adds ImagePullSecretReferences function to dynakube methods

Dynatrace · Jul 5, 2024 · 6642ff7 · 6642ff7
1 parent 0c7c148
commit 6642ff7
Show file tree

Hide file tree

Showing 5 changed files with 144 additions and 35 deletions.
diff --git a/pkg/api/v1beta2/dynakube/properties.go b/pkg/api/v1beta2/dynakube/properties.go
@@ -223,6 +223,17 @@ func (dk *DynaKube) PullSecretsNames() []string {
 	return names
 }
 
+func (dk *DynaKube) ImagePullSecretReferences() []corev1.LocalObjectReference {
+	imagePullSecrets := make([]corev1.LocalObjectReference, 0)
+	for _, pullSecretName := range dk.PullSecretsNames() {
+		imagePullSecrets = append(imagePullSecrets, corev1.LocalObjectReference{
+			Name: pullSecretName,
+		})
+	}
+
+	return imagePullSecrets
+}
+
 func (dk *DynaKube) NeedsReadOnlyOneAgents() bool {
 	return dk.HostMonitoringMode() || dk.CloudNativeFullstackMode()
 }

diff --git a/pkg/api/v1beta3/dynakube/properties.go b/pkg/api/v1beta3/dynakube/properties.go
@@ -211,14 +211,27 @@ func (dk *DynaKube) PullSecretName() string {
 	return dk.Name + PullSecretSuffix
 }
 
-// PullSecretWithoutData returns a secret which can be used to query the actual secrets data from the cluster.
-func (dk *DynaKube) PullSecretWithoutData() corev1.Secret {
-	return corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      dk.PullSecretName(),
-			Namespace: dk.Namespace,
-		},
+// PullSecretsNames returns the names of the pull secrets to be used for immutable images.
+func (dk *DynaKube) PullSecretsNames() []string {
+	names := []string{
+		dk.Name + PullSecretSuffix,
 	}
+	if dk.Spec.CustomPullSecret != "" {
+		names = append(names, dk.Spec.CustomPullSecret)
+	}
+
+	return names
+}
+
+func (dk *DynaKube) ImagePullSecretReferences() []corev1.LocalObjectReference {
+	imagePullSecrets := make([]corev1.LocalObjectReference, 0)
+	for _, pullSecretName := range dk.PullSecretsNames() {
+		imagePullSecrets = append(imagePullSecrets, corev1.LocalObjectReference{
+			Name: pullSecretName,
+		})
+	}
+
+	return imagePullSecrets
 }
 
 func (dk *DynaKube) NeedsReadOnlyOneAgents() bool {

diff --git a/pkg/controllers/dynakube/activegate/internal/statefulset/statefulset.go b/pkg/controllers/dynakube/activegate/internal/statefulset/statefulset.go
@@ -3,7 +3,7 @@ package statefulset
 import (
 	"strconv"
 
-	dynatracev1beta2 "github.com/Dynatrace/dynatrace-operator/pkg/api/v1beta2/dynakube"
+	"github.com/Dynatrace/dynatrace-operator/pkg/api/v1beta2/dynakube"
 	"github.com/Dynatrace/dynatrace-operator/pkg/controllers/dynakube/activegate/capability"
 	"github.com/Dynatrace/dynatrace-operator/pkg/controllers/dynakube/activegate/consts"
 	"github.com/Dynatrace/dynatrace-operator/pkg/controllers/dynakube/activegate/internal/statefulset/builder"
@@ -31,14 +31,14 @@ type Builder struct {
 	envMap     *prioritymap.Map
 	kubeUID    types.UID
 	configHash string
-	dynakube   dynatracev1beta2.DynaKube
+	dynakube   dynakube.DynaKube
 }
 
-func NewStatefulSetBuilder(kubeUID types.UID, configHash string, dynakube dynatracev1beta2.DynaKube, capability capability.Capability) Builder {
+func NewStatefulSetBuilder(kubeUID types.UID, configHash string, dk dynakube.DynaKube, capability capability.Capability) Builder {
 	return Builder{
 		kubeUID:    kubeUID,
 		configHash: configHash,
-		dynakube:   dynakube,
+		dynakube:   dk,
 		capability: capability,
 		envMap:     prioritymap.New(prioritymap.WithPriority(defaultEnvPriority)),
 	}
@@ -118,13 +118,6 @@ func (statefulSetBuilder Builder) addUserAnnotations(sts *appsv1.StatefulSet) {
 }
 
 func (statefulSetBuilder Builder) addTemplateSpec(sts *appsv1.StatefulSet) {
-	imagePullSecrets := make([]corev1.LocalObjectReference, 0)
-	for _, pullSecretName := range statefulSetBuilder.dynakube.PullSecretsNames() {
-		imagePullSecrets = append(imagePullSecrets, corev1.LocalObjectReference{
-			Name: pullSecretName,
-		})
-	}
-
 	podSpec := corev1.PodSpec{
 		Containers:         statefulSetBuilder.buildBaseContainer(),
 		NodeSelector:       statefulSetBuilder.capability.Properties().NodeSelector,
@@ -136,7 +129,7 @@ func (statefulSetBuilder Builder) addTemplateSpec(sts *appsv1.StatefulSet) {
 				Type: corev1.SeccompProfileTypeRuntimeDefault,
 			},
 		},
-		ImagePullSecrets:  imagePullSecrets,
+		ImagePullSecrets:  statefulSetBuilder.dynakube.ImagePullSecretReferences(),
 		PriorityClassName: statefulSetBuilder.dynakube.Spec.ActiveGate.PriorityClassName,
 		DNSPolicy:         statefulSetBuilder.dynakube.Spec.ActiveGate.DNSPolicy,
 

diff --git a/pkg/controllers/dynakube/oneagent/daemonset/daemonset.go b/pkg/controllers/dynakube/oneagent/daemonset/daemonset.go
@@ -307,14 +307,7 @@ func (b *builder) imagePullSecrets() []corev1.LocalObjectReference {
 		return []corev1.LocalObjectReference{}
 	}
 
-	imagePullSecrets := make([]corev1.LocalObjectReference, 0)
-	for _, pullSecretName := range b.dk.PullSecretsNames() {
-		imagePullSecrets = append(imagePullSecrets, corev1.LocalObjectReference{
-			Name: pullSecretName,
-		})
-	}
-
-	return imagePullSecrets
+	return b.dk.ImagePullSecretReferences()
 }
 
 func (b *builder) securityContext() *corev1.SecurityContext {

diff --git a/pkg/oci/dockerkeychain/docker_keychain_test.go b/pkg/oci/dockerkeychain/docker_keychain_test.go
@@ -15,11 +15,25 @@ import (
 )
 
 const (
-	registryName = "docker.test.com"
-	testToken    = "test-token"
-	testPassword = "test-password"
-	testAuth     = "dGVzdC10b2tlbjp0ZXN0LXBhc3N3b3Jk" // echo -n "test-token:test-password" | base64
-	dockerConfig = "{\"auths\":{\"" + registryName + "\":{\"username\":\"" + testToken + "\",\"password\":\"" + testPassword + "\",\"auth\":\"" + testAuth + "\"}}}"
+	registryName         = "docker.test.com"
+	registryTestToken    = "test-token"
+	registryTestPassword = "test-password"
+	registryTestAuth     = "dGVzdC10b2tlbjp0ZXN0LXBhc3N3b3Jk" // echo -n "test-token:test-password" | base64
+	registryDockerConfig = "{\"auths\":{\"" + registryName + "\":{\"username\":\"" + registryTestToken + "\",\"password\":\"" + registryTestPassword + "\",\"auth\":\"" + registryTestAuth + "\"}}}"
+
+	registryCustomTestToken    = "custom-test-token"
+	registryCustomTestPassword = "custom-test-password"
+	registryCustomTestAuth     = "Y3VzdG9tLXRlc3QtdG9rZW46Y3VzdG9tLXRlc3QtcGFzc3dvcmQ=" // echo -n "custom-test-token:custom-test-password" | base64
+	registryCustomDockerConfig = "{\"auths\":{\"" + registryName + "\":{\"username\":\"" + registryCustomTestToken + "\",\"password\":\"" + registryCustomTestPassword + "\",\"auth\":\"" + registryCustomTestAuth + "\"}}}"
+
+	e2eRegistryName         = "e2e.test.com"
+	e2eRegistryTestToken    = "e2e-test-token"
+	e2eRegistryTestPassword = "e2e-test-password"
+	e2eRegistryTestAuth     = "ZTJlLXRlc3QtdG9rZW46ZTJlLXRlc3QtcGFzc3dvcmQ=" // echo -n "e2e-test-token:e2e-test-password" | base64
+	e2eRegistryDockerConfig = "{\"auths\":{\"" + e2eRegistryName + "\":{\"username\":\"" + e2eRegistryTestToken + "\",\"password\":\"" + e2eRegistryTestPassword + "\",\"auth\":\"" + e2eRegistryTestAuth + "\"}}}"
+
+	tenantPullSecretName = "dynakube-pull-secret"
+	customPullSecretName = "custom-pull-secret"
 )
 
 func TestNewDockerKeychain(t *testing.T) {
@@ -64,7 +78,7 @@ func TestNewDockerKeychain(t *testing.T) {
 				Namespace: "dynatrace",
 			},
 			Data: map[string][]byte{
-				corev1.DockerConfigJsonKey: []byte(dockerConfig),
+				corev1.DockerConfigJsonKey: []byte(registryDockerConfig),
 			},
 			Type: corev1.SecretTypeDockerConfigJson,
 		}
@@ -81,8 +95,8 @@ func TestNewDockerKeychain(t *testing.T) {
 		assert.NotNil(t, authenticator)
 		auth, err := authenticator.Authorization()
 		require.NoError(t, err)
-		assert.Equal(t, testToken, auth.Username)
-		assert.Equal(t, testPassword, auth.Password)
+		assert.Equal(t, registryTestToken, auth.Username)
+		assert.Equal(t, registryTestPassword, auth.Password)
 	})
 }
 
@@ -93,4 +107,89 @@ func TestNewDockerKeychains(t *testing.T) {
 		_, err := NewDockerKeychains(context.TODO(), client, "dynatrace", []string{"dynakube-pull-secret"})
 		require.NoError(t, err)
 	})
+
+	t.Run("the same registry", func(t *testing.T) {
+		tenantPullSecret := corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      tenantPullSecretName,
+				Namespace: "dynatrace",
+			},
+			Data: map[string][]byte{
+				corev1.DockerConfigJsonKey: []byte(registryDockerConfig),
+			},
+			Type: corev1.SecretTypeDockerConfigJson,
+		}
+		customPullSecret := corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      customPullSecretName,
+				Namespace: "dynatrace",
+			},
+			Data: map[string][]byte{
+				corev1.DockerConfigJsonKey: []byte(registryCustomDockerConfig),
+			},
+			Type: corev1.SecretTypeDockerConfigJson,
+		}
+		client := fake.NewClientWithIndex(&tenantPullSecret, &customPullSecret)
+
+		keychain, err := NewDockerKeychains(context.TODO(), client, "dynatrace", []string{tenantPullSecretName, customPullSecretName})
+		require.NoError(t, err)
+		registry, err := name.NewRegistry(registryName, name.StrictValidation)
+		require.NoError(t, err)
+
+		authenticator, err := keychain.Resolve(registry)
+
+		require.NoError(t, err)
+		assert.NotNil(t, authenticator)
+		auth, err := authenticator.Authorization()
+		require.NoError(t, err)
+		assert.Equal(t, registryCustomTestToken, auth.Username)
+		assert.Equal(t, registryCustomTestPassword, auth.Password)
+	})
+
+	t.Run("different registries", func(t *testing.T) {
+		tenantPullSecret := corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      tenantPullSecretName,
+				Namespace: "dynatrace",
+			},
+			Data: map[string][]byte{
+				corev1.DockerConfigJsonKey: []byte(registryDockerConfig),
+			},
+			Type: corev1.SecretTypeDockerConfigJson,
+		}
+		customPullSecret := corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      customPullSecretName,
+				Namespace: "dynatrace",
+			},
+			Data: map[string][]byte{
+				corev1.DockerConfigJsonKey: []byte(e2eRegistryDockerConfig),
+			},
+			Type: corev1.SecretTypeDockerConfigJson,
+		}
+		client := fake.NewClientWithIndex(&tenantPullSecret, &customPullSecret)
+
+		keychain, err := NewDockerKeychains(context.TODO(), client, "dynatrace", []string{tenantPullSecretName, customPullSecretName})
+		require.NoError(t, err)
+
+		registry, err := name.NewRegistry(registryName, name.StrictValidation)
+		require.NoError(t, err)
+		authenticator, err := keychain.Resolve(registry)
+		require.NoError(t, err)
+		assert.NotNil(t, authenticator)
+		auth, err := authenticator.Authorization()
+		require.NoError(t, err)
+		assert.Equal(t, registryTestToken, auth.Username)
+		assert.Equal(t, registryTestPassword, auth.Password)
+
+		registry, err = name.NewRegistry(e2eRegistryName, name.StrictValidation)
+		require.NoError(t, err)
+		authenticator, err = keychain.Resolve(registry)
+		require.NoError(t, err)
+		assert.NotNil(t, authenticator)
+		auth, err = authenticator.Authorization()
+		require.NoError(t, err)
+		assert.Equal(t, e2eRegistryTestToken, auth.Username)
+		assert.Equal(t, e2eRegistryTestPassword, auth.Password)
+	})
 }