haopengzhan/k8s-ds-secret-injection
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: implement pod-specific secret injection for DaemonSets with automated lifecycle management

Browse Source
This commit is contained in:
Pengzhan Hao
2026-01-21 07:00:48 +00:00
commit cffe13168f
15 changed files with 973 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Makefile
+51
View File
@@ -0,0 +1,51 @@
# Image Registry Configuration
REGISTRY ?= git.pengzhan.dev/haopengzhan/k8s-ds-secret-injection
WEBHOOK_IMAGE = $(REGISTRY)/webhook:latest
CLIENT_IMAGE = $(REGISTRY)/test-client:latest
NAMESPACE = gps-system
.PHONY: all build build-images push deploy clean certs
all: build
build:
go build -o bin/webhook ./cmd/webhook
go build -o bin/test-client ./cmd/test-client
go build -o bin/secret-manager ./cmd/secret-manager
build-images:
docker build -f Dockerfile.webhook -t $(WEBHOOK_IMAGE) .
docker build -f Dockerfile.test-client -t $(CLIENT_IMAGE) .
push: build-images
docker push $(WEBHOOK_IMAGE)
docker push $(CLIENT_IMAGE)
certs:
@echo "Generating self-signed certificates..."
kubectl apply -f deploy/namespace.yaml
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes \
-subj "/CN=inject-ds-webhook.$(NAMESPACE).svc" \
-addext "subjectAltName = DNS:inject-ds-webhook.$(NAMESPACE).svc"
kubectl create secret tls inject-ds-webhook-certs --cert=cert.pem --key=key.pem -n $(NAMESPACE) --dry-run=client -o yaml | kubectl apply -f -
@echo "Updating CA Bundle in webhook configuration..."
@CA_BUNDLE=$$(cat cert.pem | base64 | tr -d '\n') && \
sed -i "s/caBundle: .*/caBundle: $$CA_BUNDLE/" deploy/webhook.yaml
deploy:
kubectl apply -f deploy/namespace.yaml
kubectl apply -f deploy/rbac.yaml
# Ensure images in manifests match our registry
sed -i "s|image: .*/inject-ds-webhook:latest|image: $(WEBHOOK_IMAGE)|" deploy/webhook.yaml
sed -i "s|image: .*/test-client:latest|image: $(CLIENT_IMAGE)|" deploy/test-ds.yaml
kubectl apply -f deploy/webhook.yaml
@echo "Waiting for webhook to be ready..."
kubectl wait --for=condition=available --timeout=60s deployment/inject-ds-webhook -n $(NAMESPACE)
kubectl apply -f deploy/test-ds.yaml
clean:
kubectl delete -f deploy/test-ds.yaml --ignore-not-found
kubectl delete -f deploy/webhook.yaml --ignore-not-found
kubectl delete -f deploy/rbac.yaml --ignore-not-found
kubectl delete namespace $(NAMESPACE) --ignore-not-found
rm -rf bin/ key.pem cert.pem