gcp-auth-webhook
A server that includes:
- A mutating webhook that will patch any newly created pods in your Kubernetes cluster with GCP credentials (whose location is currently hardcoded to /var/lib/minikube/google_application_credentials.json).
- A mutating webhook that will patch any newly created service accounts in your Kubernetes cluster with an image pull secret.
- A thread that monitors namespaces to make sure all namespaces include a image pull secret to be able to pull from GCR and AR.
Setting the environment variable MOCK_GOOGLE_TOKEN
to true
will prevent using the google application credentials to fetch the token used for the image pull secret. Instead the token will be mocked.
Deployment
Use the image gcr.io/k8s-minikube/gcp-auth-webhook
as the image for a Deployment in your Kubernetes manifest and add that to a MutatingWebhookConfiguration. See minikube for details.
Running Locally
The easiest way to run the server locally is:
- Modify minikube's gcp-auth Deployment image to be
local/gcp-auth-webhook:$(VERSION)
(replace$(VERSION)
with your version) - Build and run minikube
- Run
eval $(path_to_minikube/minikube docker-env)
and thenmake local-image
to make the image available from within minikube - Run
path_to_minikube/minikube addons enable gcp-auth
to enable the addon, which creates a pod in thegcp-auth
namespace with the gcp-auth-webhook server