diff --git a/controllers/data_plane_policies_workflow.go b/controllers/data_plane_policies_workflow.go index ffde2d236..53a0b0fd5 100644 --- a/controllers/data_plane_policies_workflow.go +++ b/controllers/data_plane_policies_workflow.go @@ -26,7 +26,7 @@ const ( var ( WASMFilterImageURL = env.GetString("RELATED_IMAGE_WASMSHIM", "oci://quay.io/kuadrant/wasm-shim:latest") // protectedRegistry this defines a default protected registry. If this is in the wasm image URL we add a pull secret name to the WASMPLugin resource - ProtectedRegistry = env.GetString("PROTECTED_REGISTRY", "registry.redhat.com") + ProtectedRegistry = env.GetString("PROTECTED_REGISTRY", "registry.redhat.io") // registryPullSecretName this is the pull secret name we will add to the WASMPlugin if the URL for he image is from the defined PROTECTED_REGISTRY RegistryPullSecretName = "wasm-plugin-pull-secret" diff --git a/controllers/envoy_gateway_extension_reconciler.go b/controllers/envoy_gateway_extension_reconciler.go index 32b6aebc3..e82d66fab 100644 --- a/controllers/envoy_gateway_extension_reconciler.go +++ b/controllers/envoy_gateway_extension_reconciler.go @@ -79,7 +79,7 @@ func (r *EnvoyGatewayExtensionReconciler) Reconcile(ctx context.Context, _ []con for _, gateway := range gateways { gatewayKey := k8stypes.NamespacedName{Name: gateway.GetName(), Namespace: gateway.GetNamespace()} - desiredEnvoyExtensionPolicy := buildEnvoyExtensionPolicyForGateway(gateway, wasmConfigs[gateway.GetLocator()], ProtectedRegistry) + desiredEnvoyExtensionPolicy := buildEnvoyExtensionPolicyForGateway(gateway, wasmConfigs[gateway.GetLocator()], ProtectedRegistry, WASMFilterImageURL) resource := r.client.Resource(kuadrantenvoygateway.EnvoyExtensionPoliciesResource).Namespace(desiredEnvoyExtensionPolicy.GetNamespace()) @@ -218,7 +218,7 @@ func (r *EnvoyGatewayExtensionReconciler) buildWasmConfigs(ctx context.Context, } // buildEnvoyExtensionPolicyForGateway builds a desired EnvoyExtensionPolicy custom resource for a given gateway and corresponding wasm config -func buildEnvoyExtensionPolicyForGateway(gateway *machinery.Gateway, wasmConfig wasm.Config, protectedRegistry string) *envoygatewayv1alpha1.EnvoyExtensionPolicy { +func buildEnvoyExtensionPolicyForGateway(gateway *machinery.Gateway, wasmConfig wasm.Config, protectedRegistry, imageURL string) *envoygatewayv1alpha1.EnvoyExtensionPolicy { envoyPolicy := &envoygatewayv1alpha1.EnvoyExtensionPolicy{ TypeMeta: metav1.TypeMeta{ Kind: kuadrantenvoygateway.EnvoyExtensionPolicyGroupKind.Kind, @@ -258,7 +258,7 @@ func buildEnvoyExtensionPolicyForGateway(gateway *machinery.Gateway, wasmConfig Code: envoygatewayv1alpha1.WasmCodeSource{ Type: envoygatewayv1alpha1.ImageWasmCodeSourceType, Image: &envoygatewayv1alpha1.ImageWasmCodeSource{ - URL: WASMFilterImageURL, + URL: imageURL, }, }, Config: nil, @@ -270,9 +270,13 @@ func buildEnvoyExtensionPolicyForGateway(gateway *machinery.Gateway, wasmConfig }, }, } - - if protectedRegistry != "" && strings.Contains(WASMFilterImageURL, protectedRegistry) { - for _, wasm := range envoyPolicy.Spec.Wasm { + for _, wasm := range envoyPolicy.Spec.Wasm { + if wasm.Code.Image.PullSecretRef != nil { + //reset it to empty this will remove it if the image is now public registry + wasm.Code.Image.PullSecretRef = nil + } + // if we are in a protected registery set the object + if protectedRegistry != "" && strings.Contains(imageURL, protectedRegistry) { wasm.Code.Image.PullSecretRef = &gwapiv1b1.SecretObjectReference{Name: v1.ObjectName(RegistryPullSecretName)} } } diff --git a/controllers/extenstion_reconciler_test.go b/controllers/extenstion_reconciler_test.go index aad7fb28d..31e35ecdb 100644 --- a/controllers/extenstion_reconciler_test.go +++ b/controllers/extenstion_reconciler_test.go @@ -38,14 +38,15 @@ var ( func Test_buildIstioWasmPluginForGateway(t *testing.T) { testCases := []struct { Name string - setWASMImageURL func() + WASMImageURLS func() []string ProtectedRegistryPrefix string Assert func(t *testing.T, plugin *istioclientgoextensionv1alpha1.WasmPlugin) }{ { Name: "ensure image pull secret is set in wasmPlugin for protected registry", - setWASMImageURL: func() { - WASMFilterImageURL = protectedRegImage + WASMImageURLS: func() []string { + // note currently this is a package global + return []string{protectedRegImage} }, ProtectedRegistryPrefix: registry, Assert: func(t *testing.T, plugin *istioclientgoextensionv1alpha1.WasmPlugin) { @@ -59,15 +60,32 @@ func Test_buildIstioWasmPluginForGateway(t *testing.T) { }, { Name: "ensure image pull secret is NOT set in wasmPlugin for unprotected registry", - setWASMImageURL: func() { - WASMFilterImageURL = defaultWasmImage + WASMImageURLS: func() []string { + return []string{WASMFilterImageURL} }, Assert: func(t *testing.T, plugin *istioclientgoextensionv1alpha1.WasmPlugin) { if plugin == nil { t.Fatalf("Expected a wasmplugin") } if plugin.Spec.ImagePullSecret != "" { - t.Fatalf("Expected wasm plugin to have not imagePullSecret %s", plugin.Spec.ImagePullSecret) + t.Fatalf("Expected wasm plugin to NOT have imagePullSecret %v", plugin.Spec.ImagePullSecret) + } + }, + }, + { + Name: "ensure image pull secret is set in wasmPlugin for protected registry and unset for unprotected registry", + WASMImageURLS: func() []string { + return []string{ProtectedRegistry, WASMFilterImageURL} + }, + Assert: func(t *testing.T, plugin *istioclientgoextensionv1alpha1.WasmPlugin) { + if plugin == nil { + t.Fatalf("Expected a wasmplugin") + } + if plugin.Spec.Url == protectedRegImage && plugin.Spec.ImagePullSecret == "" { + t.Fatalf("Expected wasm plugin to have imagePullSecret set but got none") + } + if plugin.Spec.Url == WASMFilterImageURL && plugin.Spec.ImagePullSecret != "" { + t.Fatalf("Expected wasm plugin to not have imagePullSecret set but got %v", plugin.Spec.ImagePullSecret) } }, }, @@ -75,9 +93,11 @@ func Test_buildIstioWasmPluginForGateway(t *testing.T) { for _, testCase := range testCases { t.Run(testCase.Name, func(t *testing.T) { - testCase.setWASMImageURL() - plugin := buildIstioWasmPluginForGateway(testGateway, testWasmConfig, testCase.ProtectedRegistryPrefix) - testCase.Assert(t, plugin) + images := testCase.WASMImageURLS() + for _, image := range images { + plugin := buildIstioWasmPluginForGateway(testGateway, testWasmConfig, testCase.ProtectedRegistryPrefix, image) + testCase.Assert(t, plugin) + } }) } @@ -86,14 +106,14 @@ func Test_buildIstioWasmPluginForGateway(t *testing.T) { func Test_buildEnvoyExtensionPolicyForGateway(t *testing.T) { testCases := []struct { Name string - setWASMImageURL func() + WASMImageURLS func() []string ProtectedRegistryPrefix string Assert func(t *testing.T, policy *envoygatewayv1alpha1.EnvoyExtensionPolicy) }{ { Name: "ensure image pull secret is set in ExtensionPolicy for protected registry", - setWASMImageURL: func() { - WASMFilterImageURL = protectedRegImage + WASMImageURLS: func() []string { + return []string{protectedRegImage} }, ProtectedRegistryPrefix: registry, Assert: func(t *testing.T, policy *envoygatewayv1alpha1.EnvoyExtensionPolicy) { @@ -102,7 +122,7 @@ func Test_buildEnvoyExtensionPolicyForGateway(t *testing.T) { } for _, w := range policy.Spec.Wasm { if w.Code.Image.PullSecretRef == nil { - t.Fatalf("Expected extension to have imagePullSecret %s but no pullSecretRef", RegistryPullSecretName) + t.Fatalf("Expected extension to have imagePullSecret %v but no pullSecretRef", RegistryPullSecretName) } if w.Code.Image.PullSecretRef.Name != v1.ObjectName(RegistryPullSecretName) { t.Fatalf("expected the pull secret name to be %s but got %v", RegistryPullSecretName, w.Code.Image.PullSecretRef.Name) @@ -112,8 +132,8 @@ func Test_buildEnvoyExtensionPolicyForGateway(t *testing.T) { }, { Name: "ensure image pull secret is NOT set in wasmPlugin for unprotected registry", - setWASMImageURL: func() { - WASMFilterImageURL = defaultWasmImage + WASMImageURLS: func() []string { + return []string{defaultWasmImage} }, Assert: func(t *testing.T, policy *envoygatewayv1alpha1.EnvoyExtensionPolicy) { if policy == nil { @@ -126,11 +146,33 @@ func Test_buildEnvoyExtensionPolicyForGateway(t *testing.T) { } }, }, + { + Name: "ensure image pull secret is set in extension for protected registry and unset for unprotected registry", + WASMImageURLS: func() []string { + return []string{ProtectedRegistry, WASMFilterImageURL} + }, + Assert: func(t *testing.T, policy *envoygatewayv1alpha1.EnvoyExtensionPolicy) { + if policy == nil { + t.Fatalf("Expected a wasmplugin") + } + for _, w := range policy.Spec.Wasm { + if w.Code.Image.PullSecretRef == nil && w.Code.Image.URL == protectedRegImage { + t.Fatalf("Expected policy to have imagePullSecret set but got none") + } + if w.Code.Image.PullSecretRef != nil && w.Code.Image.URL == WASMFilterImageURL { + t.Fatalf("Expected policy to not have imagePullSecret set but got %v", w.Code.Image.PullSecretRef) + } + } + + }, + }, } for _, testCase := range testCases { - testCase.setWASMImageURL() - policy := buildEnvoyExtensionPolicyForGateway(testGateway, testWasmConfig, testCase.ProtectedRegistryPrefix) - testCase.Assert(t, policy) + images := testCase.WASMImageURLS() + for _, image := range images { + policy := buildEnvoyExtensionPolicyForGateway(testGateway, testWasmConfig, testCase.ProtectedRegistryPrefix, image) + testCase.Assert(t, policy) + } } } diff --git a/controllers/istio_extension_reconciler.go b/controllers/istio_extension_reconciler.go index 1e7c5af90..23710b9d4 100644 --- a/controllers/istio_extension_reconciler.go +++ b/controllers/istio_extension_reconciler.go @@ -79,7 +79,7 @@ func (r *IstioExtensionReconciler) Reconcile(ctx context.Context, _ []controller for _, gateway := range gateways { gatewayKey := k8stypes.NamespacedName{Name: gateway.GetName(), Namespace: gateway.GetNamespace()} - desiredWasmPlugin := buildIstioWasmPluginForGateway(gateway, wasmConfigs[gateway.GetLocator()], ProtectedRegistry) + desiredWasmPlugin := buildIstioWasmPluginForGateway(gateway, wasmConfigs[gateway.GetLocator()], ProtectedRegistry, WASMFilterImageURL) resource := r.client.Resource(kuadrantistio.WasmPluginsResource).Namespace(desiredWasmPlugin.GetNamespace()) @@ -229,7 +229,7 @@ func hasAuthAccess(actionSet []wasm.Action) bool { } // buildIstioWasmPluginForGateway builds a desired WasmPlugin custom resource for a given gateway and corresponding wasm config -func buildIstioWasmPluginForGateway(gateway *machinery.Gateway, wasmConfig wasm.Config, protectedRegistry string) *istioclientgoextensionv1alpha1.WasmPlugin { +func buildIstioWasmPluginForGateway(gateway *machinery.Gateway, wasmConfig wasm.Config, protectedRegistry, imageURL string) *istioclientgoextensionv1alpha1.WasmPlugin { wasmPlugin := &istioclientgoextensionv1alpha1.WasmPlugin{ TypeMeta: metav1.TypeMeta{ Kind: kuadrantistio.WasmPluginGroupKind.Kind, @@ -258,13 +258,15 @@ func buildIstioWasmPluginForGateway(gateway *machinery.Gateway, wasmConfig wasm. Name: gateway.GetName(), }, }, - Url: WASMFilterImageURL, + Url: imageURL, PluginConfig: nil, Phase: istioextensionsv1alpha1.PluginPhase_STATS, // insert the plugin before Istio stats filters and after Istio authorization filters. }, } - - if protectedRegistry != "" && strings.Contains(WASMFilterImageURL, protectedRegistry) { + // reset to empty to allow fo the image having moved to a public registry + wasmPlugin.Spec.ImagePullSecret = "" + // only set to pull secret if we are in a protected registry + if protectedRegistry != "" && strings.Contains(imageURL, protectedRegistry) { wasmPlugin.Spec.ImagePullSecret = RegistryPullSecretName }