add ability to control tags for injected containers (#22)

hooksie1 · Dec 16, 2023 · f857cce · f857cce
1 parent 6b2c1dd
commit f857cce
Show file tree

Hide file tree

Showing 5 changed files with 24 additions and 9 deletions.
diff --git a/cmd/deploy.go b/cmd/deploy.go
@@ -42,6 +42,8 @@ func generate(cmd *cobra.Command, args []string) {
 	port := viper.GetInt("port")
 	registry := viper.GetString("registry")
 	version := viper.GetString("version")
+	cmsnrtag := viper.GetString("cmsnrtag")
+	opatag := viper.GetString("opatag")
 
 	mCert, mKey, err := deployment.GenerateCertificate(mService, namespace)
 	if err != nil {
@@ -62,8 +64,8 @@ func generate(cmd *cobra.Command, args []string) {
 	printKind(deployment.NewClusterRole())
 	printKind(deployment.NewClusterRolebinding(namespace))
 	fmt.Println(deployment.NewCRD())
-	printKind(deployment.NewDeployment(mService, namespace, registry, "mutating", mSecret, port, version))
-	printKind(deployment.NewDeployment(vService, namespace, registry, "validating", vSecret, port, version))
+	printKind(deployment.NewDeployment(mService, namespace, registry, "mutating", mSecret, port, version, cmsnrtag, opatag))
+	printKind(deployment.NewDeployment(vService, namespace, registry, "validating", vSecret, port, version, cmsnrtag, opatag))
 	printKind(deployment.NewService(mService, namespace, port))
 	printKind(deployment.NewService(vService, namespace, port))
 	printKind(deployment.CertAsSecret(mCert, mKey, mSecret, namespace))

diff --git a/cmd/mutating.go b/cmd/mutating.go
@@ -39,7 +39,10 @@ func mutateServer(cmd *cobra.Command, args []string) {
 		Client:    mgr.GetClient(),
 		Namespace: namespace,
 		Registry:  registry,
+		CmsnrTag:  viper.GetString("cmsnrtag"),
+		OPATag:    viper.GetString("opatag"),
 	}
+
 	log.Info("setting up server")
 	mgrServer := mgr.GetWebhookServer()
 	mgrServer.Port = port

diff --git a/cmd/root.go b/cmd/root.go
@@ -38,6 +38,10 @@ func init() {
 	rootCmd.PersistentFlags().StringVarP(&namespace, "namespace", "n", "default", "The namespace to use")
 	rootCmd.PersistentFlags().StringP("registry", "r", "hooksie1", "Container registry")
 	viper.BindPFlag("registry", rootCmd.PersistentFlags().Lookup("registry"))
+	rootCmd.PersistentFlags().String("opa-tag", "latest", "Tag for injected OPA server")
+	viper.BindPFlag("opatag", rootCmd.PersistentFlags().Lookup("opa-tag"))
+	rootCmd.PersistentFlags().String("cmsnr-tag", "latest", "Tag for injected cmsnr client")
+	viper.BindPFlag("cmsnrtag", rootCmd.PersistentFlags().Lookup("cmsnr-tag"))
 
 	rootCmd.PersistentPreRunE = func(cmd *cobra.Command, args []string) error {
 		if err := setLogLevel(v); err != nil {

diff --git a/pkg/deployment/deployment.go b/pkg/deployment/deployment.go
@@ -16,9 +16,11 @@ type Deployment struct {
 	Port       int
 	Version    string
 	Registry   string
+	OpaTag     string
+	CmsnrTag   string
 }
 
-func NewDeployment(name, namespace, registry, serverType, secretName string, port int, version string) *appsv1.Deployment {
+func NewDeployment(name, namespace, registry, serverType, secretName string, port int, version, cmsnrtag, opatag string) *appsv1.Deployment {
 	dep := Deployment{
 		Name:       name,
 		Namespace:  namespace,
@@ -27,6 +29,8 @@ func NewDeployment(name, namespace, registry, serverType, secretName string, por
 		Port:       port,
 		Version:    version,
 		Registry:   registry,
+		CmsnrTag:   cmsnrtag,
+		OpaTag:     opatag,
 	}
 
 	return dep.newDeployment()
@@ -68,7 +72,7 @@ func (d *Deployment) getTemplate() corev1.PodTemplateSpec {
 					Image:           fmt.Sprintf("%s/cmsnr:%s", d.Registry, d.Version),
 					ImagePullPolicy: "Always",
 					Name:            d.Name,
-					Args:            []string{"server", "start", fmt.Sprintf("--registry=%s", d.Registry), d.ServerType, fmt.Sprintf("-n=%s", d.Namespace)},
+					Args:            []string{"server", "start", fmt.Sprintf("--registry=%s", d.Registry), fmt.Sprintf("--opa-tag=%s", d.OpaTag), fmt.Sprintf("--cmsnr-tag=%s", d.CmsnrTag), d.ServerType, fmt.Sprintf("-n=%s", d.Namespace)},
 					Ports: []corev1.ContainerPort{
 						{
 							Name:          "https",

diff --git a/pkg/server/injector.go b/pkg/server/injector.go
@@ -19,23 +19,25 @@ type Config struct {
 type SidecarInjector struct {
 	Namespace string
 	Registry  string
+	OPATag    string
+	CmsnrTag  string
 	Client    client.Client
 	decoder   *admission.Decoder
 }
 
-func getContainers(namespace, depName, registry string) []corev1.Container {
+func (s *SidecarInjector) getContainers(depName string) []corev1.Container {
 	return []corev1.Container{
 		{
 			Name:            "opa",
-			Image:           "openpolicyagent/opa:latest-static",
+			Image:           fmt.Sprintf("openpolicyagent/opa:%s", s.OPATag),
 			ImagePullPolicy: corev1.PullPolicy("IfNotPresent"),
 			Args:            []string{"run", "--server"},
 		},
 		{
 			Name:            "cmsnr-client",
-			Image:           fmt.Sprintf("%s/cmsnr:latest", registry),
+			Image:           fmt.Sprintf("%s/cmsnr:%s", s.Registry, s.CmsnrTag),
 			ImagePullPolicy: corev1.PullPolicy("IfNotPresent"),
-			Args:            []string{"opa", "watch", fmt.Sprintf("-d=%s", depName), fmt.Sprintf("-n=%s", namespace)},
+			Args:            []string{"opa", "watch", fmt.Sprintf("-d=%s", depName), fmt.Sprintf("-n=%s", s.Namespace)},
 		},
 	}
 }
@@ -63,7 +65,7 @@ func (s *SidecarInjector) Handle(ctx context.Context, r admission.Request) admis
 
 	if checkInject(pod) {
 		log.Infof("Injecting sidecar for %s", pod.Name)
-		pod.Spec.Containers = append(pod.Spec.Containers, getContainers(s.Namespace, pod.Annotations["cmsnr.com/deploymentName"], s.Registry)...)
+		pod.Spec.Containers = append(pod.Spec.Containers, s.getContainers(pod.Annotations["cmsnr.com/deploymentName"])...)
 		if pod.Spec.ServiceAccountName == "default" {
 			log.Info("no service account defined, adding cmsnr account")
 			pod.Spec.ServiceAccountName = "cmsnr"