From 7dab3289b40bc17073bfc563273f3c5cd9467292 Mon Sep 17 00:00:00 2001
From: craig
Date: Tue, 17 Dec 2024 08:21:17 +0000
Subject: [PATCH] draft accept wasm pull secret as env var add a unit test and doc update

Signed-off-by: craig
rh-pre-commit.version: 2.2.0
rh-pre-commit.check-secrets: ENABLED
---
 controllers/istio_extension_reconciler.go      | 11 ++-
 .../istio_extenstion_reconciler_test.go        | 75 +++++++++++++++++++
 doc/install/install-openshift.md               | 20 +++++
 3 files changed, 104 insertions(+), 2 deletions(-)
 create mode 100644 controllers/istio_extenstion_reconciler_test.go

diff --git a/controllers/istio_extension_reconciler.go b/controllers/istio_extension_reconciler.go
index 491b506e7..0d5e6ec86 100644
--- a/controllers/istio_extension_reconciler.go
+++ b/controllers/istio_extension_reconciler.go
@@ -16,6 +16,7 @@ import (
 	"k8s.io/apimachinery/pkg/labels"
 	k8stypes "k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/dynamic"
+	"k8s.io/utils/env"
 	"k8s.io/utils/ptr"
 
 	kuadrantv1 "github.com/kuadrant/kuadrant-operator/api/v1"
@@ -27,6 +28,9 @@ import (
 	"github.com/kuadrant/kuadrant-operator/pkg/wasm"
 )
 
+// wasmImagePullSecret this defines if to use a secret and what secret to use when constructing the WASMPlugin resource.
+var wasmImagePullSecret = env.GetString("WASM_IMAGE_PULL_SECRET", "")
+
 //+kubebuilder:rbac:groups=extensions.istio.io,resources=wasmplugins,verbs=get;list;watch;create;update;patch;delete
 
 // IstioExtensionReconciler reconciles Istio WasmPlugin custom resources
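Review bot: `wasmImagePullSecret` is initialised from `WASM_IMAGE_PULL_SECRET` at package load, so the value is fixed for the process lifetime, cannot be set per reconciler instance, and cannot be exercised from a test with `t.Setenv`; a malformed value is presumably only discovered later when the WasmPlugin is rejected on the Istio side. Reading the variable where the reconciler is constructed and validating it once at startup would catch that early, e.g. `if wasmImagePullSecret != "" && len(validation.IsDNS1123Subdomain(wasmImagePullSecret)) > 0 { /* fail fast or log */ }` using `k8s.io/apimachinery/pkg/util/validation`. The doc comment does not read as a sentence; suggest `// wasmImagePullSecret is the name of the Secret, taken from WASM_IMAGE_PULL_SECRET, set as spec.imagePullSecret on every generated WasmPlugin; empty means no pull secret is set.`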
@@ -78,7 +82,7 @@ func (r *IstioExtensionReconciler) Reconcile(ctx context.Context, _ []controller
 	for _, gateway := range gateways {
 		gatewayKey := k8stypes.NamespacedName{Name: gateway.GetName(), Namespace: gateway.GetNamespace()}
 
-		desiredWasmPlugin := buildIstioWasmPluginForGateway(gateway, wasmConfigs[gateway.GetLocator()])
+		desiredWasmPlugin := buildIstioWasmPluginForGateway(gateway, wasmConfigs[gateway.GetLocator()], wasmImagePullSecret)
 
 		resource := r.client.Resource(kuadrantistio.WasmPluginsResource).Namespace(desiredWasmPlugin.GetNamespace())
 
@@ -228,7 +232,7 @@ func hasAuthAccess(actionSet []wasm.Action) bool {
 }
 
 // buildIstioWasmPluginForGateway builds a desired WasmPlugin custom resource for a given gateway and corresponding wasm config
-func buildIstioWasmPluginForGateway(gateway *machinery.Gateway, wasmConfig wasm.Config) *istioclientgoextensionv1alpha1.WasmPlugin {
+func buildIstioWasmPluginForGateway(gateway *machinery.Gateway, wasmConfig wasm.Config, imagePullSecret string) *istioclientgoextensionv1alpha1.WasmPlugin {
 	wasmPlugin := &istioclientgoextensionv1alpha1.WasmPlugin{
 		TypeMeta: metav1.TypeMeta{
 			Kind: kuadrantistio.WasmPluginGroupKind.Kind,
@@ -262,6 +266,9 @@ func buildIstioWasmPluginForGateway(gateway *machinery.Gateway, wasmConfig wasm.
 			Phase: istioextensionsv1alpha1.PluginPhase_STATS, // insert the plugin before Istio stats filters and after Istio authorization filters.
 		},
 	}
+	if imagePullSecret != "" {
+		wasmPlugin.Spec.ImagePullSecret = imagePullSecret
+	}
 
 	if len(wasmConfig.ActionSets) == 0 {
 		utils.TagObjectToDelete(wasmPlugin)
diff --git a/controllers/istio_extenstion_reconciler_test.go b/controllers/istio_extenstion_reconciler_test.go
new file mode 100644
index 000000000..b2f7b1692
--- /dev/null
+++ b/controllers/istio_extenstion_reconciler_test.go
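Review bot: The doc comment on `buildIstioWasmPluginForGateway` was not updated for the new `imagePullSecret` parameter, so a reader of the signature has to open the install doc to learn what the string is. Suggest extending it to `// buildIstioWasmPluginForGateway builds a desired WasmPlugin custom resource for a given gateway and corresponding wasm config. imagePullSecret, when non-empty, is the name of a Secret (expected in the gateway's namespace) set as spec.imagePullSecret.` The function body continues past the end of this hunk.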
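Review bot: The `if imagePullSecret != ""` guard is redundant: `Spec.ImagePullSecret` is a string whose zero value is already `""`, so `wasmPlugin.Spec.ImagePullSecret = imagePullSecret` alone has the same effect and reads as unconditional plumbing. More importantly, the name is written into a WasmPlugin in every gateway namespace without checking that a Secret of that name exists there, which the install doc in this patch says is required; a missing Secret presumably surfaces only as a module pull failure in Istio, not in the operator's logs or a status condition. A `Get` of the Secret in `Reconcile` (which needs `get` on secrets in the operator's RBAC) with a logged warning or a condition on the gateway would make that misconfiguration visible; that is a larger change than this hunk, so I would track it rather than block on it. The function body runs past the end of this hunk.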
@@ -0,0 +1,75 @@
+//go:build unit
+
+package controllers
+
+import (
+	"testing"
+
+	"github.com/kuadrant/kuadrant-operator/pkg/wasm"
+	"github.com/kuadrant/policy-machinery/machinery"
+	istioclientgoextensionv1alpha1 "istio.io/client-go/pkg/apis/extensions/v1alpha1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	v1 "sigs.k8s.io/gateway-api/apis/v1"
+)
+
+func Test_buildIstioWasmPluginForGateway(t *testing.T) {
+	var imagePullSecret = "testsecret"
+	var testGateway = &machinery.Gateway{
+		Gateway: &v1.Gateway{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "test",
+				Namespace: "test",
+			},
+		},
+	}
+	var testWasmConfig = wasm.Config{
+		ActionSets: []wasm.ActionSet{
+			{
+				Name: "test",
+			},
+		},
+	}
+	testCases := []struct {
+		Name            string
+		Gateway         *machinery.Gateway
+		WasmConfig      wasm.Config
+		ImagePullSecret string
+		Assert          func(t *testing.T, plugin *istioclientgoextensionv1alpha1.WasmPlugin)
+	}{
+		{
+			Name:            "ensure image pull secret is set in wasmPlugin",
+			Gateway:         testGateway,
+			WasmConfig:      testWasmConfig,
+			ImagePullSecret: imagePullSecret,
+			Assert: func(t *testing.T, plugin *istioclientgoextensionv1alpha1.WasmPlugin) {
+				if plugin == nil {
+					t.Fatalf("Expected a wasmplugin")
+				}
+				if plugin.Spec.ImagePullSecret != imagePullSecret {
+					t.Fatalf("Expected wasm plugin to have imagePullSecret %s but got %s", imagePullSecret, plugin.Spec.ImagePullSecret)
+				}
+			},
+		},
+		{
+			Name:       "ensure image pull secret is NOT set in wasmPlugin",
+			Gateway:    testGateway,
+			WasmConfig: testWasmConfig,
+			Assert: func(t *testing.T, plugin *istioclientgoextensionv1alpha1.WasmPlugin) {
+				if plugin == nil {
+					t.Fatalf("Expected a wasmplugin")
+				}
+				if plugin.Spec.ImagePullSecret != "" {
+					t.Fatalf("Expected wasm plugin to have not imagePullSecret %s", plugin.Spec.ImagePullSecret)
+				}
+			},
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.Name, func(t *testing.T) {
+			plugin := buildIstioWasmPluginForGateway(testCase.Gateway, testCase.WasmConfig, testCase.ImagePullSecret)
+			testCase.Assert(t, plugin)
+		})
+	}
+
+}
diff --git a/doc/install/install-openshift.md b/doc/install/install-openshift.md
index f06e3a417..6e9dc7984 100644
--- a/doc/install/install-openshift.md
+++ b/doc/install/install-openshift.md
@@ -288,6 +288,26 @@ spec:
   upgradeStrategy: Default
 EOF
 ```
+**Authenicated Regstries**
+
+!!! note
+
+    If you need to use a wasm image from a protected registry, you will need to set the image pull secret to use via an env var to the operator. This secret must exist in each namespace where there is a Gateway resource defined that you intend to target with `AuthPolicy` or `RatelimitPolicy`.
+
+Example Secret:
+
+```bash
+kubectl create secret docker-registry myregistrysecret -n ${GATEWAY_NAMESPACE} \ --docker-server=my.registry.io \ --docker-username=your-registry-service-account-username \ --docker-password=your-registry-service-account-password
+```
+
+To set the env var so this secret gets used, add the following to the subscriptions `Spec`:
+
+```yaml
+  config:
+    env:
+      - name: WASM_IMAGE_PULL_SECRET
+        value: myregistrysecret
+```
 
 Wait for the Kuadrant Operators to be installed as follows:
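Review bot: The new test passes the secret name straight into `buildIstioWasmPluginForGateway`, so the path the commit actually introduces, `WASM_IMAGE_PULL_SECRET` read into the package-level `wasmImagePullSecret` and threaded through `Reconcile`, is not covered, and it cannot be covered with `t.Setenv` while that variable is initialised at package load. The new file name also has a typo, `istio_extenstion_reconciler_test.go` against `istio_extension_reconciler.go`, which will make it hard to find next to the code it tests. Minor style points: the constant-message calls read better as `t.Fatal("Expected a wasmplugin")`, and the second case's message should be `"Expected wasm plugin to have no imagePullSecret, got %s"`. A third case with an empty `ActionSets` would also pin that the pull secret is still set on the delete-tagged plugin, if that is the intended behaviour.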