From 4c07e0db8bbc60ab0ebc2f517baf5760dd26c5aa Mon Sep 17 00:00:00 2001
From: Maksim Kiselev
Date: Sat, 15 Jun 2024 23:46:14 +0300
Subject: [PATCH] Mutation webhook for secret injection
Signed-off-by: Maksim Kiselev
---
 images/env-injector/main.go | 5 +++++
 templates/secrets-store-csi-driver/daemonset.yaml | 6 ++++++
 templates/vault-secrets-webhook/deployment.yaml | 3 +--
 3 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/images/env-injector/main.go b/images/env-injector/main.go
index 7c0a6af..17c861b 100644
--- a/images/env-injector/main.go
+++ b/images/env-injector/main.go
@@ -205,6 +205,11 @@ func main() {
 os.Exit(1)
 }
+
+ if len(os.Args) == 2 && os.Args[1] == "--dummy-run" { //check binary can run on node
+ os.Exit(0)
+ }
+
 if len(os.Args) == 2 && os.Args[1] == "--self-copy" {
 source, err := os.Open("/bin/env-injector") //open the source file
 if err != nil {
diff --git a/templates/secrets-store-csi-driver/daemonset.yaml b/templates/secrets-store-csi-driver/daemonset.yaml
index ce9d843..8be29a3 100644
--- a/templates/secrets-store-csi-driver/daemonset.yaml
+++ b/templates/secrets-store-csi-driver/daemonset.yaml
@@ -67,6 +67,12 @@ spec:
 {{- include "ssi.imagePullSecrets" . | nindent 6 }}
 {{- include "helm_lib_tolerations" (tuple . "any-node") | nindent 6 }}
 {{- include "helm_lib_priority_class" (tuple . "cluster-medium") | nindent 6 }}
+ initContainers:
+ - name: injector-puller
+ image: {{ include "helm_lib_module_image" (list . "envInjector") }}
+ command:
+ - /bin/env-injector
+ - --dummy-run
 containers:
 - name: node-driver-registrar
 image: {{ include "helm_lib_module_image" (list . "csiNodeDriverRegistrar") }}
diff --git a/templates/vault-secrets-webhook/deployment.yaml b/templates/vault-secrets-webhook/deployment.yaml
index 1593af8..868d303 100644
--- a/templates/vault-secrets-webhook/deployment.yaml
+++ b/templates/vault-secrets-webhook/deployment.yaml
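Review bot: The `--dummy-run` guard is placed after a block that calls `os.Exit(1)` (its condition lies above the hunk), so the pre-flight check that the `injector-puller` initContainer in templates/secrets-store-csi-driver/daemonset.yaml runs can fail for reasons unrelated to whether the binary executes on the node — if that earlier code reads configuration the initContainer does not provide, the DaemonSet's pods never become ready. If the flag is meant as a pure exec check it should be the first statement of main; otherwise the dependency on that preceding code should be stated. In either case the inline comment should name who relies on the flag, e.g. `// --dummy-run: exercised by the secrets-store-csi-driver DaemonSet initContainer to verify the image's binary executes on the node; keep it free of side effects.`. main starts and ends outside the hunk.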
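Review bot: The new `injector-puller` initContainer sets only `name`, `image` and `command`; it carries no container security context and no `resources`, whereas the webhook container in templates/vault-secrets-webhook/deployment.yaml is rendered with `helm_lib_module_container_security_context_read_only_root_filesystem`. The `--dummy-run` path in images/env-injector/main.go exits right away, so the same include fits here, `{{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 8 }}` under the `- name: injector-puller` entry, together with a `resources:` block so the check does not run unbounded on every node. A comment naming the purpose would help the next reader, e.g. `# pre-pulls the envInjector image on every node and verifies its binary runs there (env-injector --dummy-run)`. The sibling containers' security-context and resources settings are outside the hunk, so match whatever they use.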
@@ -51,8 +51,7 @@ spec:
 {{- include "helm_lib_node_selector" (tuple . "master") | nindent 6 }}
 {{- include "helm_lib_tolerations" (tuple . "any-node" "with-uninitialized") | nindent 6 }}
 {{- include "helm_lib_module_pod_security_context_run_as_user_nobody" . | nindent 6 }}
- imagePullSecrets:
- - name: deckhouse-registry
+ {{- include "ssi.imagePullSecrets" . | nindent 6 }}
 containers:
 - name: vault-secrets-webhook
 {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 8 }}