Make the deployment and the jobs run in a non-root environment

.github/workflows/release-chart.yaml

@@ -0,0 +1,51 @@
+name: Release Charts
+
+on:
+  push:
+    branches:
+      - main
+      - release/legacy-csr
+    paths:
+      - 'charts/**'
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v1
+
+      - name: Configure Git
+        run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+
+      - name: Install Helm
+        uses: azure/setup-helm@v1
+        with:
+          version: v3.4.0
+
+      - name: Helm version checker
+        id: helm_version_checker
+        continue-on-error: true
+        run: |
+          helm repo add imagepullsecret-injector https://ysoftdevs.github.io/imagepullsecret-injector
+          helm repo update
+
+          newVersion="$(helm show chart helm/imagepullsecret-injector | grep version: | awk '{print $2}')"
+          echo "Trying to upload version $newVersion"
+          uploadedVersions="$(helm search repo imagepullsecret-injector/imagepullsecret-injector -l | tail -n +2 | awk '{print $2}')"
+          echo "Found these versions in upstream: $uploadedVersions"
+          for uploadedVersion in $uploadedVersions; do
+            if [ "$newVersion" == "$uploadedVersion" ]; then
+              echo "Found a matching version in upstream, failing this task and skipping the release"
+              exit 1
+            fi
+          done
+          echo "No matching version found, running the release"
+
+      - name: Run chart-releaser
+        if: steps.helm_version_checker.outcome == 'success'
+        uses: helm/chart-releaser-action@v1.2.1
+        env:
+          CR_TOKEN: '${{ secrets.GITHUB_TOKEN }}'

.github/workflows/release-docker.yaml

@@ -1,11 +1,10 @@
-name: Release Charts
+name: Release docker images
 
 on:
   push:
     branches:
       - main
-    paths:
+      - devel
-      - 'helm/**'
 
 jobs:
   release:
@@ -14,21 +13,18 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v1
         with:
-          ref: main
+          ref: ${{ github.ref }}
 
       - name: Configure Git
         run: |
           git config user.name "$GITHUB_ACTOR"
           git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
 
-      - name: Install Helm
+      - name: Build and push docker images (make image)
-        uses: azure/setup-helm@v1
+        run: make image
-        with:
-          version: v3.4.0
-
-      - name: Run chart-releaser
-        uses: helm/chart-releaser-action@master
-        with:
-          charts_dir: 'helm'
         env:
-          CR_TOKEN: '${{ secrets.CR_TOKEN }}'
+          DOCKER_USER: ${GITHUB_ACTOR}
+          DOCKER_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Logout from dockerhub (make docker-logout)
+        run: make docker-logout

Makefile

@@ -1,7 +1,8 @@
 # Image URL to use all building/pushing image targets;
 # Use your own docker registry and image name for dev/test by overridding the
 # IMAGE_REPO, IMAGE_NAME and IMAGE_TAG environment variable.
-IMAGE_REPO ?= marshallmarshall
+REPOSITORY_BASE ?= ghcr.io
+IMAGE_REPO ?= $(REPOSITORY_BASE)/ysoftdevs/imagepullsecret-injector
 IMAGE_NAME ?= imagepullsecret-injector
 GENERATOR_IMAGE_NAME ?= webhook-cert-generator
 
@@ -18,7 +19,7 @@ export GOPATH ?= $(GOPATH_DEFAULT)
 TESTARGS_DEFAULT := "-v"
 export TESTARGS ?= $(TESTARGS_DEFAULT)
 DEST := $(GOPATH)/src/$(GIT_HOST)/$(BASE_DIR)
-IMAGE_TAG ?= $(shell cat "$(REPO_ROOT)/VERSION")-$(shell git describe --match=$(git rev-parse --short=8 HEAD) --tags --always --dirty)
+IMAGE_TAG ?= $(shell cat "$(REPO_ROOT)/VERSION")
 
 
 LOCAL_OS := $(shell uname)
@@ -45,7 +46,7 @@ endif
 ############################################################
 
 fmt:
-	@echo "Run go fmt..."
+	@go fmt ./cmd/...
 
 ############################################################
 # lint section
@@ -78,9 +79,15 @@ build-linux:
 # image section
 ############################################################
 
-image: build-image push-image
+image: docker-login build-image push-image
 
-build-image: build-linux
+docker-login:
+	@echo "$(DOCKER_TOKEN)" | docker login -u "$(DOCKER_USER)" --password-stdin "$(REPOSITORY_BASE)"
+
+docker-logout:
+	@docker logout
+
+build-image:
 	@echo "Building the docker image: $(IMAGE_REPO)/$(IMAGE_NAME):$(IMAGE_TAG)..."
 	@docker build -t $(IMAGE_REPO)/$(IMAGE_NAME):$(IMAGE_TAG) -f build/Dockerfile .
 	@echo "Building the docker image: $(IMAGE_REPO)/$(GENERATOR_IMAGE_NAME):$(IMAGE_TAG)..."

README.md

@@ -2,6 +2,10 @@
 
 The responsibility of this webhook is to patch all newly created/updated service account and make sure they all contained proper imagepullsecret configuration. 
 
+This repo produces one helm chart available via helm repository https://ysoftdevs.github.io/imagepullsecret-injector. There are also 2 docker images:
+- `ghcr.io/ysoftdevs/imagepullsecret-injector/imagepullsecret-injector` - the image containing the webhook itself
+- `ghcr.io/ysoftdevs/imagepullsecret-injector/webhook-cert-generator` - helper image responsible for (re)generating the certificates
+
 ## Helm description
 The helm chart consists of 2 parts: the certificate generator and the webhook configuration itself.
 
@@ -21,22 +25,38 @@ The main part is the deployment and the web hook configuration. The flow is as f
 Of note is also a fact that the chart runs a lookup to the connected cluster to fetch the CA bundle for the MutatingWebhook. This means `helm template` won't work.
 
 ## Running locally
-```bash
+1. Create the prerequisite resources:
-kubectl create ns imagepullsecret-injector
+    ```bash
+    kubectl create ns imagepullsecret-injector
 
-kubectl create secret -n imagepullsecret-injector \
+    kubectl create secret -n imagepullsecret-injector \
-    generic my-cool-secret-source \
+        generic acr-dockerconfigjson-source \
-    --from-literal=.dockerconfigjson='<your .dockerconfigjson configuration file>'
+        --type=kubernetes.io/dockerconfigjson \
+        --from-literal=.dockerconfigjson='<your .dockerconfigjson configuration file>'
+    ```
 
-make build-image
+1. Build the images and run the chart
-helm upgrade -i imagepullsecret-injector \
+    ``` bash
-    --create-namespace -n imagepullsecret-injector \
+    make build-image
-    helm/imagepullsecret-injector
+    helm upgrade -i imagepullsecret-injector \
-```
+        -n imagepullsecret-injector \
+        charts/imagepullsecret-injector
+    ```
+    Alternatively, you can use the pre-built, publicly available helm chart and docker images:
+    ```bash
+    helm repo add imagepullsecret-injector https://ysoftdevs.github.io/imagepullsecret-injector
+    helm repo update
+    helm upgrade -i imagepullsecret-injector \
+        -n imagepullsecret-injector \
+        magepullsecret-injector/imagepullsecret-injector
+    ```
 
-To test whether everything works, you can run
+1. To test whether everything works, you can run
-```bash
+    ```bash
-kubectl create ns yolo
+    kubectl create ns yolo
-kubectl get sa -n yolo default -ojsonpath='{.imagePullSecrets}'
+    kubectl get sa -n yolo default -ojsonpath='{.imagePullSecrets}'
-```
+    ```
-The get command should display _some_ non-empty result.
+    The `get` command should display _some_ non-empty result.
+
+## Releasing locally
+To authenticate to the docker registry to push the images manually, you will need your own Github Personal Access Token. For more information follow this guide https://docs.github.com/en/packages/guides/migrating-to-github-container-registry-for-docker-images#authenticating-with-the-container-registry

VERSION

@@ -1 +1 @@
-v0.0.1
+0.0.12

build/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.14 AS builder
+FROM golang:1.15 AS builder
 
 WORKDIR /go/src/github.com/ysoftdevs/imagepullsecret-injector
 COPY . .
@@ -7,4 +7,7 @@ RUN make build
 FROM alpine:3.13.4 as base
 COPY --from=builder /go/src/github.com/ysoftdevs/imagepullsecret-injector/build/_output/bin/imagepullsecret-injector /usr/local/bin/imagepullsecret-injector
 
+RUN addgroup -S imagepullsecret-injector-group && adduser -S imagepullsecret-injector-user -G imagepullsecret-injector-group
+USER imagepullsecret-injector-user
+
 ENTRYPOINT ["imagepullsecret-injector"]

build/Dockerfile.cert-generator

@@ -1,6 +1,9 @@
 FROM alpine:3.13.4
 
-RUN apk add bash curl openssl \
+RUN addgroup -S imagepullsecret-injector-group && adduser -S imagepullsecret-injector-user -G imagepullsecret-injector-group \
+    && apk add bash curl openssl jq \
     && curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" \
     && chmod 755 ./kubectl \
     && mv ./kubectl /usr/bin/kubectl
+
+USER imagepullsecret-injector-user

charts/imagepullsecret-injector/Chart.yaml

@@ -15,9 +15,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.0.4
+version: 0.0.21
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: v0.0.1
+appVersion: 0.0.12

charts/imagepullsecret-injector/scripts/create-signed-cert.sh

@@ -83,22 +83,27 @@ echo "Deleting old CertificateSigningRequests"
 kubectl delete csr ${csrName} 2>/dev/null || true
 
 echo "Creating new CertificateSigningRequests"
-# create  server cert/key CSR and  send to k8s API
+# create server cert/key CSR and  send to k8s API
-cat <<EOF | kubectl create -f -
+jq -n --arg request "$(< "${tmpdir}"/server.csr base64)" \
-apiVersion: certificates.k8s.io/v1
+  --arg namespace "$namespace" \
-kind: CertificateSigningRequest
+  --arg csrName "$csrName" '{
-metadata:
+    apiVersion: "certificates.k8s.io/v1",
-  name: ${csrName}
+    kind: "CertificateSigningRequest",
-spec:
+    metadata: {
-  signerName: kubernetes.io/kubelet-serving
+      name: $csrName,
-  groups:
+      namespace: $namespace
-  - system:authenticated
+    },
-  request: $(< "${tmpdir}"/server.csr base64 | tr -d '\n')
+    spec: {
-  usages:
+      signerName: "kubernetes.io/kubelet-serving",
-  - digital signature
+      groups: ["system:authenticated"],
-  - key encipherment
+      request: $request,
-  - server auth
+      usages: [
-EOF
+        "digital signature",
+        "key encipherment",
+        "server auth"
+      ]
+    }
+  }' | kubectl create -f -
 
 # verify CSR has been created
 while true; do

charts/imagepullsecret-injector/templates/certificate-gen/cronjob-certificate-gen.yaml

@@ -1,17 +1,18 @@
 apiVersion: batch/v1beta1
 kind: CronJob
 metadata:
-  name: "{{ .Release.Name }}"
+  name: "{{ .Release.Name }}-cert-gen-cron-job"
   labels:
     {{- include "imagepullsecret-injector.labels" . | nindent 4 }}
 spec:
-  schedule: '* * * * *'
+  schedule: '* * * * 0'
   jobTemplate:
     metadata:
       name: "{{ .Release.Name }}"
       labels:
         {{- include "imagepullsecret-injector.labels" . | nindent 8 }}
     spec:
+      ttlSecondsAfterFinished: 30
       template:
         spec:
           serviceAccountName: imagepullsecret-injector-cert-gen
@@ -21,9 +22,12 @@ spec:
               image: "{{ .Values.certificateGeneratorImage.registry }}/{{ .Values.certificateGeneratorImage.repository }}:{{ .Values.certificateGeneratorImage.tag | default .Chart.AppVersion }}"
               command: ["/entrypoint/entrypoint.sh"]
               args:
-                - --service="{{ include "imagepullsecret-injector.serviceName" . }}"
+                - --service
-                - --namespace="{{ .Release.Namespace }}"
+                - "{{ include "imagepullsecret-injector.serviceName" . }}"
-                - --secret="{{ include "imagepullsecret-injector.certificateSecretName" . }}"
+                - --namespace
+                - "{{ .Release.Namespace }}"
+                - --secret
+                - "{{ include "imagepullsecret-injector.certificateSecretName" . }}"
               volumeMounts:
                 - mountPath: "/entrypoint"
                   name: entrypoint

charts/imagepullsecret-injector/templates/certificate-gen/job-certificate-gen.yaml

@@ -1,10 +1,11 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: "{{ .Release.Name }}"
+  name: "{{ .Release.Name }}-cert-gen-job"
   labels:
     {{- include "imagepullsecret-injector.labels" . | nindent 4 }}
 spec:
+  ttlSecondsAfterFinished: 30
   template:
     spec:
       serviceAccountName: imagepullsecret-injector-cert-gen
@@ -14,9 +15,12 @@ spec:
           image: "{{ .Values.certificateGeneratorImage.registry }}/{{ .Values.certificateGeneratorImage.repository }}:{{ .Values.certificateGeneratorImage.tag | default .Chart.AppVersion }}"
           command: ["/entrypoint/entrypoint.sh"]
           args:
-            - --service="{{ include "imagepullsecret-injector.serviceName" . }}"
+            - --service
-            - --namespace="{{ .Release.Namespace }}"
+            - "{{ include "imagepullsecret-injector.serviceName" . }}"
-            - --secret="{{ include "imagepullsecret-injector.certificateSecretName" . }}"
+            - --namespace
+            - "{{ .Release.Namespace }}"
+            - --secret
+            - "{{ include "imagepullsecret-injector.certificateSecretName" . }}"
           volumeMounts:
             - mountPath: "/entrypoint"
               name: entrypoint

charts/imagepullsecret-injector/templates/certificate-gen/rbac-certificate-gen.yaml

@@ -30,15 +30,16 @@ rules:
       - list
       - get
   - apiGroups:
-      - "certificates.k8s.io/v1"
+      - certificates.k8s.io
     resources:
       - certificatesigningrequests
     verbs:
       - create
       - list
       - get
+      - delete
   - apiGroups:
-      - "certificates.k8s.io/v1"
+      - certificates.k8s.io
     resources:
       - certificatesigningrequests/approval
     verbs:

charts/imagepullsecret-injector/templates/deployment.yaml

@@ -36,10 +36,14 @@ spec:
               value: {{ join "," .Values.imagepullsecretInjector.excludeNamespaces | quote }}
             - name: CONFIG_SERVICE_ACCOUNTS
               value: {{ join "," .Values.imagepullsecretInjector.saNames | quote }}
+            - name: CONFIG_TARGET_IMAGE_PULL_SECRET_NAME
+              value: {{ .Values.imagepullsecretInjector.targetSecretName | quote }}
             - name: CONFIG_SOURCE_IMAGE_PULL_SECRET_NAME
               value: {{ .Values.imagepullsecretInjector.dockerconfigjsonRef.secretName | quote }}
             - name: CONFIG_SOURCE_IMAGE_PULL_SECRET_NAMESPACE
               value: {{ .Values.imagepullsecretInjector.dockerconfigjsonRef.secretNamespace | default .Release.Namespace | quote }}
+            - name: CONFIG_IGNORE_SECRET_CREATION_ERROR
+              value: {{ .Values.imagepullsecretInjector.ignoreSecretCreationError | quote }}
             - name: CONFIG_ALL_SERVICE_ACCOUNTS
               value: {{ .Values.imagepullsecretInjector.allSaNames | quote }}
           volumeMounts:

charts/imagepullsecret-injector/templates/mutatingwebhook.yaml

@@ -21,3 +21,5 @@ webhooks:
     resources: ["serviceaccounts"]
   admissionReviewVersions: ["v1", "v1beta1"]
   sideEffects: None
+  # The default "Fail" option prevents Gardener cluster to be hibernated
+  failurePolicy: Ignore

charts/imagepullsecret-injector/templates/rbac.yaml

@@ -25,6 +25,7 @@ rules:
       - create
       - get
       - delete
+      - update
   - apiGroups:
       - ""
     resources:

charts/imagepullsecret-injector/values.yaml

@@ -1,20 +1,22 @@
 image:
-  registry: marshallmarshall
+  registry: ghcr.io/ysoftdevs/imagepullsecret-injector
   repository: imagepullsecret-injector
   pullPolicy: Always
   # Overrides the image tag whose default is the chart appVersion.
   tag: ""
 
 certificateGeneratorImage:
-  registry: marshallmarshall
+  registry: ghcr.io/ysoftdevs/imagepullsecret-injector
   repository: webhook-cert-generator
   tag: ""
 
 imagepullsecretInjector:
   dockerconfigjsonRef:
-    secretName: my-cool-secret-source
+    secretName: acr-dockerconfigjson-source
     secretNamespace: ""
 
+  targetSecretName: acr-dockerconfigjson
+  ignoreSecretCreationError: false
   allSaNames: false
   saNames:
     - default

cmd/main.go

@@ -8,40 +8,11 @@ import (
 	"net/http"
 	"os"
 	"os/signal"
-	"strconv"
 	"syscall"
 
 	"github.com/golang/glog"
 )
 
-func LookupStringEnv(envName string, defVal string) string {
-	if envVal, exists := os.LookupEnv(envName); exists {
-		return envVal
-	}
-
-	return defVal
-}
-
-func LookupBoolEnv(envName string, defVal bool) bool {
-	if envVal, exists := os.LookupEnv(envName); exists {
-		if boolVal, err := strconv.ParseBool(envVal); err == nil {
-			return boolVal
-		}
-	}
-
-	return defVal
-}
-
-func LookupIntEnv(envName string, defVal int) int {
-	if envVal, exists := os.LookupEnv(envName); exists {
-		if intVal, err := strconv.Atoi(envVal); err == nil {
-			return intVal
-		}
-	}
-
-	return defVal
-}
-
 func main() {
 	parameters := DefaultParametersObject()
 
@@ -51,16 +22,18 @@ func main() {
 	flag.StringVar(&parameters.keyFile, "tlsKeyFile", LookupStringEnv("CONFIG_KEY_PATH", parameters.keyFile), "File containing the x509 private key to --tlsCertFile.")
 	flag.StringVar(&parameters.excludeNamespaces, "excludeNamespaces", LookupStringEnv("CONFIG_EXCLUDE_NAMESPACES", parameters.excludeNamespaces), "Comma-separated namespace names to ignore.")
 	flag.StringVar(&parameters.serviceAccounts, "serviceAccounts", LookupStringEnv("CONFIG_SERVICE_ACCOUNTS", parameters.serviceAccounts), "Comma-separated service account names to watch.")
+	flag.StringVar(&parameters.targetImagePullSecretName, "targetImagePullSecretName", LookupStringEnv("CONFIG_TARGET_IMAGE_PULL_SECRET_NAME", parameters.targetImagePullSecretName), "Name of the imagePullSecret secret we will create in the namespace of the mutated service account")
 	flag.StringVar(&parameters.sourceImagePullSecretName, "sourceImagePullSecretName", LookupStringEnv("CONFIG_SOURCE_IMAGE_PULL_SECRET_NAME", parameters.sourceImagePullSecretName), "Name of the imagePullSecret secret we use as source.")
 	flag.StringVar(&parameters.sourceImagePullSecretNamespace, "sourceImagePullSecretNamespace", LookupStringEnv("CONFIG_SOURCE_IMAGE_PULL_SECRET_NAMESPACE", parameters.sourceImagePullSecretNamespace), "Namespace of the imagePullSecret secret we use as source.")
 	flag.BoolVar(&parameters.allServiceAccounts, "allServiceAccounts", LookupBoolEnv("CONFIG_ALL_SERVICE_ACCOUNTS", parameters.allServiceAccounts), "Switch for watching all service accounts. If true, serviceAccounts parameter is ignored")
+	flag.BoolVar(&parameters.ignoreSecretCreationError, "ignoreSecretCreationError", LookupBoolEnv("CONFIG_IGNORE_SECRET_CREATION_ERROR", parameters.ignoreSecretCreationError), "If true, failed creation/update of secrets in the target namespace will not cause the webhook to fail")
 	flag.Parse()
 
 	glog.Infof("Running with config: %+v", parameters)
 
-	whsvr := &WebhookServer{
+	whsvr, err := NewWebhookServer(
-		config: &parameters,
+		&parameters,
-		server: &http.Server{
+		&http.Server{
 			Addr: fmt.Sprintf(":%v", parameters.port),
 			// This is quite inefficient as it loads file contents on every TLS ClientHello, but ¯\_(ツ)_/¯
 			TLSConfig: &tls.Config{GetCertificate: func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
@@ -69,6 +42,9 @@ func main() {
 				return &cert, err
 			}},
 		},
+	)
+	if err != nil {
+		glog.Exitf("Could not create the Webhook server: %v", err)
 	}
 
 	// define http server and server handler

cmd/utils.go

@@ -0,0 +1,55 @@
+package main
+
+import (
+	"io/ioutil"
+	"os"
+	"strconv"
+	"strings"
+)
+
+// LookupStringEnv either returns the the value of the env variable, or the provided default value, if the env doesn't exist
+func LookupStringEnv(envName string, defVal string) string {
+	if envVal, exists := os.LookupEnv(envName); exists {
+		return envVal
+	}
+
+	return defVal
+}
+
+// LookupBoolEnv either returns the the value of the env variable, or the provided default value, if the env doesn't exist
+func LookupBoolEnv(envName string, defVal bool) bool {
+	if envVal, exists := os.LookupEnv(envName); exists {
+		if boolVal, err := strconv.ParseBool(envVal); err == nil {
+			return boolVal
+		}
+	}
+
+	return defVal
+}
+
+// LookupIntEnv either returns the the value of the env variable, or the provided default value, if the env doesn't exist
+func LookupIntEnv(envName string, defVal int) int {
+	if envVal, exists := os.LookupEnv(envName); exists {
+		if intVal, err := strconv.Atoi(envVal); err == nil {
+			return intVal
+		}
+	}
+
+	return defVal
+}
+
+func getCurrentNamespace() string {
+	// Check whether we have overridden the namespace
+	if ns, ok := os.LookupEnv("POD_NAMESPACE"); ok {
+		return ns
+	}
+
+	// Fall back to the namespace associated with the service account token, if available (this should exist if running in a K8S pod)
+	if data, err := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/namespace"); err == nil {
+		if ns := strings.TrimSpace(string(data)); len(ns) > 0 {
+			return ns
+		}
+	}
+
+	return "default"
+}

cmd/webhook.go

@@ -6,7 +6,6 @@ import (
 	"io/ioutil"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"net/http"
-	"os"
 	"strings"
 
 	"github.com/golang/glog"
@@ -27,25 +26,24 @@ var (
 	deserializer  = codecs.UniversalDeserializer()
 )
 
-const (
-	imagePullSecretName       = "my-cool-secret"
-)
-
 type WebhookServer struct {
 	server *http.Server
 	config *WhSvrParameters
+	client *kubernetes.Clientset
 }
 
-// Webhook Server parameters
+// WhSvrParameters represents all configuration options available though cmd parameters or env variables
 type WhSvrParameters struct {
-	port                           int    // webhook server port
+	port                           int
-	certFile                       string // path to the x509 certificate for https
+	certFile                       string
-	keyFile                        string // path to the x509 private key matching `CertFile`
+	keyFile                        string
 	excludeNamespaces              string
 	serviceAccounts                string
 	allServiceAccounts             bool
+	targetImagePullSecretName      string
 	sourceImagePullSecretName      string
 	sourceImagePullSecretNamespace string
+	ignoreSecretCreationError      bool
 }
 
 var (
@@ -59,6 +57,28 @@ var (
 	}
 )
 
+// NewWebhookServer constructor for WebhookServer
+func NewWebhookServer(parameters *WhSvrParameters, server *http.Server) (*WebhookServer, error) {
+	config, err := rest.InClusterConfig()
+	if err != nil {
+		glog.Errorf("Could not create k8s client: %v", err)
+		return nil, err
+	}
+	clientset, err := kubernetes.NewForConfig(config)
+	if err != nil {
+		glog.Errorf("Could not create k8s clientset: %v", err)
+		return nil, err
+	}
+
+	return &WebhookServer{
+		config: parameters,
+		server: server,
+		client: clientset,
+	}, nil
+
+}
+
+// DefaultParametersObject returns a parameters object with the default values
 func DefaultParametersObject() WhSvrParameters {
 	return WhSvrParameters{
 		port:                           8443,
@@ -67,8 +87,10 @@ func DefaultParametersObject() WhSvrParameters {
 		excludeNamespaces:              strings.Join(defaultIgnoredNamespaces, ","),
 		serviceAccounts:                strings.Join(defaultServiceAccounts, ","),
 		allServiceAccounts:             false,
+		targetImagePullSecretName:      "my-cool-secret",
 		sourceImagePullSecretName:      "my-cool-secret-source",
 		sourceImagePullSecretNamespace: "default",
+		ignoreSecretCreationError:      false,
 	}
 }
 
@@ -107,65 +129,44 @@ func addImagePullSecret(target, added []corev1.LocalObjectReference, basePath st
 	return patch
 }
 
-func getCurrentNamespace() string {
+// ensureSecrets looks up the source secret and makes sure the namespace the patched SA is in contains it too
-	// This way assumes you've set the POD_NAMESPACE environment variable using the downward API.
-	// This check has to be done first for backwards compatibility with the way InClusterConfig was originally set up
-	if ns, ok := os.LookupEnv("POD_NAMESPACE"); ok {
-		return ns
-	}
-
-	// Fall back to the namespace associated with the service account token, if available
-	if data, err := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/namespace"); err == nil {
-		if ns := strings.TrimSpace(string(data)); len(ns) > 0 {
-			return ns
-		}
-	}
-
-	return "default"
-}
-
 func (whsvr *WebhookServer) ensureSecrets(ar *v1beta1.AdmissionReview) error {
 	glog.Infof("Ensuring existing secrets")
-	namespace := ar.Request.Namespace
+	targetNamespace := ar.Request.Namespace
 
-	config, err := rest.InClusterConfig()
-	if err != nil {
-		glog.Errorf("Could not create k8s client: %v", err)
-		return err
-	}
-	clientset, err := kubernetes.NewForConfig(config)
-	if err != nil {
-		glog.Errorf("Could not create k8s clientset: %v", err)
-		return err
-	}
 	currentNamespace := getCurrentNamespace()
 
 	glog.Infof("Looking for the source secret")
-	sourceSecret, err := clientset.CoreV1().Secrets(whsvr.config.sourceImagePullSecretNamespace).Get(whsvr.config.sourceImagePullSecretName, metav1.GetOptions{})
+	sourceSecret, err := whsvr.client.CoreV1().Secrets(whsvr.config.sourceImagePullSecretNamespace).Get(whsvr.config.sourceImagePullSecretName, metav1.GetOptions{})
 	if err != nil {
 		glog.Errorf("Could not fetch source secret %s in namespace %s: %v", whsvr.config.sourceImagePullSecretName, currentNamespace, err)
 		return err
 	}
+	if sourceSecret.Type != corev1.SecretTypeDockerConfigJson {
+		err := fmt.Errorf("source secret %s in namespace %s exists, but has incorrect type (is %s, should be %s)", whsvr.config.sourceImagePullSecretName, currentNamespace, sourceSecret.Type, corev1.SecretTypeDockerConfigJson)
+		glog.Errorf("%v", err)
+		return err
+	}
 	glog.Infof("Source secret found")
 
 	glog.Infof("Looking for the existing target secret")
-	secret, err := clientset.CoreV1().Secrets(namespace).Get(imagePullSecretName, metav1.GetOptions{})
+	secret, err := whsvr.client.CoreV1().Secrets(targetNamespace).Get(whsvr.config.targetImagePullSecretName, metav1.GetOptions{})
 	if err != nil && !errors.IsNotFound(err) {
-		glog.Errorf("Could not fetch secret %s in namespace %s: %v", imagePullSecretName, namespace, err)
+		glog.Errorf("Could not fetch secret %s in namespace %s: %v", whsvr.config.targetImagePullSecretName, targetNamespace, err)
 		return err
 	}
 
 	if err != nil && errors.IsNotFound(err) {
 		glog.Infof("Target secret not found, creating a new one")
-		if _, createErr := clientset.CoreV1().Secrets(namespace).Create(&corev1.Secret{
+		if _, createErr := whsvr.client.CoreV1().Secrets(targetNamespace).Create(&corev1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
-				Name:      imagePullSecretName,
+				Name:      whsvr.config.targetImagePullSecretName,
-				Namespace: namespace,
+				Namespace: targetNamespace,
 			},
 			Data: sourceSecret.Data,
 			Type: sourceSecret.Type,
 		}); createErr != nil {
-			glog.Errorf("Could not create secret %s in namespace %s: %v", imagePullSecretName, namespace, err)
+			glog.Errorf("Could not create secret %s in namespace %s: %v", whsvr.config.targetImagePullSecretName, targetNamespace, err)
 			return err
 		}
 		glog.Infof("Target secret created successfully")
@@ -174,8 +175,8 @@ func (whsvr *WebhookServer) ensureSecrets(ar *v1beta1.AdmissionReview) error {
 
 	glog.Infof("Target secret found, updating")
 	secret.Data = sourceSecret.Data
-	if _, err := clientset.CoreV1().Secrets(namespace).Update(secret); err != nil {
+	if _, err := whsvr.client.CoreV1().Secrets(targetNamespace).Update(secret); err != nil {
-		glog.Errorf("Could not update secret %s in namespace %s: %v", imagePullSecretName, namespace, err)
+		glog.Errorf("Could not update secret %s in namespace %s: %v", whsvr.config.targetImagePullSecretName, targetNamespace, err)
 		return err
 	}
 	glog.Infof("Target secret updated successfully")
@@ -183,6 +184,7 @@ func (whsvr *WebhookServer) ensureSecrets(ar *v1beta1.AdmissionReview) error {
 	return nil
 }
 
+// shouldMutate goes through all filters and determines whether the incoming SA matches them
 func (whsvr *WebhookServer) shouldMutate(sa corev1.ServiceAccount) bool {
 	for _, excludedNamespace := range strings.Split(whsvr.config.excludeNamespaces, ",") {
 		if sa.Namespace == excludedNamespace {
@@ -203,6 +205,7 @@ func (whsvr *WebhookServer) shouldMutate(sa corev1.ServiceAccount) bool {
 	return false
 }
 
+// mutateServiceAccount contains the whole mutation logic
 func (whsvr *WebhookServer) mutateServiceAccount(ar *v1beta1.AdmissionReview) *v1beta1.AdmissionResponse {
 	req := ar.Request
 	glog.Infof("Unmarshalling the ServiceAccount object from request")
@@ -230,7 +233,7 @@ func (whsvr *WebhookServer) mutateServiceAccount(ar *v1beta1.AdmissionReview) *v
 	if sa.ImagePullSecrets != nil {
 		glog.Infof("ServiceAccount is already in the correct state, skipping")
 		for _, lor := range sa.ImagePullSecrets {
-			if imagePullSecretName == lor.Name {
+			if whsvr.config.targetImagePullSecretName == lor.Name {
 				return &v1beta1.AdmissionResponse{
 					Allowed: true,
 				}
@@ -241,7 +244,7 @@ func (whsvr *WebhookServer) mutateServiceAccount(ar *v1beta1.AdmissionReview) *v
 	glog.Infof("ServiceAccount is missing ImagePullSecrets configuration, creating a patch")
 
 	var patch []patchOperation
-	patch = append(patch, addImagePullSecret(sa.ImagePullSecrets, []corev1.LocalObjectReference{{Name: imagePullSecretName}}, "/imagePullSecrets")...)
+	patch = append(patch, addImagePullSecret(sa.ImagePullSecrets, []corev1.LocalObjectReference{{Name: whsvr.config.targetImagePullSecretName}}, "/imagePullSecrets")...)
 	patchBytes, err := json.Marshal(patch)
 	if err != nil {
 		glog.Errorf("Could not marshal patch object: %v", err)
@@ -254,11 +257,15 @@ func (whsvr *WebhookServer) mutateServiceAccount(ar *v1beta1.AdmissionReview) *v
 
 	if err := whsvr.ensureSecrets(ar); err != nil {
 		glog.Errorf("Could not ensure existence of the imagePullSecret")
-		return &v1beta1.AdmissionResponse{
+		if !whsvr.config.ignoreSecretCreationError {
-			Result: &metav1.Status{
+			glog.Errorf("Failing the mutation process")
-				Message: err.Error(),
+			return &v1beta1.AdmissionResponse{
-			},
+				Result: &metav1.Status{
+					Message: err.Error(),
+				},
+			}
 		}
+		glog.Infof("ignoreSecretCreationError is true, ignoring")
 	}
 
 	return &v1beta1.AdmissionResponse{
@@ -271,8 +278,8 @@ func (whsvr *WebhookServer) mutateServiceAccount(ar *v1beta1.AdmissionReview) *v
 	}
 }
 
-// Serve method for webhook server
+func parseIncomingRequest(r *http.Request) (v1beta1.AdmissionReview, *errors.StatusError) {
-func (whsvr *WebhookServer) serve(w http.ResponseWriter, r *http.Request) {
+	var ar v1beta1.AdmissionReview
 	var body []byte
 	if r.Body != nil {
 		if data, err := ioutil.ReadAll(r.Body); err == nil {
@@ -280,50 +287,69 @@ func (whsvr *WebhookServer) serve(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 	if len(body) == 0 {
-		glog.Error("empty body")
+		glog.Error("Empty body")
-		http.Error(w, "empty body", http.StatusBadRequest)
+		return ar, errors.NewBadRequest("Empty body")
-		return
 	}
 
 	// verify the content type is accurate
 	contentType := r.Header.Get("Content-Type")
 	if contentType != "application/json" {
 		glog.Errorf("Content-Type=%s, expect application/json", contentType)
-		http.Error(w, "invalid Content-Type, expect `application/json`", http.StatusUnsupportedMediaType)
+		err := &errors.StatusError{ErrStatus: metav1.Status{
-		return
+			Status:  metav1.StatusFailure,
+			Message: fmt.Sprintf("Content-Type=%s, expect application/json", contentType),
+			Reason:  metav1.StatusReasonUnsupportedMediaType,
+			Code:    http.StatusUnsupportedMediaType,
+		}}
+		return ar, err
 	}
 
-	var admissionResponse *v1beta1.AdmissionResponse
-	ar := v1beta1.AdmissionReview{}
 	if _, _, err := deserializer.Decode(body, nil, &ar); err != nil {
-		glog.Errorf("Can't decode body: %v", err)
+		glog.Error("Could not parse the request body")
-		admissionResponse = &v1beta1.AdmissionResponse{
+		return ar, errors.NewBadRequest(fmt.Sprintf("Could not parse the request body: %+v", err))
-			Result: &metav1.Status{
-				Message: err.Error(),
-			},
-		}
-	} else {
-		admissionResponse = whsvr.mutateServiceAccount(&ar)
 	}
 
-	admissionReview := v1beta1.AdmissionReview{
+	return ar, nil
-		TypeMeta: metav1.TypeMeta{Kind: "AdmissionReview", APIVersion: "admission.k8s.io/v1"},
+}
-	}
-	if admissionResponse != nil {
-		admissionReview.Response = admissionResponse
-		if ar.Request != nil {
-			admissionReview.Response.UID = ar.Request.UID
-		}
-	}
 
+func (whsvr *WebhookServer) sendResponse(w http.ResponseWriter, admissionReview v1beta1.AdmissionReview) error {
 	resp, err := json.Marshal(admissionReview)
 	if err != nil {
 		glog.Errorf("Can't encode response: %v", err)
 		http.Error(w, fmt.Sprintf("could not encode response: %v", err), http.StatusInternalServerError)
+		return err
 	}
-	glog.Infof("Ready to write reponse ...")
+	glog.Infof("Writing response")
 	if _, err := w.Write(resp); err != nil {
 		glog.Errorf("Can't write response: %v", err)
 		http.Error(w, fmt.Sprintf("could not write response: %v", err), http.StatusInternalServerError)
+		return err
+	}
+
+	return nil
+}
+
+// serve parses the raw incoming request, calls the mutation logic and sends the proper response
+func (whsvr *WebhookServer) serve(w http.ResponseWriter, r *http.Request) {
+	admissionReviewIn, statusErr := parseIncomingRequest(r)
+	if statusErr != nil {
+		http.Error(w, statusErr.ErrStatus.Message, int(statusErr.ErrStatus.Code))
+		return
+	}
+
+	admissionResponse := whsvr.mutateServiceAccount(&admissionReviewIn)
+
+	admissionReviewOut := v1beta1.AdmissionReview{
+		TypeMeta: metav1.TypeMeta{Kind: "AdmissionReview", APIVersion: "admission.k8s.io/v1"},
+	}
+	if admissionResponse != nil {
+		admissionReviewOut.Response = admissionResponse
+		if admissionReviewIn.Request != nil {
+			admissionReviewOut.Response.UID = admissionReviewIn.Request.UID
+		}
+	}
+
+	if err := whsvr.sendResponse(w, admissionReviewOut); err != nil {
+		glog.Errorf("Could not send response %v", err)
 	}
 }