Plumb through ImagePullSecrets to agent pod

Right now in the YTT templates we assume that the agent pods are gonna use
the same image as the main Pinniped deployment, so we can use the same logic
for the image pull secrets.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
Andrew Keesler 2020-09-24 15:52:05 -04:00
parent 9ed52e6b4a
commit d853cbc7ff
No known key found for this signature in database
GPG Key ID: 27CE0444346F9413
7 changed files with 41 additions and 8 deletions


@ -45,6 +45,10 @@ data:
(@ else: @) (@ else: @)
image: (@= data.values.image_repo + ":" + data.values.image_tag @) image: (@= data.values.image_repo + ":" + data.values.image_tag @)
(@ end @) (@ end @)
(@ if data.values.image_pull_dockerconfigjson: @)
imagePullSecrets:
- image-pull-secret
(@ end @)
--- ---
#@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "": #@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
apiVersion: v1 apiVersion: v1
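Review bot: The added list entry `- image-pull-secret` is a bare literal that must stay identical to the name of the Secret rendered by the guarded document starting right below. That document's metadata is outside this hunk, so the match cannot be confirmed from here. The new guard is also spelled differently from the one on the Secret document; using the same expression, `(@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "": @)`, makes it obvious the two are rendered together. A short comment beside the entry stating that the agent pod is assumed to pull from the same registry as the main deployment would record the assumption the commit message describes.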


@ -83,9 +83,10 @@ func TestCreaterControllerSync(t *testing.T) {
// Set this at the last second to allow for injection of server override. // Set this at the last second to allow for injection of server override.
subject = NewCreaterController( subject = NewCreaterController(
&AgentPodConfig{ &AgentPodConfig{
Namespace: agentPodNamespace, Namespace: agentPodNamespace,
ContainerImage: "some-agent-image", ContainerImage: "some-agent-image",
PodNamePrefix: "some-agent-name-", PodNamePrefix: "some-agent-name-",
ContainerImagePullSecrets: []string{"some-image-pull-secret"},
}, },
&CredentialIssuerConfigLocationConfig{ &CredentialIssuerConfigLocationConfig{
Namespace: credentialIssuerConfigNamespaceName, Namespace: credentialIssuerConfigNamespaceName,


@ -63,6 +63,10 @@ type AgentPodConfig struct {
// The name prefix for each of the agent pods. // The name prefix for each of the agent pods.
PodNamePrefix string PodNamePrefix string
// ContainerImagePullSecrets is a list of names of Kubernetes Secret objects that will be used as
// ImagePullSecrets on the kube-cert-agent pods.
ContainerImagePullSecrets []string
} }
type CredentialIssuerConfigLocationConfig struct { type CredentialIssuerConfigLocationConfig struct {
@ -81,6 +85,17 @@ func (c *AgentPodConfig) Labels() map[string]string {
func (c *AgentPodConfig) PodTemplate() *corev1.Pod { func (c *AgentPodConfig) PodTemplate() *corev1.Pod {
terminateImmediately := int64(0) terminateImmediately := int64(0)
imagePullSecrets := []corev1.LocalObjectReference{}
for _, imagePullSecret := range c.ContainerImagePullSecrets {
imagePullSecrets = append(
imagePullSecrets,
corev1.LocalObjectReference{
Name: imagePullSecret,
},
)
}
pod := &corev1.Pod{ pod := &corev1.Pod{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: c.PodNamePrefix, Name: c.PodNamePrefix,
@ -89,6 +104,7 @@ func (c *AgentPodConfig) PodTemplate() *corev1.Pod {
}, },
Spec: corev1.PodSpec{ Spec: corev1.PodSpec{
TerminationGracePeriodSeconds: &terminateImmediately, TerminationGracePeriodSeconds: &terminateImmediately,
ImagePullSecrets: imagePullSecrets,
Containers: []corev1.Container{ Containers: []corev1.Container{
{ {
Name: "sleeper", Name: "sleeper",
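Review bot: `imagePullSecrets := []corev1.LocalObjectReference{}` in PodTemplate gives the template an empty, non-nil `Spec.ImagePullSecrets` when no secrets are configured, whereas a pod read back from the API server would normally carry nil there because the field is omitted when empty. If any caller compares the template to a live pod with a strict deep-equal (not visible here), that could read as drift; `var imagePullSecrets []corev1.LocalObjectReference` keeps the zero case nil and leaves the append loop unchanged. The new field comment on ContainerImagePullSecrets could also say where the names are resolved, since a LocalObjectReference carries only a name: `// The Secrets must exist in the agent pod's namespace (Namespace above).` PodTemplate's body continues past the end of the hunk.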


@ -87,6 +87,11 @@ func exampleControllerManagerAndAgentPods(
}, },
Spec: corev1.PodSpec{ Spec: corev1.PodSpec{
TerminationGracePeriodSeconds: &zero, TerminationGracePeriodSeconds: &zero,
ImagePullSecrets: []corev1.LocalObjectReference{
{
Name: "some-image-pull-secret",
},
},
Containers: []corev1.Container{ Containers: []corev1.Container{
{ {
Name: "sleeper", Name: "sleeper",


@ -92,9 +92,10 @@ func PrepareControllers(c *Config) (func(ctx context.Context), error) {
// Configuration for the kubecertagent controllers created below. // Configuration for the kubecertagent controllers created below.
agentPodConfig := &kubecertagent.AgentPodConfig{ agentPodConfig := &kubecertagent.AgentPodConfig{
Namespace: c.ServerInstallationNamespace, Namespace: c.ServerInstallationNamespace,
ContainerImage: *c.KubeCertAgentConfig.Image, ContainerImage: *c.KubeCertAgentConfig.Image,
PodNamePrefix: *c.KubeCertAgentConfig.NamePrefix, PodNamePrefix: *c.KubeCertAgentConfig.NamePrefix,
ContainerImagePullSecrets: c.KubeCertAgentConfig.ImagePullSecrets,
} }
credentialIssuerConfigLocationConfig := &kubecertagent.CredentialIssuerConfigLocationConfig{ credentialIssuerConfigLocationConfig := &kubecertagent.CredentialIssuerConfigLocationConfig{
Namespace: c.ServerInstallationNamespace, Namespace: c.ServerInstallationNamespace,


@ -61,4 +61,8 @@ type KubeCertAgentSpec struct {
// should contain at least 2 binaries: /bin/sleep and cat (somewhere on the $PATH). The default // should contain at least 2 binaries: /bin/sleep and cat (somewhere on the $PATH). The default
// for this value is "debian:latest". // for this value is "debian:latest".
Image *string `json:"image"` Image *string `json:"image"`
// ImagePullSecrets is a list of names of Kubernetes Secret objects that will be used as
// ImagePullSecrets on the kube-cert-agent pods.
ImagePullSecrets []string
} }
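Review bot: The new `ImagePullSecrets []string` field has no struct tag, unlike `Image` just above it, which carries `json:"image"`. The config test in this commit feeds the key as `imagePullSecrets`, so decoding presumably succeeds only because the decoder matches field names case-insensitively. Adding the tag `json:"imagePullSecrets"` to the field makes the accepted key explicit and keeps the struct consistent. The comment could also state that an omitted key means the agent pods get no pull secrets. KubeCertAgentSpec begins outside this hunk.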


@ -39,6 +39,7 @@ func TestFromPath(t *testing.T) {
KubeCertAgent: KubeCertAgent:
namePrefix: kube-cert-agent-name-prefix- namePrefix: kube-cert-agent-name-prefix-
image: kube-cert-agent-image image: kube-cert-agent-image
imagePullSecrets: [kube-cert-agent-image-pull-secret]
`), `),
wantConfig: &api.Config{ wantConfig: &api.Config{
DiscoveryInfo: api.DiscoveryInfoSpec{ DiscoveryInfo: api.DiscoveryInfoSpec{
@ -56,8 +57,9 @@ func TestFromPath(t *testing.T) {
APIService: "pinniped-api", APIService: "pinniped-api",
}, },
KubeCertAgentConfig: api.KubeCertAgentSpec{ KubeCertAgentConfig: api.KubeCertAgentSpec{
NamePrefix: stringPtr("kube-cert-agent-name-prefix-"), NamePrefix: stringPtr("kube-cert-agent-name-prefix-"),
Image: stringPtr("kube-cert-agent-image"), Image: stringPtr("kube-cert-agent-image"),
ImagePullSecrets: []string{"kube-cert-agent-image-pull-secret"},
}, },
}, },
}, },