diff --git a/controllers/data_plane_policies_workflow.go b/controllers/data_plane_policies_workflow.go
index ca7849a19..e948c385f 100644
--- a/controllers/data_plane_policies_workflow.go
+++ b/controllers/data_plane_policies_workflow.go
@@ -54,7 +54,7 @@ var (
 //+kubebuilder:rbac:groups=kuadrant.io,resources=ratelimitpolicies/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=kuadrant.io,resources=ratelimitpolicies/finalizers,verbs=update
-func NewDataPlanePoliciesWorkflow(client *dynamic.DynamicClient, isIstioInstalled, isEnvoyGatewayInstalled bool) *controller.Workflow {
+func NewDataPlanePoliciesWorkflow(client *dynamic.DynamicClient, wasmImagePullSecret string, isIstioInstalled, isEnvoyGatewayInstalled bool) *controller.Workflow {
 dataPlanePoliciesValidation := &controller.Workflow{
 Tasks: []controller.ReconcileFunc{
 (&AuthPolicyValidator{}).Subscription().Reconcile,
@@ -78,7 +78,7 @@ func NewDataPlanePoliciesWorkflow(client *dynamic.DynamicClient, isIstioInstalle
 if isIstioInstalled {
 effectiveDataPlanePoliciesWorkflow.Tasks = append(effectiveDataPlanePoliciesWorkflow.Tasks, (&IstioAuthClusterReconciler{client: client}).Subscription().Reconcile)
 effectiveDataPlanePoliciesWorkflow.Tasks = append(effectiveDataPlanePoliciesWorkflow.Tasks, (&IstioRateLimitClusterReconciler{client: client}).Subscription().Reconcile)
- effectiveDataPlanePoliciesWorkflow.Tasks = append(effectiveDataPlanePoliciesWorkflow.Tasks, (&IstioExtensionReconciler{client: client}).Subscription().Reconcile)
+ effectiveDataPlanePoliciesWorkflow.Tasks = append(effectiveDataPlanePoliciesWorkflow.Tasks, (&IstioExtensionReconciler{client: client, wasmImagePullSecret: wasmImagePullSecret}).Subscription().Reconcile)
 }
 if isEnvoyGatewayInstalled {
diff --git a/controllers/istio_extension_reconciler.go b/controllers/istio_extension_reconciler.go
index 491b506e7..4f02d4604 100644
--- a/controllers/istio_extension_reconciler.go
+++ b/controllers/istio_extension_reconciler.go
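Review bot: The new `wasmImagePullSecret string` parameter of `NewDataPlanePoliciesWorkflow` (hunk `@@ -54,7 +54,7 @@` of controllers/data_plane_policies_workflow.go) is undocumented, and the name alone does not say whether it carries a Secret name or credential material. The later hunks copy it into the WasmPlugin `ImagePullSecret` field, so it appears to be a Secret name only; a doc comment on the function would settle that, for example `// wasmImagePullSecret is the name of the Kubernetes Secret used to pull the wasm image; empty means no pull secret is set.` The function body continues outside the hunk.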
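Review bot: Only the Istio branch receives the pull secret in hunk `@@ -78,7 +78,7 @@`; the `if isEnvoyGatewayInstalled {` branch that opens on the last context line is cut off, and no Envoy Gateway reconciler is touched in the visible diff. If that path pulls the same wasm image, a private registry would work for Istio gateways and fail for Envoy Gateway ones with no hint why. Either wire the value through there as well, or state the limit next to the branch, e.g. `// WASM_IMAGE_PULL_SECRET is currently honoured for Istio WasmPlugins only`.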
@@ -31,7 +31,8 @@ import (
 // IstioExtensionReconciler reconciles Istio WasmPlugin custom resources
 type IstioExtensionReconciler struct {
- client *dynamic.DynamicClient
+ client *dynamic.DynamicClient
+ wasmImagePullSecret string
 }
 // IstioExtensionReconciler subscribes to events with potential impact on the Istio WasmPlugin custom resources
@@ -78,7 +79,7 @@ func (r *IstioExtensionReconciler) Reconcile(ctx context.Context, _ []controller
 for _, gateway := range gateways {
 gatewayKey := k8stypes.NamespacedName{Name: gateway.GetName(), Namespace: gateway.GetNamespace()}
- desiredWasmPlugin := buildIstioWasmPluginForGateway(gateway, wasmConfigs[gateway.GetLocator()])
+ desiredWasmPlugin := buildIstioWasmPluginForGateway(gateway, wasmConfigs[gateway.GetLocator()], r.wasmImagePullSecret)
 resource := r.client.Resource(kuadrantistio.WasmPluginsResource).Namespace(desiredWasmPlugin.GetNamespace())
@@ -228,7 +229,7 @@ func hasAuthAccess(actionSet []wasm.Action) bool {
 }
 // buildIstioWasmPluginForGateway builds a desired WasmPlugin custom resource for a given gateway and corresponding wasm config
-func buildIstioWasmPluginForGateway(gateway *machinery.Gateway, wasmConfig wasm.Config) *istioclientgoextensionv1alpha1.WasmPlugin {
+func buildIstioWasmPluginForGateway(gateway *machinery.Gateway, wasmConfig wasm.Config, imagePullSecret string) *istioclientgoextensionv1alpha1.WasmPlugin {
 wasmPlugin := &istioclientgoextensionv1alpha1.WasmPlugin{
 TypeMeta: metav1.TypeMeta{
 Kind: kuadrantistio.WasmPluginGroupKind.Kind,
@@ -262,6 +263,9 @@ func buildIstioWasmPluginForGateway(gateway *machinery.Gateway, wasmConfig wasm.
 Phase: istioextensionsv1alpha1.PluginPhase_STATS, // insert the plugin before Istio stats filters and after Istio authorization filters.
 },
 }
+ if imagePullSecret != "" {
+ wasmPlugin.Spec.ImagePullSecret = imagePullSecret
+ }
 if len(wasmConfig.ActionSets) == 0 {
 utils.TagObjectToDelete(wasmPlugin)
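Review bot: In `Reconcile` (hunk `@@ -78,7 +79,7 @@` of controllers/istio_extension_reconciler.go) the desired WasmPlugin now carries the pull secret, but nothing visible in this diff changes how an existing WasmPlugin is compared with the desired one. If that comparison, which lies outside the hunk, ignores `Spec.ImagePullSecret`, then setting or changing WASM_IMAGE_PULL_SECRET on an operator that already manages gateways would leave the old objects as they are, still pulling without credentials or with a stale secret name. Please confirm the equality check covers the field (a clause along the lines of `existing.Spec.ImagePullSecret == desired.Spec.ImagePullSecret`) and add a test for the update case.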
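Review bot: The block added to `buildIstioWasmPluginForGateway` (hunk `@@ -262,6 +263,9 @@`) copies one operator-wide secret name into every gateway's WasmPlugin with no check and no documentation of what must exist for it to work. Istio resolves `imagePullSecret` as a Secret in the WasmPlugin's own namespace, and `Reconcile` in the earlier hunk uses `desiredWasmPlugin.GetNamespace()`, so the Secret presumably has to be present in each gateway namespace; a missing one would only show up as a failed image pull at the proxy. I would extend the function comment, which the signature hunk leaves unchanged, with `// imagePullSecret names a Secret that must exist in the WasmPlugin's namespace; the operator does not create or copy it.` Separately, if the struct literal above leaves the field unset, the `if imagePullSecret != ""` guard is redundant and the body can be the plain assignment `wasmPlugin.Spec.ImagePullSecret = imagePullSecret`.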
diff --git a/controllers/state_of_the_world.go b/controllers/state_of_the_world.go
index df25bcb3a..4363e662f 100644
--- a/controllers/state_of_the_world.go
+++ b/controllers/state_of_the_world.go
@@ -43,6 +43,7 @@ import (
 var (
 operatorNamespace = env.GetString("OPERATOR_NAMESPACE", "kuadrant-system")
+ wasmImagePullSecret = env.GetString("WASM_IMAGE_PULL_SECRET", "")
 kuadrantManagedLabelKey = "kuadrant.io/managed"
 ConfigMapGroupKind = schema.GroupKind{Group: corev1.GroupName, Kind: "ConfigMap"}
@@ -348,7 +349,7 @@ func (b *BootOptionsBuilder) Reconciler() controller.ReconcileFunc {
 NewLimitadorReconciler(b.client).Subscription().Reconcile,
 NewDNSWorkflow(b.client, b.manager.GetScheme()).Run,
 NewTLSWorkflow(b.client, b.manager.GetScheme(), b.isCertManagerInstalled).Run,
- NewDataPlanePoliciesWorkflow(b.client, b.isIstioInstalled, b.isEnvoyGatewayInstalled).Run,
+ NewDataPlanePoliciesWorkflow(b.client, wasmImagePullSecret, b.isIstioInstalled, b.isEnvoyGatewayInstalled).Run,
 NewKuadrantStatusUpdater(b.client, b.isIstioInstalled, b.isEnvoyGatewayInstalled).Subscription().Reconcile,
 },
 Postcondition: finalStepsWorkflow(b.client, b.isIstioInstalled, b.isGatewayAPIInstalled).Run,
diff --git a/tests/istio/extension_reconciler_test.go b/tests/istio/extension_reconciler_test.go
index c6d14bd49..52b3bb2f1 100644
--- a/tests/istio/extension_reconciler_test.go
+++ b/tests/istio/extension_reconciler_test.go
@@ -4,6 +4,7 @@ package istio_test
 import (
 "context"
+ "os"
 "reflect"
 "time"
@@ -59,6 +60,8 @@ var _ = Describe("Rate Limiting WasmPlugin controller", func() {
 BeforeEach(beforeEachCallback)
 AfterEach(func(ctx SpecContext) {
 tests.DeleteNamespace(ctx, testClient(), testNamespace)
+ // TODO actually add test for enuring this gets used in the WASMPlugin
+ os.Unsetenv("WASM_IMAGE_PULL_SECRET")
 }, afterEachTimeOut)
 Context("Basic tests", func() {
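Review bot: `wasmImagePullSecret` in the `var (` block (hunk `@@ -43,6 +43,7 @@` of controllers/state_of_the_world.go) is read from the environment once at package initialisation and handed on without validation or any comment saying what it holds. A value that is not a legal Secret name (stray whitespace, upper case, a `namespace/name` form) would presumably surface only later, as a rejected or unpullable WasmPlugin on every gateway. Consider checking it at startup, for instance with `validation.IsDNS1123Subdomain` from k8s.io/apimachinery, and logging whether a pull secret is configured. At the least document it: `// wasmImagePullSecret is the name (not the content) of the registry pull Secret set on generated WasmPlugins; empty disables it.`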
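Review bot: The `os.Unsetenv("WASM_IMAGE_PULL_SECRET")` added to `AfterEach` (hunk `@@ -59,6 +60,8 @@` of tests/istio/extension_reconciler_test.go) clears a variable that nothing in the visible test sets, and its returned error is discarded. Because controllers/state_of_the_world.go reads the variable into a package-level var at initialisation, setting it from a spec later would probably not reach the reconciler, so the test the TODO promises needs the value injected another way, for example by constructing the workflow through `NewDataPlanePoliciesWorkflow` with an explicit secret name. Until that test exists the new path is unverified in both directions (field set when configured, field absent when empty); I would drop the `Unsetenv` and the `os` import, or land them together with the test. The TODO text also has a typo, `enuring` for `ensuring`.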