
Commit 70e06f7

committed
feat: use secrets configured in ReplicatedImageSet & ImageMirrorSets to check images availability
1 parent d2553f7 commit 70e06f7


1 file changed

+51
-10
lines changed

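--- a/internal/webhook/core/v1/pod_webhook.go
+++ b/internal/webhook/core/v1/pod_webhook.go
@@ -46,7 +46,9 @@ type PodCustomDefaulter struct {
 }
 
 type AlternativeImage struct {
-Reference string
+Reference string
+CredentialSecret *kuikv1alpha1.CredentialSecret
+ImagePullSecret *corev1.Secret
 }
 
 type Container struct {
@@ -64,11 +66,20 @@ func (d *PodCustomDefaulter) Default(ctx context.Context, obj runtime.Object) er
 log := podlog.WithValues("requestID", request.UID, "namespace", request.Namespace, "name", request.Name)
 
 pod, ok := obj.(*corev1.Pod)
-
 if !ok {
-return fmt.Errorf("expected an Pod object but got %T", obj)
+return fmt.Errorf("expected a Pod object but got %T", obj)
 }
 
+if err := d.defaultt(logf.IntoContext(ctx, log), pod); err != nil {
+log.Error(err, "defaulting webhook error")
+return err
+}
+
+return nil
+}
+
+func (d *PodCustomDefaulter) defaultt(ctx context.Context, pod *corev1.Pod) error {
+log := logf.FromContext(ctx)
 log.Info("defaulting for Pod")
 
 containers := make([]Container, 0, len(pod.Spec.Containers)+len(pod.Spec.InitContainers))
@@ -114,6 +125,10 @@ func (d *PodCustomDefaulter) Default(ctx context.Context, obj runtime.Object) er
 if ism.Namespace != pod.Namespace {
 continue
 }
+for i := range ism.Spec.Mirrors {
+mirror := &ism.Spec.Mirrors[i]
+mirror.CredentialSecret.Namespace = pod.Namespace
+}
 imageSetMirrors = append(imageSetMirrors, ism)
 }
 
@@ -161,15 +176,15 @@ func (d *PodCustomDefaulter) Default(ctx context.Context, obj runtime.Object) er
 }
 
 container.Images = make([]AlternativeImage, 0, 1+len(ism.Spec.Mirrors))
-container.addAlternative(container.Image)
+container.addAlternative(container.Image, nil)
 
 _, imgPath, err := internal.RegistryAndPathFromReference(container.Image)
 if err != nil {
 return err
 }
 
 for _, mirror := range ism.Spec.Mirrors {
-container.addAlternative(path.Join(mirror.Registry, mirror.Path, imgPath))
+container.addAlternative(path.Join(mirror.Registry, mirror.Path, imgPath), mirror.CredentialSecret)
 }
 }
 }
@@ -191,11 +206,14 @@ func (d *PodCustomDefaulter) Default(ctx context.Context, obj runtime.Object) er
 
 for _, upstream := range ris.Spec.Upstreams {
 reference := path.Join(upstream.Registry, upstream.Path, suffix)
-// TODO: handle using CredentialSecret from upstream configuration
-container.addAlternative(reference)
+container.addAlternative(reference, upstream.CredentialSecret)
 }
 }
 
+if err := container.loadAlternativesSecrets(ctx, d.Client); err != nil {
+return err
+}
+
 d.rerouteContainerImage(ctx, &container, podImagePullSecrets)
 }
 
@@ -206,7 +224,12 @@ func (d *PodCustomDefaulter) rerouteContainerImage(ctx context.Context, containe
 log := logf.FromContext(ctx)
 
 for _, image := range container.Images {
-if available, err := d.checkImageAvailability(ctx, image.Reference, pullSecrets); err != nil {
+imagePullSecrets := pullSecrets
+if image.ImagePullSecret != nil {
+imagePullSecrets = append(imagePullSecrets, *image.ImagePullSecret)
+}
+
+if available, err := d.checkImageAvailability(ctx, image.Reference, imagePullSecrets); err != nil {
 log.Error(err, "could not check image availability", "image", image.Reference)
 continue
 } else if available {
@@ -243,11 +266,29 @@ func (d *PodCustomDefaulter) checkImageAvailability(ctx context.Context, referen
 return err == nil, nil
 }
 
-func (c *Container) addAlternative(reference string) {
+func (c *Container) addAlternative(reference string, credentialSecret *kuikv1alpha1.CredentialSecret) {
 if _, ok := c.Alternatives[reference]; ok {
 return
 }
 
 c.Alternatives[reference] = struct{}{}
-c.Images = append(c.Images, AlternativeImage{Reference: reference})
+c.Images = append(c.Images, AlternativeImage{
+Reference: reference,
+CredentialSecret: credentialSecret,
+})
+}
+
+func (c *Container) loadAlternativesSecrets(ctx context.Context, cl client.Client) error {
+for i := range c.Images {
+image := &c.Images[i]
+if image.CredentialSecret == nil || image.ImagePullSecret != nil {
+continue
+}
+objectKey := client.ObjectKey{Namespace: image.CredentialSecret.Namespace, Name: image.CredentialSecret.Name}
+image.ImagePullSecret = &corev1.Secret{}
+if err := cl.Get(ctx, objectKey, image.ImagePullSecret); err != nil {
+return err
+}
+}
+return nil
 }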
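Review bot: In the ImageSetMirror loop (new lines 128–131), `mirror.CredentialSecret.Namespace = pod.Namespace` dereferences a field that the rest of the change treats as an optional pointer: `addAlternative` takes a `*kuikv1alpha1.CredentialSecret`, and `loadAlternativesSecrets` skips nil. A mirror configured without a secret would therefore most likely panic the admission webhook; guard the write with `if mirror.CredentialSecret != nil { mirror.CredentialSecret.Namespace = pod.Namespace }`. The ReplicatedImageSet path at new line 209 passes `upstream.CredentialSecret` through without that namespace pinning, and `loadAlternativesSecrets` then reads whatever namespace it names using the webhook's own client. If that resource can be written by users who lack read access to the referenced namespace, restrict the secret namespace there too, so the webhook does not read a Secret on their behalf and present it to a registry they chose. The body of `defaultt` between these hunks is not shown, so the field type and the scope of ReplicatedImageSet are inferred from the visible lines.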
