Skip to content

Commit

Permalink
k8schain: Log and proceed if secret or SA are not found (#1472)
Browse files Browse the repository at this point in the history
  • Loading branch information
imjasonh authored Oct 23, 2022
1 parent 02f47e1 commit a0cca8a
Show file tree
Hide file tree
Showing 2 changed files with 57 additions and 9 deletions.
31 changes: 22 additions & 9 deletions pkg/authn/kubernetes/keychain.go
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,9 @@ import (
"strings"

"github.com/google/go-containerregistry/pkg/authn"
"github.com/google/go-containerregistry/pkg/logs"
corev1 "k8s.io/api/core/v1"
k8serrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/kubernetes"
"k8s.io/client-go/rest"
Expand Down Expand Up @@ -65,23 +67,33 @@ func New(ctx context.Context, client kubernetes.Interface, opt Options) (authn.K
var pullSecrets []corev1.Secret
for _, name := range opt.ImagePullSecrets {
ps, err := client.CoreV1().Secrets(opt.Namespace).Get(ctx, name, metav1.GetOptions{})
if err != nil {
if k8serrors.IsNotFound(err) {
logs.Warn.Printf("secret %s/%s not found; ignoring", opt.Namespace, name)
continue
} else if err != nil {
return nil, err
}
pullSecrets = append(pullSecrets, *ps)
}

// Second, fetch all of the pull secrets attached to our service account.
sa, err := client.CoreV1().ServiceAccounts(opt.Namespace).Get(ctx, opt.ServiceAccountName, metav1.GetOptions{})
if err != nil {
if k8serrors.IsNotFound(err) {
logs.Warn.Printf("serviceaccount %s/%s not found; ignoring", opt.Namespace, opt.ServiceAccountName)
} else if err != nil {
return nil, err
}
for _, localObj := range sa.ImagePullSecrets {
ps, err := client.CoreV1().Secrets(opt.Namespace).Get(ctx, localObj.Name, metav1.GetOptions{})
if err != nil {
return nil, err
if sa != nil {
for _, localObj := range sa.ImagePullSecrets {
ps, err := client.CoreV1().Secrets(opt.Namespace).Get(ctx, localObj.Name, metav1.GetOptions{})
if k8serrors.IsNotFound(err) {
logs.Warn.Printf("secret %s/%s not found; ignoring", opt.Namespace, localObj.Name)
continue
} else if err != nil {
return nil, err
}
pullSecrets = append(pullSecrets, *ps)
}
pullSecrets = append(pullSecrets, *ps)
}

return NewFromPullSecrets(ctx, pullSecrets)
Expand Down Expand Up @@ -236,8 +248,9 @@ func splitURL(url *url.URL) (parts []string, port string) {
// glob wild cards in the host name.
//
// Examples:
// globURL=*.docker.io, targetURL=blah.docker.io => match
// globURL=*.docker.io, targetURL=not.right.io => no match
//
// globURL=*.docker.io, targetURL=blah.docker.io => match
// globURL=*.docker.io, targetURL=not.right.io => no match
//
// Note that we don't support wildcards in ports and paths yet.
func urlsMatch(globURL *url.URL, targetURL *url.URL) (bool, error) {
Expand Down
35 changes: 35 additions & 0 deletions pkg/authn/kubernetes/keychain_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -89,6 +89,41 @@ func TestAnonymousFallback(t *testing.T) {
testResolve(t, kc, registry(t, "fake.registry.io"), authn.Anonymous)
}

func TestSecretNotFound(t *testing.T) {
client := fakeclient.NewSimpleClientset(&corev1.ServiceAccount{
ObjectMeta: metav1.ObjectMeta{
Name: "default",
Namespace: "default",
},
})

kc, err := New(context.Background(), client, Options{
ImagePullSecrets: []string{"not-found"},
})
if err != nil {
t.Errorf("New() = %v", err)
}

testResolve(t, kc, registry(t, "fake.registry.io"), authn.Anonymous)
}

func TestServiceAccountNotFound(t *testing.T) {
client := fakeclient.NewSimpleClientset(&corev1.ServiceAccount{
ObjectMeta: metav1.ObjectMeta{
Name: "default",
Namespace: "default",
},
})
kc, err := New(context.Background(), client, Options{
ServiceAccountName: "not-found",
})
if err != nil {
t.Errorf("New() = %v", err)
}

testResolve(t, kc, registry(t, "fake.registry.io"), authn.Anonymous)
}

func TestAttachedServiceAccount(t *testing.T) {
username, password := "foo", "bar"
client := fakeclient.NewSimpleClientset(&corev1.ServiceAccount{
Expand Down

0 comments on commit a0cca8a

Please sign in to comment.