✨ Support serviceaccount pull secrets #2005

tmshort · 2025-06-03T19:39:49Z

Serviceaccounts reference pull secrets!

Determine our serviceaccount (via the new internal/shared/util/sa package).
Use a common pull_secret_controller
Update the pull_secret_controller to know about the service account
Update the pull_secret_controller to watch the namespace-local secrets
Update caching to include sa, and use filters for additional secrets
Add RBAC to access these secrets and sa
Update writing the auth.json file to handle dockercfg and dockerconfigjson
Update writing the auth.json file to include multiple secrets

Description

Reviewer Checklist

API Go Documentation
Tests: Unit Tests (and E2E Tests, if appropriate)
Comprehensive Commit Messages
Links to related GitHub Issue(s)

netlify · 2025-06-03T19:39:54Z

✅ Deploy Preview for olmv1 ready!

Name	Link
🔨 Latest commit	`f53a858`
🔍 Latest deploy log	https://app.netlify.com/projects/olmv1/deploys/684b42424d4a820008369179
😎 Deploy Preview	https://deploy-preview-2005--olmv1.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

codecov · 2025-06-03T20:19:20Z

Codecov Report

Attention: Patch coverage is 66.25514% with 82 lines in your changes missing coverage. Please review.

Project coverage is 73.55%. Comparing base (8f81c23) to head (de52a82).
Report is 9 commits behind head on main.

Files with missing lines	Patch %	Lines
...ernal/shared/controllers/pull_secret_controller.go	66.66%	38 Missing and 11 partials ⚠️
cmd/catalogd/main.go	54.16%	7 Missing and 4 partials ⚠️
cmd/operator-controller/main.go	54.16%	7 Missing and 4 partials ⚠️
...nal/shared/util/pullsecretcache/pullsecretcache.go	72.41%	7 Missing and 1 partial ⚠️
internal/shared/util/sa/serviceaccount.go	84.21%	2 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2005      +/-   ##
==========================================
+ Coverage   69.17%   73.55%   +4.37%     
==========================================
  Files          79       80       +1     
  Lines        7037     7146     +109     
==========================================
+ Hits         4868     5256     +388     
+ Misses       1887     1565     -322     
- Partials      282      325      +43

Flag	Coverage Δ
e2e	`44.10% <42.79%> (+1.09%)`	⬆️
unit	`59.82% <32.09%> (-0.24%)`	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

tmshort · 2025-06-04T02:34:06Z

/hold
Until I do some additional manual testing.

tmshort · 2025-06-04T02:34:23Z

/approve

tmshort · 2025-06-04T21:46:43Z

/unhold

config/base/catalogd/rbac/role.yaml

internal/shared/controllers/pull_secret_controller.go

joelanford · 2025-06-06T17:37:39Z

internal/shared/controllers/pull_secret_controller.go

+	AuthFilePath              string
+}
+
+func (r *PullSecretReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {


Is req used anywhere other than logging? If not, I think I'd suggest dropping it (e.g. rename to _). And changing the logging to just generically say something like "reconciling pull secrets".

The name/namespace of the request without the type info might be a little confusing to show up in the log. But maybe we could log the events that pass our predicate in our predicate where we do have type information. That way there's still detail about what is causing our reconciler to be triggered?

Interestingly... the logger has a lot of additional information added to it, so you can tell what type of resource triggered the event, I wrapped the log below to make it easier to read:

I0606 18:43:42.641045 1 pull_secret_controller.go:113] "found secret" logger="pull-secret-reconciler" controller="service-account-controller" controllerGroup="" controllerKind="ServiceAccount" ServiceAccount="olmv1-system/operator-controller-controller-manager" reconcileID="26404229-a2d3-495d-86ee-0da390a1e8f4" name="pull-dockercfg" namespace="olmv1-system"

And when a pull secret is modified:

I0606 18:58:10.831129 1 pull_secret_controller.go:113] "found secret" logger="pull-secret-reconciler" controller="pull-secret-controller" controllerGroup="" controllerKind="Secret" Secret="olmv1-system/pull-dockercfg" reconcileID="a783ca58-0213-4fe3-a19d-3ed7ca21f5ae" name="pull-dockercfg" namespace="olmv1-system"

joelanford · 2025-06-06T17:39:15Z

internal/shared/controllers/pull_secret_controller.go

+	_, err := ctrl.NewControllerManagedBy(mgr).
+		For(&corev1.Secret{}).
+		Named("pull-secret-controller").
+		WithEventFilter(newSecretPredicate(r)).
+		Build(r)
+	if err != nil {
+		return err
+	}
+
+	_, err = ctrl.NewControllerManagedBy(mgr).
+		For(&corev1.ServiceAccount{}).
+		Named("service-account-controller").
+		WithEventFilter(newNamespacedPredicate(r.ServiceAccountKey)).
+		Build(r)


I don't think I'd setup two separate controllers. IIRC, there's a way to have a single controller with multiple watches. You may need to drop down to the lower-level controller package though (can't remember if For is required).

TBH, having two controllers actually seems the cleanest, in that we get different invocations that recognize ServiceAccount vs. Secret, and it's clear what triggered the reconcile (i.e. the logger clearly indicates what resource is the trigger). With a single controller, we have to somehow map the ServiceAccount to a set of Secrets (which we may not yet know about yet), which feels kinda kludgy. Otherwise, the Secret controller is getting a ServiceAccount for the request, rather than a Secret.

tmshort · 2025-06-06T18:26:17Z

lint doesn't like my logging trick...

camilamacedo86 · 2025-06-10T16:29:24Z

cmd/catalogd/main.go

+		setupLog.Error(err, "Unable to get pod namesapce and serviceaccount")
+		return err


Suggested change

setupLog.Error(err, "Unable to get pod namesapce and serviceaccount")

return err

setupLog.Error(err, "Failed to extract namespace/serviceaccount from JWT token")

return fmt.Errorf("failed to get service account identity from token: %w", err)

It's a bit redundant to wrap the error, since it's also logged.

camilamacedo86 · 2025-06-10T16:30:00Z

cmd/catalogd/main.go

+		return err
+	}
+
+	setupLog.Info("Read token", "serviceaccount", saKey)


Suggested change

setupLog.Info("Read token", "serviceaccount", saKey)

if saKey.Namespace == "" || saKey.Name == "" {

setupLog.Error(nil, "Extracted service account name or namespace is empty", "saKey", saKey)

return fmt.Errorf("invalid service account identity extracted: %v", saKey)

}

setupLog.Info("Successfully extracted serviceaccount identity from token", "namespace", saKey.Namespace, "name", saKey.Name)

There's no point in checking for an empty name or namespace, as the sautil.GetServiceAccount() function should (will) error out if both can't be retrieved.

camilamacedo86 · 2025-06-10T16:31:42Z

cmd/operator-controller/main.go

+		return err
+	}
+
+	setupLog.Info("Read token", "serviceaccount", saKey)


The block below appears identical in both cmd/catalogd/main.go and cmd/operator-controller/main.go.
Could we move this logic into a helper function under pkg/shared/util/sa and call it from both main.go files? That would reduce duplication and help with future changes

Yup, I can try to consolidate a bit.

camilamacedo86

Just a few suggestions on possible improvements, mostly around structuring and reusability — nothing blocking though.

The overall implementation looks good for me.
Great work! 🎉

Otherwise, all good from my side — LGTM

Serviceaccounts reference pull secrets! * Determine our serviceaccount (via the new internal/shared/util/sa package). * Use a common pull_secret_controller * Update the pull_secret_controller to know about the service account * Update the pull_secret_controller to watch the namespace-local secrets * Update caching to include sa, and use filters for additional secrets * Add RBAC to access these secrets and sa * Update writing the auth.json file to handle dockercfg and dockerconfigjson * Update writing the auth.json file to include multiple secrets Signed-off-by: Todd Short <[email protected]>

Signed-off-by: Todd Short <[email protected]>

camilamacedo86 · 2025-06-12T21:34:58Z

/lgtm

openshift-ci · 2025-06-12T21:35:24Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: camilamacedo86, joelanford, tmshort

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [camilamacedo86,joelanford,tmshort]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

tmshort requested a review from a team as a code owner June 3, 2025 19:39

openshift-ci bot requested a review from oceanc80 June 3, 2025 19:39

openshift-ci bot requested a review from OchiengEd June 3, 2025 19:39

tmshort force-pushed the use-sa-pull-secret branch from d09d1b8 to 26246b6 Compare June 3, 2025 20:10

openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 4, 2025

openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 4, 2025

tmshort force-pushed the use-sa-pull-secret branch 2 times, most recently from 11579bc to 1c0e4dd Compare June 4, 2025 18:05

openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 4, 2025