Adding pull secrets to service accounts in OpenShift automatically


In our project we use Openshift with an external image registry. (Artifactory)

To make that work I need to make sure that every service account contains the corresponding pull secret.

Especially when operators (like strimzi) create service accounts on their own, that's tricky.

Openshift already automatically adds secrets to any new service account. (e.g. to access the internal registry.)

Is it possible to tell Openshift to also add the credentials for Artifactory automatically?

Looks like the UI offers a way to configure a "Default Pull Secret" which seems to fit exactly that situation. Unfortunately I don't see any effect in setting that. What exactly should it do?

[screenshot: configuration in UI]

Looks like the code for that is here. (But I don't know jsx well enough to understand what exactly it is doing.)

2

There are 2 best solutions below

1
coderanger On

More often you would do this for each pod rather than each service account, but the answer is the same either way: write a mutating admission webhook. Or use an existing one that does the same thing, for example https://github.com/jainishshah17/tugger
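To make the mutating-webhook approach concrete, here is an added example (not part of the answer above or of tugger) of the core of such a webhook: the handler that turns an AdmissionReview for a ServiceAccount into a JSON Patch adding a pull secret. The secret name `artifactory-pull`, the namespace, the ServiceAccount name and the request UID are constructed for the example; the TLS server around this function is omitted.

```python
import base64
import json

# Constructed sample: the AdmissionReview the API server would send when an
# operator (Strimzi, as in the question) creates a ServiceAccount. Made-up names.
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "0f1e2d3c-constructed-uid",
        "kind": {"group": "", "version": "v1", "kind": "ServiceAccount"},
        "operation": "CREATE",
        "namespace": "kafka",
        "object": {"metadata": {"name": "strimzi-cluster-operator", "namespace": "kafka"},
                   "imagePullSecrets": [{"name": "default-dockercfg-x7k2q"}]},
    },
}

def patch_ops(service_account, secret_name):
    """JSON Patch ops that make `secret_name` appear in imagePullSecrets.
    Returns [] when it is already there, so re-invocation is idempotent."""
    existing = service_account.get("imagePullSecrets") or []
    if any(ref.get("name") == secret_name for ref in existing):
        return []
    if not existing:
        # Field missing or empty: create the whole list in one operation.
        return [{"op": "add", "path": "/imagePullSecrets",
                 "value": [{"name": secret_name}]}]
    # Field present: append ("-" = end of array) so existing entries survive.
    return [{"op": "add", "path": "/imagePullSecrets/-",
             "value": {"name": secret_name}}]

def mutate(admission_review, secret_name):
    """Build the AdmissionReview response; non-ServiceAccount requests pass through."""
    req = admission_review["request"]
    response = {"uid": req["uid"], "allowed": True}
    if (req.get("kind", {}).get("kind") == "ServiceAccount"
            and req.get("operation") in ("CREATE", "UPDATE")):
        ops = patch_ops(req.get("object") or {}, secret_name)
        if ops:
            response["patchType"] = "JSONPatch"
            response["patch"] = base64.b64encode(json.dumps(ops).encode()).decode()
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}

def decoded_patch(review_response):
    """Decode the base64 JSON Patch from a response (empty list if none)."""
    patch = review_response["response"].get("patch")
    return json.loads(base64.b64decode(patch)) if patch else []
```

Register it with a MutatingWebhookConfiguration scoped to `serviceaccounts` CREATE/UPDATE; the idempotency check matters because OpenShift's own controllers update new ServiceAccounts after creation, which re-triggers the webhook.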

5
Simon On

There are multiple options to solve this in OpenShift, each on a different level:

  • Cluster-level
  • Project (namespace) level
  • Different for each project

Most of these will need to be configured by your OpenShift administrator.

First possibility is to define a global cluster pull secret which is described in the documentation and will be applied to all namespaces / projects:

$ oc set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson=<pull-secret-location>

As an alternative, you can also add a default pull secret to each new project by using the "new project template" feature: https://docs.openshift.com/container-platform/4.6/applications/projects/configuring-project-creation.html#modifying-template-for-new-projects_configuring-project-creation

As a cluster administrator, you can modify the default project template so that new projects are created using your custom requirements.

So your OpenShift Administrator needs to edit the new project template to add a Secret and ServiceAccount that are automatically created for each new project:

- apiVersion: v1
  kind: Secret
  metadata:
    name: my-default-secret
  data:
    .dockercfg: <Output of "cat .dockercfg | base64">
- apiVersion: v1
  kind: ServiceAccount
  metadata:
    name: my-serviceaccount
  imagePullSecrets:
  - name: my-default-secret

If you require different pull secrets per project then you'll need to do it via some other functionality (templates, kustomize, ...).