allow for the image url changing for an existing wasmplugin or extent…

…ionpolicy Signed-off-by: craig <[email protected]> rh-pre-commit.version: 2.2.0 rh-pre-commit.check-secrets: ENABLED
Kuadrant · Dec 18, 2024 · dc3a828 · dc3a828
1 parent 116d618
commit dc3a828
Show file tree

Hide file tree

Showing 4 changed files with 78 additions and 30 deletions.
diff --git a/controllers/data_plane_policies_workflow.go b/controllers/data_plane_policies_workflow.go
@@ -26,7 +26,7 @@ const (
 var (
 	WASMFilterImageURL = env.GetString("RELATED_IMAGE_WASMSHIM", "oci://quay.io/kuadrant/wasm-shim:latest")
 	// protectedRegistry this defines a default protected registry. If this is in the wasm image URL we add a pull secret name to the WASMPLugin resource
-	ProtectedRegistry = env.GetString("PROTECTED_REGISTRY", "registry.redhat.com")
+	ProtectedRegistry = env.GetString("PROTECTED_REGISTRY", "registry.redhat.io")
 
 	// registryPullSecretName this is the pull secret name we will add to the WASMPlugin if the URL for he image is from the defined PROTECTED_REGISTRY
 	RegistryPullSecretName = "wasm-plugin-pull-secret"

diff --git a/controllers/envoy_gateway_extension_reconciler.go b/controllers/envoy_gateway_extension_reconciler.go
@@ -79,7 +79,7 @@ func (r *EnvoyGatewayExtensionReconciler) Reconcile(ctx context.Context, _ []con
 
 	for _, gateway := range gateways {
 		gatewayKey := k8stypes.NamespacedName{Name: gateway.GetName(), Namespace: gateway.GetNamespace()}
-		desiredEnvoyExtensionPolicy := buildEnvoyExtensionPolicyForGateway(gateway, wasmConfigs[gateway.GetLocator()], ProtectedRegistry)
+		desiredEnvoyExtensionPolicy := buildEnvoyExtensionPolicyForGateway(gateway, wasmConfigs[gateway.GetLocator()], ProtectedRegistry, WASMFilterImageURL)
 
 		resource := r.client.Resource(kuadrantenvoygateway.EnvoyExtensionPoliciesResource).Namespace(desiredEnvoyExtensionPolicy.GetNamespace())
 
@@ -218,7 +218,7 @@ func (r *EnvoyGatewayExtensionReconciler) buildWasmConfigs(ctx context.Context,
 }
 
 // buildEnvoyExtensionPolicyForGateway builds a desired EnvoyExtensionPolicy custom resource for a given gateway and corresponding wasm config
-func buildEnvoyExtensionPolicyForGateway(gateway *machinery.Gateway, wasmConfig wasm.Config, protectedRegistry string) *envoygatewayv1alpha1.EnvoyExtensionPolicy {
+func buildEnvoyExtensionPolicyForGateway(gateway *machinery.Gateway, wasmConfig wasm.Config, protectedRegistry, imageURL string) *envoygatewayv1alpha1.EnvoyExtensionPolicy {
 	envoyPolicy := &envoygatewayv1alpha1.EnvoyExtensionPolicy{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       kuadrantenvoygateway.EnvoyExtensionPolicyGroupKind.Kind,
@@ -258,7 +258,7 @@ func buildEnvoyExtensionPolicyForGateway(gateway *machinery.Gateway, wasmConfig
 					Code: envoygatewayv1alpha1.WasmCodeSource{
 						Type: envoygatewayv1alpha1.ImageWasmCodeSourceType,
 						Image: &envoygatewayv1alpha1.ImageWasmCodeSource{
-							URL: WASMFilterImageURL,
+							URL: imageURL,
 						},
 					},
 					Config: nil,
@@ -270,9 +270,13 @@ func buildEnvoyExtensionPolicyForGateway(gateway *machinery.Gateway, wasmConfig
 			},
 		},
 	}
-
-	if protectedRegistry != "" && strings.Contains(WASMFilterImageURL, protectedRegistry) {
-		for _, wasm := range envoyPolicy.Spec.Wasm {
+	for _, wasm := range envoyPolicy.Spec.Wasm {
+		if wasm.Code.Image.PullSecretRef != nil {
+			//reset it to empty this will remove it if the image is now public registry
+			wasm.Code.Image.PullSecretRef = nil
+		}
+		// if we are in a protected registery set the object
+		if protectedRegistry != "" && strings.Contains(imageURL, protectedRegistry) {
 			wasm.Code.Image.PullSecretRef = &gwapiv1b1.SecretObjectReference{Name: v1.ObjectName(RegistryPullSecretName)}
 		}
 	}

diff --git a/controllers/extenstion_reconciler_test.go b/controllers/extenstion_reconciler_test.go
@@ -38,14 +38,15 @@ var (
 func Test_buildIstioWasmPluginForGateway(t *testing.T) {
 	testCases := []struct {
 		Name                    string
-		setWASMImageURL         func()
+		WASMImageURLS           func() []string
 		ProtectedRegistryPrefix string
 		Assert                  func(t *testing.T, plugin *istioclientgoextensionv1alpha1.WasmPlugin)
 	}{
 		{
 			Name: "ensure image pull secret is set in wasmPlugin for protected registry",
-			setWASMImageURL: func() {
-				WASMFilterImageURL = protectedRegImage
+			WASMImageURLS: func() []string {
+				// note currently this is a package global
+				return []string{protectedRegImage}
 			},
 			ProtectedRegistryPrefix: registry,
 			Assert: func(t *testing.T, plugin *istioclientgoextensionv1alpha1.WasmPlugin) {
@@ -59,25 +60,44 @@ func Test_buildIstioWasmPluginForGateway(t *testing.T) {
 		},
 		{
 			Name: "ensure image pull secret is NOT set in wasmPlugin for unprotected registry",
-			setWASMImageURL: func() {
-				WASMFilterImageURL = defaultWasmImage
+			WASMImageURLS: func() []string {
+				return []string{WASMFilterImageURL}
 			},
 			Assert: func(t *testing.T, plugin *istioclientgoextensionv1alpha1.WasmPlugin) {
 				if plugin == nil {
 					t.Fatalf("Expected a wasmplugin")
 				}
 				if plugin.Spec.ImagePullSecret != "" {
-					t.Fatalf("Expected wasm plugin to have not imagePullSecret %s", plugin.Spec.ImagePullSecret)
+					t.Fatalf("Expected wasm plugin to NOT have imagePullSecret %v", plugin.Spec.ImagePullSecret)
+				}
+			},
+		},
+		{
+			Name: "ensure image pull secret is set in wasmPlugin for protected registry and unset for unprotected registry",
+			WASMImageURLS: func() []string {
+				return []string{ProtectedRegistry, WASMFilterImageURL}
+			},
+			Assert: func(t *testing.T, plugin *istioclientgoextensionv1alpha1.WasmPlugin) {
+				if plugin == nil {
+					t.Fatalf("Expected a wasmplugin")
+				}
+				if plugin.Spec.Url == protectedRegImage && plugin.Spec.ImagePullSecret == "" {
+					t.Fatalf("Expected wasm plugin to have imagePullSecret set but got none")
+				}
+				if plugin.Spec.Url == WASMFilterImageURL && plugin.Spec.ImagePullSecret != "" {
+					t.Fatalf("Expected wasm plugin to not have imagePullSecret set but got %v", plugin.Spec.ImagePullSecret)
 				}
 			},
 		},
 	}
 
 	for _, testCase := range testCases {
 		t.Run(testCase.Name, func(t *testing.T) {
-			testCase.setWASMImageURL()
-			plugin := buildIstioWasmPluginForGateway(testGateway, testWasmConfig, testCase.ProtectedRegistryPrefix)
-			testCase.Assert(t, plugin)
+			images := testCase.WASMImageURLS()
+			for _, image := range images {
+				plugin := buildIstioWasmPluginForGateway(testGateway, testWasmConfig, testCase.ProtectedRegistryPrefix, image)
+				testCase.Assert(t, plugin)
+			}
 		})
 	}
 
@@ -86,14 +106,14 @@ func Test_buildIstioWasmPluginForGateway(t *testing.T) {
 func Test_buildEnvoyExtensionPolicyForGateway(t *testing.T) {
 	testCases := []struct {
 		Name                    string
-		setWASMImageURL         func()
+		WASMImageURLS           func() []string
 		ProtectedRegistryPrefix string
 		Assert                  func(t *testing.T, policy *envoygatewayv1alpha1.EnvoyExtensionPolicy)
 	}{
 		{
 			Name: "ensure image pull secret is set in ExtensionPolicy for protected registry",
-			setWASMImageURL: func() {
-				WASMFilterImageURL = protectedRegImage
+			WASMImageURLS: func() []string {
+				return []string{protectedRegImage}
 			},
 			ProtectedRegistryPrefix: registry,
 			Assert: func(t *testing.T, policy *envoygatewayv1alpha1.EnvoyExtensionPolicy) {
@@ -102,7 +122,7 @@ func Test_buildEnvoyExtensionPolicyForGateway(t *testing.T) {
 				}
 				for _, w := range policy.Spec.Wasm {
 					if w.Code.Image.PullSecretRef == nil {
-						t.Fatalf("Expected extension to have imagePullSecret %s but no pullSecretRef", RegistryPullSecretName)
+						t.Fatalf("Expected extension to have imagePullSecret %v but no pullSecretRef", RegistryPullSecretName)
 					}
 					if w.Code.Image.PullSecretRef.Name != v1.ObjectName(RegistryPullSecretName) {
 						t.Fatalf("expected the pull secret name to be %s but got %v", RegistryPullSecretName, w.Code.Image.PullSecretRef.Name)
@@ -112,8 +132,8 @@ func Test_buildEnvoyExtensionPolicyForGateway(t *testing.T) {
 		},
 		{
 			Name: "ensure image pull secret is NOT set in wasmPlugin for unprotected registry",
-			setWASMImageURL: func() {
-				WASMFilterImageURL = defaultWasmImage
+			WASMImageURLS: func() []string {
+				return []string{defaultWasmImage}
 			},
 			Assert: func(t *testing.T, policy *envoygatewayv1alpha1.EnvoyExtensionPolicy) {
 				if policy == nil {
@@ -126,11 +146,33 @@ func Test_buildEnvoyExtensionPolicyForGateway(t *testing.T) {
 				}
 			},
 		},
+		{
+			Name: "ensure image pull secret is set in extension for protected registry and unset for unprotected registry",
+			WASMImageURLS: func() []string {
+				return []string{ProtectedRegistry, WASMFilterImageURL}
+			},
+			Assert: func(t *testing.T, policy *envoygatewayv1alpha1.EnvoyExtensionPolicy) {
+				if policy == nil {
+					t.Fatalf("Expected a wasmplugin")
+				}
+				for _, w := range policy.Spec.Wasm {
+					if w.Code.Image.PullSecretRef == nil && w.Code.Image.URL == protectedRegImage {
+						t.Fatalf("Expected policy to have imagePullSecret set but got none")
+					}
+					if w.Code.Image.PullSecretRef != nil && w.Code.Image.URL == WASMFilterImageURL {
+						t.Fatalf("Expected policy to not have imagePullSecret set but got %v", w.Code.Image.PullSecretRef)
+					}
+				}
+
+			},
+		},
 	}
 
 	for _, testCase := range testCases {
-		testCase.setWASMImageURL()
-		policy := buildEnvoyExtensionPolicyForGateway(testGateway, testWasmConfig, testCase.ProtectedRegistryPrefix)
-		testCase.Assert(t, policy)
+		images := testCase.WASMImageURLS()
+		for _, image := range images {
+			policy := buildEnvoyExtensionPolicyForGateway(testGateway, testWasmConfig, testCase.ProtectedRegistryPrefix, image)
+			testCase.Assert(t, policy)
+		}
 	}
 }
diff --git a/controllers/istio_extension_reconciler.go b/controllers/istio_extension_reconciler.go
@@ -79,7 +79,7 @@ func (r *IstioExtensionReconciler) Reconcile(ctx context.Context, _ []controller
 	for _, gateway := range gateways {
 		gatewayKey := k8stypes.NamespacedName{Name: gateway.GetName(), Namespace: gateway.GetNamespace()}
 
-		desiredWasmPlugin := buildIstioWasmPluginForGateway(gateway, wasmConfigs[gateway.GetLocator()], ProtectedRegistry)
+		desiredWasmPlugin := buildIstioWasmPluginForGateway(gateway, wasmConfigs[gateway.GetLocator()], ProtectedRegistry, WASMFilterImageURL)
 
 		resource := r.client.Resource(kuadrantistio.WasmPluginsResource).Namespace(desiredWasmPlugin.GetNamespace())
 
@@ -229,7 +229,7 @@ func hasAuthAccess(actionSet []wasm.Action) bool {
 }
 
 // buildIstioWasmPluginForGateway builds a desired WasmPlugin custom resource for a given gateway and corresponding wasm config
-func buildIstioWasmPluginForGateway(gateway *machinery.Gateway, wasmConfig wasm.Config, protectedRegistry string) *istioclientgoextensionv1alpha1.WasmPlugin {
+func buildIstioWasmPluginForGateway(gateway *machinery.Gateway, wasmConfig wasm.Config, protectedRegistry, imageURL string) *istioclientgoextensionv1alpha1.WasmPlugin {
 	wasmPlugin := &istioclientgoextensionv1alpha1.WasmPlugin{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       kuadrantistio.WasmPluginGroupKind.Kind,
@@ -258,13 +258,15 @@ func buildIstioWasmPluginForGateway(gateway *machinery.Gateway, wasmConfig wasm.
 					Name:  gateway.GetName(),
 				},
 			},
-			Url:          WASMFilterImageURL,
+			Url:          imageURL,
 			PluginConfig: nil,
 			Phase:        istioextensionsv1alpha1.PluginPhase_STATS, // insert the plugin before Istio stats filters and after Istio authorization filters.
 		},
 	}
-
-	if protectedRegistry != "" && strings.Contains(WASMFilterImageURL, protectedRegistry) {
+	// reset to empty to allow fo the image having moved to a public registry
+	wasmPlugin.Spec.ImagePullSecret = ""
+	// only set to pull secret if we are in a protected registry
+	if protectedRegistry != "" && strings.Contains(imageURL, protectedRegistry) {
 		wasmPlugin.Spec.ImagePullSecret = RegistryPullSecretName
 	}