This repository has been archived by the owner on Feb 14, 2025. It is now read-only.

feat: adding service account as possible creds #21

Merged
merged 9 commits into from
Apr 13, 2023

@Skarlso Skarlso commented Apr 12, 2023

No description provided.

@Skarlso Skarlso requested a review from phoban01 April 12, 2023 13:17
@Skarlso Skarlso force-pushed the service-account branch 2 times, most recently from fb7f1f5 to 58c8057 Compare April 12, 2023 15:13
Signed-off-by: Piaras Hoban <phoban01@gmail.com>
… successfully reconciliation

Signed-off-by: Piaras Hoban <phoban01@gmail.com>
pkg/ocm/ocm.go Outdated
if err != nil {
return false, fmt.Errorf("failed to get repository for spec: %w", err)
panic(err)
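
Review bot: the `panic(err)` on the last line of this snippet, inside the `if err != nil` branch, turns a repository lookup failure into a panic instead of an error the caller can handle. Keep only the wrapped `return false, fmt.Errorf("failed to get repository for spec: %w", err)` so the failure is reported through the normal error path, and drop the panic before merging.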
Contributor Author

TODO: remove

@phoban01 phoban01 changed the title feat: adding service account as possible credsg feat: adding service account as possible creds Apr 13, 2023
@Skarlso Skarlso force-pushed the service-account branch 2 times, most recently from be639f5 to c4ff2e8 Compare April 13, 2023 09:48

Skarlso commented Apr 13, 2023

I also need to add authentication tests... That won't be easy. :D

We'll test that with the end-to-end flow. It's covered now partially through unit tests.


Skarlso commented Apr 13, 2023

It's workiiiing! :)

"namespace": "ocm-system", "name": "componentsubscription-sample", "reconcileID": "18eb09e4-0c5d-41cd-b795-22c7a5144a96", "component-name": "github.com/skarlso/ocm-replication"}
time="2023-04-13T10:53:33Z" level=info msg="transferring version" history= logger=ocm version="\"github.com/skarlso/ocm-replication:0.0.1\""
time="2023-04-13T10:53:36Z" level=info msg="  transferring resources" history= logger=ocm version="\"github.com/skarlso/ocm-replication:0.0.1\""
time="2023-04-13T10:53:37Z" level=info msg="adding resource blob" logger=ocm resource=ocm-replication
time="2023-04-13T10:53:41Z" level=info msg="  transferring sources" history= logger=ocm version="\"github.com/skarlso/ocm-replication:0.0.1\""
time="2023-04-13T10:53:41Z" level=info msg="  transferring references" history= logger=ocm version="\"github.com/skarlso/ocm-replication:0.0.1\""
time="2023-04-13T10:53:41Z" level=info msg="  adding component version" history= logger=ocm version="\"github.com/skarlso/ocm-replication:0.0.1\""
2023-04-13T10:53:51Z	INFO	starting reconcile loop	{"controller": "componentsubscription", "controllerGroup": "delivery.ocm.software", "controllerKind": "ComponentSubscription", "ComponentSubscription": {"name":"componentsubscription-sample","namespace":"ocm-system"}, "namespace": "ocm-system", "name": "componentsubscription-sample", "reconcileID": "c716a2c3-0a9a-4bf3-b884-757a3920b78e", "subscription": {"name":"componentsubscription-sample","namespace":"ocm-system"}}
2023-04-13T10:53:51Z	LEVEL(-4)	configuring service account credentials	{"controller": "componentsubscription", "controllerGroup": "delivery.ocm.software", "controllerKind": "ComponentSubscription", "ComponentSubscription": {"name":"componentsubscription-sample","namespace":"ocm-system"}, "namespace": "ocm-system", "name": "componentsubscription-sample", "reconcileID": "c716a2c3-0a9a-4bf3-b884-757a3920b78e"}
2023-04-13T10:53:51Z	LEVEL(-4)	got service account	{"controller": "componentsubscription", "controllerGroup": "delivery.ocm.software", "controllerKind": "ComponentSubscription", "ComponentSubscription": {"name":"componentsubscription-sample","namespace":"ocm-system"}, "namespace": "ocm-system", "name": "componentsubscription-sample", "reconcileID": "c716a2c3-0a9a-4bf3-b884-757a3920b78e", "name": "oci-creds"}
2023-04-13T10:53:51Z	LEVEL(-4)	got newest version from component	{"controller": "componentsubscription", "controllerGroup": "delivery.ocm.software", "controllerKind": "ComponentSubscription", "ComponentSubscription": {"name":"componentsubscription-sample","namespace":"ocm-system"}, "namespace": "ocm-system", "name": "componentsubscription-sample", "reconcileID": "c716a2c3-0a9a-4bf3-b884-757a3920b78e", "version": "0.0.1"}
2023-04-13T10:53:51Z	INFO	latest version and replicated version are a match and not empty	{"controller": "componentsubscription", "controllerGroup": "delivery.ocm.software", "controllerKind": "ComponentSubscription", "ComponentSubscription": {"name":"componentsubscription-sample","namespace":"ocm-system"}, "namespace": "ocm-system", "name": "componentsubscription-sample", "reconcileID": "c716a2c3-0a9a-4bf3-b884-757a3920b78e"}
2023-04-13T10:53:58Z	INFO	component deleted	{"controller": "componentsubscription", "controllerGroup": "delivery.ocm.software", "controllerKind": "ComponentSubscription", "ComponentSubscription": {"name":"componentsubscription-sample","namespace":"ocm-system"}, "namespace": "ocm-system", "name": "componentsubscription-sample", "reconcileID": "4117c644-450d-4f92-9fc3-81ce4690d0f5"}
2023-04-13T10:54:02Z	INFO	component deleted	{"controller": "componentsubscription", "controllerGroup": "delivery.ocm.software", "controllerKind": "ComponentSubscription", "ComponentSubscription": {"name":"componentsubscription-sample","namespace":"ocm-system"}, "namespace": "ocm-system", "name": "componentsubscription-sample", "reconcileID": "44452815-c1c6-4778-8aa3-56c33051c6c8"}
2023-04-13T10:54:16Z	INFO	starting reconcile loop	{"controller": "componentsubscription", "controllerGroup": "delivery.ocm.software", "controllerKind": "ComponentSubscription", "ComponentSubscription": {"name":"componentsubscription-sample","namespace":"ocm-system"}, "namespace": "ocm-system", "name": "componentsubscription-sample", "reconcileID": "769c61e2-8d72-436f-ba10-a4b2999824a1", "subscription": {"name":"componentsubscription-sample","namespace":"ocm-system"}}
2023-04-13T10:54:16Z	LEVEL(-4)	configuring service account credentials	{"controller": "componentsubscription", "controllerGroup": "delivery.ocm.software", "controllerKind": "ComponentSubscription", "ComponentSubscription": {"name":"componentsubscription-sample","namespace":"ocm-system"}, "namespace": "ocm-system", "name": "componentsubscription-sample", "reconcileID": "769c61e2-8d72-436f-ba10-a4b2999824a1"}
2023-04-13T10:54:16Z	ERROR	Reconciler error	{"controller": "componentsubscription", "controllerGroup": "delivery.ocm.software", "controllerKind": "ComponentSubscription", "ComponentSubscription": {"name":"componentsubscription-sample","namespace":"ocm-system"}, "namespace": "ocm-system", "name": "componentsubscription-sample", "reconcileID": "769c61e2-8d72-436f-ba10-a4b2999824a1", "error": "failed to get latest component version: failed to get component versions: failed to list versions for component: failed to authorize: failed to fetch anonymous token: unexpected status: 401 Unauthorized"}
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler
	/Users/skarlso/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.14.4/pkg/internal/controller/controller.go:329
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
	/Users/skarlso/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.14.4/pkg/internal/controller/controller.go:274
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2
	/Users/skarlso/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.14.4/pkg/internal/controller/controller.go:235
2023-04-13T10:54:16Z	INFO	starting reconcile loop	{"controller": "componentsubscription", "controllerGroup": "delivery.ocm.software", "controllerKind": "ComponentSubscription", "ComponentSubscription": {"name":"componentsubscription-sample","namespace":"ocm-system"}, "namespace": "ocm-system", "name": "componentsubscription-sample", "reconcileID": "32042d39-8c71-4f1b-b248-f0438665afb0", "subscription": {"name":"componentsubscription-sample","namespace":"ocm-system"}}

Previously, when we deleted the usage of the service account it was still authenticated because the context remained configured. Now it's no longer doing that.
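
The stale-credential behaviour described in the comment above, reduced to a minimal model. This is an added example, not code from this pull request: `credContext`, `subscription`, `configure` and the two `reconcile*` functions are hypothetical, and building a fresh context per reconcile is one possible remedy, not necessarily the one merged here.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical stand-ins; none of these types come from the OCM libraries.
var errUnauthorized = errors.New("401 Unauthorized")

// credContext models a context object that carries registry credentials.
type credContext struct{ token string }

// subscription models the part of the spec that names a service account.
type subscription struct{ ServiceAccountName string }

// listVersions models a private registry: it rejects anonymous callers.
func listVersions(c *credContext) error {
	if c.token == "" {
		return errUnauthorized
	}
	return nil
}

// configure adds credentials only when a service account is named.
func configure(c *credContext, s subscription) {
	if s.ServiceAccountName == "" {
		return
	}
	c.token = "token-for-" + s.ServiceAccountName // constructed value
}

// reconcileShared reuses one long-lived context for every reconcile, so
// credentials configured earlier survive after the spec stops asking for them.
func reconcileShared(shared *credContext, s subscription) error {
	configure(shared, s)
	return listVersions(shared)
}

// reconcileFresh builds a new context per reconcile; access follows the spec.
func reconcileFresh(s subscription) error {
	c := &credContext{}
	configure(c, s)
	return listVersions(c)
}

func main() {
	shared := &credContext{}
	with, without := subscription{ServiceAccountName: "oci-creds"}, subscription{}
	fmt.Println(reconcileShared(shared, with), reconcileShared(shared, without))
	fmt.Println(reconcileFresh(with), reconcileFresh(without))
}
```

With the shared context, the second reconcile still authenticates after the service account is removed from the spec; with the fresh context it gets the 401 seen in the log.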

@phoban01 phoban01 left a comment

A few small nits; tests are really great.

pkg/ocm/ocm.go Outdated
}
}

if err := c.maybeConfigureAccessCredentials(ctx, octx, obj.Spec.Source, obj.Namespace); err != nil {
Contributor

This is kind of a weird name 😄 configureCredentials would make sense to me.

Comment on lines 8 to 14
secretRef:
name: creds
credentials:
secretRef:
name: creds
url: ghcr.io/phoban01/ocm-podify
destination:
secretRef:
name: creds
credentials:
serviceAccountName: service-account-for-destination
Contributor

this needs to be updated I think

pkg/ocm/ocm.go Outdated
Comment on lines 322 to 325
if obj.Spec.ServiceAccountName == "" {
return nil
}
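
Review bot: the early `return nil` for an empty `obj.Spec.ServiceAccountName` at the top of this snippet is undocumented. Add a short comment stating that an empty name means no service account credentials are configured and that the function is a no-op in that case, so readers do not mistake the `nil` result for a successful credential setup.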

Contributor

could this check be outside the method? then you only need to pass in the service account name and the contexts.

Contributor Author

I'm also using obj.Namespace. But I can pass that in instead. Would minimize the memory burden.

},
},
{
name: "component access with secret ref",
Contributor

nice

@Skarlso Skarlso merged commit 0b50ed9 into main Apr 13, 2023
@Skarlso Skarlso deleted the service-account branch April 13, 2023 13:39