Copy pull secrets to SA for eventshub (#615)
Co-authored-by: Martin Gencur <[email protected]>
knative-prow-robot and mgencur authored Oct 19, 2023

1 parent e52650f commit 7d36fe9
Showing 3 changed files with 49 additions and 4 deletions.
20 changes: 17 additions & 3 deletions pkg/environment/namespace.go
@@ -122,12 +122,26 @@ func (mr *MagicEnvironment) CreateNamespaceIfNeeded() error {
return fmt.Errorf("error copying the image pull Secret: %s", err)
}

_, err = c.CoreV1().ServiceAccounts(mr.namespace).Patch(context.Background(), sa.Name, types.StrategicMergePatchType,
[]byte(`{"imagePullSecrets":[{"name":"`+mr.imagePullSecretName+`"}]}`), metav1.PatchOptions{})
for _, secret := range sa.ImagePullSecrets {
if secret.Name == mr.imagePullSecretName {
return nil
}
}

// Prevent overwriting existing imagePullSecrets
patch := `[{"op":"add","path":"/imagePullSecrets/-","value":{"name":"` + mr.imagePullSecretName + `"}}]`
if len(sa.ImagePullSecrets) == 0 {
patch = `[{"op":"add","path":"/imagePullSecrets","value":[{"name":"` + mr.imagePullSecretName + `"}]}]`
}

_, err = c.CoreV1().ServiceAccounts(mr.namespace).Patch(context.Background(), sa.Name, types.JSONPatchType,
[]byte(patch), metav1.PatchOptions{})
if err != nil {
return fmt.Errorf("patch failed on NS/SA (%s/%s): %s", mr.namespace, sa.Name, err)
return fmt.Errorf("patch failed on NS/SA (%s/%s): %w",
mr.namespace, sa.Name, err)
}
}

return nil
}
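Review bot: The JSON Patch document is built by concatenating `mr.imagePullSecretName` into a string literal, so the name is never JSON-escaped and a value containing a quote or backslash produces a malformed or differently shaped patch. Marshal the name first, `nameJSON, err := json.Marshal(mr.imagePullSecretName)`, and splice `string(nameJSON)` in place of the hand-quoted name in both patch strings; this needs `encoding/json`, and the import block is outside the hunk. The ServiceAccount is also read once into `sa` and patched later, so a change made by another actor between the two calls can make the `/imagePullSecrets/-` append fail or add a duplicate entry; a retry that re-reads the ServiceAccount would cover that. CreateNamespaceIfNeeded begins outside the hunk, so whether the early `return nil` inside the loop skips anything else cannot be judged from here.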

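--- a/pkg/eventshub/rbac/100-sa.yaml
+++ b/pkg/eventshub/rbac/100-sa.yaml
@@ -17,3 +17,9 @@ kind: ServiceAccount
 metadata:
 name: {{ .name }}
 namespace: {{ .namespace }}
+{{ if .withPullSecrets }}
+imagePullSecrets:
+{{ range $_, $value := .withPullSecrets.secrets }}
+- name: {{ $value }}
+{{ end }}
+{{ end }}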
27 changes: 26 additions & 1 deletion pkg/eventshub/rbac/rbac.go
@@ -21,6 +21,9 @@ import (
"embed"

apierrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
kubeclient "knative.dev/pkg/client/injection/kube/client"
"knative.dev/reconciler-test/pkg/environment"

"knative.dev/reconciler-test/pkg/feature"
"knative.dev/reconciler-test/pkg/manifest"
@@ -30,11 +33,33 @@ import (
var templates embed.FS

// Install creates the necessary ServiceAccount, Role, RoleBinding for the eventshub.
// The resources are named according to the current namespace defined in the environment.
func Install(cfg map[string]interface{}) feature.StepFn {
return func(ctx context.Context, t feature.T) {
WithPullSecrets(ctx, t)(cfg)
if _, err := manifest.InstallYamlFS(ctx, templates, cfg); err != nil && !apierrors.IsAlreadyExists(err) {
t.Fatal(err)
}
}
}

func WithPullSecrets(ctx context.Context, t feature.T) manifest.CfgFn {
namespace := environment.FromContext(ctx).Namespace()
serviceAccount, err := kubeclient.Get(ctx).CoreV1().ServiceAccounts(namespace).Get(ctx, "default", metav1.GetOptions{})
if err != nil {
t.Fatalf("Failed to read default SA in %s namespace: %v", namespace, err)
}

return func(cfg map[string]interface{}) {
if len(serviceAccount.ImagePullSecrets) == 0 {
return
}
if _, set := cfg["withPullSecrets"]; !set {
cfg["withPullSecrets"] = map[string]interface{}{}
}
withPullSecrets := cfg["withPullSecrets"].(map[string]interface{})
withPullSecrets["secrets"] = []string{}
for _, secret := range serviceAccount.ImagePullSecrets {
withPullSecrets["secrets"] = append(withPullSecrets["secrets"].([]string), secret.Name)
}
}
}
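Review bot: The closure returned by WithPullSecrets writes into `cfg` and type-asserts `cfg["withPullSecrets"]` and `withPullSecrets["secrets"]` without checks. If any caller passes a nil map to Install, the first write panics once the default ServiceAccount carries imagePullSecrets, and a caller-supplied `withPullSecrets` of another type panics at the assertion instead of failing the test with a message. Guarding the nil map in Install and using the two-value assertion form with `t.Fatalf` avoids both; collecting the names into a local slice also removes the per-iteration assertion. WithPullSecrets is exported without a doc comment; one stating that it copies the imagePullSecrets names of the namespace's "default" ServiceAccount into `cfg["withPullSecrets"]["secrets"]`, replacing any existing value, would help callers.

```go
func Install(cfg map[string]interface{}) feature.StepFn {
	return func(ctx context.Context, t feature.T) {
		if cfg == nil {
			// WithPullSecrets writes into cfg; a nil map cannot be written to.
			cfg = map[string]interface{}{}
		}
		WithPullSecrets(ctx, t)(cfg)
		// … unchanged: manifest.InstallYamlFS call and error check …
	}
}

// … unchanged: WithPullSecrets signature and default ServiceAccount lookup …
	return func(cfg map[string]interface{}) {
		// … unchanged: early return when there are no imagePullSecrets …
		names := make([]string, 0, len(serviceAccount.ImagePullSecrets))
		for _, secret := range serviceAccount.ImagePullSecrets {
			names = append(names, secret.Name)
		}
		withPullSecrets := map[string]interface{}{}
		if existing, set := cfg["withPullSecrets"]; set {
			m, ok := existing.(map[string]interface{})
			if !ok {
				t.Fatalf("withPullSecrets has unexpected type %T", existing)
			}
			withPullSecrets = m
		}
		withPullSecrets["secrets"] = names
		cfg["withPullSecrets"] = withPullSecrets
	}
```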
