[Refactor] Remove imagepulldockerconfigfile parameter (#1427)

stackrox · Nov 2, 2023 · 3418a46 · 3418a46
1 parent 0d37c23
commit 3418a46
Show file tree

Hide file tree

Showing 19 changed files with 22 additions and 917 deletions.
diff --git a/.secrets.baseline b/.secrets.baseline
@@ -533,7 +533,7 @@
         "filename": "templates/service-template.yml",
         "hashed_secret": "9d51dabe59aa776bef2909d3689374ebb93ab2be",
         "is_verified": false,
-        "line_number": 742
+        "line_number": 741
       }
     ],
     "test/support/certs.json": [
@@ -564,5 +564,5 @@
       }
     ]
   },
-  "generated_at": "2023-10-26T17:49:33Z"
+  "generated_at": "2023-11-01T12:16:42Z"
 }
diff --git a/Makefile b/Makefile
@@ -604,7 +604,6 @@ secrets/touch:
           secrets/central-tls.crt \
           secrets/central-tls.key \
           secrets/central.idp-client-secret \
-          secrets/image-pull.dockerconfigjson \
           secrets/observability-config-access.token \
           secrets/ocm-service.clientId \
           secrets/ocm-service.clientSecret \
@@ -717,7 +716,6 @@ deploy/secrets:
 		-p CENTRAL_TLS_CERT="$(shell ([ -s './secrets/central-tls.crt' ] && [ -z '${CENTRAL_TLS_CERT}' ]) && cat ./secrets/central-tls.crt || echo '${CENTRAL_TLS_CERT}')" \
 		-p CENTRAL_TLS_KEY="$(shell ([ -s './secrets/central-tls.key' ] && [ -z '${CENTRAL_TLS_KEY}' ]) && cat ./secrets/central-tls.key || echo '${CENTRAL_TLS_KEY}')" \
 		-p OBSERVABILITY_CONFIG_ACCESS_TOKEN="$(shell ([ -s './secrets/observability-config-access.token' ] && [ -z '${OBSERVABILITY_CONFIG_ACCESS_TOKEN}' ]) && cat ./secrets/observability-config-access.token || echo '${OBSERVABILITY_CONFIG_ACCESS_TOKEN}')" \
-		-p IMAGE_PULL_DOCKER_CONFIG="$(shell ([ -s './secrets/image-pull.dockerconfigjson' ] && [ -z '${IMAGE_PULL_DOCKER_CONFIG}' ]) && cat ./secrets/image-pull.dockerconfigjson || echo '${IMAGE_PULL_DOCKER_CONFIG}')" \
 		-p KUBE_CONFIG="${KUBE_CONFIG}" \
 		-p OBSERVABILITY_RHSSO_LOGS_CLIENT_ID="$(shell ([ -s './secrets/rhsso-logs.clientId' ] && [ -z '${OBSERVABILITY_RHSSO_LOGS_CLIENT_ID}' ]) && cat ./secrets/rhsso-logs.clientId || echo '${OBSERVABILITY_RHSSO_LOGS_CLIENT_ID}')" \
 		-p OBSERVABILITY_RHSSO_LOGS_SECRET="$(shell ([ -s './secrets/rhsso-logs.clientSecret' ] && [ -z '${OBSERVABILITY_RHSSO_LOGS_SECRET}' ]) && cat ./secrets/rhsso-logs.clientSecret || echo '${OBSERVABILITY_RHSSO_LOGS_SECRET}')" \

diff --git a/dev/env/defaults/00-defaults.env b/dev/env/defaults/00-defaults.env
@@ -45,7 +45,6 @@ export OSD_IDP_SSO_CLIENT_SECRET_DEFAULT=""
 export ROUTE53_ACCESS_KEY_DEFAULT=""
 export ROUTE53_SECRET_ACCESS_KEY_DEFAULT=""
 export OBSERVABILITY_CONFIG_ACCESS_TOKEN_DEFAULT=""
-export IMAGE_PULL_DOCKER_CONFIG_DEFAULT=""
 export SPAWN_LOGGER_DEFAULT="false"
 export DUMP_LOGS_DEFAULT="false"
 export OPERATOR_SOURCE_DEFAULT=""

diff --git a/dev/env/manifests/fleet-manager/01-fleet-manager-secrets.yaml b/dev/env/manifests/fleet-manager/01-fleet-manager-secrets.yaml
@@ -24,7 +24,6 @@ stringData:
   aws.route53accesskey: "${ROUTE53_ACCESS_KEY}"
   aws.route53secretaccesskey: "${ROUTE53_SECRET_ACCESS_KEY}"
   observability-config-access.token: "${OBSERVABILITY_CONFIG_ACCESS_TOKEN}"
-  image-pull.dockerconfigjson: "${IMAGE_PULL_DOCKER_CONFIG}"
   rhsso-logs.clientId: ""
   rhsso-logs.clientSecret: ""
   rhsso-metrics.clientId: ""

diff --git a/dev/env/scripts/lib.sh b/dev/env/scripts/lib.sh
@@ -127,7 +127,6 @@ init() {
     export ROUTE53_ACCESS_KEY=${ROUTE53_ACCESS_KEY:-$ROUTE53_ACCESS_KEY_DEFAULT}
     export ROUTE53_SECRET_ACCESS_KEY=${ROUTE53_SECRET_ACCESS_KEY:-$ROUTE53_SECRET_ACCESS_KEY_DEFAULT}
     export OBSERVABILITY_CONFIG_ACCESS_TOKEN=${OBSERVABILITY_CONFIG_ACCESS_TOKEN:-$OBSERVABILITY_CONFIG_ACCESS_TOKEN_DEFAULT}
-    export IMAGE_PULL_DOCKER_CONFIG=${IMAGE_PULL_DOCKER_CONFIG:-$IMAGE_PULL_DOCKER_CONFIG_DEFAULT}
     export INHERIT_IMAGEPULLSECRETS=${INHERIT_IMAGEPULLSECRETS:-$INHERIT_IMAGEPULLSECRETS_DEFAULT}
     export SPAWN_LOGGER=${SPAWN_LOGGER:-$SPAWN_LOGGER_DEFAULT}
     export DUMP_LOGS=${DUMP_LOGS:-$DUMP_LOGS_DEFAULT}
@@ -213,7 +212,6 @@ OSD_IDP_SSO_CLIENT_SECRET: ********
 ROUTE53_ACCESS_KEY: ********
 ROUTE53_SECRET_ACCESS_KEY: ********
 OBSERVABILITY_CONFIG_ACCESS_TOKEN: ********
-IMAGE_PULL_DOCKER_CONFIG: ${IMAGE_PULL_DOCKER_CONFIG}
 INHERIT_IMAGEPULLSECRETS: ${INHERIT_IMAGEPULLSECRETS}
 SPAWN_LOGGER: ${SPAWN_LOGGER}
 DUMP_LOGS: ${DUMP_LOGS}

diff --git a/docs/development/populating-configuration.md b/docs/development/populating-configuration.md
@@ -115,22 +115,6 @@ In the Data Plane cluster, the Central Operator and the FleetShard Deployments
 might reference container images that are located in authenticated container
 image registries.
 
-Fleet Manager can be configured to send this authenticated
-container image registry information as a K8s Secret in [`kubernetes.io/.dockerconfigjson` format](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#registry-secret-existing-credentials).
-
-In order for the Fleet Manager to be able to start, create the following file:
-```
-touch secrets/image-pull.dockerconfigjson
-```
-
-If you don't need to make use of this functionality you can skip this section.
-Otherwise, keep reading below.
-
-To configure the Fleet Manager with this authenticated registry information so
-the previously mentioned Data Plane elements can pull container images from it:
-* Base-64 encode your [Docker configuration file](https://docs.docker.com/engine/reference/commandline/cli/#docker-cli-configuration-file-configjson-properties).
-* Copy the contents generated from the previous point into the `secrets/image-pull.dockerconfigjson` file
-
 ## Setup the Observability stack secrets
 See [Obsevability](./observability/README.md) to learn more about Observatorium and the observability stack.
 The following command is used to setup the various secrets needed by the Observability stack.

diff --git a/internal/dinosaur/pkg/clusters/ocm_provider.go b/internal/dinosaur/pkg/clusters/ocm_provider.go
@@ -3,7 +3,6 @@ package clusters
 import (
 	"fmt"
 	"net/http"
-	"reflect"
 	"strings"
 
 	"github.com/stackrox/acs-fleet-manager/internal/dinosaur/pkg/clusters/types"
@@ -13,8 +12,6 @@ import (
 	clustersmgmtv1 "github.com/openshift-online/ocm-sdk-go/clustersmgmt/v1"
 	"github.com/pkg/errors"
 	"github.com/stackrox/acs-fleet-manager/pkg/api"
-	svcErrors "github.com/stackrox/acs-fleet-manager/pkg/errors"
-	"k8s.io/apimachinery/pkg/runtime"
 )
 
 const (
@@ -118,35 +115,6 @@ func (o *OCMProvider) AddIdentityProvider(clusterSpec *types.ClusterSpec, identi
 	return nil, nil
 }
 
-// ApplyResources ...
-func (o *OCMProvider) ApplyResources(clusterSpec *types.ClusterSpec, resources types.ResourceSet) (*types.ResourceSet, error) {
-	existingSyncset, err := o.ocmClient.GetSyncSet(clusterSpec.InternalID, resources.Name)
-	syncSetFound := true
-	if err != nil {
-		svcErr := svcErrors.ToServiceError(err)
-		if !svcErr.Is404() {
-			return nil, fmt.Errorf("retrieving SyncSet %s for cluster %s: %w", resources.Name, clusterSpec.InternalID, svcErr)
-		}
-		syncSetFound = false
-	}
-
-	if !syncSetFound {
-		glog.V(10).Infof("SyncSet for cluster %s not found. Creating it...", clusterSpec.InternalID)
-		_, syncsetErr := o.createSyncSet(clusterSpec.InternalID, resources)
-		if syncsetErr != nil {
-			return nil, errors.Wrapf(syncsetErr, "failed to create syncset for cluster %s", clusterSpec.InternalID)
-		}
-	} else {
-		glog.V(10).Infof("SyncSet for cluster %s already created", clusterSpec.InternalID)
-		_, syncsetErr := o.updateSyncSet(clusterSpec.InternalID, resources, existingSyncset)
-		if syncsetErr != nil {
-			return nil, errors.Wrapf(syncsetErr, "failed to update syncset for cluster %s", clusterSpec.InternalID)
-		}
-	}
-
-	return &resources, nil
-}
-
 // ScaleUp ...
 func (o *OCMProvider) ScaleUp(clusterSpec *types.ClusterSpec, increment int) (*types.ClusterSpec, error) {
 	_, err := o.ocmClient.ScaleUpComputeNodes(clusterSpec.InternalID, increment)
@@ -353,62 +321,6 @@ func (o *OCMProvider) addOpenIDIdentityProvider(clusterSpec *types.ClusterSpec,
 	return createdIdentityProvider.ID(), nil
 }
 
-func (o *OCMProvider) createSyncSet(clusterID string, resourceSet types.ResourceSet) (*clustersmgmtv1.Syncset, error) {
-	syncset, sysnsetBuilderErr := clustersmgmtv1.NewSyncset().ID(resourceSet.Name).Resources(resourceSet.Resources...).Build()
-
-	if sysnsetBuilderErr != nil {
-		return nil, errors.WithStack(sysnsetBuilderErr)
-	}
-
-	syncset, err := o.ocmClient.CreateSyncSet(clusterID, syncset)
-	if err != nil {
-		return syncset, fmt.Errorf("creating SyncSet for cluster %q: %w", clusterID, err)
-	}
-	return syncset, nil
-}
-
-func (o *OCMProvider) updateSyncSet(clusterID string, resourceSet types.ResourceSet, existingSyncset *clustersmgmtv1.Syncset) (*clustersmgmtv1.Syncset, error) {
-	syncset, sysnsetBuilderErr := clustersmgmtv1.NewSyncset().Resources(resourceSet.Resources...).Build()
-	if sysnsetBuilderErr != nil {
-		return nil, errors.WithStack(sysnsetBuilderErr)
-	}
-	if syncsetResourcesChanged(existingSyncset, syncset) {
-		glog.V(5).Infof("SyncSet for cluster %s is changed, will update", clusterID)
-		updatedSyncSet, err := o.ocmClient.UpdateSyncSet(clusterID, resourceSet.Name, syncset)
-		if err != nil {
-			return updatedSyncSet, fmt.Errorf("updating SyncSet %q for cluster %q: %w", resourceSet.Name, clusterID, err)
-		}
-		return updatedSyncSet, nil
-	}
-	glog.V(10).Infof("SyncSet for cluster %s is not changed, no update needed", clusterID)
-	return syncset, nil
-}
-
-func syncsetResourcesChanged(existing *clustersmgmtv1.Syncset, new *clustersmgmtv1.Syncset) bool {
-	if len(existing.Resources()) != len(new.Resources()) {
-		return true
-	}
-	// Here we will convert values in the Resources slice to the same type, and then compare the values.
-	// This is needed because when you use ocm.GetSyncset(), the Resources in the returned object only contains a slice of map[string]interface{} objects, because it can't convert them to concrete typed objects.
-	// So the compare if there changes, we need to make sure they are the same type first.
-	// If the type conversion doesn't work, or the converted values doesn't match, then they are not equal.
-	// This assumes that the order of objects in the Resources slice are the same in the exiting and new Syncset (which is the case as the OCM API returns the syncset resources in the same order as they posted)
-	for i, r := range new.Resources() {
-		obj := reflect.New(reflect.TypeOf(r).Elem()).Interface()
-		// Here we convert the unstructured type to the concrete type, as there is a bug in OperatorGroup type to convert it to the unstructured type
-		err := runtime.DefaultUnstructuredConverter.FromUnstructured(existing.Resources()[i].(map[string]interface{}), obj)
-		// if we can't do the type conversion, it likely means the resource has changed
-		if err != nil {
-			return true
-		}
-		if !reflect.DeepEqual(obj, r) {
-			return true
-		}
-	}
-
-	return false
-}
-
 func buildIdentityProvider(idpInfo types.OpenIDIdentityProviderInfo) (*clustersmgmtv1.IdentityProvider, error) {
 	openIdentityBuilder := clustersmgmtv1.NewOpenIDIdentityProvider().
 		ClientID(idpInfo.ClientID).