feat: inject rerouted image pull secret if not already present in the pod

plaffitt · plaffitt · commit bc45e1d51240 · 2025-11-24T15:54:40.000+01:00
diff --git a/internal/webhook/core/v1/pod_webhook.go b/internal/webhook/core/v1/pod_webhook.go
@@ -214,13 +214,22 @@ func (d *PodCustomDefaulter) defaultt(ctx context.Context, pod *corev1.Pod) erro
 			return err
 		}
 
-		d.rerouteContainerImage(ctx, &container, podImagePullSecrets)
+		alternativeSecret := d.rerouteContainerImage(ctx, &container, podImagePullSecrets)
+		alternativeSecretIndex := slices.IndexFunc(pod.Spec.ImagePullSecrets, func(localObjectReference corev1.LocalObjectReference) bool {
+			return localObjectReference.Name == alternativeSecret.Name
+		})
+		// Inject rerouted image pull secret if not already present in the pod
+		if alternativeSecretIndex == -1 {
+			pod.Spec.ImagePullSecrets = append(pod.Spec.ImagePullSecrets, corev1.LocalObjectReference{
+				Name: alternativeSecret.Name,
+			})
+		}
 	}
 
 	return nil
 }
 
-func (d *PodCustomDefaulter) rerouteContainerImage(ctx context.Context, container *Container, pullSecrets []corev1.Secret) {
+func (d *PodCustomDefaulter) rerouteContainerImage(ctx context.Context, container *Container, pullSecrets []corev1.Secret) *corev1.Secret {
 	log := logf.FromContext(ctx)
 
 	for _, image := range container.Images {
@@ -237,9 +246,11 @@ func (d *PodCustomDefaulter) rerouteContainerImage(ctx context.Context, containe
 				log.Info("rerouting image", "container", container.Name, "isInit", container.IsInit, "originalImage", container.Image, "reroutedImage", image.Reference)
 				container.Image = image.Reference
 			}
-			return
+			return image.ImagePullSecret
 		}
 	}
+
+	return nil
 }
 
 func (d *PodCustomDefaulter) checkImageAvailability(ctx context.Context, reference string, pullSecrets []corev1.Secret) (bool, error) {

Original file line number	Diff line number	Diff line change
`@@ -214,13 +214,22 @@ func (d PodCustomDefaulter) defaultt(ctx context.Context, pod corev1.Pod) erro`
`214`	`214`	`return err`
`215`	`215`	`}`
`216`	`216`
`217`		`- d.rerouteContainerImage(ctx, &container, podImagePullSecrets)`
	`217`	`+ alternativeSecret := d.rerouteContainerImage(ctx, &container, podImagePullSecrets)`
	`218`	`+ alternativeSecretIndex := slices.IndexFunc(pod.Spec.ImagePullSecrets, func(localObjectReference corev1.LocalObjectReference) bool {`
	`219`	`+ return localObjectReference.Name == alternativeSecret.Name`
	`220`	`+ })`
	`221`	`+ // Inject rerouted image pull secret if not already present in the pod`
	`222`	`+ if alternativeSecretIndex == -1 {`
	`223`	`+ pod.Spec.ImagePullSecrets = append(pod.Spec.ImagePullSecrets, corev1.LocalObjectReference{`
	`224`	`+ Name: alternativeSecret.Name,`
	`225`	`+ })`
	`226`	`+ }`
`218`	`227`	`}`
`219`	`228`
`220`	`229`	`return nil`
`221`	`230`	`}`
`222`	`231`
`223`		`-func (d PodCustomDefaulter) rerouteContainerImage(ctx context.Context, container Container, pullSecrets []corev1.Secret) {`
	`232`	`+func (d PodCustomDefaulter) rerouteContainerImage(ctx context.Context, container Container, pullSecrets []corev1.Secret) *corev1.Secret {`
`224`	`233`	`log := logf.FromContext(ctx)`
`225`	`234`
`226`	`235`	`for _, image := range container.Images {`
`@@ -237,9 +246,11 @@ func (d *PodCustomDefaulter) rerouteContainerImage(ctx context.Context, containe`
`237`	`246`	`log.Info("rerouting image", "container", container.Name, "isInit", container.IsInit, "originalImage", container.Image, "reroutedImage", image.Reference)`
`238`	`247`	`container.Image = image.Reference`
`239`	`248`	`}`
`240`		`- return`
	`249`	`+ return image.ImagePullSecret`
`241`	`250`	`}`
`242`	`251`	`}`
	`252`	`+`
	`253`	`+ return nil`
`243`	`254`	`}`
`244`	`255`
`245`	`256`	`func (d *PodCustomDefaulter) checkImageAvailability(ctx context.Context, reference string, pullSecrets []corev1.Secret) (bool, error) {`