in appconfigmgrv2/api/webhooks/builtins/pod_webhook.go [474:527]
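// handleGCPSecret copies the Google key held in the source secret named by
// app.Spec.Auth.GCPAccess.SecretInfo.Name into a "google-cloud-token" secret
// in app.Namespace (creating it, or updating its "key.json" entry if it already
// exists), attaches that secret as a volume on pod, and, when the pod carries an
// "app" label, hands the mount path and the GOOGLE_APPLICATION_CREDENTIALS name
// to updateContainers (that helper is defined elsewhere; presumably it wires the
// mount and env var into the matching containers).
//
// Because the key material is duplicated into app.Namespace, any principal able
// to read secrets in that namespace can read the key. The source secret's
// namespace is still the unresolved placeholder TODO_FIND_NAMESPACE.
//
// Returns an error when the source secret cannot be read, when it carries no
// non-empty "key.json" entry, or when the per-app secret cannot be created or
// updated. Returns nil otherwise, even if the pod has no "app" label.
func (a *podAnnotator) handleGCPSecret(ctx context.Context, pod *corev1.Pod, app *appconfig.AppEnvConfigTemplateV2) error {
	log.Info("podAnnotator:handleGCPSecret")
	secretName := app.Spec.Auth.GCPAccess.SecretInfo.Name
	secretNamespace := TODO_FIND_NAMESPACE // placeholder on the page; must be resolved before this path is usable
	cl := localMgr.GetClient()

	secret := &corev1.Secret{}
	if err := cl.Get(ctx, types.NamespacedName{Name: secretName, Namespace: secretNamespace}, secret); err != nil {
		log.Error(err, "Get Google Key from Secret to generate token")
		return errors.New("Secret Not Found")
	}
	log.Info("HandleUpdate:Secret", "secret", secret.Name)

	// Refuse to propagate an empty credential: writing an empty key.json would
	// only surface later as an opaque auth failure inside the workload.
	key, ok := secret.Data["key.json"]
	if !ok || len(key) == 0 {
		return errors.New("Secret has no key.json entry")
	}
	token := string(key)

	appSecret := &corev1.Secret{}
	err := cl.Get(ctx, types.NamespacedName{Name: "google-cloud-token", Namespace: app.Namespace}, appSecret)
	switch {
	case k8sapierrors.IsNotFound(err):
		if err := cl.Create(ctx, kubeSecretFromTemplate(app.Namespace, "google-cloud-token", "key.json", token)); err != nil {
			return err
		}
	case err != nil:
		return err
	default:
		// A secret object with no data has a nil map; assigning into it panics.
		if appSecret.Data == nil {
			appSecret.Data = map[string][]byte{}
		}
		appSecret.Data["key.json"] = []byte(token)
		if err := cl.Update(ctx, appSecret); err != nil {
			return err
		}
	}

	// The volume is attached regardless of the "app" label; only the
	// container wiring below is gated on it.
	log.Info("HandleUpdate:Volume Mounts", "secret", "google-cloud-token")
	updateSecretsVolume(pod, "google-cloud-token")

	log.Info("HandleUpdate:Containers", "pod.Labels", pod.GetLabels())
	if appLabel := pod.GetLabels()["app"]; appLabel != "" {
		log.Info("HandleUpdate:Containers:app", "pod.Labels.app", appLabel)
		updateContainers(pod, appLabel, "google-auth-token",
			"/var/run/secrets/google/token", "GOOGLE_APPLICATION_CREDENTIALS")
	}
	return nil
}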