Commit
Refactor secrets linking
1. when linking secret to SA, don't add it if already present
2. unlink secret from SA upon imageRepository deletion
3. don't link secret anymore to imagePullSecrets (used for the image the pod
   is using, task/pipeline bundle image)
4. new option to clean up secret links via spec.credentials.verify-linking
   - It will link secret to service account if link is missing.
   - It will remove duplicate links of secret in service account.
   - It will remove secret from imagePullSecrets in service account.
   - It will unlink secret from service account, if secret doesn't exist (can be recreated by using 'regenerate-token').

STONEBLD-2540

Signed-off-by: Robert Cerven <[email protected]>
rcerven committed Jul 11, 2024
1 parent cec0ccb commit 70274be
Showing 7 changed files with 558 additions and 49 deletions.
23 changes: 22 additions & 1 deletion README.md
Expand Up @@ -111,7 +111,28 @@ spec:
regenerate-token: true
...
```
After token rotation, the `spec.credentials` section will be deleted and `status.credentials.generationTimestamp` updated.
After token rotation, the `spec.credentials.regenerate-token` section will be deleted and `status.credentials.generationTimestamp` updated.

---

### Verify and fix secrets links

It will link secret to service account if link is missing.
It will remove duplicate links of secret in service account.
It will remove secret from imagePullSecrets in service account.
It will unlink secret from service account, if secret doesn't exist (you can recreate secret using 'regenerate-token').
It's possible to request verification and fixing of secrets linking to service account by adding:
```yaml
...
spec:
...
credentials:
verify-linking: true
...
```
After verification, the `spec.credentials.verify-linking` section will be deleted.

---

### Error handling

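Review bot: the four lines under the new "Verify and fix secrets links" heading ("It will link secret to service account if link is missing." through "It will unlink secret from service account, if secret doesn't exist ...") have no list markers or blank lines between them, so Markdown renders them as one run-on paragraph; turn them into a bullet list, e.g. `- It will link secret to service account if link is missing.`, so each fix reads as a separate item. The change of `spec.credentials` to `spec.credentials.regenerate-token` in the token-rotation sentence is correct now that the `credentials` block also carries `verify-linking` and only the one field is cleared.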
4 changes: 4 additions & 0 deletions api/v1alpha1/imagerepository_types.go
Expand Up @@ -64,6 +64,10 @@ type ImageCredentials struct {
// Refreshes both, push and pull tokens.
// The field gets cleared after the refresh.
RegenerateToken *bool `json:"regenerate-token,omitempty"`
// VerifyLinking defines a request to verify and fix
// secret linking in pipeline service account.
// The field gets cleared after fixing.
VerifyLinking *bool `json:"verify-linking,omitempty"`
}

type Notifications struct {
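Review bot: the doc comment on `VerifyLinking` only says "verify and fix secret linking in pipeline service account"; because this text is copied verbatim into the CRD description (see the `verify-linking` entry in config/crd/bases/appstudio.redhat.com_imagerepositories.yaml), spell out what is fixed (missing link, duplicate links, removal from imagePullSecrets, unlinking of a secret that no longer exists) so `kubectl explain` shows the same behaviour the README documents. Declaring it as `*bool` with `omitempty` matches `RegenerateToken` directly above it, which is the right shape for a one-shot request field.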
5 changes: 5 additions & 0 deletions api/v1alpha1/zz_generated.deepcopy.go

Some generated files are not rendered by default.

5 changes: 5 additions & 0 deletions config/crd/bases/appstudio.redhat.com_imagerepositories.yaml
Expand Up @@ -50,6 +50,11 @@ spec:
accessing credentials. Refreshes both, push and pull tokens.
The field gets cleared after the refresh.
type: boolean
verify-linking:
description: VerifyLinking defines a request to verify and fix
secret linking in pipeline service account. The field gets cleared
after fixing.
type: boolean
type: object
image:
description: Requested image repository configuration.
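Review bot: this `verify-linking` description is the generated copy of the Go comment on `VerifyLinking`, so any rewording in api/v1alpha1/imagerepository_types.go has to be followed by regenerating this file together with api/v1alpha1/zz_generated.deepcopy.go, otherwise the CRD and the Go type drift apart. `type: boolean` with no default is consistent with the `regenerate-token` property above, so the field stays unset until a user explicitly requests the verification.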
