feat: implement pod-specific secret injection for DaemonSets with automated lifecycle management

2026-01-21 07:00:48 +00:00
commit cffe13168f
15 changed files with 973 additions and 0 deletions
@@ -0,0 +1,73 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: inject-ds-webhook
+  namespace: gps-system
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: inject-ds-webhook
+  template:
+    metadata:
+      labels:
+        app: inject-ds-webhook
+    spec:
+      serviceAccountName: inject-ds-webhook
+      containers:
+      - name: webhook
+        image: REPO_PLACEHOLDER/inject-ds-webhook:latest
+        args:
+        - --target-namespace=gps-system
+        - --target-daemonsets=test-daemonset
+        ports:
+        - containerPort: 9443
+          name: webhook-api
+        volumeMounts:
+        - name: webhook-certs
+          mountPath: /tmp/k8s-webhook-server/serving-certs
+          readOnly: true
+      volumes:
+      - name: webhook-certs
+        secret:
+          secretName: inject-ds-webhook-certs
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: inject-ds-webhook
+  namespace: gps-system
+spec:
+  ports:
+  - port: 443
+    targetPort: 9443
+  selector:
+    app: inject-ds-webhook
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: inject-ds-webhook
+webhooks:
+- name: inject-ds.example.com
+  clientConfig:
+    service:
+      name: inject-ds-webhook
+      namespace: gps-system
+      path: "/mutate-pod"
+    caBundle: Cg==
+  rules:
+  - operations: ["CREATE"]
+    apiGroups: [""]
+    apiVersions: ["v1"]
+    resources: ["pods"]
+  admissionReviewVersions: ["v1"]
+  sideEffects: None
+  namespaceSelector:
+    matchLabels:
+      kubernetes.io/metadata.name: gps-system
+  objectSelector:
+    matchExpressions:
+    - key: app
+      operator: NotIn
+      values: ["inject-ds-webhook"]