draft accept wasm pull secret as env var
add a unit test and doc update

Signed-off-by: craig <[email protected]>

rh-pre-commit.version: 2.2.0
rh-pre-commit.check-secrets: ENABLED
maleck13 committed Dec 17, 2024
1 parent 6195492 commit 7dab328
Showing 3 changed files with 104 additions and 2 deletions.
11 changes: 9 additions & 2 deletions controllers/istio_extension_reconciler.go
Expand Up @@ -16,6 +16,7 @@ import (
"k8s.io/apimachinery/pkg/labels"
k8stypes "k8s.io/apimachinery/pkg/types"
"k8s.io/client-go/dynamic"
"k8s.io/utils/env"
"k8s.io/utils/ptr"

kuadrantv1 "github.com/kuadrant/kuadrant-operator/api/v1"
Expand All @@ -27,6 +28,9 @@ import (
"github.com/kuadrant/kuadrant-operator/pkg/wasm"
)

// wasmImagePullSecret this defines if to use a secret and what secret to use when constructing the WASMPlugin resource.
var wasmImagePullSecret = env.GetString("WASM_IMAGE_PULL_SECRET", "")

//+kubebuilder:rbac:groups=extensions.istio.io,resources=wasmplugins,verbs=get;list;watch;create;update;patch;delete

// IstioExtensionReconciler reconciles Istio WasmPlugin custom resources
Expand Down Expand Up @@ -78,7 +82,7 @@ func (r *IstioExtensionReconciler) Reconcile(ctx context.Context, _ []controller
for _, gateway := range gateways {
gatewayKey := k8stypes.NamespacedName{Name: gateway.GetName(), Namespace: gateway.GetNamespace()}

desiredWasmPlugin := buildIstioWasmPluginForGateway(gateway, wasmConfigs[gateway.GetLocator()])
desiredWasmPlugin := buildIstioWasmPluginForGateway(gateway, wasmConfigs[gateway.GetLocator()], wasmImagePullSecret)


resource := r.client.Resource(kuadrantistio.WasmPluginsResource).Namespace(desiredWasmPlugin.GetNamespace())

Expand Down Expand Up @@ -228,7 +232,7 @@ func hasAuthAccess(actionSet []wasm.Action) bool {
}

// buildIstioWasmPluginForGateway builds a desired WasmPlugin custom resource for a given gateway and corresponding wasm config
func buildIstioWasmPluginForGateway(gateway *machinery.Gateway, wasmConfig wasm.Config) *istioclientgoextensionv1alpha1.WasmPlugin {
func buildIstioWasmPluginForGateway(gateway *machinery.Gateway, wasmConfig wasm.Config, imagePullSecret string) *istioclientgoextensionv1alpha1.WasmPlugin {
wasmPlugin := &istioclientgoextensionv1alpha1.WasmPlugin{
TypeMeta: metav1.TypeMeta{
Kind: kuadrantistio.WasmPluginGroupKind.Kind,
Expand Down Expand Up @@ -262,6 +266,9 @@ func buildIstioWasmPluginForGateway(gateway *machinery.Gateway, wasmConfig wasm.
Phase: istioextensionsv1alpha1.PluginPhase_STATS, // insert the plugin before Istio stats filters and after Istio authorization filters.
},
}
if imagePullSecret != "" {
wasmPlugin.Spec.ImagePullSecret = imagePullSecret
}

if len(wasmConfig.ActionSets) == 0 {
utils.TagObjectToDelete(wasmPlugin)
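Review bot: wasmImagePullSecret is resolved once at package initialisation (the `env.GetString` call in the var declaration), so a changed WASM_IMAGE_PULL_SECRET only takes effect after an operator restart and cannot be overridden when Reconcile is tested, which is consistent with the new call site in Reconcile being the line reported as uncovered while the new unit test drives buildIstioWasmPluginForGateway directly. The value is only the Secret's name: nothing in these hunks checks that a Secret of that name exists in the gateway's namespace, so a typo or missing Secret presumably shows up later as an image pull failure at the proxy rather than as a reconcile error, and logging the configured name (never the contents) at startup would make that easier to diagnose. The doc comment on the var reads awkwardly; I would replace it with `// wasmImagePullSecret is the name of the image pull Secret set on every generated WasmPlugin, read once at startup from WASM_IMAGE_PULL_SECRET; empty means no imagePullSecret is set.` Both Reconcile and buildIstioWasmPluginForGateway begin and end outside their hunks.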
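--- a/controllers/istio_extenstion_reconciler_test.go
+++ b/controllers/istio_extenstion_reconciler_test.go
@@ -0,0 +1,75 @@
+//go:build unit
+
+package controllers
+
+import (
+"testing"
+
+"github.com/kuadrant/kuadrant-operator/pkg/wasm"
+"github.com/kuadrant/policy-machinery/machinery"
+istioclientgoextensionv1alpha1 "istio.io/client-go/pkg/apis/extensions/v1alpha1"
+metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+v1 "sigs.k8s.io/gateway-api/apis/v1"
+)
+
+func Test_buildIstioWasmPluginForGateway(t *testing.T) {
+var imagePullSecret = "testsecret"
+var testGateway = &machinery.Gateway{
+Gateway: &v1.Gateway{
+ObjectMeta: metav1.ObjectMeta{
+Name: "test",
+Namespace: "test",
+},
+},
+}
+var testWasmConfig = wasm.Config{
+ActionSets: []wasm.ActionSet{
+{
+Name: "test",
+},
+},
+}
+testCases := []struct {
+Name string
+Gateway *machinery.Gateway
+WasmConfig wasm.Config
+ImagePullSecret string
+Assert func(t *testing.T, plugin *istioclientgoextensionv1alpha1.WasmPlugin)
+}{
+{
+Name: "ensure image pull secret is set in wasmPlugin",
+Gateway: testGateway,
+WasmConfig: testWasmConfig,
+ImagePullSecret: imagePullSecret,
+Assert: func(t *testing.T, plugin *istioclientgoextensionv1alpha1.WasmPlugin) {
+if plugin == nil {
+t.Fatalf("Expected a wasmplugin")
+}
+if plugin.Spec.ImagePullSecret != imagePullSecret {
+t.Fatalf("Expected wasm plugin to have imagePullSecret %s but got %s", imagePullSecret, plugin.Spec.ImagePullSecret)
+}
+},
+},
+{
+Name: "ensure image pull secret is NOT set in wasmPlugin",
+Gateway: testGateway,
+WasmConfig: testWasmConfig,
+Assert: func(t *testing.T, plugin *istioclientgoextensionv1alpha1.WasmPlugin) {
+if plugin == nil {
+t.Fatalf("Expected a wasmplugin")
+}
+if plugin.Spec.ImagePullSecret != "" {
+t.Fatalf("Expected wasm plugin to have not imagePullSecret %s", plugin.Spec.ImagePullSecret)
+}
+},
+},
+}
+
+for _, testCase := range testCases {
+t.Run(testCase.Name, func(t *testing.T) {
+plugin := buildIstioWasmPluginForGateway(testCase.Gateway, testCase.WasmConfig, testCase.ImagePullSecret)
+testCase.Assert(t, plugin)
+})
+}
+
+}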
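Review bot: The new test file is named `istio_extenstion_reconciler_test.go`, which misspells "extension" and so does not pair with `controllers/istio_extension_reconciler.go`; it should be `controllers/istio_extension_reconciler_test.go` so the test sits next to the code it covers. The fixtures at the top of Test_buildIstioWasmPluginForGateway use `var x = ...` where `:=` is the idiom inside a function, and the secret name never changes, so `const imagePullSecret = "testsecret"` reads better. Both cases pass the same `testGateway` pointer to buildIstioWasmPluginForGateway; that is fine only if the function does not mutate the gateway, which nothing here asserts, so a fresh gateway per case (or a one-line comment stating the function is read-only on it) would make the intent explicit. The blank line before the closing brace of the test function is stray and `gofmt` will not remove it.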
20 changes: 20 additions & 0 deletions doc/install/install-openshift.md
Expand Up @@ -288,6 +288,26 @@ spec:
upgradeStrategy: Default
EOF
```
**Authenicated Regstries**

!!! note

If you need to use a wasm image from a protected registry, you will need to set the image pull secret to use via an env var to the operator. This secret must exist in each namespace where there is a Gateway resource defined that you intend to target with `AuthPolicy` or `RatelimitPolicy`.

Example Secret:

```bash
kubectl create secret docker-registry myregistrysecret -n ${GATEWAY_NAMESPACE} \ --docker-server=my.registry.io \ --docker-username=your-registry-service-account-username \ --docker-password=your-registry-service-account-password
```

To set the env var so this secret gets used, add the following to the subscriptions `Spec`:

```yaml
config:
env:
- name: WASM_IMAGE_PULL_SECRET
value: myregistrysecret
```
Wait for the Kuadrant Operators to be installed as follows:
