github-mirrors/imagepullsecret-injector
1
0
Fork 0
mirror of https://github.com/ysoftdevs/imagepullsecret-injector.git synced 2026-01-11 14:30:42 +01:00
Code Issues Packages Projects Releases 10 Wiki Activity
30 Commits 10 Branches 24 Tags
imagepullsecret-injector-0.0.14
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Martin Šalata 42be5e1041 Ignore webhook failures to allow entering hibernation
2021-04-04 21:23:00 +02:00
.github/workflows
Fix chart-releaser condition
2021-04-02 23:57:56 +02:00
build
Setup release of docker images to dockerhub
2021-04-02 23:15:08 +02:00
cmd
Allow ignoring secret creating errors to preserve _some_ k8s functionality in case of issues
2021-04-03 13:38:21 +02:00
helm/imagepullsecret-injector
Ignore webhook failures to allow entering hibernation
2021-04-04 21:23:00 +02:00
.dockerignore
Init commit
2021-04-02 19:22:58 +02:00
.gitignore
Init commit
2021-04-02 19:22:58 +02:00
go.mod
Init commit
2021-04-02 19:22:58 +02:00
go.sum
Init commit
2021-04-02 19:22:58 +02:00
LICENSE
Init commit
2021-04-02 19:22:58 +02:00
Makefile
Fix make fmt target
2021-04-03 13:25:27 +02:00
README.md
Add secret type in readme
2021-04-04 18:47:02 +02:00
VERSION
Bump docker and helm versions
2021-04-04 18:47:19 +02:00

README.md

Kubernetes Mutating Webhook for ImagePullSecret injection in ServiceAccounts

The responsibility of this webhook is to patch all newly created/updated service account and make sure they all contained proper imagepullsecret configuration.

This repo produces one helm chart available via helm repository https://ysoftdevs.github.io/imagepullsecret-injector. There are also 2 docker images:

  • marshallmarshall/imagepullsecret-injector - the image containing the webhook itself
  • marshallmarshall/webhook-cert-generator - helper image responsible for (re)generating the certificates

Helm description

The helm chart consists of 2 parts: the certificate generator and the webhook configuration itself.

Certificate generation part periodically generates certificates signed by kubernetes' CA and passes them to the webhook where they are used as server-side certificates. The flow works roughly like this:

  1. We generate a CSR using openssl and tie the certificate to the webhook's service DNS.
  2. We create a k8s CertificateSigningRequest from the openssl CSR.
  3. We approve this request using our special ServiceAccount with approve permissions. This makes kubernetes issue the certificate
  4. We fetch the certificate from the k8s CSR (at .status.certificate) and create a secret from it
  5. We also create a CronJob that does this periodically as k8s only issues certificates for 1 year

The main part is the deployment and the web hook configuration. The flow is as follows

  1. The MutatingWebhookConfiguration we create instructs k8s to pass all requests for creating/updating all ServiceAccounts to our webhook before finishing the request
  2. We check whether the SA has the correctly defined imagepullsecret configuration. if not, we create a patch for the resource
  3. We also check whether we have the secret we are using in the imagepullsecret in the SA's namespace. If not, we create it based on our source secret
  4. We return the patch to k8s, which applies the changes

Of note is also a fact that the chart runs a lookup to the connected cluster to fetch the CA bundle for the MutatingWebhook. This means helm template won't work.

Running locally

  1. Create the prerequisite resources:

    kubectl create ns imagepullsecret-injector

kubectl create secret -n imagepullsecret-injector \
    generic acr-dockerconfigjson-source \
    --type=kubernetes.io/dockerconfigjson \
    --from-literal=.dockerconfigjson='<your .dockerconfigjson configuration file>'

  2. Build the images and run the chart

    make build-image
helm upgrade -i imagepullsecret-injector \
    -n imagepullsecret-injector \
    helm/imagepullsecret-injector

    Alternatively, you can use the pre-built, publicly available helm chart and docker images:

    helm repo add imagepullsecret-injector https://ysoftdevs.github.io/imagepullsecret-injector
helm repo update
helm upgrade -i imagepullsecret-injector \
    -n imagepullsecret-injector \
    magepullsecret-injector/imagepullsecret-injector

  3. To test whether everything works, you can run

    kubectl create ns yolo
kubectl get sa -n yolo default -ojsonpath='{.imagePullSecrets}'

    The get command should display some non-empty result.

Reference in New Issue View Git Blame Copy Permalink
Description
No description provided
Readme Apache-2.0 197 KiB
Releases 10
Latest
2022-08-30 12:57:01 +02:00
Languages
Go 70.7%
Makefile 17.7%
Smarty 9.5%
Dockerfile 2.1%