{"id":47209890,"url":"https://github.com/tamcore/imagepullsecret-patcher","last_synced_at":"2026-03-13T15:41:50.537Z","repository":{"id":332280638,"uuid":"788006802","full_name":"tamcore/imagepullsecret-patcher","owner":"tamcore","description":null,"archived":false,"fork":false,"pushed_at":"2026-03-04T12:25:22.000Z","size":325,"stargazers_count":0,"open_issues_count":3,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2026-03-04T19:39:30.686Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/tamcore.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2024-04-17T15:46:18.000Z","updated_at":"2026-03-02T18:33:10.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/tamcore/imagepullsecret-patcher","commit_stats":null,"previous_names":["tamcore/imagepullsecret-patcher"],"tags_count":14,"template":false,"template_full_name":null,"purl":"pkg:github/tamcore/imagepullsecret-patcher","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tamcore%2Fimagepullsecret-patcher","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tamcore%2Fimagepullsecret-patcher/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tamcore%2Fimagepullsecret-patcher/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tamcore%2Fimagepullsecret-patcher/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/tamcore","download_url":"https://codeload.github.com/tamcore/imagepullsecret-patcher/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tamcore%2Fimagepullsecret-patcher/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30469337,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-13T11:00:43.441Z","status":"ssl_error","status_checked_at":"2026-03-13T11:00:23.173Z","response_time":60,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-03-13T15:41:49.857Z","updated_at":"2026-03-13T15:41:50.525Z","avatar_url":"https://github.com/tamcore.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# imagepullsecret-patcher\n\n[![Build Status](https://img.shields.io/github/actions/workflow/status/tamcore/imagepullsecret-patcher/ci.yaml?branch=master\u0026label=ci\u0026logo=github\u0026style=flat-square)](https://github.com/tamcore/imagepullsecret-patcher/actions?workflow=Go)\n[![Go Report Card](https://goreportcard.com/badge/github.com/tamcore/imagepullsecret-patcher)](https://goreportcard.com/report/github.com/tamcore/imagepullsecret-patcher)\n![Codecov](https://img.shields.io/codecov/c/github/tamcore/imagepullsecret-patcher)\n![GitHub tag (latest SemVer)](https://img.shields.io/github/v/tag/tamcore/imagepullsecret-patcher)\n![GitHub issues](https://img.shields.io/github/issues/tamcore/imagepullsecret-patcher)\n\nA simple Kubernetes controller, that creates and reconciles imagePullSecrets and attaches them to ServiceAccounts in all namespaces, to allow authenticated access to a private container registry.\n\n## Installation and configuration\n\nA helm chart is available in the [deploy](deploy/helm) directory.\n\n```shell\n# fetch chart version\nskopeo list-tags docker://ghcr.io/tamcore/charts/imagepullsecret-patcher\n# or\ncrane ls ghcr.io/tamcore/charts/imagepullsecret-patcher\n\n# deploy\nhelm upgrade --install \\\n    imagepullsecret-patcher \\\n    oci://ghcr.io/tamcore/charts/imagepullsecret-patcher \\\n    --version ${CHART_VERSION} \\\n    --namespace ${NAMESPACE}\n```\n\nAvailable configuration options are\n\n| Config name          | ENV                         | Command flag          | Default value          | Description                                                                                                                                                  |\n| -------------------- | --------------------------- | --------------------- | -----------------------| -------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| debug                | CONFIG_DEBUG                | -debug                | false                  | show DEBUG logs                                                                                                                                              |\n| serviceaccounts      | CONFIG_SERVICEACCOUNTS      | -serviceaccounts      | \"default\"              | comma-separated list of ServiceAccounts to reconcile                                                                                                             |\n| dockerconfigjson     | CONFIG_DOCKERCONFIGJSON     | -dockerconfigjson     | \"\"                     | json credentials for authenticating to container registry                                                                                                        |\n| dockerconfigjsonpath | CONFIG_DOCKERCONFIGJSONPATH | -dockerconfigjsonpath | \"\"                     | absolute path to mounted json credentials                                                                                              |\n| secret name          | CONFIG_SECRETNAME           | -secretname           | \"global-imagepullsecret\"    | name of managed secrets                                                                                                                                      |\n| excluded namespaces  | CONFIG_EXCLUDED_NAMESPACES  | -excluded-namespaces  | \"kube-*\"                     | comma-separated namespaces excluded from processing                                                                                                          |\nAnd here are the annotations available:\n\n| Annotation                                        | Object    | Description                                                                                                       |\n| ------------------------------------------------- | --------- | ----------------------------------------------------------------------------------------------------------------- |\n| pborn.eu/imagepullsecret-patcher-exclude | namespace, secret | If this annotation is set to `true`, the object is excluded from reconciling. |\n\n## Providing credentials\n\nThe desired credentials (or to be more specific, contents of the `.dockerconfigjson`) can be provided in 2 ways.\n\nEither by passing the environment variable `CONFIG_DOCKERCONFIGJSON` containing the raw json, or `CONFIG_DOCKERCONFIGJSONPATH` pointing to the path, where the controller can access the provided credentials from a file. For example from a Secret that has been mounted into the Pod.\n\nThe 2nd option also has the advantage, that mounted secrets can be dynamically updated. Therefore it is not required to restart the controller, when the secret is updated.\n\n## Why\n\nTo deploy images from a private container registry, we have to provide Kubernetes with credentials to pull them. This is done by providing so called imagePullSecrets.\n\nThey're either attached to a\n- `Pod`'s definition (https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod)\n\nThis is done manually by executing the command for each namespace (kubectl create secret..) and each ServiceAccount in it (kubectl patch..)\n\n```\nkubectl create secret docker-registry image-pull-secret \\\n  -n \u003cyour-namespace\u003e \\\n  --docker-server=\u003cyour-registry-server\u003e \\\n  --docker-username=\u003cyour-name\u003e \\\n  --docker-password=\u003cyour-pword\u003e \\\n  --docker-email=\u003cyour-email\u003e\n\nkubectl patch serviceaccount default \\\n  -p \"{\\\"imagePullSecrets\\\": [{\\\"name\\\": \\\"image-pull-secret\\\"}]}\" \\\n  -n \u003cyour-namespace\u003e\n```\n\nor.. we could automate with a small controller like this imagepullsecret-patcher.\n\nUsing the imagepullsecret-patcher also has the advantage, that deployments via ArgoCD for example are automatically caught and newly created ServiceAccounts are automatically patched, as the controller issues a WATCH on ServiceAccount resources and therefore is notified by Kubernetes, if something changes. The same goes for unwanted changes to managed Secrets. That way we can ensure they're not tampered with and always match our source.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftamcore%2Fimagepullsecret-patcher","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftamcore%2Fimagepullsecret-patcher","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftamcore%2Fimagepullsecret-patcher/lists"}