Skip to content

Commit

Permalink
feat: add ImagePullSecrets to PodSpec (#2337)
Browse files Browse the repository at this point in the history 
Signed-off-by: Shahar Harari <shahar.harari@sap.com>
  • Loading branch information
@shahar-h
shahar-h committed Dec 23, 2023
1 parent c692458 commit a06377d
Show file tree
Hide file tree
Showing 8 changed files with 255 additions and 0 deletions.
8 changes: 8 additions & 0 deletions api/v1alpha1/shared_types.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -117,6 +117,14 @@ type KubernetesPodSpec struct {
// HostNetwork, If this is set to true, the pod will use host's network namespace.
// +optional
HostNetwork bool `json:"hostNetwork,omitempty"`

// ImagePullSecrets is an optional list of references to secrets
// in the same namespace to use for pulling any of the images used by this PodSpec.
// If specified, these secrets will be passed to individual puller implementations for them to use.
// More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod
//
// +optional
ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets,omitempty"`
}

// KubernetesContainerSpec defines the desired state of the Kubernetes container resource.
Expand Down
5 changes: 5 additions & 0 deletions api/v1alpha1/zz_generated.deepcopy.go
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

21 changes: 21 additions & 0 deletions charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3260,6 +3260,27 @@ spec:
description: HostNetwork, If this is set to true,
the pod will use host's network namespace.
type: boolean
imagePullSecrets:
description: 'ImagePullSecrets is an optional list
of references to secrets in the same namespace to
use for pulling any of the images used by this PodSpec.
If specified, these secrets will be passed to individual
puller implementations for them to use. More info:
https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod'
items:
description: LocalObjectReference contains enough
information to let you locate the referenced object
inside the same namespace.
properties:
name:
description: 'Name of the referent. More info:
https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion,
kind, uid?'
type: string
type: object
x-kubernetes-map-type: atomic
type: array
labels:
additionalProperties:
type: string
Expand Down
1 change: 1 addition & 0 deletions internal/infrastructure/kubernetes/proxy/resource_provider.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -239,6 +239,7 @@ func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) {
Affinity: deploymentConfig.Pod.Affinity,
Tolerations: deploymentConfig.Pod.Tolerations,
Volumes: expectedDeploymentVolumes(r.infra.Name, deploymentConfig),
ImagePullSecrets: deploymentConfig.Pod.ImagePullSecrets,
},
},
RevisionHistoryLimit: ptr.To[int32](10),
Expand Down
16 changes: 16 additions & 0 deletions internal/infrastructure/kubernetes/proxy/resource_provider_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -375,6 +375,22 @@ func TestDeployment(t *testing.T) {
},
},
},
{
caseName: "with-image-pull-secrets",
infra: newTestInfra(),
deploy: &egv1a1.KubernetesDeploymentSpec{
Pod: &egv1a1.KubernetesPodSpec{
ImagePullSecrets: []corev1.LocalObjectReference{
{
Name: "aaa",
},
{
Name: "bbb",
},
},
},
},
},
}
for _, tc := range cases {
t.Run(tc.caseName, func(t *testing.T) {
Expand Down
202 changes: 202 additions & 0 deletions internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,202 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
name: envoy-default-37a8eec1
namespace: envoy-gateway-system
spec:
replicas: 1
strategy:
type: RollingUpdate
selector:
matchLabels:
app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
template:
metadata:
labels:
app.kubernetes.io/name: envoy
app.kubernetes.io/component: proxy
app.kubernetes.io/managed-by: envoy-gateway
gateway.envoyproxy.io/owning-gateway-name: default
gateway.envoyproxy.io/owning-gateway-namespace: default
spec:
automountServiceAccountToken: false
containers:
- args:
- --service-cluster default
- --service-node $(ENVOY_POD_NAME)
- |
--config-yaml admin:
access_log:
- name: envoy.access_loggers.file
typed_config:
"@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
path: /dev/null
address:
socket_address:
address: 127.0.0.1
port_value: 19000
dynamic_resources:
ads_config:
api_type: DELTA_GRPC
transport_api_version: V3
grpc_services:
- envoy_grpc:
cluster_name: xds_cluster
set_node_on_first_message_only: true
lds_config:
ads: {}
resource_api_version: V3
cds_config:
ads: {}
resource_api_version: V3
static_resources:
listeners:
- name: envoy-gateway-proxy-ready-0.0.0.0-19001
address:
socket_address:
address: 0.0.0.0
port_value: 19001
protocol: TCP
filter_chains:
- filters:
- name: envoy.filters.network.http_connection_manager
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
stat_prefix: eg-ready-http
route_config:
name: local_route
http_filters:
- name: envoy.filters.http.health_check
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck
pass_through_mode: false
headers:
- name: ":path"
string_match:
exact: /ready
- name: envoy.filters.http.router
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
clusters:
- connect_timeout: 10s
load_assignment:
cluster_name: xds_cluster
endpoints:
- load_balancing_weight: 1
lb_endpoints:
- load_balancing_weight: 1
endpoint:
address:
socket_address:
address: envoy-gateway
port_value: 18000
typed_extension_protocol_options:
envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
"@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
explicit_http_config:
http2_protocol_options:
connection_keepalive:
interval: 30s
timeout: 5s
name: xds_cluster
type: STRICT_DNS
transport_socket:
name: envoy.transport_sockets.tls
typed_config:
"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
common_tls_context:
tls_params:
tls_maximum_protocol_version: TLSv1_3
tls_certificate_sds_secret_configs:
- name: xds_certificate
sds_config:
path_config_source:
path: "/sds/xds-certificate.json"
resource_api_version: V3
validation_context_sds_secret_config:
name: xds_trusted_ca
sds_config:
path_config_source:
path: "/sds/xds-trusted-ca.json"
resource_api_version: V3
- --log-level warn
- --cpuset-threads
command:
- envoy
env:
- name: ENVOY_GATEWAY_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: ENVOY_POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
image: envoyproxy/envoy-dev:latest
imagePullPolicy: IfNotPresent
name: envoy
ports:
- containerPort: 8080
name: EnvoyH-d76a15e2
protocol: TCP
- containerPort: 8443
name: EnvoyH-6658f727
protocol: TCP
resources:
requests:
cpu: 100m
memory: 512Mi
readinessProbe:
httpGet:
path: /ready
port: 19001
scheme: HTTP
timeoutSeconds: 1
periodSeconds: 10
successThreshold: 1
failureThreshold: 3
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /certs
name: certs
readOnly: true
- mountPath: /sds
name: sds
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
serviceAccountName: envoy-default-37a8eec1
terminationGracePeriodSeconds: 300
imagePullSecrets:
- name: aaa
- name: bbb
volumes:
- name: certs
secret:
secretName: envoy
defaultMode: 420
- configMap:
defaultMode: 420
items:
- key: xds-trusted-ca.json
path: xds-trusted-ca.json
- key: xds-certificate.json
path: xds-certificate.json
name: envoy-default-37a8eec1
optional: false
name: sds
revisionHistoryLimit: 10
progressDeadlineSeconds: 600
1 change: 1 addition & 0 deletions internal/infrastructure/kubernetes/ratelimit/resource_provider.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -182,6 +182,7 @@ func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) {
Volumes: expectedDeploymentVolumes(r.rateLimit, r.rateLimitDeployment),
Affinity: r.rateLimitDeployment.Pod.Affinity,
Tolerations: r.rateLimitDeployment.Pod.Tolerations,
ImagePullSecrets: r.rateLimitDeployment.Pod.ImagePullSecrets,
},
},
RevisionHistoryLimit: ptr.To[int32](10),
Expand Down
1 change: 1 addition & 0 deletions site/content/en/latest/api/extension_types.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1089,6 +1089,7 @@ _Appears in:_
| `tolerations` _[Toleration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#toleration-v1-core) array_ | If specified, the pod's tolerations. |
| `volumes` _[Volume](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#volume-v1-core) array_ | Volumes that can be mounted by containers belonging to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes |
| `hostNetwork` _boolean_ | HostNetwork, If this is set to true, the pod will use host's network namespace. |
| `imagePullSecrets` _[LocalObjectReference](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#localobjectreference-v1-core) array_ | ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. If specified, these secrets will be passed to individual puller implementations for them to use. More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod |


#### KubernetesServiceSpec
Expand Down

0 comments on commit a06377d

Please sign in to comment.