ImagePullSecrets Webhook
This is a Kubernetes Mutating Admission Webhook that automatically adds imagePullSecrets to pods based on the registry they're using.
Features
- Automatically injects imagePullSecrets into pods
- Configurable registry-to-secret mappings
- Ignores public registries by default
- Supports both regular and init containers
- Prevents duplicate secret injection
- Uses cert-manager for certificate management
Configuration
The webhook can be configured using environment variables:
- DEFAULT_SECRET: Default secret to use for private registries
- IGNORED_REGISTRIES: Comma-separated list of registries that don't need secrets
- REGISTRY_MAPPINGS: Specific registry-to-secret mappings (format: "registry1:secret1,registry2:secret2")
Prerequisites
- cert-manager installed in the cluster
- A ClusterIssuer named "selfsigned-cluster-issuer" (or update the Certificate resource to use a different issuer)
Building
To build the Docker image:
./build.sh
How It Works
- The webhook examines each container's image to determine which registry it's using
- Based on the registry, it determines which imagePullSecret to inject
- Using JSON Patch, it adds the appropriate imagePullSecrets to the pod specification
- Only adds secrets for private registries, leaving public images unaffected
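The following Go program is an added, self-contained illustration of the four steps above (registry extraction, secret selection from the three environment variables, JSON Patch generation, and duplicate suppression across init and regular containers). It is not the webhook's own source; the type names (Config, PodSpec, PatchOp), the minimal pod structures, and the decision to split each REGISTRY_MAPPINGS entry on its last colon (so a registry with a port still parses) are assumptions made for this example. The sample pod and environment values in main are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Config mirrors the three environment variables described in the README.
type Config struct {
	DefaultSecret     string            // DEFAULT_SECRET
	IgnoredRegistries map[string]bool   // IGNORED_REGISTRIES (comma-separated)
	RegistryMappings  map[string]string // REGISTRY_MAPPINGS ("reg1:secret1,reg2:secret2")
}

// ParseConfig builds a Config from raw environment variable values.
// Assumption: a mapping entry is split on its LAST colon, so "localhost:5000:s"
// maps registry "localhost:5000" to secret "s".
func ParseConfig(defaultSecret, ignored, mappings string) Config {
	cfg := Config{DefaultSecret: defaultSecret, IgnoredRegistries: map[string]bool{}, RegistryMappings: map[string]string{}}
	for _, r := range strings.Split(ignored, ",") {
		if r = strings.TrimSpace(r); r != "" {
			cfg.IgnoredRegistries[r] = true
		}
	}
	for _, m := range strings.Split(mappings, ",") {
		m = strings.TrimSpace(m)
		if i := strings.LastIndex(m, ":"); i > 0 && i < len(m)-1 {
			cfg.RegistryMappings[m[:i]] = m[i+1:]
		}
	}
	return cfg
}

// RegistryOf extracts the registry host from an image reference using the Docker
// convention: the first path component is a registry only if it contains '.' or ':'
// or equals "localhost"; otherwise the image is resolved against docker.io.
func RegistryOf(image string) string {
	first := strings.SplitN(image, "/", 2)[0]
	if first == image || !(strings.ContainsAny(first, ".:") || first == "localhost") {
		return "docker.io"
	}
	return first
}

// SecretFor returns the imagePullSecret name for an image, or "" when its
// registry is in the ignored (public) list.
func SecretFor(cfg Config, image string) string {
	reg := RegistryOf(image)
	if cfg.IgnoredRegistries[reg] {
		return ""
	}
	if s, ok := cfg.RegistryMappings[reg]; ok {
		return s
	}
	return cfg.DefaultSecret
}

// Minimal subset of core/v1 pod fields needed for the decision.
type Container struct {
	Image string `json:"image"`
}
type LocalObjectReference struct {
	Name string `json:"name"`
}
type PodSpec struct {
	InitContainers   []Container            `json:"initContainers,omitempty"`
	Containers       []Container            `json:"containers"`
	ImagePullSecrets []LocalObjectReference `json:"imagePullSecrets,omitempty"`
}

// PatchOp is one RFC 6902 JSON Patch operation, as returned in an AdmissionResponse.
type PatchOp struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value,omitempty"`
}

// BuildPatch computes the JSON Patch that adds the required imagePullSecrets,
// skipping names already on the pod and de-duplicating across all containers.
func BuildPatch(cfg Config, spec PodSpec) []PatchOp {
	present := map[string]bool{}
	for _, s := range spec.ImagePullSecrets {
		present[s.Name] = true
	}
	var ops []PatchOp
	all := append(append([]Container{}, spec.InitContainers...), spec.Containers...)
	for _, c := range all {
		name := SecretFor(cfg, c.Image)
		if name == "" || present[name] {
			continue
		}
		present[name] = true
		if len(spec.ImagePullSecrets) == 0 && len(ops) == 0 {
			// Field absent on the pod: the first op must create the array.
			ops = append(ops, PatchOp{Op: "add", Path: "/spec/imagePullSecrets", Value: []LocalObjectReference{{Name: name}}})
		} else {
			// Array exists (or was just created): append with the "-" index.
			ops = append(ops, PatchOp{Op: "add", Path: "/spec/imagePullSecrets/-", Value: LocalObjectReference{Name: name}})
		}
	}
	return ops
}

func main() {
	// Constructed environment values and pod for demonstration only.
	cfg := ParseConfig("default-pull", "docker.io,quay.io", "registry.example.com:example-pull,ghcr.io:ghcr-pull")
	spec := PodSpec{
		InitContainers: []Container{{Image: "ghcr.io/org/init:1"}},
		Containers:     []Container{{Image: "nginx:1.25"}, {Image: "registry.example.com/app:2"}, {Image: "ghcr.io/org/sidecar:3"}},
	}
	out, _ := json.MarshalIndent(BuildPatch(cfg, spec), "", "  ")
	fmt.Println(string(out))
}
```

Running it yields two operations: the first creates /spec/imagePullSecrets with ghcr-pull (from the init container), the second appends example-pull; the nginx image resolves to docker.io and is ignored, and the ghcr.io sidecar adds nothing because that secret is already present.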
Certificate Management
This webhook uses cert-manager to automatically generate and manage TLS certificates:
- A Certificate resource requests a certificate from the selfsigned-cluster-issuer
- cert-manager creates a Secret containing the TLS certificate and key
- The webhook server mounts this secret and uses the certificates
- The MutatingWebhookConfiguration uses the cert-manager annotation to automatically inject the CA bundle
Deployment
The webhook is deployed using standard Kubernetes manifests:
- Namespace
- Certificate (for cert-manager)
- Deployment
- Service
- MutatingWebhookConfiguration
- ImagePullSecret (to be injected into pods)