draft accept wasm pull secret as env var

Signed-off-by: craig <[email protected]> rh-pre-commit.version: 2.2.0 rh-pre-commit.check-secrets: ENABLED
Kuadrant · Dec 17, 2024 · 9cef099 · 9cef099
1 parent 6195492
commit 9cef099
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 6 deletions.
diff --git a/controllers/data_plane_policies_workflow.go b/controllers/data_plane_policies_workflow.go
@@ -54,7 +54,7 @@ var (
 //+kubebuilder:rbac:groups=kuadrant.io,resources=ratelimitpolicies/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=kuadrant.io,resources=ratelimitpolicies/finalizers,verbs=update
 
-func NewDataPlanePoliciesWorkflow(client *dynamic.DynamicClient, isIstioInstalled, isEnvoyGatewayInstalled bool) *controller.Workflow {
+func NewDataPlanePoliciesWorkflow(client *dynamic.DynamicClient, wasmImagePullSecret string, isIstioInstalled, isEnvoyGatewayInstalled bool) *controller.Workflow {
 	dataPlanePoliciesValidation := &controller.Workflow{
 		Tasks: []controller.ReconcileFunc{
 			(&AuthPolicyValidator{}).Subscription().Reconcile,
@@ -78,7 +78,7 @@ func NewDataPlanePoliciesWorkflow(client *dynamic.DynamicClient, isIstioInstalle
 	if isIstioInstalled {
 		effectiveDataPlanePoliciesWorkflow.Tasks = append(effectiveDataPlanePoliciesWorkflow.Tasks, (&IstioAuthClusterReconciler{client: client}).Subscription().Reconcile)
 		effectiveDataPlanePoliciesWorkflow.Tasks = append(effectiveDataPlanePoliciesWorkflow.Tasks, (&IstioRateLimitClusterReconciler{client: client}).Subscription().Reconcile)
-		effectiveDataPlanePoliciesWorkflow.Tasks = append(effectiveDataPlanePoliciesWorkflow.Tasks, (&IstioExtensionReconciler{client: client}).Subscription().Reconcile)
+		effectiveDataPlanePoliciesWorkflow.Tasks = append(effectiveDataPlanePoliciesWorkflow.Tasks, (&IstioExtensionReconciler{client: client, wasmImagePullSecret: wasmImagePullSecret}).Subscription().Reconcile)
 	}
 
 	if isEnvoyGatewayInstalled {

diff --git a/controllers/istio_extension_reconciler.go b/controllers/istio_extension_reconciler.go
@@ -31,7 +31,8 @@ import (
 
 // IstioExtensionReconciler reconciles Istio WasmPlugin custom resources
 type IstioExtensionReconciler struct {
-	client *dynamic.DynamicClient
+	client              *dynamic.DynamicClient
+	wasmImagePullSecret string
 }
 
 // IstioExtensionReconciler subscribes to events with potential impact on the Istio WasmPlugin custom resources
@@ -78,7 +79,7 @@ func (r *IstioExtensionReconciler) Reconcile(ctx context.Context, _ []controller
 	for _, gateway := range gateways {
 		gatewayKey := k8stypes.NamespacedName{Name: gateway.GetName(), Namespace: gateway.GetNamespace()}
 
-		desiredWasmPlugin := buildIstioWasmPluginForGateway(gateway, wasmConfigs[gateway.GetLocator()])
+		desiredWasmPlugin := buildIstioWasmPluginForGateway(gateway, wasmConfigs[gateway.GetLocator()], r.wasmImagePullSecret)
 
 		resource := r.client.Resource(kuadrantistio.WasmPluginsResource).Namespace(desiredWasmPlugin.GetNamespace())
 
@@ -228,7 +229,7 @@ func hasAuthAccess(actionSet []wasm.Action) bool {
 }
 
 // buildIstioWasmPluginForGateway builds a desired WasmPlugin custom resource for a given gateway and corresponding wasm config
-func buildIstioWasmPluginForGateway(gateway *machinery.Gateway, wasmConfig wasm.Config) *istioclientgoextensionv1alpha1.WasmPlugin {
+func buildIstioWasmPluginForGateway(gateway *machinery.Gateway, wasmConfig wasm.Config, imagePullSecret string) *istioclientgoextensionv1alpha1.WasmPlugin {
 	wasmPlugin := &istioclientgoextensionv1alpha1.WasmPlugin{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       kuadrantistio.WasmPluginGroupKind.Kind,
@@ -262,6 +263,9 @@ func buildIstioWasmPluginForGateway(gateway *machinery.Gateway, wasmConfig wasm.
 			Phase:        istioextensionsv1alpha1.PluginPhase_STATS, // insert the plugin before Istio stats filters and after Istio authorization filters.
 		},
 	}
+	if imagePullSecret != "" {
+		wasmPlugin.Spec.ImagePullSecret = imagePullSecret
+	}
 
 	if len(wasmConfig.ActionSets) == 0 {
 		utils.TagObjectToDelete(wasmPlugin)

diff --git a/controllers/state_of_the_world.go b/controllers/state_of_the_world.go
@@ -43,6 +43,7 @@ import (
 
 var (
 	operatorNamespace       = env.GetString("OPERATOR_NAMESPACE", "kuadrant-system")
+	wasmImagePullSecret     = env.GetString("WASM_IMAGE_PULL_SECRET", "")
 	kuadrantManagedLabelKey = "kuadrant.io/managed"
 
 	ConfigMapGroupKind = schema.GroupKind{Group: corev1.GroupName, Kind: "ConfigMap"}
@@ -348,7 +349,7 @@ func (b *BootOptionsBuilder) Reconciler() controller.ReconcileFunc {
 			NewLimitadorReconciler(b.client).Subscription().Reconcile,
 			NewDNSWorkflow(b.client, b.manager.GetScheme()).Run,
 			NewTLSWorkflow(b.client, b.manager.GetScheme(), b.isCertManagerInstalled).Run,
-			NewDataPlanePoliciesWorkflow(b.client, b.isIstioInstalled, b.isEnvoyGatewayInstalled).Run,
+			NewDataPlanePoliciesWorkflow(b.client, wasmImagePullSecret, b.isIstioInstalled, b.isEnvoyGatewayInstalled).Run,
 			NewKuadrantStatusUpdater(b.client, b.isIstioInstalled, b.isEnvoyGatewayInstalled).Subscription().Reconcile,
 		},
 		Postcondition: finalStepsWorkflow(b.client, b.isIstioInstalled, b.isGatewayAPIInstalled).Run,

diff --git a/tests/istio/extension_reconciler_test.go b/tests/istio/extension_reconciler_test.go
@@ -4,6 +4,7 @@ package istio_test
 
 import (
 	"context"
+	"os"
 	"reflect"
 	"time"
 
@@ -59,6 +60,8 @@ var _ = Describe("Rate Limiting WasmPlugin controller", func() {
 	BeforeEach(beforeEachCallback)
 	AfterEach(func(ctx SpecContext) {
 		tests.DeleteNamespace(ctx, testClient(), testNamespace)
+		// TODO actually add test for enuring this gets used in the WASMPlugin
+		os.Unsetenv("WASM_IMAGE_PULL_SECRET")
 	}, afterEachTimeOut)
 
 	Context("Basic tests", func() {