Feature/multi pull secrets #83
Conversation
… by one when necessary
github-actions
bot
added
the
size/L
|
@derkoe can you also please take a look at my implementation |
There was a problem hiding this comment.
Thanks for your PR @steelion, much appreciated.
This fits the needs for my proposed solution of #76 (comment).
The main topics about my comments:
- The name of the parameter
- The structure of the
ContainerImagestruct. - The iteration through the secrets: The struct always has to be "valid", so no
niland empty states should be there before the iteration through the secrets has started. - The reason for this: The "Job-Image"-Feature from the 0.10.0 release must not break. (see the
jobpackage and thejob-imagesfolder for details) There are two possibilities:- The serialized job-config still only use the first secret
- The
imageConfigstruct has to be changed to hold multiple secrets, which also needs changes to thevcnandcasjob-imageentrypoint.shfiles.
For now: We should be fine with the first option for the job-feature.
If you need help, please contact me, I can support you by integrating this PR 😉
internal/kubernetes/kubernetes.go
Outdated
| sbomOperatorNamespace, _, err = kubeConfig.Namespace() | ||
| if err != nil { | ||
| logrus.WithError(err).Fatal("namespace could not be read!") | ||
| } |
There was a problem hiding this comment.
I'm not sure if the namespace of the in-cluster kubeconfig is always correct here.
Please use the POD_NAMESPACE environment variable here (as already used in the job-package).
With this the job package can be refactored a bit, as the namespace is than already known from the kubernetes package and the parameter from CreateJob and CreateJobSecret could be removed.
The POD_NAMESPACE env-variable is than mandatory for the manifests and th helm-chart.
There was a problem hiding this comment.
sbom-operator is now using only the POD_NAMESPACE env variable for fetching the fallback secret
but i tried it to be no breaking change. in case POD_NAMESPACES is not set, the fallbacksecret will not be read, and a debug message tells the user every time that this env-var should be set too.
unfortunately i had no time yet to check where to get the own namespace reliably.
There was a problem hiding this comment.
The log-message is good, but please use Debug instead of Info.
There was a problem hiding this comment.
Just saw the Debug message below in the logic, please remove one of them and use Debug level for the other.
There was a problem hiding this comment.
kept the debug message in LoadImageInfos function, because only at this point the variable is really needed
- refactor the ContainerImage struct. - refactor secrets iteration
|
I refactored the code a bit to not break the job-images and to make sure to meet your criteria (at least i hope so) 😉 |
There was a problem hiding this comment.
Hi @steelion,
sorry for the delay. I have another bunch of comments for you. The logic in general looks is good, but there are some circumstances which need further improvements.
internal/config.go
Outdated
| @@ -21,4 +21,5 @@ var ( | |||
| ConfigKeyJobImage = "job-image" | |||
| ConfigKeyJobImagePullSecret = "job-image-pull-secret" | |||
| ConfigKeyJobTimeout = "job-timeout" | |||
| ConfigKeyCustomGlobalPullSecret = "custom-global-pull-secret" | |||
There was a problem hiding this comment.
sure - missed that with the previous commit :(
internal/kubernetes/kubernetes.go
Outdated
| sbomOperatorNamespace, _, err = kubeConfig.Namespace() | ||
| if err != nil { | ||
| logrus.WithError(err).Fatal("namespace could not be read!") | ||
| } |
There was a problem hiding this comment.
The log-message is good, but please use Debug instead of Info.
internal/kubernetes/kubernetes.go
Outdated
| @@ -88,6 +100,7 @@ func (client *KubeClient) listPods(namespace, labelSelector string) ([]corev1.Po | |||
| func (client *KubeClient) LoadImageInfos(namespaces []corev1.Namespace, podLabelSelector string) (map[string]ContainerImage, []ContainerImage) { | |||
| images := map[string]ContainerImage{} | |||
| allImages := []ContainerImage{} | |||
| allImageCreds := []KubeCreds{} | |||
There was a problem hiding this comment.
Why this is declared outside the loop?
internal/kubernetes/kubernetes.go
Outdated
| sbomOperatorNamespace, _, err = kubeConfig.Namespace() | ||
| if err != nil { | ||
| logrus.WithError(err).Fatal("namespace could not be read!") | ||
| } |
There was a problem hiding this comment.
Just saw the Debug message below in the logic, please remove one of them and use Debug level for the other.
main.go
Outdated
| @@ -62,6 +62,7 @@ func init() { | |||
| rootCmd.PersistentFlags().String(internal.ConfigKeyKubernetesClusterId, "default", "Kubernetes Cluster ID") | |||
| rootCmd.PersistentFlags().String(internal.ConfigKeyJobImage, "", "Custom Job-Image") | |||
| rootCmd.PersistentFlags().String(internal.ConfigKeyJobImagePullSecret, "", "Custom Job-Image-Pull-Secret") | |||
| rootCmd.PersistentFlags().String(internal.ConfigKeyCustomGlobalPullSecret, "", "Custom Global-Pull-Secret") | |||
There was a problem hiding this comment.
Please rename the display-name.
There was a problem hiding this comment.
sure - missed that with the previous commit :(
internal/registry/registry.go
Outdated
| if len(image.Auth) > 0 { | ||
| cfg, err := ResolveAuthConfig(image) | ||
| empty := types.AuthConfig{} | ||
| for pullSecretIndex, pullSecret := range image.PullSecrets { |
There was a problem hiding this comment.
This logic is good in general, except the fact that it assumes, that there is always at least one pull-secret. That's wrong. The pull-secrets are always optional.
There was a problem hiding this comment.
yeah - you are right
made some changes to the pullSecret iteration handling
There was a problem hiding this comment.
one commit is still missing (returning error instead of nil when necessary)
There was a problem hiding this comment.
done
the pullsecret handling should work now and i added some tests
internal/registry/registry.go
Outdated
| return err | ||
| } | ||
| if len(pullSecret.SecretCredsData) > 0 { | ||
| cfg, err := ResolveAuthConfigWithPullSecretIndex(image, pullSecretIndex) |
There was a problem hiding this comment.
Please directly use the pullSecret here instead of accessing it with the index.
There was a problem hiding this comment.
made some changes to the pullSecret iteration handling
internal/registry/registry.go
Outdated
|
|
||
| func ResolveAuthConfig(image kubernetes.ContainerImage) (types.AuthConfig, error) { | ||
| // to not break JobImages this function needs to redirect to the actual resolve-function | ||
| return ResolveAuthConfigWithPullSecretIndex(image, 0) |
There was a problem hiding this comment.
You have to return an empty types.AuthConfig, if there are no pull-secrets the ResolveAuthConfigWithPullSecretIndex will panic.
| @@ -55,7 +55,8 @@ func marshalCyclonedx(t *testing.T, x interface{}) string { | |||
| func testJsonSbom(t *testing.T, name, imageID string) { | |||
| format := "json" | |||
| s := syft.New(format).WithVersion("v9.9.9") | |||
| sbom, err := s.ExecuteSyft(kubernetes.ContainerImage{ImageID: imageID, Auth: []byte{}}) | |||
| sbom, err := s.ExecuteSyft(kubernetes.ContainerImage{ImageID: imageID, PullSecrets: []kubernetes.KubeCreds{{SecretName: "syft-test-creds", SecretCredsData: []byte{}}}}) | |||
|
|
|||
There was a problem hiding this comment.
Please use an empty PullSecrets slice for at least one test-case.
always return allImageCreds removed unnecessary error message from log-message removed unnecessary info message
ckotzbauer
added
the
kind/feature
update testcases for registry and syft-analysis
adds the feature to use multiple pull-secrets from the k8s pods
additionally there is a possibility to specify a particular pull secret that is used in case all pull secrets from the pods are failing (the global custom pull secret must be in the same namespace as the sbom-operator itself)