# DaemonSet Secret Injector

A Kubernetes Mutating Webhook that automatically injects a unique, node-specific Secret into Pods belonging to a targeted DaemonSet.

## Features

- **Automatic Injection**: Intercepts Pod creation and injects a Secret volume and mount.
- **Node-Specific Data**: Each Pod gets a unique Secret containing information relevant to the node it resides on.
- **Lifecycle Management**: Automatically creates the Secret upon Pod creation and deletes it when the Pod is removed.
- **Node Authorizer Compatibility**: Secret names are derived from the Pod name. Because the Node Authorizer only lets a kubelet read Secrets referenced by Pods bound to its own Node, a kubelet can read the injected Secrets of Pods scheduled to its Node and no others.

## Architecture

1. **Mutating Webhook**: Intercepts `CREATE` requests for Pods. It determines the target Node name (from `spec.nodeName` or from the node affinity the DaemonSet controller sets on the Pod), assigns the Pod a unique name (DaemonSet Pods are submitted with `generateName`, so the final name is not yet known at admission time and the Secret name must be derived from it), creates the Secret, and patches the Pod spec to include the Secret volume and mount.
2. **Pod Controller**: Watches for Pod deletion events and cleans up the associated Secret from the namespace.
3. **Test Client**: A helper utility that uses Node credentials (a `kubeconfig` carrying the node's identity) to verify that it can read the injected Secret.
4. **Secret Manager**: A CLI tool for managing Kubernetes Secrets from your local machine with automatic decoding. See [cmd/secret-manager/README.md](cmd/secret-manager/README.md) for details.

## Getting Started

### Prerequisites

- Kubernetes cluster (GKE, EKS, Kind, etc.)
- `kubectl` and `docker`
- `openssl` (for certificate generation)

### Configuration

The webhook is configured via command-line arguments in the deployment:

- `--target-namespace`: The namespace to monitor (default: `gps-system`).
- `--target-daemonsets`: Comma-separated list of DaemonSet names whose Pods receive the injected Secret.

### Deployment

1. **Clone the repository**.
2. **Configure your registry**:
   ```bash
   export REGISTRY=us-docker.pkg.dev/your-project/your-repo
   ```
3. **Build and push images**:
   ```bash
   make push REGISTRY=$REGISTRY
   ```
4. **Set up certificates**:
   ```bash
   # Create the namespace first
   kubectl apply -f deploy/namespace.yaml

   # Generate and upload certs
   make certs
   ```
5. **Deploy the system**:
   ```bash
   make deploy REGISTRY=$REGISTRY
   ```

## Verification

Check the logs of the test DaemonSet Pods to see the successful retrieval of the Secret:

```bash
kubectl logs -n gps-system -l app=test-daemonset
```

You should see:

```text
Successfully retrieved secret gps-system/test-daemonset-xxxxx
Key: secret-data, Value: unique-secret-for-test-daemonset-xxxxx-on-node-yyyyy
```

## Cleanup

To remove all resources created by this project:

```bash
make clean
```
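## Example: the admission-side mutation

The following is an added example illustrating the webhook step described under Architecture; it is not code from this project. It decodes the Pod object of an admission request with hand-rolled, dependency-free structs (the real webhook would use `k8s.io/api/core/v1.Pod`), resolves the target Node from `spec.nodeName` or the DaemonSet controller's `metadata.name` node-affinity term, fixes the Pod name when only `generateName` is present, and emits the RFC 6902 JSON Patch that adds the Secret volume and mounts it into every container. The volume name `node-secret`, the mount path `/etc/node-secret`, the `suffix` parameter (a stand-in for the random `generateName` suffix) and the `secret-data` payload format are assumptions; the payload format follows the value shown in the Verification section.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Minimal Pod shape with only the fields the mutation reads. encoding/json
// matches keys case-insensitively, so tags appear only where the Go name
// differs. Assumption: the real webhook decodes k8s.io/api/core/v1.Pod.
type pod struct {
	Metadata struct {
		Name, GenerateName string
		OwnerReferences    []struct{ Kind, Name string }
	}
	Spec struct {
		NodeName string
		Affinity struct {
			NodeAffinity struct {
				Required struct {
					Terms []struct {
						MatchFields []struct {
							Key, Operator string
							Values        []string
						}
					} `json:"nodeSelectorTerms"`
				} `json:"requiredDuringSchedulingIgnoredDuringExecution"`
			}
		}
		Volumes    []json.RawMessage
		Containers []struct{ VolumeMounts []json.RawMessage }
	}
}

// patchOp is one RFC 6902 JSON Patch operation, the form an AdmissionResponse returns.
type patchOp struct {
	Op    string `json:"op"`
	Path  string `json:"path"`
	Value any    `json:"value,omitempty"`
}

// targetedBy reports whether the Pod is owned by one of the target DaemonSets.
func targetedBy(p *pod, targets map[string]bool) bool {
	for _, o := range p.Metadata.OwnerReferences {
		if o.Kind == "DaemonSet" && targets[o.Name] {
			return true
		}
	}
	return false
}

// targetNode resolves the Node: spec.nodeName if set, otherwise the metadata.name
// matchFields term the DaemonSet controller puts in the Pod's required node
// affinity (the Pod is not yet bound to a Node at admission time).
func targetNode(p *pod) (string, error) {
	if p.Spec.NodeName != "" {
		return p.Spec.NodeName, nil
	}
	for _, t := range p.Spec.Affinity.NodeAffinity.Required.Terms {
		for _, f := range t.MatchFields {
			if f.Key == "metadata.name" && f.Operator == "In" && len(f.Values) == 1 {
				return f.Values[0], nil
			}
		}
	}
	return "", errors.New("pod has neither nodeName nor a single-node affinity term")
}

// secretData is the per-Pod Secret payload, in the format the Verification section shows.
func secretData(podName, node string) map[string]string {
	return map[string]string{"secret-data": fmt.Sprintf("unique-secret-for-%s-on-node-%s", podName, node)}
}

// addToList appends v to the list at path, creating the list when it is absent
// (a JSON Patch "add" to "/x/-" fails if /x does not exist yet).
func addToList(path string, existing int, v any) patchOp {
	if existing == 0 {
		return patchOp{Op: "add", Path: path, Value: []any{v}}
	}
	return patchOp{Op: "add", Path: path + "/-", Value: v}
}

// mutate handles one Pod from an AdmissionReview CREATE request. It returns the
// final Pod name (which is also the Secret name), the target Node and the JSON
// Patch; patch is nil for Pods not owned by a target DaemonSet. suffix stands in
// for the random 5-character generateName suffix; production code must pick it randomly.
func mutate(raw []byte, targets map[string]bool, suffix string) (podName, node string, patch []patchOp, err error) {
	var p pod
	if err = json.Unmarshal(raw, &p); err != nil || !targetedBy(&p, targets) {
		return "", "", nil, err
	}
	if node, err = targetNode(&p); err != nil {
		return "", "", nil, err
	}
	podName = p.Metadata.Name
	if podName == "" { // DaemonSet Pods arrive with generateName only: fix the name now
		podName = p.Metadata.GenerateName + suffix
		patch = append(patch, patchOp{Op: "add", Path: "/metadata/name", Value: podName})
	}
	vol := map[string]any{"name": "node-secret", "secret": map[string]string{"secretName": podName}}
	mount := map[string]any{"name": "node-secret", "mountPath": "/etc/node-secret", "readOnly": true}
	patch = append(patch, addToList("/spec/volumes", len(p.Spec.Volumes), vol))
	for i, c := range p.Spec.Containers {
		patch = append(patch, addToList(fmt.Sprintf("/spec/containers/%d/volumeMounts", i), len(c.VolumeMounts), mount))
	}
	return podName, node, patch, nil
}
```

In the real webhook the Secret returned by `secretData` must be created in the target namespace before the admission response is sent, so that the kubelet finds it when it mounts the volume; the Pod Controller later deletes that Secret when the Pod goes away.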