From de4b05c2c86ccd8428ebb7f222d4ea1b24e165e6 Mon Sep 17 00:00:00 2001 From: Todd Baert Date: Mon, 3 Jun 2024 17:01:15 -0400 Subject: [PATCH] fixup: support image pull secret Signed-off-by: Todd Baert --- chart/open-feature-operator/values.yaml | 5 ++-- common/flagdproxy/flagdproxy.go | 7 +++++- common/flagdproxy/flagdproxy_test.go | 24 ++++++++++++------- config/overlays/helm/manager.yaml | 5 ++-- .../core/featureflagsource/controller_test.go | 3 ++- controllers/core/flagd/common/common.go | 15 ++++++------ controllers/core/flagd/config.go | 5 ++-- .../core/flagd/resources/deployment.go | 8 +++++-- main.go | 9 +++++-- 9 files changed, 52 insertions(+), 29 deletions(-) diff --git a/chart/open-feature-operator/values.yaml b/chart/open-feature-operator/values.yaml index 51f02454b..822cfc010 100644 --- a/chart/open-feature-operator/values.yaml +++ b/chart/open-feature-operator/values.yaml @@ -2,9 +2,8 @@ ## @section Global ## @param defaultNamespace To override the namespace use the `--namespace` flag. This default is provided to ensure that the kustomize build charts in `/templates` deploy correctly when no `namespace` is provided via the `-n` flag. defaultNamespace: open-feature-operator-system - -# -- Secrets with credentials to pull images from a private registry. Registry secret names as an array. -imagePullSecrets: [] +## @param imagePullSecret Secret containing credentials for images pulled by the operator (flagdProxyConfiguration.image, flagdConfiguration.image, controllerManager.manager.image, controllerManager.kubeRbacProxy.image). +imagePullSecret: "" ## @section Sidecar configuration sidecarConfiguration: diff --git a/common/flagdproxy/flagdproxy.go b/common/flagdproxy/flagdproxy.go index f410b5c0b..d4357615a 100644 --- a/common/flagdproxy/flagdproxy.go +++ b/common/flagdproxy/flagdproxy.go @@ -38,9 +38,10 @@ type FlagdProxyConfiguration struct { Tag string Namespace string OperatorDeploymentName string + ImagePullSecret string } -func NewFlagdProxyConfiguration(env types.EnvConfig) *FlagdProxyConfiguration { +func NewFlagdProxyConfiguration(env types.EnvConfig, imagePullSecret string) *FlagdProxyConfiguration { return &FlagdProxyConfiguration{ Image: env.FlagdProxyImage, Tag: env.FlagdProxyTag, @@ -49,6 +50,7 @@ func NewFlagdProxyConfiguration(env types.EnvConfig) *FlagdProxyConfiguration { Port: env.FlagdProxyPort, ManagementPort: env.FlagdProxyManagementPort, DebugLogging: env.FlagdProxyDebugLogging, + ImagePullSecret: imagePullSecret, } } @@ -172,6 +174,9 @@ func (f *FlagdProxyHandler) newFlagdProxyManifest(ownerReference *metav1.OwnerRe }, Spec: corev1.PodSpec{ ServiceAccountName: FlagdProxyServiceAccountName, + ImagePullSecrets: []corev1.LocalObjectReference{ + {Name: f.config.ImagePullSecret}, + }, Containers: []corev1.Container{ { Image: fmt.Sprintf("%s:%s", f.config.Image, f.config.Tag), diff --git a/common/flagdproxy/flagdproxy_test.go b/common/flagdproxy/flagdproxy_test.go index 4a2fcc8e4..112336fc3 100644 --- a/common/flagdproxy/flagdproxy_test.go +++ b/common/flagdproxy/flagdproxy_test.go @@ -19,11 +19,14 @@ import ( "sigs.k8s.io/controller-runtime/pkg/client/fake" ) +const pullSecret = "test-pullSecret" + func TestNewFlagdProxyConfiguration(t *testing.T) { + kpConfig := NewFlagdProxyConfiguration(types.EnvConfig{ FlagdProxyPort: 8015, FlagdProxyManagementPort: 8016, - }) + }, pullSecret) require.NotNil(t, kpConfig) require.Equal(t, &FlagdProxyConfiguration{ @@ -31,6 +34,7 @@ func TestNewFlagdProxyConfiguration(t *testing.T) { ManagementPort: 8016, DebugLogging: false, OperatorDeploymentName: common.OperatorDeploymentName, + ImagePullSecret: pullSecret, }, kpConfig) } @@ -44,7 +48,7 @@ func TestNewFlagdProxyConfiguration_OverrideEnvVars(t *testing.T) { FlagdProxyDebugLogging: true, } - kpConfig := NewFlagdProxyConfiguration(env) + kpConfig := NewFlagdProxyConfiguration(env, pullSecret) require.NotNil(t, kpConfig) require.Equal(t, &FlagdProxyConfiguration{ @@ -55,11 +59,12 @@ func TestNewFlagdProxyConfiguration_OverrideEnvVars(t *testing.T) { Tag: "my-tag", Namespace: "my-namespace", OperatorDeploymentName: common.OperatorDeploymentName, + ImagePullSecret: pullSecret, }, kpConfig) } func TestNewFlagdProxyHandler(t *testing.T) { - kpConfig := NewFlagdProxyConfiguration(types.EnvConfig{}) + kpConfig := NewFlagdProxyConfiguration(types.EnvConfig{}, pullSecret) require.NotNil(t, kpConfig) @@ -95,7 +100,7 @@ func TestDoesFlagdProxyExist(t *testing.T) { }, } - kpConfig := NewFlagdProxyConfiguration(env) + kpConfig := NewFlagdProxyConfiguration(env, pullSecret) require.NotNil(t, kpConfig) @@ -123,7 +128,7 @@ func TestFlagdProxyHandler_HandleFlagdProxy_ProxyExistsWithBadVersion(t *testing env := types.EnvConfig{ PodNamespace: "ns", } - kpConfig := NewFlagdProxyConfiguration(env) + kpConfig := NewFlagdProxyConfiguration(env, pullSecret) require.NotNil(t, kpConfig) @@ -182,7 +187,7 @@ func TestFlagdProxyHandler_HandleFlagdProxy_ProxyExistsWithoutLabel(t *testing.T env := types.EnvConfig{ PodNamespace: "ns", } - kpConfig := NewFlagdProxyConfiguration(env) + kpConfig := NewFlagdProxyConfiguration(env, pullSecret) require.NotNil(t, kpConfig) @@ -231,7 +236,7 @@ func TestFlagdProxyHandler_HandleFlagdProxy_ProxyExistsWithNewestVersion(t *test env := types.EnvConfig{ PodNamespace: "ns", } - kpConfig := NewFlagdProxyConfiguration(env) + kpConfig := NewFlagdProxyConfiguration(env, pullSecret) require.NotNil(t, kpConfig) @@ -275,7 +280,7 @@ func TestFlagdProxyHandler_HandleFlagdProxy_CreateProxy(t *testing.T) { FlagdProxyManagementPort: 90, FlagdProxyDebugLogging: true, } - kpConfig := NewFlagdProxyConfiguration(env) + kpConfig := NewFlagdProxyConfiguration(env, pullSecret) require.NotNil(t, kpConfig) @@ -356,6 +361,9 @@ func TestFlagdProxyHandler_HandleFlagdProxy_CreateProxy(t *testing.T) { }, Spec: corev1.PodSpec{ ServiceAccountName: FlagdProxyServiceAccountName, + ImagePullSecrets: []corev1.LocalObjectReference{ + {Name: pullSecret}, + }, Containers: []corev1.Container{ { Image: "image:tag", diff --git a/config/overlays/helm/manager.yaml b/config/overlays/helm/manager.yaml index b119d78fa..e2c48c051 100644 --- a/config/overlays/helm/manager.yaml +++ b/config/overlays/helm/manager.yaml @@ -7,10 +7,8 @@ spec: replicas: 0{{ .Values.controllerManager.replicas }} template: spec: - {{- with .Values.imagePullSecrets }} imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} + - name: "{{ .Values.imagePullSecret }}" containers: - name: manager image: "{{ .Values.controllerManager.manager.image.repository }}:{{ .Values.controllerManager.manager.image.tag }}" @@ -94,6 +92,7 @@ spec: - --sidecar-ram-limit={{ .Values.sidecarConfiguration.resources.limits.memory }} - --sidecar-cpu-request={{ .Values.sidecarConfiguration.resources.requests.cpu }} - --sidecar-ram-request={{ .Values.sidecarConfiguration.resources.requests.memory }} + - --image-pull-secret={{ .Values.imagePullSecret }} - name: kube-rbac-proxy image: "{{ .Values.controllerManager.kubeRbacProxy.image.repository }}:{{ .Values.controllerManager.kubeRbacProxy.image.tag }}" resources: diff --git a/controllers/core/featureflagsource/controller_test.go b/controllers/core/featureflagsource/controller_test.go index ea4b1e821..b1069ef83 100644 --- a/controllers/core/featureflagsource/controller_test.go +++ b/controllers/core/featureflagsource/controller_test.go @@ -27,6 +27,7 @@ func TestFeatureFlagSourceReconciler_Reconcile(t *testing.T) { testNamespace = "test-namespace" fsConfigName = "test-config" deploymentName = "test-deploy" + pullSecret = "test-pullsecret" ) tests := []struct { @@ -92,7 +93,7 @@ func TestFeatureFlagSourceReconciler_Reconcile(t *testing.T) { kpConfig := flagdproxy.NewFlagdProxyConfiguration(commontypes.EnvConfig{ FlagdProxyImage: "ghcr.io/open-feature/flagd-proxy", FlagdProxyTag: flagdProxyTag, - }) + }, pullSecret) kpConfig.Namespace = testNamespace kph := flagdproxy.NewFlagdProxyHandler( diff --git a/controllers/core/flagd/common/common.go b/controllers/core/flagd/common/common.go index 2ca793707..b66abe506 100644 --- a/controllers/core/flagd/common/common.go +++ b/controllers/core/flagd/common/common.go @@ -1,13 +1,14 @@ package resources type FlagdConfiguration struct { - FlagdPort int - OFREPPort int - SyncPort int - ManagementPort int - DebugLogging bool - Image string - Tag string + FlagdPort int + OFREPPort int + SyncPort int + ManagementPort int + DebugLogging bool + Image string + Tag string + ImagePullSecret string OperatorNamespace string OperatorDeploymentName string diff --git a/controllers/core/flagd/config.go b/controllers/core/flagd/config.go index 3b0548966..624301954 100644 --- a/controllers/core/flagd/config.go +++ b/controllers/core/flagd/config.go @@ -3,10 +3,10 @@ package flagd import ( "github.com/open-feature/open-feature-operator/common" "github.com/open-feature/open-feature-operator/common/types" - "github.com/open-feature/open-feature-operator/controllers/core/flagd/common" + resources "github.com/open-feature/open-feature-operator/controllers/core/flagd/common" ) -func NewFlagdConfiguration(env types.EnvConfig) resources.FlagdConfiguration { +func NewFlagdConfiguration(env types.EnvConfig, imagePullSecret string) resources.FlagdConfiguration { return resources.FlagdConfiguration{ Image: env.FlagdImage, Tag: env.FlagdTag, @@ -16,5 +16,6 @@ func NewFlagdConfiguration(env types.EnvConfig) resources.FlagdConfiguration { SyncPort: env.FlagdSyncPort, ManagementPort: env.FlagdManagementPort, DebugLogging: env.FlagdDebugLogging, + ImagePullSecret: imagePullSecret, } } diff --git a/controllers/core/flagd/resources/deployment.go b/controllers/core/flagd/resources/deployment.go index 285f8f285..2fe769eea 100644 --- a/controllers/core/flagd/resources/deployment.go +++ b/controllers/core/flagd/resources/deployment.go @@ -10,7 +10,7 @@ import ( api "github.com/open-feature/open-feature-operator/apis/core/v1beta1" "github.com/open-feature/open-feature-operator/common" "github.com/open-feature/open-feature-operator/common/flagdinjector" - "github.com/open-feature/open-feature-operator/controllers/core/flagd/common" + resources "github.com/open-feature/open-feature-operator/controllers/core/flagd/common" appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -95,7 +95,11 @@ func (r *FlagdDeployment) GetResource(ctx context.Context, flagd *api.Flagd) (cl } // override settings for the injected container for flagd standalone deployment mode - + deployment.Spec.Template.Spec.ImagePullSecrets = []corev1.LocalObjectReference{ + { + Name: r.FlagdConfig.ImagePullSecret, + }, + } deployment.Spec.Template.Spec.Containers[0].Image = fmt.Sprintf("%s:%s", r.FlagdConfig.Image, r.FlagdConfig.Tag) deployment.Spec.Template.Spec.Containers[0].Ports = []corev1.ContainerPort{ diff --git a/main.go b/main.go index 754efe87d..db1bd940c 100644 --- a/main.go +++ b/main.go @@ -65,6 +65,8 @@ const ( sidecarRamLimitDefault = "64M" sidecarCpuRequestDefault = "0.2" sidecarRamRequestDefault = "32M" + imagePullSecretFlagName = "image-pull-secret" + imagePullSecretDefault = "" ) var ( @@ -75,6 +77,7 @@ var ( probeAddr string verbose bool sidecarCpuLimit, sidecarRamLimit, sidecarCpuRequest, sidecarRamRequest string + imagePullSecret string ) func init() { @@ -103,6 +106,8 @@ func main() { flag.StringVar(&sidecarCpuRequest, sidecarCpuRequestFlagName, sidecarCpuRequestDefault, "sidecar CPU minimum, in cores. (500m = .5 cores)") flag.StringVar(&sidecarRamRequest, sidecarRamRequestFlagName, sidecarRamRequestDefault, "sidecar memory minimum, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024)") + flag.StringVar(&imagePullSecret, imagePullSecretFlagName, imagePullSecretDefault, "secret containing credentials to pull images.") + flag.Parse() level := zapcore.InfoLevel @@ -178,7 +183,7 @@ func main() { } kph := flagdproxy.NewFlagdProxyHandler( - flagdproxy.NewFlagdProxyConfiguration(env), + flagdproxy.NewFlagdProxyConfiguration(env, imagePullSecret), mgr.GetClient(), ctrl.Log.WithName("FeatureFlagSource FlagdProxyHandler"), ) @@ -210,7 +215,7 @@ func main() { Scheme: mgr.GetScheme(), Log: flagdControllerLogger, } - flagdConfig := flagd.NewFlagdConfiguration(env) + flagdConfig := flagd.NewFlagdConfiguration(env, imagePullSecret) if err = (&flagd.FlagdReconciler{ Client: mgr.GetClient(),