Mutation webhook for secret injection

Signed-off-by: Maksim Kiselev <maksim.kiselev@flant.com>
deckhouse · Jun 15, 2024 · 4c07e0d · 4c07e0d
1 parent 108a693
commit 4c07e0d
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 2 deletions.
diff --git a/images/env-injector/main.go b/images/env-injector/main.go
@@ -205,6 +205,11 @@ func main() {
 
 		os.Exit(1)
 	}
+
+	if len(os.Args) == 2 && os.Args[1] == "--dummy-run" { //check binary can run on node
+		os.Exit(0)
+	}
+
 	if len(os.Args) == 2 && os.Args[1] == "--self-copy" {
 		source, err := os.Open("/bin/env-injector") //open the source file
 		if err != nil {

diff --git a/templates/secrets-store-csi-driver/daemonset.yaml b/templates/secrets-store-csi-driver/daemonset.yaml
@@ -67,6 +67,12 @@ spec:
       {{- include "ssi.imagePullSecrets" . | nindent 6 }}
       {{- include "helm_lib_tolerations" (tuple . "any-node") | nindent 6 }}
       {{- include "helm_lib_priority_class" (tuple . "cluster-medium") | nindent 6 }}
+      initContainers:
+      - name: injector-puller
+        image: {{ include "helm_lib_module_image" (list . "envInjector") }}
+        command:
+        - /bin/env-injector
+        - --dummy-run
       containers:
         - name: node-driver-registrar
           image: {{ include "helm_lib_module_image" (list . "csiNodeDriverRegistrar") }}

diff --git a/templates/vault-secrets-webhook/deployment.yaml b/templates/vault-secrets-webhook/deployment.yaml
@@ -51,8 +51,7 @@ spec:
       {{- include "helm_lib_node_selector" (tuple . "master") | nindent 6 }}
       {{- include "helm_lib_tolerations" (tuple . "any-node" "with-uninitialized") | nindent 6 }}
       {{- include "helm_lib_module_pod_security_context_run_as_user_nobody" . | nindent 6 }}
-      imagePullSecrets:
-      - name: deckhouse-registry
+      {{- include "ssi.imagePullSecrets" . | nindent 6 }}
       containers:
       - name: vault-secrets-webhook
         {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 8 }}