github-mirrors/imagepullsecret-injector
1
0
Fork 0
mirror of https://github.com/ysoftdevs/imagepullsecret-injector.git synced 2026-01-14 15:53:44 +01:00
Code Issues Packages Projects Releases 10 Wiki Activity
Files
devel
imagepullsecret-injector/README.md
Martin Šalata ea8755766c Correct the Readme
2021-04-05 22:02:35 +02:00

62 lines
3.6 KiB
Markdown
Raw Permalink Blame History

# Kubernetes Mutating Webhook for ImagePullSecret injection in ServiceAccounts
The responsibility of this webhook is to patch all newly created/updated service account and make sure they all contained proper imagepullsecret configuration.
This repo produces one helm chart available via helm repository https://ysoftdevs.github.io/imagepullsecret-injector. There are also 2 docker images:
- `ghcr.io/ysoftdevs/imagepullsecret-injector/imagepullsecret-injector` - the image containing the webhook itself
- `ghcr.io/ysoftdevs/imagepullsecret-injector/webhook-cert-generator` - helper image responsible for (re)generating the certificates
## Helm description
The helm chart consists of 2 parts: the certificate generator and the webhook configuration itself.
Certificate generation part periodically generates certificates signed by kubernetes' CA and passes them to the webhook where they are used as server-side certificates. The flow works roughly like this:
1. We generate a CSR using openssl and tie the certificate to the webhook's service DNS.
1. We create a k8s CertificateSigningRequest from the openssl CSR.
1. We approve this request using our special ServiceAccount with approve permissions. This makes kubernetes issue the certificate
1. We fetch the certificate from the k8s CSR (at `.status.certificate`) and create a secret from it
1. We also create a CronJob that does this periodically as k8s only issues certificates for 1 year
The main part is the deployment and the web hook configuration. The flow is as follows
1. The MutatingWebhookConfiguration we create instructs k8s to pass all requests for creating/updating all ServiceAccounts to our webhook before finishing the request
1. We check whether the SA has the correctly defined imagepullsecret configuration. if not, we create a patch for the resource
1. We also check whether we have the secret we are using in the imagepullsecret in the SA's namespace. If not, we create it based on our source secret
1. We return the patch to k8s, which applies the changes
Of note is also a fact that the chart runs a lookup to the connected cluster to fetch the CA bundle for the MutatingWebhook. This means `helm template` won't work.
## Running locally
1. Create the prerequisite resources:
```bash
kubectl create ns imagepullsecret-injector
kubectl create secret -n imagepullsecret-injector \
generic acr-dockerconfigjson-source \
--type=kubernetes.io/dockerconfigjson \
--from-literal=.dockerconfigjson='<your .dockerconfigjson configuration file>'
```
1. Build the images and run the chart
``` bash
make build-image
helm upgrade -i imagepullsecret-injector \
-n imagepullsecret-injector \
helm/imagepullsecret-injector
```
Alternatively, you can use the pre-built, publicly available helm chart and docker images:
```bash
helm repo add imagepullsecret-injector https://ysoftdevs.github.io/imagepullsecret-injector
helm repo update
helm upgrade -i imagepullsecret-injector \
-n imagepullsecret-injector \
magepullsecret-injector/imagepullsecret-injector
```
1. To test whether everything works, you can run
```bash
kubectl create ns yolo
kubectl get sa -n yolo default -ojsonpath='{.imagePullSecrets}'
```
The `get` command should display _some_ non-empty result.
## Releasing locally
To authenticate to the docker registry to push the images manually, you will need your own Github Personal Access Token. For more information follow this guide https://docs.github.com/en/packages/guides/migrating-to-github-container-registry-for-docker-images#authenticating-with-the-container-registry
Reference in New Issue View Git Blame Copy Permalink