Add support for ImagePullSecrets (#335)
* scaffold passing credentials through whole controller

* use proper data type

* put parseCredentialsOption into a separate function

* go mod tidy

* make linter happy

* add tests for pull_credentials helper

* test parseCredentials

* get it kinda working

* use raw API client to read secrets and skip cache
halamix2 authored Nov 6, 2024
1 parent 8d68df6 commit 14f810c
Showing 20 changed files with 493 additions and 117 deletions.
6 changes: 4 additions & 2 deletions cmd/admission/main.go
Expand Up @@ -4,13 +4,13 @@ import (
"context"
"flag"
"fmt"
"os"

"github.com/kyma-project/warden/internal/env"
"github.com/kyma-project/warden/internal/logging"
"github.com/kyma-project/warden/internal/validate"
"github.com/kyma-project/warden/internal/webhook"
"go.uber.org/zap/zapcore"
"k8s.io/apimachinery/pkg/fields"
"os"
"sigs.k8s.io/controller-runtime/pkg/cache"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/healthz"
Expand All @@ -22,6 +22,7 @@ import (
"go.uber.org/zap"
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/fields"
"k8s.io/apimachinery/pkg/runtime"
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/manager"
Expand Down Expand Up @@ -164,6 +165,7 @@ func main() {
predefinedUserAllowedRegistries := validate.ParseAllowedRegistries(appConfig.Notary.PredefinedUserAllowedRegistries)
whs.Register(admission.DefaultingPath, &ctrlwebhook.Admission{
Handler: admission.NewDefaultingWebhook(mgr.GetClient(),
mgr.GetAPIReader(),
validatorSvc, validate.NewValidatorSvcFactory(predefinedUserAllowedRegistries...),
appConfig.Admission.Timeout, appConfig.Admission.StrictMode,
decoder, logger.With("webhook", "defaulting")),
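Review bot: The new `mgr.GetAPIReader()` argument hands the webhook the uncached client, so every admission request will now perform a live Secret GET against the apiserver instead of a cache lookup, and that choice deserves a comment at the call site, e.g. `// uncached reader: pull secrets are fetched live per request rather than from the manager cache`. The webhook's ServiceAccount must then be allowed to `get` secrets in every namespace it admits pods for, which is a broad grant that should be reviewed together with the RBAC manifests (not visible on this page). `appConfig.Admission.Timeout` also has to cover that extra round trip on every request. The enclosing main() continues outside the hunk.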
1 change: 1 addition & 0 deletions cmd/operator/main.go
Expand Up @@ -131,6 +131,7 @@ func main() {

if err = (controllers.NewPodReconciler(
mgr.GetClient(),
mgr.GetAPIReader(),
mgr.GetScheme(),
podValidator,
validate.NewValidatorSvcFactory(predefinedUserAllowedRegistries...),
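Review bot: Passing `mgr.GetAPIReader()` into NewPodReconciler means every pod reconcile that resolves pull credentials does an uncached Secret GET, so apiserver load now scales with pod churn rather than being absorbed by the informer cache; if the reconciler requeues on error, a missing or forbidden Secret will keep hitting the apiserver on each retry. A one-line comment stating why the uncached reader is used, e.g. `// API reader (uncached) so pull secrets are read live and never held in the informer cache`, would make that trade-off explicit. Confirm the operator's RBAC grants `get` on secrets; that change is not visible on this page. main() continues outside the hunk.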
2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -6,6 +6,7 @@ toolchain go1.23.1

require (
github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869
github.com/docker/cli v27.1.1+incompatible
github.com/docker/distribution v2.8.3+incompatible
github.com/fsnotify/fsnotify v1.7.0
github.com/go-logr/zapr v1.3.0
Expand Down Expand Up @@ -33,7 +34,6 @@ require (
github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/distribution/reference v0.6.0 // indirect
github.com/docker/cli v27.1.1+incompatible // indirect
github.com/docker/docker-credential-helpers v0.8.1 // indirect
github.com/docker/go v1.5.1-1.0.20160303222718-d30aec9fd63c // indirect
github.com/docker/go-metrics v0.0.0-20180209012529-399ea8c73916 // indirect
18 changes: 13 additions & 5 deletions internal/admission/defaulting.go
Expand Up @@ -4,6 +4,10 @@ import (
"context"
"encoding/json"
"fmt"
"net/http"
"strings"
"time"

"github.com/kyma-project/warden/internal/annotations"
"github.com/kyma-project/warden/internal/helpers"
"github.com/kyma-project/warden/internal/validate"
Expand All @@ -13,11 +17,8 @@ import (
admissionv1 "k8s.io/api/admission/v1"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"net/http"
k8sclient "sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
"strings"
"time"
)

const (
Expand All @@ -31,17 +32,19 @@ type DefaultingWebHook struct {
userValidationSvcFactory validate.ValidatorSvcFactory
timeout time.Duration
client k8sclient.Client
reader k8sclient.Reader
decoder *admission.Decoder
baseLogger *zap.SugaredLogger
strictMode bool
}

func NewDefaultingWebhook(client k8sclient.Client,
func NewDefaultingWebhook(client k8sclient.Client, reader k8sclient.Reader,
systemValidator validate.PodValidator, userValidationSvcFactory validate.ValidatorSvcFactory,
timeout time.Duration, strictMode bool,
decoder *admission.Decoder, logger *zap.SugaredLogger) *DefaultingWebHook {
return &DefaultingWebHook{
client: client,
reader: reader,
systemValidator: systemValidator,
userValidationSvcFactory: userValidationSvcFactory,
baseLogger: logger,
Expand Down Expand Up @@ -90,7 +93,12 @@ func (w *DefaultingWebHook) handle(ctx context.Context, req admission.Request) a
}
}

result, err := validator.ValidatePod(ctx, pod, ns)
imagePullCredentials, err := helpers.GetRemotePullCredentials(ctx, w.reader, pod)
if err != nil {
return admission.Errored(http.StatusInternalServerError, err)
}

result, err := validator.ValidatePod(ctx, pod, ns, imagePullCredentials)
if err != nil {
return admission.Errored(http.StatusInternalServerError, err)
}
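Review bot: A failure in `helpers.GetRemotePullCredentials(ctx, w.reader, pod)` becomes a 500 for the whole admission request regardless of `strictMode`, so a pod referencing an imagePullSecret that does not exist (which the kubelet tolerates with a warning) would be blocked at admission if the helper reports not-found as an error; consider degrading to empty credentials with a warning log when not in strict mode. The helper receives only `pod` while the namespace is resolved separately as `ns` earlier in handle, and on CREATE requests `pod.Namespace` can be empty, so verify the Secret lookup keys on the request namespace rather than the object's metadata. Since `w.reader` is the uncached API reader this is a live Secret GET per request; a short comment on the new struct field, e.g. `// reader bypasses the manager cache; used for Secret lookups that must not be cached`, would record why both a client and a reader are kept. handle's body starts and ends outside the hunk.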
