github-mirrors/imagepullsecret-injector
1
0
Fork 0
mirror of https://github.com/ysoftdevs/imagepullsecret-injector.git synced 2026-01-17 09:07:05 +01:00
Code Issues Packages Projects Releases 10 Wiki Activity
Files
da0fc5b1889d4b51154ab23928ae731d7ea7c99f
imagepullsecret-injector/README.md
Martin Šalata da0fc5b188 Initial commit
2021-04-02 21:53:17 +02:00

43 lines
2.3 KiB
Markdown
Raw Blame History

# Kubernetes Mutating Webhook for ImagePullSecret injection in ServiceAccounts
The responsibility of this webhook is to patch all newly created/updated service account and make sure they all contained proper imagepullsecret configuration.
## Helm description
The helm chart consists of 2 parts: the certificate generator and the webhook configuration itself.
Certificate generation part periodically generates certificates signed by kubernetes' CA and passes them to the webhook where they are used as server-side certificates. The flow works roughly like this:
1. We generate a CSR using openssl and tie the certificate to the webhook's service DNS.
1. We create a k8s CertificateSigningRequest from the openssl CSR.
1. We approve this request using our special ServiceAccount with approve permissions. This makes kubernetes issue the certificate
1. We fetch the certificate from the k8s CSR (at `.status.certificate`) and create a secret from it
1. We also create a CronJob that does this periodically as k8s only issues certificates for 1 year
The main part is the deployment and the web hook configuration. The flow is as follows
1. The MutatingWebhookConfiguration we create instructs k8s to pass all requests for creating/updating all ServiceAccounts to our webhook before finishing the request
1. We check whether the SA has the correctly defined imagepullsecret configuration. if not, we create a patch for the resource
1. We also check whether we have the secret we are using in the imagepullsecret in the SA's namespace. If not, we create it based on our source secret
1. We return the patch to k8s, which applies the changes
Of note is also a fact that the chart runs a lookup to the connected cluster to fetch the CA bundle for the MutatingWebhook. This means `helm template` won't work.
## Running locally
```bash
kubectl create ns imagepullsecret-injector
kubectl create secret -n imagepullsecret-injector \
generic my-cool-secret-source \
--from-literal=.dockerconfigjson='<your .dockerconfigjson configuration file>'
make build-image
helm upgrade -i imagepullsecret-injector \
--create-namespace -n imagepullsecret-injector \
helm/imagepullsecret-injector
```
To test whether everything works, you can run
```bash
kubectl create ns yolo
kubectl get sa -n yolo default -ojsonpath='{.imagePullSecrets}'
```
The get command should display _some_ non-empty result.
Reference in New Issue View Git Blame Copy Permalink