2021-04-02 21:47:00 +02:00

Kubernetes Mutating Webhook for ImagePullSecret injection in ServiceAccounts

This webhook patches every newly created or updated ServiceAccount so that it contains the proper imagePullSecrets configuration.

Helm description

The helm chart consists of 2 parts: the certificate generator and the webhook configuration itself.

The certificate generation part periodically generates certificates signed by the Kubernetes CA and passes them to the webhook, where they are used as server-side (TLS serving) certificates. The flow works roughly like this:

  1. We generate a CSR using openssl and tie the certificate to the webhook's service DNS name.
  2. We create a k8s CertificateSigningRequest from the openssl CSR.
  3. We approve this request using our special ServiceAccount with approve permissions. This makes Kubernetes issue the certificate.
  4. We fetch the certificate from the k8s CSR (at .status.certificate) and create a secret from it.
  5. We also create a CronJob that repeats this periodically, as k8s only issues certificates valid for 1 year.
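The five steps above are typed into openssl and kubectl in the chart; the following Go program is an added example (not the project's own code) that shows what they amount to: step 1 as a CSR whose SANs are tied to the webhook's service DNS name, the signature check a signer performs on that CSR, an offline stand-in for steps 2-4 that issues a one-year certificate (in the cluster the Kubernetes CA signs and the result is read from .status.certificate; here the CSR's own key signs so the example runs without a cluster), and the remaining-days check the step 5 CronJob needs. The service and namespace name "imagepullsecret-injector" and the secret name are assumptions, not values taken from the chart.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// generateCSR makes a fresh P-256 key and a PEM PKCS#10 CSR tied to the
// webhook's service DNS name (step 1, in Go instead of openssl).
func generateCSR(service, namespace string) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	// The API server dials the webhook at <service>.<namespace>.svc, so the
	// serving certificate must carry that name as a SAN.
	name := fmt.Sprintf("%s.%s.svc", service, namespace)
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: name},
		DNSNames: []string{name, name + ".cluster.local"},
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), key, nil
}

// parseCSR decodes a PEM CSR and checks its proof-of-possession signature,
// as the cluster does before it issues anything for it.
func parseCSR(csrPEM []byte) (*x509.CertificateRequest, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, fmt.Errorf("input is not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR signature invalid: %w", err)
	}
	return csr, nil
}

// signCSRForOneYear is an offline stand-in for steps 2-4: it issues a one-year
// serving certificate for the CSR's SANs, signed by the CSR's own key here
// (in the cluster the Kubernetes CA signs it instead).
func signCSRForOneYear(csrPEM []byte, key *ecdsa.PrivateKey, now time.Time) ([]byte, error) {
	csr, err := parseCSR(csrPEM)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     csr.DNSNames,
		NotBefore:    now,
		NotAfter:     now.AddDate(1, 0, 0), // k8s issues 1-year certificates (step 5)
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, csr.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// certDaysLeft verifies that a PEM certificate covers dnsName and returns the
// whole days left before NotAfter (negative once expired): the value the
// renewal CronJob (step 5) should act on well before it reaches zero.
func certDaysLeft(certPEM []byte, dnsName string, now time.Time) (int, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return 0, fmt.Errorf("input is not a PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return 0, err
	}
	if err := cert.VerifyHostname(dnsName); err != nil {
		return 0, err
	}
	return int(cert.NotAfter.Sub(now).Hours() / 24), nil
}

func main() {
	// Service and namespace names are assumed; the chart's real values may differ.
	csrPEM, key, err := generateCSR("imagepullsecret-injector", "imagepullsecret-injector")
	if err != nil {
		panic(err)
	}
	certPEM, _ := signCSRForOneYear(csrPEM, key, time.Now())
	days, _ := certDaysLeft(certPEM, "imagepullsecret-injector.imagepullsecret-injector.svc", time.Now())
	fmt.Printf("%sdays until renewal is needed: %d\n", csrPEM, days)
}
```

The SAN check is the part worth keeping in mind when debugging: a certificate that is valid but issued for the wrong name makes the API server refuse the TLS handshake and, depending on the webhook's failurePolicy, either blocks or silently skips ServiceAccount admission.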

The main part is the deployment and the webhook configuration. The flow is as follows:

  1. The MutatingWebhookConfiguration we create instructs k8s to pass all requests for creating/updating ServiceAccounts to our webhook before finishing the request.
  2. We check whether the SA has the correctly defined imagePullSecrets configuration. If not, we create a patch for the resource.
  3. We also check whether the secret we reference in imagePullSecrets exists in the SA's namespace. If not, we create it based on our source secret.
  4. We return the patch to k8s, which applies the changes.
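Steps 2 to 4 in working form, as an added example that is not the project's code: it decodes a v1 AdmissionReview, builds the JSON Patch that adds the secret reference (creating the imagePullSecrets list when the SA has none, appending when it already lists other secrets, and doing nothing when the reference is already there), and returns the response with the base64-encoded patch that k8s applies. The object types are hand-written minimal shapes so the example runs on the standard library alone (the real webhook would use the k8s.io/api types), and ensureSecret is a callback standing in for the API call of step 3; the secret name "my-cool-secret" and the sample request in main are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal hand-written shapes of the objects the webhook handles; only the
// fields used here are present, so unknown fields are ignored on decode.
type localObjectReference struct {
	Name string `json:"name"`
}

type serviceAccount struct {
	ImagePullSecrets []localObjectReference `json:"imagePullSecrets,omitempty"`
}

// One RFC 6902 JSON Patch operation; the webhook returns a list of these.
type patchOp struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value,omitempty"`
}

type admissionRequest struct {
	UID       string          `json:"uid"`
	Namespace string          `json:"namespace"`
	Object    json.RawMessage `json:"object"`
}

type admissionResponse struct {
	UID       string `json:"uid"`
	Allowed   bool   `json:"allowed"`
	PatchType string `json:"patchType,omitempty"`
	Patch     []byte `json:"patch,omitempty"` // encoding/json base64-encodes []byte, as the API expects
}

type admissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *admissionRequest  `json:"request,omitempty"`
	Response   *admissionResponse `json:"response,omitempty"`
}

// imagePullSecretPatch returns the patch that makes sa reference secretName,
// or nil when it already does (step 2).
func imagePullSecretPatch(sa serviceAccount, secretName string) []patchOp {
	for _, ref := range sa.ImagePullSecrets {
		if ref.Name == secretName {
			return nil
		}
	}
	ref := localObjectReference{Name: secretName}
	if len(sa.ImagePullSecrets) == 0 {
		// Field absent or empty: create the whole list.
		return []patchOp{{Op: "add", Path: "/imagePullSecrets", Value: []localObjectReference{ref}}}
	}
	// Other entries exist: append ("-" is JSON Pointer's end-of-array index) so they are kept.
	return []patchOp{{Op: "add", Path: "/imagePullSecrets/-", Value: ref}}
}

// mutate handles one AdmissionReview for a ServiceAccount (steps 2-4).
// ensureSecret stands in for copying the source secret into the SA's namespace (step 3).
func mutate(reviewJSON []byte, secretName string, ensureSecret func(namespace string) error) ([]byte, error) {
	var review admissionReview
	if err := json.Unmarshal(reviewJSON, &review); err != nil {
		return nil, fmt.Errorf("decode AdmissionReview: %w", err)
	}
	if review.Request == nil {
		return nil, fmt.Errorf("AdmissionReview carries no request")
	}
	var sa serviceAccount
	if err := json.Unmarshal(review.Request.Object, &sa); err != nil {
		return nil, fmt.Errorf("decode ServiceAccount: %w", err)
	}
	resp := &admissionResponse{UID: review.Request.UID, Allowed: true}
	if ops := imagePullSecretPatch(sa, secretName); ops != nil {
		// Patch only once the secret exists, or the SA would point at a missing secret.
		if err := ensureSecret(review.Request.Namespace); err != nil {
			return nil, fmt.Errorf("ensure secret in namespace %q: %w", review.Request.Namespace, err)
		}
		patch, err := json.Marshal(ops)
		if err != nil {
			return nil, err
		}
		resp.PatchType = "JSONPatch"
		resp.Patch = patch
	}
	return json.Marshal(admissionReview{APIVersion: review.APIVersion, Kind: review.Kind, Response: resp})
}

func main() {
	// Constructed sample: the API server asks about a new SA with no pull secrets.
	review := []byte(`{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview","request":{"uid":"c0ffee","namespace":"yolo","object":{"apiVersion":"v1","kind":"ServiceAccount","metadata":{"name":"default","namespace":"yolo"}}}}`)
	out, err := mutate(review, "my-cool-secret", func(ns string) error { return nil })
	if err != nil {
		panic(err)
	}
	fmt.Println(string(out))
}
```

The ordering inside mutate matters: the response carries a patch only after the secret copy succeeded, and an error is returned to the HTTP handler otherwise, so whether a failed copy blocks or lets through the ServiceAccount is decided by the MutatingWebhookConfiguration's failurePolicy rather than by silently returning an unpatched object.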

Also of note: the chart runs a lookup against the connected cluster to fetch the CA bundle for the MutatingWebhookConfiguration. This means helm template, which renders without a cluster, won't work.

Running locally

kubectl create ns imagepullsecret-injector

kubectl create secret -n imagepullsecret-injector \
    generic my-cool-secret-source \
    --from-literal=.dockerconfigjson='<your .dockerconfigjson configuration file>'

make build-image
helm upgrade -i imagepullsecret-injector \
    --create-namespace -n imagepullsecret-injector \
    helm/imagepullsecret-injector

To test whether everything works, you can run

kubectl create ns yolo
kubectl get sa -n yolo default -ojsonpath='{.imagePullSecrets}'

The get command should display a non-empty result, i.e. the injected imagePullSecrets entry.

License: Apache-2.0
Latest: 2022-08-30 12:57:01 +02:00