Add support for imagePullSecrets #2589

Merged (2 commits) on Mar 18, 2023

Contributor

@garonsky garonsky commented Feb 14, 2023

Add support for imagePullSecrets in the CDI CR to support pulling images from repositories that require secrets.

The imagePullSecrets is propagated to the following components: cdi-apiserver, cdi-deployment, and cdi-uploadproxy. The definition of imagePullSecrets in cdi-operator must be done manually.

Does this PR introduce a user-facing change?

Added support for imagePullSecrets to the CDI custom resource and the cdi-operator resource.  Updates to the imagePullSecrets value in the custom resource are automatically propagated to cdi-apiserver, cdi-deployment, and cdi-uploadproxy.  The cdi-operator resource should be manually updated.

@kubevirt-bot kubevirt-bot added dco-signoff: yes Indicates the PR's author has DCO signed all their commits. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Feb 14, 2023
@kubevirt-bot
Contributor

Hi @garonsky. Thanks for your PR.

I'm waiting for a kubevirt member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@mhenriks
Member

thanks for the pr @garonsky!

/ok-to-test

@kubevirt-bot kubevirt-bot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Feb 15, 2023
@mhenriks
Member

@garonsky have you seen the discussion in #2395 on support for secrets in "worker" pods? Mind sharing your thoughts there? Looks like you intend to support clone source pods in this pr? What are your thoughts on the other workers?

@alromeros
Collaborator

/test pull-containerized-data-importer-e2e-ceph

@kubevirt-bot kubevirt-bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Feb 17, 2023
Member

@mhenriks mhenriks left a comment

@garonsky thanks for the PR, great start! Looks like we mostly just have to flush out the support for worker pods and.

@@ -57,6 +58,7 @@ var (
uploadProxyServiceName string
configName string
pullPolicy string
imagePullSecrets []corev1.LocalObjectReference
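Review bot: The new package-level `imagePullSecrets` variable at the end of this var block is declared next to `pullPolicy`, but nothing visible in the hunk populates it, so any pod built from it would get an empty list. Either set it in the same place `pullPolicy` is set, or drop it and have callers read the value from configuration when the pod is created.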
Member

This variable is not assigned to. But I suggest a different approach for setting imagePullSecrets on worker pods.

There are a bunch of places in pkg/controller where pods are created. We should handle imagePullSecrets similar to how podResourceRequirements are handled by looking up the value in CDIConfig at pod creation time.

ImagePullPolicy corev1.PullPolicy `json:"imagePullPolicy,omitempty" valid:"required"`
ImagePullPolicy corev1.PullPolicy `json:"imagePullPolicy,omitempty" valid:"required"`
// The imagePullSecrets to pull the container images
ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets,omitempty"`
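Review bot: The doc comment on `ImagePullSecrets` does not say where the referenced secrets must live. `corev1.LocalObjectReference` carries only a name, and Kubernetes resolves it in the namespace of the pod being created, so the comment should state that a secret with each listed name has to exist in every namespace where these pods run and that setting this field does not create them.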
Member

@mhenriks mhenriks Feb 17, 2023

I assume that we want regular users to know the names of secrets we expect them to create? So I suggest moving ImagePullSecrets to CDIConfig. So CDI will look like this:

...
kind: CDI
spec:
  config:
    imagePullSecrets:
    - secret-name
...

And CDIConfig should have imagePullSecrets in the status like so:

...
kind: CDIConfig
metadata:
  name: config
spec:
  imagePullSecrets:  #set by config-controller
    - secret-name
status:
  imagePullSecrets:
    - secret-name
...

CDIConfig has a singleton (named config) that is created by the config-controller and readable by all users. The spec section is spec.config from the CDI resource.

I refer you again to how PodResourceRequirements are handled
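The spec-to-status propagation and pod-creation-time lookup described in this comment, as an added example that is not CDI's own code. The types and function names are simplified, hypothetical stand-ins, and the example also covers the case where the list is later removed from the spec.

```go
package main

import "fmt"

// LocalObjectReference, CDIConfig, PodSpec and the functions below are
// simplified stand-ins written for this example; they are not the CDI or
// Kubernetes types.
type LocalObjectReference struct{ Name string }

type CDIConfig struct {
	Spec   struct{ ImagePullSecrets []LocalObjectReference }
	Status struct{ ImagePullSecrets []LocalObjectReference }
}

// PodSpec holds only the field this example cares about.
type PodSpec struct{ ImagePullSecrets []LocalObjectReference }

// reconcileImagePullSecrets mirrors spec into status unconditionally, so
// removing the list from spec also clears status. It copies the slice so
// later edits to spec cannot show through in status.
func reconcileImagePullSecrets(cfg *CDIConfig) {
	cfg.Status.ImagePullSecrets = append([]LocalObjectReference(nil), cfg.Spec.ImagePullSecrets...)
}

// imagePullSecretsFor is what a pod-creating controller would call at pod
// creation time: it reads the published status, never the spec.
func imagePullSecretsFor(cfg *CDIConfig) []LocalObjectReference {
	return append([]LocalObjectReference(nil), cfg.Status.ImagePullSecrets...)
}

// newWorkerPodSpec builds a worker pod spec from the current config.
func newWorkerPodSpec(cfg *CDIConfig) PodSpec {
	return PodSpec{ImagePullSecrets: imagePullSecretsFor(cfg)}
}

func main() {
	cfg := &CDIConfig{}
	cfg.Spec.ImagePullSecrets = []LocalObjectReference{{Name: "secret-name"}}
	reconcileImagePullSecrets(cfg)
	fmt.Println(newWorkerPodSpec(cfg).ImagePullSecrets) // pod created now carries the secret

	cfg.Spec.ImagePullSecrets = nil // the list is removed from spec.config
	reconcileImagePullSecrets(cfg)
	fmt.Println(len(newWorkerPodSpec(cfg).ImagePullSecrets)) // status was cleared too
}
```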

@kubevirt-bot kubevirt-bot added dco-signoff: no Indicates the PR's author has not DCO signed all their commits. and removed dco-signoff: yes Indicates the PR's author has DCO signed all their commits. labels Feb 21, 2023
@kubevirt-bot kubevirt-bot added dco-signoff: yes Indicates the PR's author has DCO signed all their commits. dco-signoff: no Indicates the PR's author has not DCO signed all their commits. and removed dco-signoff: no Indicates the PR's author has not DCO signed all their commits. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. labels Feb 21, 2023
@garonsky
Contributor Author

@mhenriks thank you for the great feedback! I tried to implement the suggestions, let me know if this is more of what you had in mind.

images from repositories that require secrets.

The imagePullSecrets is propagated to the following components: cdi-apiserver,
cdi-deployment, and cdi-uploadproxy. The definition of imagePullSecrets in
cdi-operator must be done manually.

Signed-off-by: Gleb Aronsky <gleb.aronsky@windriver.com>
@kubevirt-bot kubevirt-bot added dco-signoff: yes Indicates the PR's author has DCO signed all their commits. and removed dco-signoff: no Indicates the PR's author has not DCO signed all their commits. labels Feb 23, 2023
@mhenriks
Member

mhenriks commented Mar 8, 2023

@garonsky I did a quick scan and I think this looks great! I will dig a little deeper tomorrow and keep you posted. Sorry for the delayed response. Been on PTO.

Member

@mhenriks mhenriks left a comment

@@ -867,6 +868,8 @@ func createImporterPod(log logr.Logger, client client.Client, args *importerPodA
return nil, err
}

args.imagePullSecrets = cdiv1.CDIConfig{}.Spec.ImagePullSecrets
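Review bot: `cdiv1.CDIConfig{}.Spec.ImagePullSecrets` on the added line reads the field from a freshly constructed, zero-value struct, so `args.imagePullSecrets` is always nil and the importer pod never receives the configured secrets. Read the list from the CDIConfig object stored in the cluster, using the `client` this function already takes, and propagate a lookup failure the same way the `return nil, err` above does.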
Member

Should be calling GetImagePullSecrets here, right?

@garonsky
Contributor Author

@mhenriks Thank you so much for the guidance! I made some changes. Let me know if I captured your suggestions with the latest changes.

Member

@mhenriks mhenriks left a comment

@garonsky seems to work well, just one bug I found

func (r *CDIConfigReconciler) reconcileImagePullSecrets(config *cdiv1.CDIConfig) error {
if config.Spec.ImagePullSecrets != nil {
config.Status.ImagePullSecrets = config.Spec.ImagePullSecrets
}
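Review bot: The `!= nil` guard means status is only ever written, never cleared: once `config.Spec.ImagePullSecrets` is removed, `config.Status.ImagePullSecrets` keeps the old names and anything reading status keeps using secrets that were taken out of the configuration. Assign `config.Status.ImagePullSecrets = config.Spec.ImagePullSecrets` unconditionally; copying the slice rather than sharing it would also keep later spec edits from showing through in status.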
Member

config.Status.ImagePullSecrets will not get unset if config.Spec.ImagePullSecrets is deleted

Signed-off-by: Gleb Aronsky <gleb.aronsky@windriver.com>
@mhenriks
Member

/lgtm
/approve

Thanks @garonsky!

@kubevirt-bot kubevirt-bot added the lgtm Indicates that a PR is ready to be merged. label Mar 17, 2023
@kubevirt-bot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mhenriks

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kubevirt-bot kubevirt-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 17, 2023
@kubevirt-bot kubevirt-bot merged commit 4e3ee4c into kubevirt:main Mar 18, 2023
@aglitke
Member

aglitke commented Mar 27, 2023

Fixes #2395
