Plumb through ImagePullSecrets to agent pod

Right now in the YTT templates we assume that the agent pods are gonna use the same image as the main Pinniped deployment, so we can use the same logic for the image pull secrets. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-24 15:52:05 -04:00 · 2020-09-24 15:52:05 -04:00 · d853cbc7ff
parent 9ed52e6b4a
commit d853cbc7ff
7 changed files with 41 additions and 8 deletions
--- a/deploy/deployment.yaml
+++ b/deploy/deployment.yaml
@ -45,6 +45,10 @@ data:
      (@ else: @)
      image: (@= data.values.image_repo + ":" + data.values.image_tag @)
      (@ end @)
+      (@ if data.values.image_pull_dockerconfigjson: @)
+      imagePullSecrets:
+        - image-pull-secret
+      (@ end @)
 ---
 #@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
 apiVersion: v1
--- a/internal/controller/kubecertagent/creater_test.go
+++ b/internal/controller/kubecertagent/creater_test.go
@ -86,6 +86,7 @@ func TestCreaterControllerSync(t *testing.T) {
 					Namespace:                 agentPodNamespace,
 					ContainerImage:            "some-agent-image",
 					PodNamePrefix:             "some-agent-name-",
+					ContainerImagePullSecrets: []string{"some-image-pull-secret"},
 				},
 				&CredentialIssuerConfigLocationConfig{
 					Namespace: credentialIssuerConfigNamespaceName,
--- a/internal/controller/kubecertagent/kubecertagent.go
+++ b/internal/controller/kubecertagent/kubecertagent.go
@ -63,6 +63,10 @@ type AgentPodConfig struct {

 	//  The name prefix for each of the agent pods.
 	PodNamePrefix string
+
+	// ContainerImagePullSecrets is a list of names of Kubernetes Secret objects that will be used as
+	// ImagePullSecrets on the kube-cert-agent pods.
+	ContainerImagePullSecrets []string
 }

 type CredentialIssuerConfigLocationConfig struct {
@ -81,6 +85,17 @@ func (c *AgentPodConfig) Labels() map[string]string {

 func (c *AgentPodConfig) PodTemplate() *corev1.Pod {
 	terminateImmediately := int64(0)
+
+	imagePullSecrets := []corev1.LocalObjectReference{}
+	for _, imagePullSecret := range c.ContainerImagePullSecrets {
+		imagePullSecrets = append(
+			imagePullSecrets,
+			corev1.LocalObjectReference{
+				Name: imagePullSecret,
+			},
+		)
+	}
+
 	pod := &corev1.Pod{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      c.PodNamePrefix,
@ -89,6 +104,7 @@ func (c *AgentPodConfig) PodTemplate() *corev1.Pod {
 		},
 		Spec: corev1.PodSpec{
 			TerminationGracePeriodSeconds: &terminateImmediately,
+			ImagePullSecrets:              imagePullSecrets,
 			Containers: []corev1.Container{
 				{
 					Name:            "sleeper",
--- a/internal/controller/kubecertagent/kubecertagent_test.go
+++ b/internal/controller/kubecertagent/kubecertagent_test.go
@ -87,6 +87,11 @@ func exampleControllerManagerAndAgentPods(
 		},
 		Spec: corev1.PodSpec{
 			TerminationGracePeriodSeconds: &zero,
+			ImagePullSecrets: []corev1.LocalObjectReference{
+				{
+					Name: "some-image-pull-secret",
+				},
+			},
 			Containers: []corev1.Container{
 				{
 					Name:            "sleeper",
--- a/internal/controllermanager/prepare_controllers.go
+++ b/internal/controllermanager/prepare_controllers.go
@ -95,6 +95,7 @@ func PrepareControllers(c *Config) (func(ctx context.Context), error) {
 		Namespace:                 c.ServerInstallationNamespace,
 		ContainerImage:            *c.KubeCertAgentConfig.Image,
 		PodNamePrefix:             *c.KubeCertAgentConfig.NamePrefix,
+		ContainerImagePullSecrets: c.KubeCertAgentConfig.ImagePullSecrets,
 	}
 	credentialIssuerConfigLocationConfig := &kubecertagent.CredentialIssuerConfigLocationConfig{
 		Namespace: c.ServerInstallationNamespace,
--- a/pkg/config/api/types.go
+++ b/pkg/config/api/types.go
@ -61,4 +61,8 @@ type KubeCertAgentSpec struct {
 	// should contain at least 2 binaries: /bin/sleep and cat (somewhere on the $PATH). The default
 	// for this value is "debian:latest".
 	Image *string `json:"image"`
+
+	// ImagePullSecrets is a list of names of Kubernetes Secret objects that will be used as
+	// ImagePullSecrets on the kube-cert-agent pods.
+	ImagePullSecrets []string
 }
--- a/pkg/config/config_test.go
+++ b/pkg/config/config_test.go
@ -39,6 +39,7 @@ func TestFromPath(t *testing.T) {
 				KubeCertAgent:
 				  namePrefix: kube-cert-agent-name-prefix-
 				  image: kube-cert-agent-image
+				  imagePullSecrets: [kube-cert-agent-image-pull-secret]
 			`),
 			wantConfig: &api.Config{
 				DiscoveryInfo: api.DiscoveryInfoSpec{
@ -58,6 +59,7 @@ func TestFromPath(t *testing.T) {
 				KubeCertAgentConfig: api.KubeCertAgentSpec{
 					NamePrefix:       stringPtr("kube-cert-agent-name-prefix-"),
 					Image:            stringPtr("kube-cert-agent-image"),
+					ImagePullSecrets: []string{"kube-cert-agent-image-pull-secret"},
 				},
 			},
 		},