Merge pull request #32 from iastewar/watch-namespaces

Added goroutine to watch namespaces and add secrets
GoogleContainerTools · Nov 29, 2022 · 6967a33 · 6967a33
2 parents ac6c872 + 81aabd8
commit 6967a33
Show file tree

Hide file tree

Showing 4 changed files with 638 additions and 93 deletions.
diff --git a/README.md b/README.md
@@ -1,4 +1,21 @@
 # gcp-auth-webhook
-A mutating webhook that will patch any pods in your kubernetes cluster with GCP credentials (whose location is currently hardcoded to /var/lib/minikube/google_application_credentials.json)
 
-Use the image gcr.io/k8s-minikube/gcp-auth-webhook as the image for a Deployment in your Kubernetes manifest and add that to a MutatingWebhookConfiguration.
+A server that includes:
+* A mutating webhook that will patch any newly created pods in your Kubernetes cluster with GCP credentials (whose location is currently hardcoded to /var/lib/minikube/google_application_credentials.json).
+* A mutating webhook that will patch any newly created service accounts in your Kubernetes cluster with an image pull secret.
+* A thread that monitors namespaces to make sure all namespaces include a image pull secret to be able to pull from GCR and AR.
+
+## Deployment
+Use the image `gcr.io/k8s-minikube/gcp-auth-webhook` as the image for a Deployment in your Kubernetes manifest and add that to a MutatingWebhookConfiguration. See [minikube](https://github.com/kubernetes/minikube/blob/master/deploy/addons/gcp-auth/gcp-auth-webhook.yaml.tmpl) for details.
+
+## Running Locally
+The easiest way to run the server locally is:
+* Remove `FROM scratch` in the Dockerfile and replace it with the following to ensure https requests work properly locally:
+```
+FROM alpine
+RUN apk --no-cache add ca-certificates
+```
+* Modify [minikube's](https://github.com/kubernetes/minikube/blob/master/deploy/addons/gcp-auth/gcp-auth-webhook.yaml.tmpl) gcp-auth Deployment image to be `local/gcp-auth-webhook:$(VERSION)` (replace `$(VERSION)` with your version)
+* Build and run minikube
+* Run `eval $(path_to_minikube/minikube docker-env)` and then `make local-image` to make the image available from within minikube
+* Run `path_to_minikube/minikube addons enable gcp-auth` to enable the addon, which creates a pod in the `gcp-auth` namespace with the gcp-auth-webhook server
diff --git a/go.mod b/go.mod
@@ -3,25 +3,48 @@ module github.com/GoogleContainerTools/gcp-auth-webhook
 go 1.18
 
 require (
+	github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible
 	github.com/blang/semver/v4 v4.0.0
-	k8s.io/api v0.24.1
-	k8s.io/apimachinery v0.24.1
+	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8
+	k8s.io/api v0.25.4
+	k8s.io/apimachinery v0.25.4
+	k8s.io/client-go v0.25.4
 )
 
 require (
-	github.com/go-logr/logr v1.2.0 // indirect
+	cloud.google.com/go v0.97.0 // indirect
+	github.com/PuerkitoBio/purell v1.1.1 // indirect
+	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/emicklei/go-restful/v3 v3.8.0 // indirect
+	github.com/go-logr/logr v1.2.3 // indirect
+	github.com/go-openapi/jsonpointer v0.19.5 // indirect
+	github.com/go-openapi/jsonreference v0.19.5 // indirect
+	github.com/go-openapi/swag v0.19.14 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/google/gnostic v0.5.7-v3refs // indirect
 	github.com/google/gofuzz v1.1.0 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/mailru/easyjson v0.7.6 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
-	golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	golang.org/x/net v0.0.0-20220722155237-a158d28d115b // indirect
+	golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f // indirect
+	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
 	golang.org/x/text v0.3.7 // indirect
+	golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
+	google.golang.org/appengine v1.6.7 // indirect
+	google.golang.org/protobuf v1.28.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
-	k8s.io/klog/v2 v2.60.1 // indirect
-	k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 // indirect
-	sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+	k8s.io/klog/v2 v2.70.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1 // indirect
+	k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed // indirect
+	sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 	sigs.k8s.io/yaml v1.2.0 // indirect
 )