feat: implement pod-specific secret injection for DaemonSets with automated lifecycle management

deploy/namespace.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: gps-system
+  labels:
+    kubernetes.io/metadata.name: gps-system

deploy/rbac.yaml

@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: inject-ds-webhook
+  namespace: gps-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: inject-ds-webhook-role
+rules:
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get", "list", "watch", "update", "patch"]
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["create", "delete", "get", "list", "patch", "update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: inject-ds-webhook-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: inject-ds-webhook-role
+subjects:
+- kind: ServiceAccount
+  name: inject-ds-webhook
+  namespace: gps-system
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: test-ds-sa
+  namespace: gps-system

deploy/test-ds.yaml

@@ -0,0 +1,68 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: test-daemonset
+  namespace: gps-system
+spec:
+  selector:
+    matchLabels:
+      app: test-daemonset
+  template:
+    metadata:
+      labels:
+        app: test-daemonset
+    spec:
+      serviceAccountName: test-ds-sa
+      terminationGracePeriodSeconds: 0
+      containers:
+      - name: test-client
+        image: REPO_PLACEHOLDER/test-client:latest
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        command: ["/bin/sh", "-c"]
+        args:
+        - |
+          /app/test-client --namespace=$(POD_NAMESPACE) --secret=$(POD_NAME)
+          echo "Test client finished. Sleeping forever..."
+          sleep infinity
+        volumeMounts:
+        - name: kubeconfig
+          mountPath: /var/lib/kubelet/kubeconfig
+          readOnly: true
+        - name: gke-bin
+          mountPath: /home/kubernetes/bin
+          readOnly: true
+        - name: pki
+          mountPath: /etc/srv/kubernetes/pki
+          readOnly: true
+        - name: kubelet-pki
+          mountPath: /var/lib/kubelet/pki
+          readOnly: true
+      volumes:
+      - name: kubeconfig
+        hostPath:
+          path: /var/lib/kubelet/kubeconfig
+          type: File
+      - name: gke-bin
+        hostPath:
+          path: /home/kubernetes/bin
+          type: Directory
+      - name: pki
+        hostPath:
+          path: /etc/srv/kubernetes/pki
+          type: Directory
+      - name: kubelet-pki
+        hostPath:
+          path: /var/lib/kubelet/pki
+          type: Directory

deploy/webhook.yaml

@@ -0,0 +1,73 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: inject-ds-webhook
+  namespace: gps-system
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: inject-ds-webhook
+  template:
+    metadata:
+      labels:
+        app: inject-ds-webhook
+    spec:
+      serviceAccountName: inject-ds-webhook
+      containers:
+      - name: webhook
+        image: REPO_PLACEHOLDER/inject-ds-webhook:latest
+        args:
+        - --target-namespace=gps-system
+        - --target-daemonsets=test-daemonset
+        ports:
+        - containerPort: 9443
+          name: webhook-api
+        volumeMounts:
+        - name: webhook-certs
+          mountPath: /tmp/k8s-webhook-server/serving-certs
+          readOnly: true
+      volumes:
+      - name: webhook-certs
+        secret:
+          secretName: inject-ds-webhook-certs
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: inject-ds-webhook
+  namespace: gps-system
+spec:
+  ports:
+  - port: 443
+    targetPort: 9443
+  selector:
+    app: inject-ds-webhook
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: inject-ds-webhook
+webhooks:
+- name: inject-ds.example.com
+  clientConfig:
+    service:
+      name: inject-ds-webhook
+      namespace: gps-system
+      path: "/mutate-pod"
+    caBundle: Cg==
+  rules:
+  - operations: ["CREATE"]
+    apiGroups: [""]
+    apiVersions: ["v1"]
+    resources: ["pods"]
+  admissionReviewVersions: ["v1"]
+  sideEffects: None
+  namespaceSelector:
+    matchLabels:
+      kubernetes.io/metadata.name: gps-system
+  objectSelector:
+    matchExpressions:
+    - key: app
+      operator: NotIn
+      values: ["inject-ds-webhook"]