From d853cbc7ffa43660eb9a559516ad8770b61ff8d2 Mon Sep 17 00:00:00 2001
From: Andrew Keesler
Date: Thu, 24 Sep 2020 15:52:05 -0400
Subject: [PATCH] Plumb through ImagePullSecrets to agent pod

Right now in the YTT templates we assume that the agent pods are gonna use the same image as the main Pinniped deployment, so we can use the same logic for the image pull secrets.

Signed-off-by: Andrew Keesler
---
 deploy/deployment.yaml | 4 ++++
 .../controller/kubecertagent/creater_test.go | 7 ++++---
 .../controller/kubecertagent/kubecertagent.go | 16 ++++++++++++++++
 .../kubecertagent/kubecertagent_test.go | 5 +++++
 .../controllermanager/prepare_controllers.go | 7 ++++---
 pkg/config/api/types.go | 4 ++++
 pkg/config/config_test.go | 6 ++++--
 7 files changed, 41 insertions(+), 8 deletions(-)

diff --git a/deploy/deployment.yaml b/deploy/deployment.yaml
index a83c571c..2a1d5e9e 100644
--- a/deploy/deployment.yaml
+++ b/deploy/deployment.yaml
@@ -45,6 +45,10 @@ data:
 (@ else: @)
 image: (@= data.values.image_repo + ":" + data.values.image_tag @)
 (@ end @)
+ (@ if data.values.image_pull_dockerconfigjson: @)
+ imagePullSecrets:
+ - image-pull-secret
+ (@ end @)
 ---
 #@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
 apiVersion: v1
diff --git a/internal/controller/kubecertagent/creater_test.go b/internal/controller/kubecertagent/creater_test.go
index d3d809ea..430ac83a 100644
--- a/internal/controller/kubecertagent/creater_test.go
+++ b/internal/controller/kubecertagent/creater_test.go
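Review bot: The added `imagePullSecrets` block in deploy/deployment.yaml is guarded by `(@ if data.values.image_pull_dockerconfigjson: @)`, while the Secret in the next document is guarded by `data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != ""`; both guards should use the same expression so the reference and the Secret can never be rendered independently of each other. The name `image-pull-secret` is hard-coded here and has to match the Secret's `metadata.name`, which is outside the hunk. A reference to a Secret that does not exist is typically not rejected when the pod is created and only surfaces later as an image pull failure on the agent pod, so a mismatch would be easy to miss. A one-line template comment above the block recording the assumption from the commit message (agent image comes from the same registry as the Pinniped image) would help whoever later makes the agent image configurable.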
@@ -83,9 +83,10 @@ func TestCreaterControllerSync(t *testing.T) {
 // Set this at the last second to allow for injection of server override.
 subject = NewCreaterController(
 &AgentPodConfig{
- Namespace: agentPodNamespace,
- ContainerImage: "some-agent-image",
- PodNamePrefix: "some-agent-name-",
+ Namespace: agentPodNamespace,
+ ContainerImage: "some-agent-image",
+ PodNamePrefix: "some-agent-name-",
+ ContainerImagePullSecrets: []string{"some-image-pull-secret"},
 },
 &CredentialIssuerConfigLocationConfig{
 Namespace: credentialIssuerConfigNamespaceName,
diff --git a/internal/controller/kubecertagent/kubecertagent.go b/internal/controller/kubecertagent/kubecertagent.go
index bd9c4bcd..00e5e00e 100644
--- a/internal/controller/kubecertagent/kubecertagent.go
+++ b/internal/controller/kubecertagent/kubecertagent.go
@@ -63,6 +63,10 @@ type AgentPodConfig struct {
 // The name prefix for each of the agent pods.
 PodNamePrefix string
+
+ // ContainerImagePullSecrets is a list of names of Kubernetes Secret objects that will be used as
+ // ImagePullSecrets on the kube-cert-agent pods.
+ ContainerImagePullSecrets []string
 }
 type CredentialIssuerConfigLocationConfig struct {
@@ -81,6 +85,17 @@ func (c *AgentPodConfig) Labels() map[string]string {
 func (c *AgentPodConfig) PodTemplate() *corev1.Pod {
 terminateImmediately := int64(0)
+
+ imagePullSecrets := []corev1.LocalObjectReference{}
+ for _, imagePullSecret := range c.ContainerImagePullSecrets {
+ imagePullSecrets = append(
+ imagePullSecrets,
+ corev1.LocalObjectReference{
+ Name: imagePullSecret,
+ },
+ )
+ }
+
 pod := &corev1.Pod{
 ObjectMeta: metav1.ObjectMeta{
 Name: c.PodNamePrefix,
@@ -89,6 +104,7 @@ func (c *AgentPodConfig) PodTemplate() *corev1.Pod {
 },
 Spec: corev1.PodSpec{
 TerminationGracePeriodSeconds: &terminateImmediately,
+ ImagePullSecrets: imagePullSecrets,
 Containers: []corev1.Container{
 {
 Name: "sleeper",
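Review bot: In `PodTemplate()` (kubecertagent.go, hunk `@@ -81,6 +85,17 @@`), `imagePullSecrets := []corev1.LocalObjectReference{}` puts an empty non-nil slice into the pod spec when no pull secrets are configured, where the field was nil before this commit. If code outside this hunk compares the template with a pod read back from the API server using a nil-sensitive comparison, the two would no longer match; `var imagePullSecrets []corev1.LocalObjectReference` keeps the no-secret case identical to the old behaviour. The names are also copied unchecked, so an empty string in the config becomes a `LocalObjectReference` with an empty `Name`; a guard such as `if imagePullSecret == "" { continue }` at the top of the loop would drop those. The tests touched by this commit always set one secret, so the empty-list path is not exercised by what is visible here, and `PodTemplate()` itself continues past the end of the hunk.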
diff --git a/internal/controller/kubecertagent/kubecertagent_test.go b/internal/controller/kubecertagent/kubecertagent_test.go
index e265fdc7..6c8da06a 100644
--- a/internal/controller/kubecertagent/kubecertagent_test.go
+++ b/internal/controller/kubecertagent/kubecertagent_test.go
@@ -87,6 +87,11 @@ func exampleControllerManagerAndAgentPods(
 },
 Spec: corev1.PodSpec{
 TerminationGracePeriodSeconds: &zero,
+ ImagePullSecrets: []corev1.LocalObjectReference{
+ {
+ Name: "some-image-pull-secret",
+ },
+ },
 Containers: []corev1.Container{
 {
 Name: "sleeper",
diff --git a/internal/controllermanager/prepare_controllers.go b/internal/controllermanager/prepare_controllers.go
index 18a64d7b..41f22ce7 100644
--- a/internal/controllermanager/prepare_controllers.go
+++ b/internal/controllermanager/prepare_controllers.go
@@ -92,9 +92,10 @@ func PrepareControllers(c *Config) (func(ctx context.Context), error) {
 // Configuration for the kubecertagent controllers created below.
 agentPodConfig := &kubecertagent.AgentPodConfig{
- Namespace: c.ServerInstallationNamespace,
- ContainerImage: *c.KubeCertAgentConfig.Image,
- PodNamePrefix: *c.KubeCertAgentConfig.NamePrefix,
+ Namespace: c.ServerInstallationNamespace,
+ ContainerImage: *c.KubeCertAgentConfig.Image,
+ PodNamePrefix: *c.KubeCertAgentConfig.NamePrefix,
+ ContainerImagePullSecrets: c.KubeCertAgentConfig.ImagePullSecrets,
 }
 credentialIssuerConfigLocationConfig := &kubecertagent.CredentialIssuerConfigLocationConfig{
 Namespace: c.ServerInstallationNamespace,
diff --git a/pkg/config/api/types.go b/pkg/config/api/types.go
index 9e8857aa..a5052222 100644
--- a/pkg/config/api/types.go
+++ b/pkg/config/api/types.go
@@ -61,4 +61,8 @@ type KubeCertAgentSpec struct {
 // should contain at least 2 binaries: /bin/sleep and cat (somewhere on the $PATH). The default
 // for this value is "debian:latest".
 Image *string `json:"image"`
+
+ // ImagePullSecrets is a list of names of Kubernetes Secret objects that will be used as
+ // ImagePullSecrets on the kube-cert-agent pods.
+ ImagePullSecrets []string
 }
diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go
index aec478b2..c641c515 100644
--- a/pkg/config/config_test.go
+++ b/pkg/config/config_test.go
@@ -39,6 +39,7 @@ func TestFromPath(t *testing.T) {
 KubeCertAgent:
 namePrefix: kube-cert-agent-name-prefix-
 image: kube-cert-agent-image
+ imagePullSecrets: [kube-cert-agent-image-pull-secret]
 `),
 wantConfig: &api.Config{
 DiscoveryInfo: api.DiscoveryInfoSpec{
@@ -56,8 +57,9 @@ func TestFromPath(t *testing.T) {
 APIService: "pinniped-api",
 },
 KubeCertAgentConfig: api.KubeCertAgentSpec{
- NamePrefix: stringPtr("kube-cert-agent-name-prefix-"),
- Image: stringPtr("kube-cert-agent-image"),
+ NamePrefix: stringPtr("kube-cert-agent-name-prefix-"),
+ Image: stringPtr("kube-cert-agent-image"),
+ ImagePullSecrets: []string{"kube-cert-agent-image-pull-secret"},
 },
 },
 },
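Review bot: The new `ImagePullSecrets []string` field in `KubeCertAgentSpec` (pkg/config/api/types.go) carries no struct tag, while the `Image` field directly above it is tagged `json:"image"`. The `imagePullSecrets` key used in config_test.go is therefore presumably matched only through the decoder's case-insensitive field-name fallback rather than a declared name; adding the tag `json:"imagePullSecrets"` to the field makes the config key part of the schema. The doc comment should also state that the named Secrets must exist in the namespace where the agent pods are created, because a pod's image pull secrets are namespace-local references.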