Skip to content

Commit

Permalink
allow for the image url changing for an existing wasmplugin or extent…
Browse files Browse the repository at this point in the history
…ionpolicy

Signed-off-by: craig <[email protected]>

rh-pre-commit.version: 2.2.0
rh-pre-commit.check-secrets: ENABLED
  • Loading branch information
maleck13 committed Dec 18, 2024
1 parent 116d618 commit 7ad031b
Show file tree
Hide file tree
Showing 4 changed files with 78 additions and 30 deletions.
2 changes: 1 addition & 1 deletion controllers/data_plane_policies_workflow.go
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ const (
var (
WASMFilterImageURL = env.GetString("RELATED_IMAGE_WASMSHIM", "oci://quay.io/kuadrant/wasm-shim:latest")
// protectedRegistry this defines a default protected registry. If this is in the wasm image URL we add a pull secret name to the WASMPLugin resource
ProtectedRegistry = env.GetString("PROTECTED_REGISTRY", "registry.redhat.com")
ProtectedRegistry = env.GetString("PROTECTED_REGISTRY", "registry.redhat.io")

// registryPullSecretName this is the pull secret name we will add to the WASMPlugin if the URL for he image is from the defined PROTECTED_REGISTRY
RegistryPullSecretName = "wasm-plugin-pull-secret"
Expand Down
16 changes: 10 additions & 6 deletions controllers/envoy_gateway_extension_reconciler.go
Original file line number Diff line number Diff line change
Expand Up @@ -79,7 +79,7 @@ func (r *EnvoyGatewayExtensionReconciler) Reconcile(ctx context.Context, _ []con

for _, gateway := range gateways {
gatewayKey := k8stypes.NamespacedName{Name: gateway.GetName(), Namespace: gateway.GetNamespace()}
desiredEnvoyExtensionPolicy := buildEnvoyExtensionPolicyForGateway(gateway, wasmConfigs[gateway.GetLocator()], ProtectedRegistry)
desiredEnvoyExtensionPolicy := buildEnvoyExtensionPolicyForGateway(gateway, wasmConfigs[gateway.GetLocator()], ProtectedRegistry, WASMFilterImageURL)

resource := r.client.Resource(kuadrantenvoygateway.EnvoyExtensionPoliciesResource).Namespace(desiredEnvoyExtensionPolicy.GetNamespace())

Expand Down Expand Up @@ -218,7 +218,7 @@ func (r *EnvoyGatewayExtensionReconciler) buildWasmConfigs(ctx context.Context,
}

// buildEnvoyExtensionPolicyForGateway builds a desired EnvoyExtensionPolicy custom resource for a given gateway and corresponding wasm config
func buildEnvoyExtensionPolicyForGateway(gateway *machinery.Gateway, wasmConfig wasm.Config, protectedRegistry string) *envoygatewayv1alpha1.EnvoyExtensionPolicy {
func buildEnvoyExtensionPolicyForGateway(gateway *machinery.Gateway, wasmConfig wasm.Config, protectedRegistry, imageURL string) *envoygatewayv1alpha1.EnvoyExtensionPolicy {
envoyPolicy := &envoygatewayv1alpha1.EnvoyExtensionPolicy{
TypeMeta: metav1.TypeMeta{
Kind: kuadrantenvoygateway.EnvoyExtensionPolicyGroupKind.Kind,
Expand Down Expand Up @@ -258,7 +258,7 @@ func buildEnvoyExtensionPolicyForGateway(gateway *machinery.Gateway, wasmConfig
Code: envoygatewayv1alpha1.WasmCodeSource{
Type: envoygatewayv1alpha1.ImageWasmCodeSourceType,
Image: &envoygatewayv1alpha1.ImageWasmCodeSource{
URL: WASMFilterImageURL,
URL: imageURL,
},
},
Config: nil,
Expand All @@ -270,9 +270,13 @@ func buildEnvoyExtensionPolicyForGateway(gateway *machinery.Gateway, wasmConfig
},
},
}

if protectedRegistry != "" && strings.Contains(WASMFilterImageURL, protectedRegistry) {
for _, wasm := range envoyPolicy.Spec.Wasm {
for _, wasm := range envoyPolicy.Spec.Wasm {
if wasm.Code.Image.PullSecretRef != nil {
//reset it to empty this will remove it if the image is now public registry
wasm.Code.Image.PullSecretRef = nil
}

Check warning on line 277 in controllers/envoy_gateway_extension_reconciler.go

View check run for this annotation

Codecov / codecov/patch

controllers/envoy_gateway_extension_reconciler.go#L275-L277

Added lines #L275 - L277 were not covered by tests
// if we are in a protected registry set the object
if protectedRegistry != "" && strings.Contains(imageURL, protectedRegistry) {
wasm.Code.Image.PullSecretRef = &gwapiv1b1.SecretObjectReference{Name: v1.ObjectName(RegistryPullSecretName)}
}
}
Expand Down
78 changes: 60 additions & 18 deletions controllers/extenstion_reconciler_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -38,14 +38,15 @@ var (
func Test_buildIstioWasmPluginForGateway(t *testing.T) {
testCases := []struct {
Name string
setWASMImageURL func()
WASMImageURLS func() []string
ProtectedRegistryPrefix string
Assert func(t *testing.T, plugin *istioclientgoextensionv1alpha1.WasmPlugin)
}{
{
Name: "ensure image pull secret is set in wasmPlugin for protected registry",
setWASMImageURL: func() {
WASMFilterImageURL = protectedRegImage
WASMImageURLS: func() []string {
// note currently this is a package global
return []string{protectedRegImage}
},
ProtectedRegistryPrefix: registry,
Assert: func(t *testing.T, plugin *istioclientgoextensionv1alpha1.WasmPlugin) {
Expand All @@ -59,25 +60,44 @@ func Test_buildIstioWasmPluginForGateway(t *testing.T) {
},
{
Name: "ensure image pull secret is NOT set in wasmPlugin for unprotected registry",
setWASMImageURL: func() {
WASMFilterImageURL = defaultWasmImage
WASMImageURLS: func() []string {
return []string{WASMFilterImageURL}
},
Assert: func(t *testing.T, plugin *istioclientgoextensionv1alpha1.WasmPlugin) {
if plugin == nil {
t.Fatalf("Expected a wasmplugin")
}
if plugin.Spec.ImagePullSecret != "" {
t.Fatalf("Expected wasm plugin to have not imagePullSecret %s", plugin.Spec.ImagePullSecret)
t.Fatalf("Expected wasm plugin to NOT have imagePullSecret %v", plugin.Spec.ImagePullSecret)
}
},
},
{
Name: "ensure image pull secret is set in wasmPlugin for protected registry and unset for unprotected registry",
WASMImageURLS: func() []string {
return []string{ProtectedRegistry, WASMFilterImageURL}
},
Assert: func(t *testing.T, plugin *istioclientgoextensionv1alpha1.WasmPlugin) {
if plugin == nil {
t.Fatalf("Expected a wasmplugin")
}
if plugin.Spec.Url == protectedRegImage && plugin.Spec.ImagePullSecret == "" {
t.Fatalf("Expected wasm plugin to have imagePullSecret set but got none")
}
if plugin.Spec.Url == WASMFilterImageURL && plugin.Spec.ImagePullSecret != "" {
t.Fatalf("Expected wasm plugin to not have imagePullSecret set but got %v", plugin.Spec.ImagePullSecret)
}
},
},
}

for _, testCase := range testCases {
t.Run(testCase.Name, func(t *testing.T) {
testCase.setWASMImageURL()
plugin := buildIstioWasmPluginForGateway(testGateway, testWasmConfig, testCase.ProtectedRegistryPrefix)
testCase.Assert(t, plugin)
images := testCase.WASMImageURLS()
for _, image := range images {
plugin := buildIstioWasmPluginForGateway(testGateway, testWasmConfig, testCase.ProtectedRegistryPrefix, image)
testCase.Assert(t, plugin)
}
})
}

Expand All @@ -86,14 +106,14 @@ func Test_buildIstioWasmPluginForGateway(t *testing.T) {
func Test_buildEnvoyExtensionPolicyForGateway(t *testing.T) {
testCases := []struct {
Name string
setWASMImageURL func()
WASMImageURLS func() []string
ProtectedRegistryPrefix string
Assert func(t *testing.T, policy *envoygatewayv1alpha1.EnvoyExtensionPolicy)
}{
{
Name: "ensure image pull secret is set in ExtensionPolicy for protected registry",
setWASMImageURL: func() {
WASMFilterImageURL = protectedRegImage
WASMImageURLS: func() []string {
return []string{protectedRegImage}
},
ProtectedRegistryPrefix: registry,
Assert: func(t *testing.T, policy *envoygatewayv1alpha1.EnvoyExtensionPolicy) {
Expand All @@ -102,7 +122,7 @@ func Test_buildEnvoyExtensionPolicyForGateway(t *testing.T) {
}
for _, w := range policy.Spec.Wasm {
if w.Code.Image.PullSecretRef == nil {
t.Fatalf("Expected extension to have imagePullSecret %s but no pullSecretRef", RegistryPullSecretName)
t.Fatalf("Expected extension to have imagePullSecret %v but no pullSecretRef", RegistryPullSecretName)
}
if w.Code.Image.PullSecretRef.Name != v1.ObjectName(RegistryPullSecretName) {
t.Fatalf("expected the pull secret name to be %s but got %v", RegistryPullSecretName, w.Code.Image.PullSecretRef.Name)
Expand All @@ -112,8 +132,8 @@ func Test_buildEnvoyExtensionPolicyForGateway(t *testing.T) {
},
{
Name: "ensure image pull secret is NOT set in wasmPlugin for unprotected registry",
setWASMImageURL: func() {
WASMFilterImageURL = defaultWasmImage
WASMImageURLS: func() []string {
return []string{defaultWasmImage}
},
Assert: func(t *testing.T, policy *envoygatewayv1alpha1.EnvoyExtensionPolicy) {
if policy == nil {
Expand All @@ -126,11 +146,33 @@ func Test_buildEnvoyExtensionPolicyForGateway(t *testing.T) {
}
},
},
{
Name: "ensure image pull secret is set in extension for protected registry and unset for unprotected registry",
WASMImageURLS: func() []string {
return []string{ProtectedRegistry, WASMFilterImageURL}
},
Assert: func(t *testing.T, policy *envoygatewayv1alpha1.EnvoyExtensionPolicy) {
if policy == nil {
t.Fatalf("Expected a wasmplugin")
}
for _, w := range policy.Spec.Wasm {
if w.Code.Image.PullSecretRef == nil && w.Code.Image.URL == protectedRegImage {
t.Fatalf("Expected policy to have imagePullSecret set but got none")
}
if w.Code.Image.PullSecretRef != nil && w.Code.Image.URL == WASMFilterImageURL {
t.Fatalf("Expected policy to not have imagePullSecret set but got %v", w.Code.Image.PullSecretRef)
}
}

},
},
}

for _, testCase := range testCases {
testCase.setWASMImageURL()
policy := buildEnvoyExtensionPolicyForGateway(testGateway, testWasmConfig, testCase.ProtectedRegistryPrefix)
testCase.Assert(t, policy)
images := testCase.WASMImageURLS()
for _, image := range images {
policy := buildEnvoyExtensionPolicyForGateway(testGateway, testWasmConfig, testCase.ProtectedRegistryPrefix, image)
testCase.Assert(t, policy)
}
}
}
12 changes: 7 additions & 5 deletions controllers/istio_extension_reconciler.go
Original file line number Diff line number Diff line change
Expand Up @@ -79,7 +79,7 @@ func (r *IstioExtensionReconciler) Reconcile(ctx context.Context, _ []controller
for _, gateway := range gateways {
gatewayKey := k8stypes.NamespacedName{Name: gateway.GetName(), Namespace: gateway.GetNamespace()}

desiredWasmPlugin := buildIstioWasmPluginForGateway(gateway, wasmConfigs[gateway.GetLocator()], ProtectedRegistry)
desiredWasmPlugin := buildIstioWasmPluginForGateway(gateway, wasmConfigs[gateway.GetLocator()], ProtectedRegistry, WASMFilterImageURL)

resource := r.client.Resource(kuadrantistio.WasmPluginsResource).Namespace(desiredWasmPlugin.GetNamespace())

Expand Down Expand Up @@ -229,7 +229,7 @@ func hasAuthAccess(actionSet []wasm.Action) bool {
}

// buildIstioWasmPluginForGateway builds a desired WasmPlugin custom resource for a given gateway and corresponding wasm config
func buildIstioWasmPluginForGateway(gateway *machinery.Gateway, wasmConfig wasm.Config, protectedRegistry string) *istioclientgoextensionv1alpha1.WasmPlugin {
func buildIstioWasmPluginForGateway(gateway *machinery.Gateway, wasmConfig wasm.Config, protectedRegistry, imageURL string) *istioclientgoextensionv1alpha1.WasmPlugin {
wasmPlugin := &istioclientgoextensionv1alpha1.WasmPlugin{
TypeMeta: metav1.TypeMeta{
Kind: kuadrantistio.WasmPluginGroupKind.Kind,
Expand Down Expand Up @@ -258,13 +258,15 @@ func buildIstioWasmPluginForGateway(gateway *machinery.Gateway, wasmConfig wasm.
Name: gateway.GetName(),
},
},
Url: WASMFilterImageURL,
Url: imageURL,
PluginConfig: nil,
Phase: istioextensionsv1alpha1.PluginPhase_STATS, // insert the plugin before Istio stats filters and after Istio authorization filters.
},
}

if protectedRegistry != "" && strings.Contains(WASMFilterImageURL, protectedRegistry) {
// reset to empty to allow fo the image having moved to a public registry
wasmPlugin.Spec.ImagePullSecret = ""
// only set to pull secret if we are in a protected registry
if protectedRegistry != "" && strings.Contains(imageURL, protectedRegistry) {
wasmPlugin.Spec.ImagePullSecret = RegistryPullSecretName
}

Expand Down

0 comments on commit 7ad031b

Please sign in to comment.