feat: Support for imagePullSecrets (#112)

Add support for pulling images from sources requiring authentication. The feature adheres to imagePullSecrets in Pods and ServiceAccounts. Loosely based on some of @DolevAlgam's work in #92 fixes #19
estahn · Sep 28, 2021 · 2d8cf77 · 2d8cf77
1 parent ef72c66
commit 2d8cf77
Show file tree

Hide file tree

Showing 15 changed files with 1,178 additions and 151 deletions.
diff --git a/cmd/root.go b/cmd/root.go
@@ -33,6 +33,7 @@ import (
 
 	"github.com/estahn/k8s-image-swapper/pkg/config"
 	"github.com/estahn/k8s-image-swapper/pkg/registry"
+	"github.com/estahn/k8s-image-swapper/pkg/secrets"
 	"github.com/estahn/k8s-image-swapper/pkg/types"
 	"github.com/estahn/k8s-image-swapper/pkg/webhook"
 	homedir "github.com/mitchellh/go-homedir"
@@ -42,6 +43,8 @@ import (
 	kwhhttp "github.com/slok/kubewebhook/v2/pkg/http"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
 )
 
 var cfgFile string
@@ -77,7 +80,15 @@ A mutating webhook for Kubernetes, pointing the images to a new location.`,
 			log.Err(err)
 		}
 
-		wh, err := webhook.NewImageSwapperWebhook(rClient, cfg.Source.Filters, imageSwapPolicy, imageCopyPolicy)
+		imagePullSecretProvider := setupImagePullSecretsProvider()
+
+		wh, err := webhook.NewImageSwapperWebhookWithOpts(
+			rClient,
+			webhook.Filters(cfg.Source.Filters),
+			webhook.ImagePullSecretsProvider(imagePullSecretProvider),
+			webhook.ImageSwapPolicy(imageSwapPolicy),
+			webhook.ImageCopyPolicy(imageCopyPolicy),
+		)
 		if err != nil {
 			log.Err(err).Msg("error creating webhook")
 			os.Exit(1)
@@ -243,3 +254,20 @@ func initLogger() {
 		log.Logger = log.With().Caller().Logger()
 	}
 }
+
+// setupImagePullSecretsProvider configures the provider handling secrets
+func setupImagePullSecretsProvider() secrets.ImagePullSecretsProvider {
+	config, err := rest.InClusterConfig()
+	if err != nil {
+		log.Warn().Err(err).Msg("failed to configure Kubernetes client, will continue without reading secrets")
+		return secrets.NewDummyImagePullSecretsProvider()
+	}
+
+	clientset, err := kubernetes.NewForConfig(config)
+	if err != nil {
+		log.Warn().Err(err).Msg("failed to configure Kubernetes client, will continue without reading secrets")
+		return secrets.NewDummyImagePullSecretsProvider()
+	}
+
+	return secrets.NewKubernetesImagePullSecretsProvider(clientset)
+}
diff --git a/go.mod b/go.mod
@@ -4,34 +4,46 @@ go 1.16
 
 require (
 	github.com/alitto/pond v1.5.1
-	github.com/aws/aws-sdk-go v1.40.43
-	github.com/containerd/containerd v1.5.2 // indirect
+	github.com/aws/aws-sdk-go v1.40.48
+	github.com/bits-and-blooms/bitset v1.2.1 // indirect
+	github.com/cespare/xxhash/v2 v2.1.2 // indirect
+	github.com/containerd/containerd v1.5.5 // indirect
 	github.com/containers/image/v5 v5.16.0
 	github.com/containers/libtrust v0.0.0-20200511145503-9c3a6c22cd9a // indirect
+	github.com/containers/storage v1.36.0 // indirect
 	github.com/dgraph-io/ristretto v0.1.0
+	github.com/evanphx/json-patch v4.11.0+incompatible
 	github.com/go-co-op/gocron v1.9.0
-	github.com/golang/glog v0.0.0-20210429001901-424d2337a529 // indirect
-	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
-	github.com/google/go-cmp v0.5.6 // indirect
+	github.com/go-logr/logr v1.1.0 // indirect
+	github.com/golang/glog v1.0.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
+	github.com/google/uuid v1.3.0 // indirect
 	github.com/gorilla/mux v1.8.0 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/jmespath/go-jmespath v0.4.0
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/klauspost/compress v1.13.6 // indirect
 	github.com/mitchellh/go-homedir v1.1.0
-	github.com/ostreedev/ostree-go v0.0.0-20210511152353-2ca91aaf921c // indirect
+	github.com/ostreedev/ostree-go v0.0.0-20210805093236-719684c64e4f // indirect
 	github.com/prometheus/client_golang v1.11.0
-	github.com/prometheus/common v0.29.0 // indirect
+	github.com/prometheus/common v0.30.0 // indirect
+	github.com/prometheus/procfs v0.7.3 // indirect
 	github.com/rs/zerolog v1.25.0
 	github.com/slok/kubewebhook/v2 v2.1.0
 	github.com/spf13/cobra v1.2.1
-	github.com/spf13/viper v1.8.1
+	github.com/spf13/viper v1.9.0
 	github.com/stretchr/objx v0.3.0 // indirect
 	github.com/stretchr/testify v1.7.0
-	golang.org/x/net v0.0.0-20210614182718-04defd469f4e // indirect
-	google.golang.org/genproto v0.0.0-20210617175327-b9e0b3197ced // indirect
+	golang.org/x/net v0.0.0-20210924054057-cf34111cab4d // indirect
+	golang.org/x/sys v0.0.0-20210923061019-b8560ed6a9b7 // indirect
+	golang.org/x/term v0.0.0-20210916214954-140adaaadfaf // indirect
+	golang.org/x/text v0.3.7 // indirect
+	google.golang.org/genproto v0.0.0-20210924002016-3dee208752a0 // indirect
 	gopkg.in/yaml.v2 v2.4.0
-	k8s.io/api v0.22.1
+	k8s.io/api v0.22.2
 	k8s.io/apimachinery v0.22.2
-	k8s.io/client-go v0.21.2 // indirect
-	k8s.io/klog/v2 v2.9.0 // indirect
+	k8s.io/client-go v0.22.2
+	k8s.io/klog/v2 v2.20.0 // indirect
+	k8s.io/utils v0.0.0-20210820185131-d34e5cb4466e // indirect
+	sigs.k8s.io/yaml v1.3.0 // indirect
 )