Skip to content

SAP/registry-credential-injector

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

88 Commits

.github/workflows

.github/workflows

 
 

.local

.local

 
 

.reuse

.reuse

 
 

.vscode

.vscode

 
 

LICENSES

LICENSES

 
 

cmd/webhook

cmd/webhook

 
 

hack

hack

 
 

internal

internal

 
 

.dockerignore

.dockerignore

 
 

.gitignore

.gitignore

 
 

CONTRIBUTING.md

CONTRIBUTING.md

 
 

Dockerfile

Dockerfile

 
 

LICENSE

LICENSE

 
 

Makefile

Makefile

 
 

README.md

README.md

 
 

go.mod

go.mod

 
 

go.sum

go.sum

 
 

renovate.json

renovate.json

 
 

Repository files navigation

Kubernetes Registry Credential Injector

REUSE status

About this project

This service can act as a Mutating Kubernetes Admission Webhook for pods, and allows to dynamically inject image pull secrets into specific pods at creation time.

Pods for which the admission webhook is called by the Kubernetes API server will be changed only if:

  • there is an annotation regcred-injector.cs.sap.com/managed: true set at the pod's namespace or
  • there is an annotation regcred-injector.cs.sap.com/managed: true set at the pod itself.

In that case, the webhook will determine the name of the pull secret to be injected as follows:

  • if the inspected pod has an annotation regcred-injector.cs.sap.com/pull-secret, its value will be used for the pull secret
  • otherwise, if the pod's namespace has the annotation regcred-injector.cs.sap.com/pull-secret, its value will be used for the pull secret
  • otherwise, if specified, the default pull secret value (specified by command line flag) will be used
  • if no pull secret value was found by the above sources, the pod will not be changed.

Note: in case this webhook has to reliably work with pods that are created or mutated by other webhooks, this one should be registered with reinvocationPolicy: IfNeeded.

Command line flags

Flag Optional Default Description
-kubeconfig yes Usual kubeconfig fallback locations Path to kubeconfig file
-bind-address string yes :2443 Webhook bind address
-tls-key-file no - File containing the TLS private key used for SSL termination
-tls-cert-file no - File containing the TLS certificate matching the private key
-default-pull-secret yes - Name of the default pull secret to be injected

Requirements and Setup

The recommended deployment method is to use the Helm chart:

helm upgrade -i registry-credential-injector oci://ghcr.io/sap/registry-credential-injector-helm/registry-credential-injector

Documentation

The API reference is here: https://pkg.go.dev/github.com/sap/registry-credential-injector.

Support, Feedback, Contributing

This project is open to feature requests/suggestions, bug reports etc. via GitHub issues. Contribution and feedback are encouraged and always welcome. For more information about how to contribute, the project structure, as well as additional contribution information, see our Contribution Guidelines.

Code of Conduct

We as members, contributors, and leaders pledge to make participation in our community a harassment-free experience for everyone. By participating in this project, you agree to abide by its Code of Conduct at all times.

Licensing

Copyright 2023 SAP SE or an SAP affiliate company and registry-credential-injector contributors. Please see our LICENSE for copyright and license information. Detailed information including third-party components and their licensing/copyright information is available via the REUSE tool.

About

Kubernetes admission webhook to inject registry pull credentials into pods

Topics

sap-cns sap-cs-devops

Resources

Readme

License

Apache-2.0 license

Code of conduct

Code of conduct

Security policy

Security policy
Activity
Custom properties

Stars

1 star

Watchers

5 watching

Forks

0 forks
Report repository

Releases 30

v0.4.29 Latest
May 13, 2024
+ 29 releases

Packages 1

 

Contributors 5

Languages