2025-10-15 11:57:36 +02:00

ImagePullSecrets Webhook

This is a Kubernetes Mutating Admission Webhook that automatically adds imagePullSecrets to pods based on the registry each container image is pulled from.

Features

  • Automatically injects imagePullSecrets into pods
  • Configurable registry-to-secret mappings
  • Ignores public registries by default
  • Supports both regular and init containers
  • Prevents duplicate secret injection
  • Uses cert-manager for certificate management

Configuration

The webhook can be configured using environment variables:

  • DEFAULT_SECRET: Default secret to use for private registries
  • IGNORED_REGISTRIES: Comma-separated list of registries that don't need secrets
  • REGISTRY_MAPPINGS: Specific registry-to-secret mappings (format: "registry1:secret1,registry2:secret2")

Prerequisites

  • cert-manager installed in the cluster
  • A ClusterIssuer named "selfsigned-cluster-issuer" (or update the Certificate resource to use a different issuer)

Building

To build the Docker image:

./build.sh

How It Works

  1. The webhook examines each container's image reference to determine which registry it is pulled from
  2. Based on that registry, it determines which imagePullSecret to inject
  3. Using JSON Patch, it adds the appropriate imagePullSecrets to the pod specification
  4. It adds secrets only for private registries, leaving pods that use public images unaffected
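The following Go program is an added example and is not the project's own code. It walks through the four steps above and parses the three environment variables from the Configuration section in the formats listed there; every type and function name in it (Config, ParseConfig, RegistryOf, SecretFor, BuildPatch) and the sample image names are assumptions. For the registry lookup it applies the docker reference convention (the first path component is a registry only if it contains a dot or a colon or is "localhost", otherwise the image lives on docker.io); whether the project uses exactly that rule is not stated on this page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Config mirrors the README's environment variables (type and function names are assumptions, not the project's).
type Config struct {
	DefaultSecret     string            // DEFAULT_SECRET
	IgnoredRegistries map[string]bool   // IGNORED_REGISTRIES: "reg1,reg2"
	RegistryMappings  map[string]string // REGISTRY_MAPPINGS: "reg1:secret1,reg2:secret2"
}

// ParseConfig parses the raw values; the last ':' splits registry from secret so "localhost:5000:regcred" parses.
func ParseConfig(defaultSecret, ignored, mappings string) (Config, error) {
	cfg := Config{strings.TrimSpace(defaultSecret), map[string]bool{}, map[string]string{}}
	for _, r := range strings.Split(ignored, ",") {
		cfg.IgnoredRegistries[strings.TrimSpace(r)] = true
	}
	for _, m := range strings.Split(mappings, ",") {
		if m = strings.TrimSpace(m); m == "" {
			continue
		}
		i := strings.LastIndex(m, ":")
		if i <= 0 || i == len(m)-1 {
			return Config{}, fmt.Errorf("bad REGISTRY_MAPPINGS entry %q (want registry:secret)", m)
		}
		cfg.RegistryMappings[m[:i]] = m[i+1:]
	}
	return cfg, nil
}

// RegistryOf applies the docker reference convention: the first path component is a registry only if it
// contains '.' or ':' or is "localhost"; "nginx:1.25", "library/nginx" and "nginx@sha256:..." mean docker.io.
func RegistryOf(image string) string {
	first, _, found := strings.Cut(image, "/")
	if found && (first == "localhost" || strings.ContainsAny(first, ".:")) {
		return first
	}
	return "docker.io"
}

// SecretFor returns the secret to inject for an image, or "" for an ignored registry.
func SecretFor(cfg Config, image string) string {
	reg := RegistryOf(image)
	if cfg.IgnoredRegistries[reg] {
		return ""
	}
	if s, ok := cfg.RegistryMappings[reg]; ok {
		return s
	}
	return cfg.DefaultSecret
}

// The subset of the Pod schema the decision needs, and one RFC 6902 JSON Patch operation.
type Container struct{ Image string `json:"image"` }
type LocalObjectReference struct{ Name string `json:"name"` }
type PodSpec struct {
	InitContainers   []Container            `json:"initContainers,omitempty"`
	Containers       []Container            `json:"containers"`
	ImagePullSecrets []LocalObjectReference `json:"imagePullSecrets,omitempty"`
}
type PatchOp struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value,omitempty"`
}

// BuildPatch walks init and regular containers and emits one "add" per needed secret, skipping any secret
// already on the pod or already added. With no list on the pod, the first op creates it; later ops append via "/-".
func BuildPatch(cfg Config, spec PodSpec) []PatchOp {
	have := map[string]bool{}
	for _, s := range spec.ImagePullSecrets {
		have[s.Name] = true
	}
	var ops []PatchOp
	for _, c := range append(append([]Container{}, spec.InitContainers...), spec.Containers...) {
		s := SecretFor(cfg, c.Image)
		if s == "" || have[s] {
			continue
		}
		have[s] = true
		if len(spec.ImagePullSecrets) == 0 && len(ops) == 0 {
			ops = append(ops, PatchOp{"add", "/spec/imagePullSecrets", []LocalObjectReference{{s}}})
		} else {
			ops = append(ops, PatchOp{"add", "/spec/imagePullSecrets/-", LocalObjectReference{s}})
		}
	}
	return ops
}

func main() {
	// Constructed sample: the README's env values plus a hypothetical unmapped private registry.
	cfg, err := ParseConfig("regcred-default", "k8s.gcr.io,gcr.io,quay.io,docker.io", "harbor.yourdomain.com:regcred-harbor")
	if err != nil {
		panic(err)
	}
	spec := PodSpec{
		InitContainers: []Container{{"harbor.yourdomain.com/team/init:1.0"}},
		Containers:     []Container{{"nginx:1.25"}, {"registry.example.internal/app:2.0"}, {"harbor.yourdomain.com/team/app:1.0"}},
	}
	out, _ := json.MarshalIndent(BuildPatch(cfg, spec), "", "  ")
	fmt.Println(string(out)) // creates the list with regcred-harbor, then appends regcred-default; nginx needs nothing
}
```

The printed array is the JSON Patch an admission response would carry in its patch field. The ops are order-dependent: when the pod has no imagePullSecrets list yet, the first op has to create the list and every later op appends with the "/-" pointer; emitting a second "add" on "/spec/imagePullSecrets" would replace the list instead of extending it. The dedup set is seeded from secrets already on the pod, so a pod that was created with the right secret is left untouched rather than getting a second copy.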

Certificate Management

This webhook uses cert-manager to automatically generate and manage TLS certificates:

  1. A Certificate resource requests a certificate from the selfsigned-cluster-issuer
  2. cert-manager creates a Secret containing the TLS certificate and key
  3. The webhook server mounts this secret and uses the certificates
  4. The MutatingWebhookConfiguration uses the cert-manager annotation to automatically inject the CA bundle

Deployment

The webhook is deployed using standard Kubernetes manifests:

  • Namespace
  • Certificate (for cert-manager)
  • Deployment
  • Service
  • MutatingWebhookConfiguration
  • ImagePullSecret (to be injected into pods)

A kustomization file is provided in the deploy directory for easy deployment of the webhook.

Production Configuration

For production use, you should create a ConfigMap with your specific configuration. Create a kustomization.yaml file like this:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: imagepullsecrets-system
resources:
  - imagepullsecret.yaml
configMapGenerator:
  - name: imagepullsecrets-webhook-config
    envs:
      - imagepullsecret.env
    options:
      disableNameSuffixHash: true

And create an imagepullsecret.env file with your environment variables:

REGISTRY_MAPPINGS=harbor.yourdomain.com:regcred-harbor
IGNORED_REGISTRIES=k8s.gcr.io,gcr.io,quay.io,docker.io
SOURCE_NAMESPACE=imagepullsecrets-system