
Use WASM pull secret if protected registry #1083

Merged: 1 commit merged into main from gh-1077, Dec 19, 2024

Conversation

maleck13
Collaborator

@maleck13 maleck13 commented Dec 17, 2024

closes #1077
Signed-off-by: craig [email protected]

rh-pre-commit.version: 2.2.0
rh-pre-commit.check-secrets: ENABLED


codecov bot commented Dec 17, 2024

Codecov Report

Attention: Patch coverage is 80.76923% with 5 lines in your changes missing coverage. Please review.

Project coverage is 83.77%. Comparing base (cc1b41f) to head (09dbeea).
Report is 69 commits behind head on main.

Files with missing lines Patch % Lines
controllers/envoy_gateway_extension_reconciler.go 61.53% 3 Missing and 2 partials ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1083      +/-   ##
==========================================
+ Coverage   76.15%   83.77%   +7.62%     
==========================================
  Files         111       81      -30     
  Lines        8986     6712    -2274     
==========================================
- Hits         6843     5623    -1220     
+ Misses       1852      870     -982     
+ Partials      291      219      -72     
Flag Coverage Δ
bare-k8s-integration 15.44% <0.00%> (+4.57%) ⬆️
controllers-integration 75.96% <53.84%> (+17.10%) ⬆️
envoygateway-integration 40.53% <19.23%> (+8.02%) ⬆️
gatewayapi-integration 16.05% <0.00%> (+2.61%) ⬆️
istio-integration 43.77% <38.46%> (+9.44%) ⬆️
unit 19.67% <53.84%> (-5.70%) ⬇️

Flags with carried forward coverage won't be shown.

Components Coverage Δ
api/v1beta1 (u) 90.00% <100.00%> (-2.19%) ⬇️
api/v1beta2 (u) ∅ <ø> (∅)
pkg/common (u) ∅ <ø> (∅)
pkg/istio (u) 62.06% <ø> (+15.03%) ⬆️
pkg/log (u) 93.18% <ø> (ø)
pkg/reconcilers (u) 24.67% <ø> (∅)
pkg/rlptools (u) ∅ <ø> (∅)
controllers (i) 86.72% <89.17%> (+2.29%) ⬆️
Files with missing lines Coverage Δ
controllers/data_plane_policies_workflow.go 100.00% <ø> (ø)
controllers/istio_extension_reconciler.go 87.50% <100.00%> (+4.00%) ⬆️
controllers/envoy_gateway_extension_reconciler.go 83.54% <61.53%> (-1.00%) ⬇️

... and 36 files with indirect coverage changes

@maleck13
Collaborator Author

adding an update to the OpenShift install doc

@maleck13 maleck13 force-pushed the gh-1077 branch 2 times, most recently from 3b90c00 to 7dab328 Compare December 17, 2024 10:21
@eguzki
Contributor

eguzki commented Dec 17, 2024

Have you considered doing the same for EnvoyGateway (in the EnvoyExtensionPolicy)? (Not asking to do so...)

@eguzki
Contributor

eguzki commented Dec 17, 2024

I am aware that this is still in draft and design/implementation, however, I drop here some verification steps that should work regardless of the implementation being done.

Verification Steps

make local-env-setup
  • write credentials
kubectl create secret docker-registry wasm-plugin-pull-secret  -n gateway-system --docker-server=registry.redhat.io --docker-username="*****" --docker-password="****"
  • run the operator manually with a custom wasm-server image from an authenticated registry.
PROTECTED_REGISTRY=registry.redhat.io RELATED_IMAGE_WASMSHIM=registry.redhat.io/rhcl-1/wasm-shim-rhel9@sha256:458a5ff405922b20142416993f486d22ea23d375f9ef4fc239a42f00649129e4 make run
  • Request an instance of Kuadrant:
kubectl -n kuadrant-system apply -f - <<EOF
apiVersion: kuadrant.io/v1beta1
kind: Kuadrant
metadata:
  name: kuadrant
spec: {}
EOF
  • Deploy toystore
kubectl apply -f examples/toystore/toystore.yaml

Create a HTTPRoute to route traffic to the service via Istio Ingress Gateway:

kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: toystore
spec:
  parentRefs:
  - name: kuadrant-ingressgateway
    namespace: gateway-system
  hostnames:
  - api.toystore.com
  rules:
  - matches:
    - method: GET
      path:
        type: PathPrefix
        value: "/toys"
    backendRefs:
    - name: toystore
      port: 80
  - matches: # it has to be a separate HTTPRouteRule so we do not rate limit other endpoints
    - method: POST
      path:
        type: Exact
        value: "/toys"
    backendRefs:
    - name: toystore
      port: 80
EOF

Export the gateway hostname and port:

export INGRESS_HOST=$(kubectl get gtw kuadrant-ingressgateway -n gateway-system -o jsonpath='{.status.addresses[0].value}')
export INGRESS_PORT=$(kubectl get gtw kuadrant-ingressgateway -n gateway-system -o jsonpath='{.spec.listeners[?(@.name=="http")].port}')
export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT

Verify the route works:

curl -H 'Host: api.toystore.com' http://$GATEWAY_URL/toys -i
# HTTP/1.1 200 OK
  • Enforce auth policy on the Toy Store API
kubectl apply -f - <<EOF
apiVersion: kuadrant.io/v1
kind: AuthPolicy
metadata:
  name: toystore-authn
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: toystore
  defaults:
    strategy: merge
    rules:
      authentication:
        "api-key-authn":
          apiKey:
            selector:
              matchLabels:
                app: toystore
          credentials:
            authorizationHeader:
              prefix: APIKEY
EOF
  • Check the wasm plugin has been created and it has an image pull secret configured
kubectl get wasmplugin kuadrant-kuadrant-ingressgateway -n gateway-system -o jsonpath="{.spec.imagePullSecret}"

It should return

wasm-plugin-pull-secret

Verify the route works:

curl -H 'Host: api.toystore.com' http://$GATEWAY_URL/toys -i
# HTTP/1.1 401 Unauthorized
  • Verify the wasmplugin is reconciled

Stop the operator with CTRL-C, then run it again with defaults (wasm image from public registry quay.io)

make run
  • Check wasm plugin URL has been updated
kubectl get wasmplugin kuadrant-kuadrant-ingressgateway -n gateway-system -o jsonpath="{.spec.url}"
  • Check wasm plugin imagePullSecret has been reset to avoid conflicts with pull secrets when using unauthenticated registry.
kubectl get wasmplugin kuadrant-kuadrant-ingressgateway -n gateway-system -o jsonpath="{.spec.imagePullSecret}"

Verify the route works:

curl -H 'Host: api.toystore.com' http://$GATEWAY_URL/toys -i
# HTTP/1.1 401 Unauthorized

@maleck13 maleck13 marked this pull request as ready for review December 17, 2024 15:21
@maleck13
Collaborator Author

@trepel FYI pull secret update

@maleck13
Collaborator Author

@smccarthy-ie FYI pull secret change

@maleck13 maleck13 changed the title draft accept wasm pull secret as env var Use WASM pull secret if protected registry Dec 17, 2024
@eguzki
Contributor

eguzki commented Dec 17, 2024

Verification steps working like a charm for Istio and EnvoyGateway 🎖️

Contributor

@eguzki eguzki left a comment


LGTM

@eguzki
Contributor

eguzki commented Dec 17, 2024

@maleck13 One thing I found, worth mentioning, is that the imagePullSecret field is not reconciled, so if the operator is restarted with a new wasm shim image from a "public" registry (like https://quay.io/repository/kuadrant/wasm-shim), the imagePullSecret field is not set to empty or null.
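
The decision that the verification steps above exercise, and the gap this comment points out, written out as an added Go illustration (not the operator's code, and not part of this thread): set spec.imagePullSecret only when the wasm shim image is hosted on PROTECTED_REGISTRY, and clear it again when the operator is restarted against a public registry such as quay.io, so a stale secret never travels with an unauthenticated pull. WasmPluginSpec, Registry, DesiredPullSecret, PinnedByDigest and Reconcile are assumed names; the oci:// prefix on spec.url follows Istio's WasmPlugin convention; the image reference and secret name are the ones used in the verification steps.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// WasmPluginSpec mirrors the two WasmPlugin fields the verification steps
// inspect (spec.url and spec.imagePullSecret). Constructed for this example;
// it is not the operator's own type.
type WasmPluginSpec struct {
	URL             string
	ImagePullSecret string
}

// Image reference from the verification steps (digest-pinned, protected registry).
const exampleShim = "registry.redhat.io/rhcl-1/wasm-shim-rhel9@sha256:458a5ff405922b20142416993f486d22ea23d375f9ef4fc239a42f00649129e4"

// Registry returns the registry host of an image reference, with or without
// an "oci://" scheme. Short names with no host ("wasm-shim:latest") yield "".
func Registry(image string) string {
	if strings.Contains(image, "://") {
		u, err := url.Parse(image)
		if err != nil {
			return ""
		}
		return u.Host
	}
	first, _, found := strings.Cut(image, "/")
	if !found {
		return ""
	}
	// A registry host has a dot or a port; anything else is a Docker Hub style short name.
	if !strings.Contains(first, ".") && !strings.Contains(first, ":") && first != "localhost" {
		return ""
	}
	return first
}

// PinnedByDigest reports whether the reference is pinned to a sha256 digest,
// which is what keeps the shim that is loaded into the gateway from silently
// changing under a mutable tag.
func PinnedByDigest(image string) bool {
	_, digest, found := strings.Cut(image, "@sha256:")
	if !found || len(digest) != 64 {
		return false
	}
	for _, c := range digest {
		if !strings.ContainsRune("0123456789abcdef", c) {
			return false
		}
	}
	return true
}

// DesiredPullSecret is the secret name the plugin should carry: the configured
// secret when the image lives in the protected registry, otherwise "" so that
// no credential is attached to pulls from a public registry.
func DesiredPullSecret(image, protectedRegistry, secretName string) string {
	if protectedRegistry == "" || secretName == "" {
		return ""
	}
	if Registry(image) == protectedRegistry {
		return secretName
	}
	return ""
}

// Reconcile computes the spec the plugin should have and reports whether the
// existing object differs. Clearing a stale secret after the operator moved to
// a public registry counts as drift, which is the case the comment above found.
func Reconcile(existing WasmPluginSpec, image, protectedRegistry, secretName string) (WasmPluginSpec, bool) {
	desired := WasmPluginSpec{
		URL:             "oci://" + strings.TrimPrefix(image, "oci://"),
		ImagePullSecret: DesiredPullSecret(image, protectedRegistry, secretName),
	}
	return desired, desired != existing
}

func main() {
	// First run: PROTECTED_REGISTRY=registry.redhat.io with the pinned shim image.
	spec, _ := Reconcile(WasmPluginSpec{}, exampleShim, "registry.redhat.io", "wasm-plugin-pull-secret")
	fmt.Printf("protected registry: %+v (pinned: %v)\n", spec, PinnedByDigest(exampleShim))

	// Operator restarted with defaults: public quay.io image, no protected registry.
	spec, changed := Reconcile(spec, "quay.io/kuadrant/wasm-shim:latest", "", "")
	fmt.Printf("after restart: %+v, update needed: %v\n", spec, changed)
}
```

Reconcile is pure, so the same function can drive both the create path and the update path; a controller that only sets imagePullSecret on create, and never compares it afterwards, is exactly what left the stale secret in place in the first revision of this PR.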

@maleck13 maleck13 force-pushed the gh-1077 branch 5 times, most recently from 43f24d2 to 800770e Compare December 18, 2024 14:28
add instructions to install guide

ensure pull secret is reconciled when changed

Signed-off-by: craig <[email protected]>

rh-pre-commit.version: 2.2.0
rh-pre-commit.check-secrets: ENABLED
@eguzki
Contributor

eguzki commented Dec 19, 2024

Updated the verification steps to cover the reconciliation when the url changes

Contributor

@eguzki eguzki left a comment


LGTM

Verification steps passed

Great work 🎖️

@maleck13 maleck13 merged commit d7d1e9f into main Dec 19, 2024
34 checks passed
@eguzki eguzki deleted the gh-1077 branch December 19, 2024 09:25
Successfully merging this pull request may close these issues.

Support protected registry when loading WASM image