The responsibility of this webhook is to patch all newly created/updated service account and make sure they all contained proper imagepullsecret configuration.
This repo produces one helm chart available via helm repository https://ysoftdevs.github.io/imagepullsecret-injector. There are also 2 docker images:
ghcr.io/ysoftdevs/imagepullsecret-injector/imagepullsecret-injector- the image containing the webhook itselfghcr.io/ysoftdevs/imagepullsecret-injector/webhook-cert-generator- helper image responsible for (re)generating the certificates
The helm chart consists of 2 parts: the certificate generator and the webhook configuration itself.
Certificate generation part periodically generates certificates signed by kubernetes' CA and passes them to the webhook where they are used as server-side certificates. The flow works roughly like this:
- We generate a CSR using openssl and tie the certificate to the webhook's service DNS.
- We create a k8s CertificateSigningRequest from the openssl CSR.
- We approve this request using our special ServiceAccount with approve permissions. This makes kubernetes issue the certificate
- We fetch the certificate from the k8s CSR (at
.status.certificate) and create a secret from it - We also create a CronJob that does this periodically as k8s only issues certificates for 1 year
The main part is the deployment and the web hook configuration. The flow is as follows
- The MutatingWebhookConfiguration we create instructs k8s to pass all requests for creating/updating all ServiceAccounts to our webhook before finishing the request
- We check whether the SA has the correctly defined imagepullsecret configuration. if not, we create a patch for the resource
- We also check whether we have the secret we are using in the imagepullsecret in the SA's namespace. If not, we create it based on our source secret
- We return the patch to k8s, which applies the changes
Of note is also a fact that the chart runs a lookup to the connected cluster to fetch the CA bundle for the MutatingWebhook. This means helm template won't work.
-
Create the prerequisite resources:
kubectl create ns imagepullsecret-injector kubectl create secret -n imagepullsecret-injector \ generic acr-dockerconfigjson-source \ --type=kubernetes.io/dockerconfigjson \ --from-literal=.dockerconfigjson='<your .dockerconfigjson configuration file>' -
Build the images and run the chart
make build-image helm upgrade -i imagepullsecret-injector \ -n imagepullsecret-injector \ charts/imagepullsecret-injectorAlternatively, you can use the pre-built, publicly available helm chart and docker images:
helm repo add imagepullsecret-injector https://ysoftdevs.github.io/imagepullsecret-injector helm repo update helm upgrade -i imagepullsecret-injector \ -n imagepullsecret-injector \ magepullsecret-injector/imagepullsecret-injector -
To test whether everything works, you can run
kubectl create ns yolo kubectl get sa -n yolo default -ojsonpath='{.imagePullSecrets}'The
getcommand should display some non-empty result.
To authenticate to the docker registry to push the images manually, you will need your own Github Personal Access Token. For more information follow this guide https://docs.github.com/en/packages/guides/migrating-to-github-container-registry-for-docker-images#authenticating-with-the-container-registry