSecret secret we will create in the namespace of the mutated service account")
 	flag.StringVar(&parameters.sourceImagePullSecretName, "sourceImagePullSecretName", LookupStringEnv("CONFIG_SOURCE_IMAGE_PULL_SECRET_NAME", parameters.sourceImagePullSecretName), "Name of the imagePullSecret secret we use as source.")
 	flag.StringVar(&parameters.sourceImagePullSecretNamespace, "sourceImagePullSecretNamespace", LookupStringEnv("CONFIG_SOURCE_IMAGE_PULL_SECRET_NAMESPACE", parameters.sourceImagePullSecretNamespace), "Namespace of the imagePullSecret secret we use as source.")
 	flag.BoolVar(&parameters.allServiceAccounts, "allServiceAccounts", LookupBoolEnv("CONFIG_ALL_SERVICE_ACCOUNTS", parameters.allServiceAccounts), "Switch for watching all service accounts. If true, serviceAccounts parameter is ignored")
+	flag.BoolVar(&parameters.ignoreSecretCreationError, "ignoreSecretCreationError", LookupBoolEnv("CONFIG_IGNORE_SECRET_CREATION_ERROR", parameters.ignoreSecretCreationError), "If true, failed creation/update of secrets in the target namespace will not cause the webhook to fail")
 	flag.Parse()
 
 	glog.Infof("Running with config: %+v", parameters)

cmd/webhook.go

@@ -27,10 +27,6 @@ var (
 	deserializer  = codecs.UniversalDeserializer()
 )
 
-const (
-	imagePullSecretName       = "my-cool-secret"
-)
-
 type WebhookServer struct {
 	server *http.Server
 	config *WhSvrParameters
@@ -44,8 +40,10 @@ type WhSvrParameters struct {
 	excludeNamespaces              string
 	serviceAccounts                string
 	allServiceAccounts             bool
+	targetImagePullSecretName      string
 	sourceImagePullSecretName      string
 	sourceImagePullSecretNamespace string
+	ignoreSecretCreationError      bool
 }
 
 var (
@@ -67,8 +65,10 @@ func DefaultParametersObject() WhSvrParameters {
 		excludeNamespaces:              strings.Join(defaultIgnoredNamespaces, ","),
 		serviceAccounts:                strings.Join(defaultServiceAccounts, ","),
 		allServiceAccounts:             false,
+		targetImagePullSecretName:      "my-cool-secret",
 		sourceImagePullSecretName:      "my-cool-secret-source",
 		sourceImagePullSecretNamespace: "default",
+		ignoreSecretCreationError:      false,
 	}
 }
 
@@ -149,9 +149,9 @@ func (whsvr *WebhookServer) ensureSecrets(ar *v1beta1.AdmissionReview) error {
 	glog.Infof("Source secret found")
 
 	glog.Infof("Looking for the existing target secret")
-	secret, err := clientset.CoreV1().Secrets(namespace).Get(imagePullSecretName, metav1.GetOptions{})
+	secret, err := clientset.CoreV1().Secrets(namespace).Get(whsvr.config.targetImagePullSecretName, metav1.GetOptions{})
 	if err != nil && !errors.IsNotFound(err) {
-		glog.Errorf("Could not fetch secret %s in namespace %s: %v", imagePullSecretName, namespace, err)
+		glog.Errorf("Could not fetch secret %s in namespace %s: %v", whsvr.config.targetImagePullSecretName, namespace, err)
 		return err
 	}
 
@@ -159,13 +159,13 @@ func (whsvr *WebhookServer) ensureSecrets(ar *v1beta1.AdmissionReview) error {
 		glog.Infof("Target secret not found, creating a new one")
 		if _, createErr := clientset.CoreV1().Secrets(namespace).Create(&corev1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
-				Name:      imagePullSecretName,
+				Name:      whsvr.config.targetImagePullSecretName,
 				Namespace: namespace,
 			},
 			Data: sourceSecret.Data,
 			Type: sourceSecret.Type,
 		}); createErr != nil {
-			glog.Errorf("Could not create secret %s in namespace %s: %v", imagePullSecretName, namespace, err)
+			glog.Errorf("Could not create secret %s in namespace %s: %v", whsvr.config.targetImagePullSecretName, namespace, err)
 			return err
 		}
 		glog.Infof("Target secret created successfully")
@@ -175,7 +175,7 @@ func (whsvr *WebhookServer) ensureSecrets(ar *v1beta1.AdmissionReview) error {
 	glog.Infof("Target secret found, updating")
 	secret.Data = sourceSecret.Data
 	if _, err := clientset.CoreV1().Secrets(namespace).Update(secret); err != nil {
-		glog.Errorf("Could not update secret %s in namespace %s: %v", imagePullSecretName, namespace, err)
+		glog.Errorf("Could not update secret %s in namespace %s: %v", whsvr.config.targetImagePullSecretName, namespace, err)
 		return err
 	}
 	glog.Infof("Target secret updated successfully")
@@ -230,7 +230,7 @@ func (whsvr *WebhookServer) mutateServiceAccount(ar *v1beta1.AdmissionReview) *v
 	if sa.ImagePullSecrets != nil {
 		glog.Infof("ServiceAccount is already in the correct state, skipping")
 		for _, lor := range sa.ImagePullSecrets {
-			if imagePullSecretName == lor.Name {
+			if whsvr.config.targetImagePullSecretName == lor.Name {
 				return &v1beta1.AdmissionResponse{
 					Allowed: true,
 				}
@@ -241,7 +241,7 @@ func (whsvr *WebhookServer) mutateServiceAccount(ar *v1beta1.AdmissionReview) *v
 	glog.Infof("ServiceAccount is missing ImagePullSecrets configuration, creating a patch")
 
 	var patch []patchOperation
-	patch = append(patch, addImagePullSecret(sa.ImagePullSecrets, []corev1.LocalObjectReference{{Name: imagePullSecretName}}, "/imagePullSecrets")...)
+	patch = append(patch, addImagePullSecret(sa.ImagePullSecrets, []corev1.LocalObjectReference{{Name: whsvr.config.targetImagePullSecretName}}, "/imagePullSecrets")...)
 	patchBytes, err := json.Marshal(patch)
 	if err != nil {
 		glog.Errorf("Could not marshal patch object: %v", err)
@@ -254,11 +254,15 @@ func (whsvr *WebhookServer) mutateServiceAccount(ar *v1beta1.AdmissionReview) *v
 
 	if err := whsvr.ensureSecrets(ar); err != nil {
 		glog.Errorf("Could not ensure existence of the imagePullSecret")
-		return &v1beta1.AdmissionResponse{
-			Result: &metav1.Status{
-				Message: err.Error(),
-			},
+		if !whsvr.config.ignoreSecretCreationError {
+			glog.Errorf("Failing the mutation process")
+			return &v1beta1.AdmissionResponse{
+				Result: &metav1.Status{
+					Message: err.Error(),
+				},
+			}
 		}
+		glog.Infof("ignoreSecretCreationError is true, ignoring")
 	}
 
 	return &v1beta1.AdmissionResponse{

helm/imagepullsecret-injector/Chart.yaml

@@ -15,9 +15,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.0.4
+version: 0.0.6
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: v0.0.1
+appVersion: v0.0.8

helm/imagepullsecret-injector/templates/deployment.yaml

@@ -36,10 +36,14 @@ spec:
               value: {{ join "," .Values.imagepullsecretInjector.excludeNamespaces | quote }}
             - name: CONFIG_SERVICE_ACCOUNTS
               value: {{ join "," .Values.imagepullsecretInjector.saNames | quote }}
+            - name: CONFIG_TARGET_IMAGE_PULL_SECRET_NAME
+              value: {{ .Values.imagepullsecretInjector.targetSecretName | quote }}
             - name: CONFIG_SOURCE_IMAGE_PULL_SECRET_NAME
               value: {{ .Values.imagepullsecretInjector.dockerconfigjsonRef.secretName | quote }}
             - name: CONFIG_SOURCE_IMAGE_PULL_SECRET_NAMESPACE
               value: {{ .Values.imagepullsecretInjector.dockerconfigjsonRef.secretNamespace | default .Release.Namespace | quote }}
+            - name: CONFIG_IGNORE_SECRET_CREATION_ERROR
+              value: {{ .Values.imagepullsecretInjector.ignoreSecretCreationError | quote }}
             - name: CONFIG_ALL_SERVICE_ACCOUNTS
               value: {{ .Values.imagepullsecretInjector.allSaNames | quote }}
           volumeMounts:

helm/imagepullsecret-injector/values.yaml

@@ -15,6 +15,8 @@ imagepullsecretInjector:
     secretName: my-cool-secret-source
     secretNamespace: ""
 
+  targetSecretName: my-cool-secret
+  ignoreSecretCreationError: false
   allSaNames: false
   saNames:
     - default