From d853cbc7ffa43660eb9a559516ad8770b61ff8d2 Mon Sep 17 00:00:00 2001 From: Andrew Keesler Date: Thu, 24 Sep 2020 15:52:05 -0400 Subject: [PATCH] Plumb through ImagePullSecrets to agent pod Right now in the YTT templates we assume that the agent pods are gonna use the same image as the main Pinniped deployment, so we can use the same logic for the image pull secrets. Signed-off-by: Andrew Keesler --- deploy/deployment.yaml | 4 ++++ .../controller/kubecertagent/creater_test.go | 7 ++++--- .../controller/kubecertagent/kubecertagent.go | 16 ++++++++++++++++ .../kubecertagent/kubecertagent_test.go | 5 +++++ .../controllermanager/prepare_controllers.go | 7 ++++--- pkg/config/api/types.go | 4 ++++ pkg/config/config_test.go | 6 ++++-- 7 files changed, 41 insertions(+), 8 deletions(-) diff --git a/deploy/deployment.yaml b/deploy/deployment.yaml index a83c571c3..2a1d5e9e3 100644 --- a/deploy/deployment.yaml +++ b/deploy/deployment.yaml @@ -45,6 +45,10 @@ data: (@ else: @) image: (@= data.values.image_repo + ":" + data.values.image_tag @) (@ end @) + (@ if data.values.image_pull_dockerconfigjson: @) + imagePullSecrets: + - image-pull-secret + (@ end @) --- #@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "": apiVersion: v1 diff --git a/internal/controller/kubecertagent/creater_test.go b/internal/controller/kubecertagent/creater_test.go index d3d809ead..430ac83a5 100644 --- a/internal/controller/kubecertagent/creater_test.go +++ b/internal/controller/kubecertagent/creater_test.go 
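Review bot: The guard added in the deploy/deployment.yaml hunk, `(@ if data.values.image_pull_dockerconfigjson: @)`, is spelled differently from the guard on the Secret document just below it, `#@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":`. Using the same expression in both places keeps the rendered config from naming a pull secret that the template did not render, or the reverse, if the two conditions ever diverge. The literal `image-pull-secret` also has to match the Secret's `metadata.name`, which is outside this hunk, so a short comment next to it pointing at that Secret would help whoever renames it later.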
@@ -83,9 +83,10 @@ func TestCreaterControllerSync(t *testing.T) { // Set this at the last second to allow for injection of server override. subject = NewCreaterController( &AgentPodConfig{ - Namespace: agentPodNamespace, - ContainerImage: "some-agent-image", - PodNamePrefix: "some-agent-name-", + Namespace: agentPodNamespace, + ContainerImage: "some-agent-image", + PodNamePrefix: "some-agent-name-", + ContainerImagePullSecrets: []string{"some-image-pull-secret"}, }, &CredentialIssuerConfigLocationConfig{ Namespace: credentialIssuerConfigNamespaceName, diff --git a/internal/controller/kubecertagent/kubecertagent.go b/internal/controller/kubecertagent/kubecertagent.go index bd9c4bcda..00e5e00e6 100644 --- a/internal/controller/kubecertagent/kubecertagent.go +++ b/internal/controller/kubecertagent/kubecertagent.go @@ -63,6 +63,10 @@ type AgentPodConfig struct { // The name prefix for each of the agent pods. PodNamePrefix string + + // ContainerImagePullSecrets is a list of names of Kubernetes Secret objects that will be used as + // ImagePullSecrets on the kube-cert-agent pods. + ContainerImagePullSecrets []string } type CredentialIssuerConfigLocationConfig struct { @@ -81,6 +85,17 @@ func (c *AgentPodConfig) Labels() map[string]string { func (c *AgentPodConfig) PodTemplate() *corev1.Pod { terminateImmediately := int64(0) + + imagePullSecrets := []corev1.LocalObjectReference{} + for _, imagePullSecret := range c.ContainerImagePullSecrets { + imagePullSecrets = append( + imagePullSecrets, + corev1.LocalObjectReference{ + Name: imagePullSecret, + }, + ) + } + pod := &corev1.Pod{ ObjectMeta: metav1.ObjectMeta{ Name: c.PodNamePrefix, @@ -89,6 +104,7 @@ func (c *AgentPodConfig) PodTemplate() *corev1.Pod { }, Spec: corev1.PodSpec{ TerminationGracePeriodSeconds: &terminateImmediately, + ImagePullSecrets: imagePullSecrets, Containers: []corev1.Container{ { Name: "sleeper", 
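Review bot: The doc comment added on `ContainerImagePullSecrets` in kubecertagent.go does not say which namespace the named Secrets must live in. PodTemplate turns each name into a `corev1.LocalObjectReference`, which is resolved in the pod's own namespace, and nothing in this patch checks that the names resolve. I would extend the comment with `// The Secrets must exist in Namespace; this package does not verify that they do.` The same sentence belongs on `ImagePullSecrets` in pkg/config/api/types.go, whose comment is worded identically.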
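Review bot: In the PodTemplate hunk, `imagePullSecrets := []corev1.LocalObjectReference{}` makes the pod spec carry an empty non-nil slice when no pull secrets are configured. A pod read back from the API server will presumably have a nil `ImagePullSecrets` there. Any comparison of template against live pod that uses `reflect.DeepEqual` (or a test assertion built on it) would then see a difference that is not one. Declaring it as `var imagePullSecrets []corev1.LocalObjectReference` keeps the unconfigured case nil and the loop unchanged. The tests visible in this patch only exercise one configured secret, so a case with an empty `ContainerImagePullSecrets` would be worth adding; PodTemplate's body continues outside the hunk.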
diff --git a/internal/controller/kubecertagent/kubecertagent_test.go b/internal/controller/kubecertagent/kubecertagent_test.go index e265fdc7e..6c8da06a8 100644 --- a/internal/controller/kubecertagent/kubecertagent_test.go +++ b/internal/controller/kubecertagent/kubecertagent_test.go @@ -87,6 +87,11 @@ func exampleControllerManagerAndAgentPods( }, Spec: corev1.PodSpec{ TerminationGracePeriodSeconds: &zero, + ImagePullSecrets: []corev1.LocalObjectReference{ + { + Name: "some-image-pull-secret", + }, + }, Containers: []corev1.Container{ { Name: "sleeper", diff --git a/internal/controllermanager/prepare_controllers.go b/internal/controllermanager/prepare_controllers.go index 18a64d7b3..41f22ce70 100644 --- a/internal/controllermanager/prepare_controllers.go +++ b/internal/controllermanager/prepare_controllers.go @@ -92,9 +92,10 @@ func PrepareControllers(c *Config) (func(ctx context.Context), error) { // Configuration for the kubecertagent controllers created below. agentPodConfig := &kubecertagent.AgentPodConfig{ - Namespace: c.ServerInstallationNamespace, - ContainerImage: *c.KubeCertAgentConfig.Image, - PodNamePrefix: *c.KubeCertAgentConfig.NamePrefix, + Namespace: c.ServerInstallationNamespace, + ContainerImage: *c.KubeCertAgentConfig.Image, + PodNamePrefix: *c.KubeCertAgentConfig.NamePrefix, + ContainerImagePullSecrets: c.KubeCertAgentConfig.ImagePullSecrets, } credentialIssuerConfigLocationConfig := &kubecertagent.CredentialIssuerConfigLocationConfig{ Namespace: c.ServerInstallationNamespace, diff --git a/pkg/config/api/types.go b/pkg/config/api/types.go index 9e8857aa4..a50522220 100644 --- a/pkg/config/api/types.go +++ b/pkg/config/api/types.go 
@@ -61,4 +61,8 @@ type KubeCertAgentSpec struct { // should contain at least 2 binaries: /bin/sleep and cat (somewhere on the $PATH). The default // for this value is "debian:latest". Image *string `json:"image"` + + // ImagePullSecrets is a list of names of Kubernetes Secret objects that will be used as + // ImagePullSecrets on the kube-cert-agent pods. + ImagePullSecrets []string } diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go index aec478b2d..c641c515a 100644 --- a/pkg/config/config_test.go +++ b/pkg/config/config_test.go @@ -39,6 +39,7 @@ func TestFromPath(t *testing.T) { KubeCertAgent: namePrefix: kube-cert-agent-name-prefix- image: kube-cert-agent-image + imagePullSecrets: [kube-cert-agent-image-pull-secret] `), wantConfig: &api.Config{ DiscoveryInfo: api.DiscoveryInfoSpec{ @@ -56,8 +57,9 @@ func TestFromPath(t *testing.T) { APIService: "pinniped-api", }, KubeCertAgentConfig: api.KubeCertAgentSpec{ - NamePrefix: stringPtr("kube-cert-agent-name-prefix-"), - Image: stringPtr("kube-cert-agent-image"), + NamePrefix: stringPtr("kube-cert-agent-name-prefix-"), + Image: stringPtr("kube-cert-agent-image"), + ImagePullSecrets: []string{"kube-cert-agent-image-pull-secret"}, }, }, },
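Review bot: The new `ImagePullSecrets []string` field in pkg/config/api/types.go has no struct tag, while `Image` directly above it is tagged `json:"image"`. The config_test.go hunk feeds the key `imagePullSecrets`, so decoding presumably works only through case-insensitive field-name matching in the decoder, which is not visible here. Adding the tag `json:"imagePullSecrets"` to the field makes the accepted key explicit and consistent with its neighbours. The struct's opening is outside the hunk, so I cannot tell whether `NamePrefix` follows the same convention.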