feat: support generic secret in docker auth

e2e/deploy/vault/vault.yaml

@@ -146,6 +146,11 @@ spec:
           data:
             DOCKER_REPO_USER: dockerrepouser
             DOCKER_REPO_PASSWORD: dockerrepopassword
+            DOCKER_REPO_JSON_KEY: |
+              _json_key: {
+                "type": "service_account",
+                "project_id": "test"
+              }
       - type: kv
         path: secret/data/mysql
         data:

e2e/test/secret-docker-json-key.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: test-secret-docker-json-key
+  annotations:
+    vault.security.banzaicloud.io/vault-addr: "https://vault.default.svc.cluster.local:8200"
+    vault.security.banzaicloud.io/vault-role: "default"
+    vault.security.banzaicloud.io/vault-tls-secret: vault-tls
+    # vault.security.banzaicloud.io/vault-skip-verify: "true"
+    vault.security.banzaicloud.io/vault-path: "kubernetes"
+type: kubernetes.io/dockerconfigjson
+stringData:
+  .dockerconfigjson: |
+    {
+        "auths": {
+            "https://index.docker.io/v1/": {
+                "auth": "dmF1bHQ6c2VjcmV0L2RhdGEvZG9ja2VycmVwbyNET0NLRVJfUkVQT19KU09OX0tFWQ=="
+            }
+        }
+    }

e2e/webhook_test.go

@@ -81,14 +81,62 @@ func TestSecretValueInjection(t *testing.T) {
 			err = json.Unmarshal(secret.Data[".dockerconfigjson"], &dockerconfigjson)
 			require.NoError(t, err)
 
+			dockerrepoauth := base64.StdEncoding.EncodeToString([]byte("dockerrepouser:dockerrepopassword"))
 			assert.Equal(t, "dockerrepouser", dockerconfigjson.Auths.V1.Username)
 			assert.Equal(t, "dockerrepopassword", dockerconfigjson.Auths.V1.Password)
+			assert.Equal(t, dockerrepoauth, dockerconfigjson.Auths.V1.Auth)
 			assert.Equal(t, "Inline: secretId AWS_ACCESS_KEY_ID", string(secret.Data["inline"]))
 
 			return ctx
 		}).
 		Feature()
 
+	secretDockerJsonKey := applyResource(features.New("secret"), "secret-docker-json-key.yaml").
+		Assess("object created", func(ctx context.Context, t *testing.T, cfg *envconf.Config) context.Context {
+			secrets := &v1.SecretList{
+				Items: []v1.Secret{
+					{
+						ObjectMeta: metav1.ObjectMeta{Name: "test-secret-docker-json-key", Namespace: cfg.Namespace()},
+					},
+				},
+			}
+
+			// wait for the secret to become available
+			err := wait.For(conditions.New(cfg.Client().Resources()).ResourcesFound(secrets), wait.WithTimeout(1*time.Minute))
+			require.NoError(t, err)
+
+			return ctx
+		}).
+		Assess("secret values are injected", func(ctx context.Context, t *testing.T, cfg *envconf.Config) context.Context {
+			var secret v1.Secret
+
+			err := cfg.Client().Resources(cfg.Namespace()).Get(ctx, "test-secret-docker-json-key", cfg.Namespace(), &secret)
+			require.NoError(t, err)
+
+			type v1 struct {
+				Auth string `json:"auth"`
+			}
+
+			type auths struct {
+				V1 v1 `json:"https://index.docker.io/v1/"`
+			}
+
+			type dockerconfig struct {
+				Auths auths `json:"auths"`
+			}
+
+			var dockerconfigjson dockerconfig
+
+			err = json.Unmarshal(secret.Data[".dockerconfigjson"], &dockerconfigjson)
+			require.NoError(t, err)
+
+			dockerrepoauth := base64.StdEncoding.EncodeToString([]byte("_json_key: {\n  \"type\": \"service_account\",\n  \"project_id\": \"test\"\n}\n"))
+			assert.Equal(t, dockerrepoauth, dockerconfigjson.Auths.V1.Auth)
+
+			return ctx
+		}).
+		Feature()
+
 	configMap := applyResource(features.New("configmap"), "configmap.yaml").
 		Assess("object created", func(ctx context.Context, t *testing.T, cfg *envconf.Config) context.Context {
 			configMaps := &v1.ConfigMapList{
@@ -120,7 +168,7 @@ func TestSecretValueInjection(t *testing.T) {
 		}).
 		Feature()
 
-	testenv.Test(t, secret, configMap)
+	testenv.Test(t, secret, secretDockerJsonKey, configMap)
 }
 
 func TestPodMutation(t *testing.T) {

pkg/webhook/secret.go

@@ -138,30 +138,42 @@ func (mw *MutatingWebhook) mutateDockerCreds(secret *corev1.Secret, dc *dockerCr
 		auth := string(authBytes)
 		if common.HasVaultPrefix(auth) {
 			split := strings.Split(auth, ":")
-			if len(split) != 4 {
-				return errors.New("splitting auth credentials failed")
-			}
-			username := fmt.Sprintf("%s:%s", split[0], split[1])
-			password := fmt.Sprintf("%s:%s", split[2], split[3])
+			if len(split) == 4 {
+				username := fmt.Sprintf("%s:%s", split[0], split[1])
+				password := fmt.Sprintf("%s:%s", split[2], split[3])
 
-			credentialData := map[string]string{
-				"username": username,
-				"password": password,
-			}
+				credentialData := map[string]string{
+					"username": username,
+					"password": password,
+				}
 
-			dcCreds, err := secretInjector.GetDataFromVault(credentialData)
-			if err != nil {
-				return err
-			}
-			auth = fmt.Sprintf("%s:%s", dcCreds["username"], dcCreds["password"])
-			dockerAuth := dockerAuthConfig{
-				Auth: base64.StdEncoding.EncodeToString([]byte(auth)),
-			}
-			if creds.Username != "" && creds.Password != "" {
-				dockerAuth.Username = dcCreds["username"]
-				dockerAuth.Password = dcCreds["password"]
+				dcCreds, err := secretInjector.GetDataFromVault(credentialData)
+				if err != nil {
+					return err
+				}
+				auth = fmt.Sprintf("%s:%s", dcCreds["username"], dcCreds["password"])
+				dockerAuth := dockerAuthConfig{
+					Auth: base64.StdEncoding.EncodeToString([]byte(auth)),
+				}
+				if creds.Username != "" && creds.Password != "" {
+					dockerAuth.Username = dcCreds["username"]
+					dockerAuth.Password = dcCreds["password"]
+				}
+				assembled.Auths[key] = dockerAuth
+			} else {
+				credentialData := map[string]string{
+					"auth": auth,
+				}
+
+				dcCreds, err := secretInjector.GetDataFromVault(credentialData)
+				if err != nil {
+					return err
+				}
+				dockerAuth := dockerAuthConfig{
+					Auth: base64.StdEncoding.EncodeToString([]byte(dcCreds["auth"])),
+				}
+				assembled.Auths[key] = dockerAuth
 			}
-			assembled.Auths[key] = dockerAuth
 		}
 	}