Add imagePullSecrets change

Author: paretl

CHANGELOG.md

@@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.9.0] - 2025-03-20
+### Added
+- Add imagePullSecrets update when an image is modified
+
 ## [0.8.1] - 2025-03-17
 ### Fixed
 - Fixed chart pdb rendering

Makefile

@@ -17,7 +17,7 @@ DOCKER_BUILDX_BUILDER ?= "harbor-container-webhook"
 all: $(addprefix build-,$(ARCH))
 
 # Image registry for build/push image targets
-IMAGE_REGISTRY ?= ghcr.io/indeedeng/harbor-container-webhook
+IMAGE_REGISTRY ?= harbor.monitoring-lz800.mindee.net/mindee/harbor-container-webhook
 
 HELM_DIR    ?= deploy/charts/harbor-container-webhook
 

README.md

@@ -44,6 +44,8 @@ reference which matches at least one match rule and none of the exclusion rules,
 by the `replace` contents of the rule. If `checkUpstream` is enabled, the webhook will first fetch the manifest
 the rewritten container image reference and verify it exists before rewriting the image.
 
+You can also update the `imagePullSecrets` of a modified pod to have the right docker secret to connect to the modified registry. For that, put `replaceImagePullSecrets` to `true` and be sure that `authSecretName` is set with the Kubernetes secret that you want to add to `imagePullSecrets`. If `imagePullSecrets` already contains a secret, the `authSecretName` will be added to the list anyway.
+
 Example configuration:
 ```yaml
 port: 9443
@@ -67,6 +69,12 @@ rules:
     replace: 'harbor.example.com/ubuntu-proxy'
     checkUpstream: true # tests if the manifest for the rewritten image exists
     authSecretName: harbor-example-image-pull-secret # optional, defaults to "" - secret in the webhook namespace for authenticating to harbor.example.com
+  - name: 'docker.io rewrite rule with imagePullSecrets update'
+    matches:
+      - '^docker.io'
+    replace: 'harbor.example.com/dockerhub-proxy'
+    replaceImagePullSecrets: true # enable imagePullSecrets change for modified images
+    authSecretName: harbor-example-image-pull-secret # secret to add to imagePullSecrets on the modified pod
 ```
 Local Development
 ===

deploy/charts/harbor-container-webhook/Chart.yaml

@@ -3,7 +3,7 @@ name: harbor-container-webhook
 description: Webhook to configure pods with harbor proxy cache projects
 type: application
 version: 0.8.1
-appVersion: "0.8.0"
+appVersion: "0.9.0"
 kubeVersion: ">= 1.16.0-0"
 home: https://github.com/IndeedEng/harbor-container-webhook
 maintainers:

deploy/charts/harbor-container-webhook/values.yaml

@@ -113,6 +113,12 @@ rules: []
 #    platforms: # defaults to linux/amd64, only used if checkUpstream is set
 #      - linux/amd64
 #      - linux/arm64
+#  - name: 'docker.io rewrite rule with imagePullSecrets update'
+#    matches:
+#      - '^docker.io'
+#    replace: 'harbor.example.com/dockerhub-proxy'
+#    replaceImagePullSecrets: true # enable imagePullSecrets change for modified images
+#    authSecretName: harbor-example-image-pull-secret # secret to add to imagePullSecrets on the modified pod
 
 extraRules: []
 

hack/config.yaml

@@ -18,4 +18,11 @@ rules:
       - '^docker.io/(library/)?ubuntu:.*$'
     replace: 'harbor-v2.awscmhqa2.k8s.indeed.tech/dockerhub-proxy-auth'
     checkUpstream: true # tests if the manifest for the rewritten image exists
-    authSecretName: "harborv2-qa"
+    authSecretName: "harborv2-qa"
+  - name: 'docker.io rewrite rule with imagePullSecret change'
+    # image refs must match at least one of the rules, and not match any excludes
+    matches:
+      - '^docker.io'
+    replace: 'harbor.example.com/dockerhub-proxy'
+    authSecretName: "harborv2-qa"
+    replaceImagePullSecrets: true

hack/test/admission.json

@@ -13,6 +13,11 @@
       "metadata": {
       },
       "spec": {
+        "imagePullSecrets": [
+          {
+            "name": "foo"
+          }
+        ],
         "containers": [
           {
             "name": "foo",

hack/test/no-op.json

@@ -13,6 +13,11 @@
       "metadata": {
       },
       "spec": {
+        "imagePullSecrets": [
+          {
+            "name": "foo"
+          }
+        ],
         "containers": [
           {
             "name": "foo",

internal/config/config.go

@@ -79,10 +79,13 @@ type ProxyRule struct {
 	// If the webhook lacks permissions to fetch the image manifest or the registry is down, the image
 	// will not be rewritten. Experimental.
 	CheckUpstream bool `yaml:"checkUpstream"`
+	// ReplaceImagePullSecrets enables the replacement of the imagePullSecrets of the pod in addition to the image
+	ReplaceImagePullSecrets bool `yaml:"replaceImagePullSecrets"`
 	// List of the required platforms to check for if CheckUpstream is set. Defaults to "linux/amd64" if unset.
 	Platforms []string `yaml:"platforms"`
 	// AuthSecretName is a reference to an image pull secret (must be .dockerconfigjson type) which
-	// will be used to authenticate if `checkUpstream` is set. Unused if not specified or `checkUpstream` is false.
+	// will be used to authenticate if `checkUpstream` is set or to modify the imagePullSecrets if
+	// `replaceImagePullSecrets` is set.
 	AuthSecretName string `yaml:"authSecretName"`
 	// Namespace that the webhook is running in, used for accessing secrets for authenticated proxy rules
 	Namespace string

internal/webhook/mutate.go

@@ -38,6 +38,7 @@ func (p *PodContainerProxier) Handle(ctx context.Context, req admission.Request)
 		return admission.Errored(http.StatusBadRequest, err)
 	}
 
+	// container images
 	initContainers, updatedInit, err := p.updateContainers(ctx, pod.Spec.InitContainers, "init")
 	if err != nil {
 		return admission.Errored(http.StatusInternalServerError, err)
@@ -52,6 +53,16 @@ func (p *PodContainerProxier) Handle(ctx context.Context, req admission.Request)
 	pod.Spec.InitContainers = initContainers
 	pod.Spec.Containers = containers
 
+	// imagePullSecrets
+	imagePullSecrets, updatedImagePullSecrets, err := p.updateImagePullSecrets(pod.Spec.ImagePullSecrets)
+	if err != nil {
+		return admission.Errored(http.StatusInternalServerError, err)
+	}
+	if !updatedImagePullSecrets {
+		return admission.Allowed("no updates")
+	}
+	pod.Spec.ImagePullSecrets = imagePullSecrets
+
 	marshaledPod, err := json.Marshal(pod)
 	if err != nil {
 		return admission.Errored(http.StatusInternalServerError, err)
@@ -68,7 +79,7 @@ func (p *PodContainerProxier) lookupNodeArchAndOS(ctx context.Context, restClien
 	return node.Status.NodeInfo.Architecture, node.Status.NodeInfo.OperatingSystem, nil
 }
 
-func (p *PodContainerProxier) updateContainers(ctx context.Context, containers []corev1.Container, kind string) ([]corev1.Container, bool, error) {
+func (p *PodContainerProxier) updateContainers(ctx context.Context, containers []corev1.Container, _ string) ([]corev1.Container, bool, error) {
 	containersReplacement := make([]corev1.Container, 0, len(containers))
 	updated := false
 	for i := range containers {
@@ -118,3 +129,15 @@ func (p *PodContainerProxier) InjectDecoder(d admission.Decoder) error {
 	p.Decoder = d
 	return nil
 }
+
+func (p *PodContainerProxier) updateImagePullSecrets(imagePullSecrets []corev1.LocalObjectReference) (newImagePullSecrets []corev1.LocalObjectReference, updated bool, err error) {
+	pod := &corev1.Pod{}
+	for _, transformer := range p.Transformers {
+		updated, newImagePullSecrets, err = transformer.RewriteImagePullSecrets(imagePullSecrets)
+		if err != nil {
+			return imagePullSecrets, false, err
+		}
+		logger.Info(fmt.Sprintf("rewriting the imagePullSecrets of the pod %q from %q to %q", pod.ObjectMeta.Name, imagePullSecrets, newImagePullSecrets))
+	}
+	return newImagePullSecrets, updated, nil
+}