-
Notifications
You must be signed in to change notification settings - Fork 31
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
✨ Add SecretSyncer controller to save pull secret data locally #425
base: main
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,111 @@ | ||
/* | ||
Copyright 2024. | ||
|
||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
|
||
http://www.apache.org/licenses/LICENSE-2.0 | ||
|
||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
package core | ||
|
||
import ( | ||
"context" | ||
"fmt" | ||
"os" | ||
|
||
"github.com/go-logr/logr" | ||
|
||
Check failure on line 25 in internal/controllers/core/secretsyncer_controller.go GitHub Actions / lint
|
||
corev1 "k8s.io/api/core/v1" | ||
apierrors "k8s.io/apimachinery/pkg/api/errors" | ||
"k8s.io/apimachinery/pkg/types" | ||
|
||
ctrl "sigs.k8s.io/controller-runtime" | ||
"sigs.k8s.io/controller-runtime/pkg/client" | ||
"sigs.k8s.io/controller-runtime/pkg/log" | ||
"sigs.k8s.io/controller-runtime/pkg/predicate" | ||
) | ||
|
||
// SecretSyncerReconciler reconciles a specific secret object | ||
type SecretSyncerReconciler struct { | ||
client.Client | ||
SecretKey types.NamespacedName | ||
AuthFilePath string | ||
} | ||
|
||
func (r *SecretSyncerReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) { | ||
logger := log.FromContext(ctx) | ||
if req.Name != r.SecretKey.Name || req.Namespace != r.SecretKey.Namespace { | ||
logger.Error(fmt.Errorf("received unexpected request for Secret %v/%v", req.Namespace, req.Name), "reconciliation error") | ||
return ctrl.Result{}, nil | ||
} | ||
|
||
secret := &corev1.Secret{} | ||
err := r.Get(ctx, req.NamespacedName, secret) | ||
if err != nil { | ||
if apierrors.IsNotFound(err) { | ||
logger.Info("secret not found") | ||
return r.deleteSecretFile(logger) | ||
} | ||
logger.Error(err, "failed to get Secret") | ||
return ctrl.Result{}, err | ||
} | ||
|
||
return r.writeSecretToFile(logger, secret) | ||
} | ||
|
||
// SetupWithManager sets up the controller with the Manager. | ||
func (r *SecretSyncerReconciler) SetupWithManager(mgr ctrl.Manager) error { | ||
_, err := ctrl.NewControllerManagedBy(mgr). | ||
For(&corev1.Secret{}). | ||
WithEventFilter(newSecretPredicate(r.SecretKey)). | ||
Build(r) | ||
|
||
return err | ||
} | ||
|
||
func newSecretPredicate(key types.NamespacedName) predicate.Predicate { | ||
return predicate.NewPredicateFuncs(func(obj client.Object) bool { | ||
return obj.GetName() == key.Name && obj.GetNamespace() == key.Namespace | ||
}) | ||
} | ||
|
||
// writeSecretToFile writes the secret data to the specified file | ||
func (r *SecretSyncerReconciler) writeSecretToFile(logger logr.Logger, secret *corev1.Secret) (ctrl.Result, error) { | ||
// image registry secrets are always stored with the key .dockerconfigjson | ||
// ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#registry-secret-existing-credentials | ||
dockerConfigJSON, ok := secret.Data[".dockerconfigjson"] | ||
if !ok { | ||
logger.Error(fmt.Errorf("expected secret.Data key not found"), "expected secret Data to contain key .dockerconfigjson") | ||
return ctrl.Result{}, nil | ||
} | ||
// expected format for auth.json | ||
// https://github.com/containers/image/blob/main/docs/containers-auth.json.5.md | ||
err := os.WriteFile(r.AuthFilePath, dockerConfigJSON, 0600) | ||
if err != nil { | ||
return ctrl.Result{}, fmt.Errorf("failed to write secret data to file: %w", err) | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. similar comment here as Sid's below re: revealing file location There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I removed the other ones, but I have the urge to keep this one. We'd want to see the specific error message for this when we get a must-gather (logs) for a bug report related to this. |
||
} | ||
logger.Info("saved global pull secret data locally") | ||
return ctrl.Result{}, nil | ||
} | ||
|
||
// deleteSecretFile deletes the auth file if the secret is deleted | ||
func (r *SecretSyncerReconciler) deleteSecretFile(logger logr.Logger) (ctrl.Result, error) { | ||
logger.Info("deleting local auth file", "file", r.AuthFilePath) | ||
if err := os.Remove(r.AuthFilePath); err != nil { | ||
if os.IsNotExist(err) { | ||
logger.Info("auth file does not exist, nothing to delete") | ||
return ctrl.Result{}, nil | ||
} | ||
return ctrl.Result{}, fmt.Errorf("failed to delete secret file: %w", err) | ||
} | ||
logger.Info("auth file deleted successfully") | ||
return ctrl.Result{}, nil | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,96 @@ | ||
package core | ||
|
||
import ( | ||
"context" | ||
"os" | ||
"path/filepath" | ||
"testing" | ||
|
||
Check failure on line 8 in internal/controllers/core/secretsyncer_controller_test.go GitHub Actions / lint
|
||
corev1 "k8s.io/api/core/v1" | ||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | ||
"k8s.io/apimachinery/pkg/types" | ||
ctrl "sigs.k8s.io/controller-runtime" | ||
"sigs.k8s.io/controller-runtime/pkg/client/fake" | ||
|
||
Check failure on line 14 in internal/controllers/core/secretsyncer_controller_test.go GitHub Actions / lint
|
||
"github.com/stretchr/testify/require" | ||
) | ||
|
||
func TestSecretSyncerReconciler(t *testing.T) { | ||
secretData := []byte(`{"auths":{"exampleRegistry": "exampledata"}}`) | ||
authFileName := "test-auth.json" | ||
for _, tt := range []struct { | ||
name string | ||
secret *corev1.Secret | ||
addSecret bool | ||
wantErr string | ||
fileShouldExistBefore bool | ||
fileShouldExistAfter bool | ||
}{ | ||
{ | ||
name: "secret exists, content gets saved to authFile", | ||
secret: &corev1.Secret{ | ||
ObjectMeta: metav1.ObjectMeta{ | ||
Name: "test-secret", | ||
Namespace: "test-secret-namespace", | ||
}, | ||
Data: map[string][]byte{ | ||
".dockerconfigjson": secretData, | ||
}, | ||
}, | ||
addSecret: true, | ||
fileShouldExistBefore: false, | ||
fileShouldExistAfter: true, | ||
}, | ||
{ | ||
name: "secret does not exist, file exists previously, file should get deleted", | ||
secret: &corev1.Secret{ | ||
ObjectMeta: metav1.ObjectMeta{ | ||
Name: "test-secret", | ||
Namespace: "test-secret-namespace", | ||
}, | ||
Data: map[string][]byte{ | ||
".dockerconfigjson": secretData, | ||
}, | ||
}, | ||
addSecret: false, | ||
fileShouldExistBefore: true, | ||
fileShouldExistAfter: false, | ||
}, | ||
} { | ||
t.Run(tt.name, func(t *testing.T) { | ||
ctx := context.Background() | ||
tempAuthFile := filepath.Join(t.TempDir(), authFileName) | ||
clientBuilder := fake.NewClientBuilder() | ||
if tt.addSecret { | ||
clientBuilder = clientBuilder.WithObjects(tt.secret) | ||
} | ||
cl := clientBuilder.Build() | ||
|
||
secretKey := types.NamespacedName{Namespace: tt.secret.Namespace, Name: tt.secret.Name} | ||
r := &SecretSyncerReconciler{ | ||
Client: cl, | ||
SecretKey: secretKey, | ||
AuthFilePath: tempAuthFile, | ||
} | ||
if tt.fileShouldExistBefore { | ||
err := os.WriteFile(tempAuthFile, secretData, 0600) | ||
require.NoError(t, err) | ||
} | ||
res, err := r.Reconcile(ctx, ctrl.Request{NamespacedName: secretKey}) | ||
if tt.wantErr == "" { | ||
require.NoError(t, err) | ||
} else { | ||
require.ErrorContains(t, err, tt.wantErr) | ||
} | ||
require.Equal(t, ctrl.Result{}, res) | ||
|
||
if tt.fileShouldExistAfter { | ||
_, err := os.Stat(tempAuthFile) | ||
require.NoError(t, err) | ||
} else { | ||
_, err := os.Stat(tempAuthFile) | ||
require.True(t, os.IsNotExist(err)) | ||
} | ||
}) | ||
} | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should this be a warn or error saying it will be unable to pull from pvt registries ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So there's no WARN for this particular logger we're using, only
Info
orError
. I don't think this needs to be an Error, especially since the function we're calling logs additional messages about the auth file being deleted.