✨ Support serviceaccount pull secrets #2005

Open: wants to merge 4 commits into base: main
Conversation

tmshort (Contributor) commented Jun 3, 2025

Serviceaccounts reference pull secrets!

  • Determine our serviceaccount (via the new internal/shared/util/sa package).
  • Use a common pull_secret_controller
  • Update the pull_secret_controller to know about the service account
  • Update the pull_secret_controller to watch the namespace-local secrets
  • Update caching to include sa, and use filters for additional secrets
  • Add RBAC to access these secrets and sa
  • Update writing the auth.json file to handle dockercfg and dockerconfigjson
  • Update writing the auth.json file to include multiple secrets

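The description above lists writing auth.json from both dockercfg and dockerconfigjson secrets and from multiple secrets at once. As an added example (not the project's own code), this merges both secret formats into one auth.json document; pullSecret is a constructed stand-in for the Type and Data fields of a corev1.Secret, and the sample data in main is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// pullSecret is a constructed stand-in for the Type and Data fields of a corev1.Secret.
type pullSecret struct {
	Type string
	Data map[string][]byte
}

// authFile is the {"auths": {...}} document that auth.json uses.
type authFile struct {
	Auths map[string]json.RawMessage `json:"auths"` // raw: every credential field passes through
}

// mergeAuthFile merges pull secrets of both supported types into one auth.json document:
// kubernetes.io/dockercfg (legacy registry map under ".dockercfg") and kubernetes.io/dockerconfigjson
// ({"auths": {...}} under ".dockerconfigjson"). Later secrets win per registry; other types are skipped.
func mergeAuthFile(secrets []pullSecret) ([]byte, error) {
	out := authFile{Auths: map[string]json.RawMessage{}}
	for _, s := range secrets {
		var auths map[string]json.RawMessage
		switch s.Type {
		case "kubernetes.io/dockercfg":
			if err := json.Unmarshal(s.Data[".dockercfg"], &auths); err != nil {
				return nil, fmt.Errorf("parsing .dockercfg: %w", err)
			}
		case "kubernetes.io/dockerconfigjson":
			var cfg authFile
			if err := json.Unmarshal(s.Data[".dockerconfigjson"], &cfg); err != nil {
				return nil, fmt.Errorf("parsing .dockerconfigjson: %w", err)
			}
			auths = cfg.Auths
		default:
			continue // not a pull secret type we understand
		}
		for registry, entry := range auths {
			out.Auths[registry] = entry
		}
	}
	return json.Marshal(out)
}

func main() {
	b, err := mergeAuthFile([]pullSecret{{Type: "kubernetes.io/dockercfg",
		Data: map[string][]byte{".dockercfg": []byte(`{"quay.io":{"auth":"dXNlcjpwYXNz"}}`)}}})
	fmt.Println(string(b), err) // constructed sample; auth is base64("user:pass")
}
```

A secret whose expected data key is missing is reported as an error rather than silently producing an empty auths map.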

@tmshort tmshort requested a review from a team as a code owner June 3, 2025 19:39
@openshift-ci openshift-ci bot requested a review from oceanc80 June 3, 2025 19:39

netlify bot commented Jun 3, 2025

Deploy Preview for olmv1 ready!

Name Link
🔨 Latest commit 2196977
🔍 Latest deploy log https://app.netlify.com/projects/olmv1/deploys/684352fc0c3dfb0008073d6a
😎 Deploy Preview https://deploy-preview-2005--olmv1.netlify.app

@openshift-ci openshift-ci bot requested a review from OchiengEd June 3, 2025 19:39
@tmshort tmshort force-pushed the use-sa-pull-secret branch from d09d1b8 to 26246b6 Compare June 3, 2025 20:10

codecov bot commented Jun 3, 2025

Codecov Report

Attention: Patch coverage is 56.85484% with 107 lines in your changes missing coverage. Please review.

Project coverage is 69.54%. Comparing base (8f81c23) to head (2196977).
Report is 2 commits behind head on main.

Files with missing lines Patch % Lines
...ernal/shared/controllers/pull_secret_controller.go 66.66% 38 Missing and 11 partials ⚠️
cmd/catalogd/main.go 0.00% 41 Missing ⚠️
cmd/operator-controller/main.go 65.85% 10 Missing and 4 partials ⚠️
internal/shared/util/sa/serviceaccount.go 84.21% 2 Missing and 1 partial ⚠️
@@            Coverage Diff             @@
##             main    #2005      +/-   ##
==========================================
+ Coverage   69.17%   69.54%   +0.36%     
==========================================
  Files          79       79              
  Lines        7037     7144     +107     
==========================================
+ Hits         4868     4968     +100     
- Misses       1887     1889       +2     
- Partials      282      287       +5     
Flag Coverage Δ
e2e 43.50% <40.57%> (+0.49%) ⬆️
unit 59.65% <31.45%> (-0.40%) ⬇️


tmshort (Contributor Author) commented Jun 4, 2025

/hold
Until I do some additional manual testing.

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 4, 2025
tmshort (Contributor Author) commented Jun 4, 2025

/approve

openshift-ci bot commented Jun 4, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: tmshort


@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 4, 2025
@tmshort tmshort force-pushed the use-sa-pull-secret branch from 26246b6 to 11579bc Compare June 4, 2025 16:15
Serviceaccounts reference pull secrets!

* Determine our serviceaccount (via the new internal/shared/util/sa package).
* Use a common pull_secret_controller
* Update the pull_secret_controller to know about the service account
* Update the pull_secret_controller to watch the namespace-local secrets
* Update caching to include sa, and use filters for additional secrets
* Add RBAC to access these secrets and sa
* Update writing the auth.json file to handle dockercfg and dockerconfigjson
* Update writing the auth.json file to include multiple secrets

Signed-off-by: Todd Short <[email protected]>
@tmshort tmshort force-pushed the use-sa-pull-secret branch from 11579bc to 1c0e4dd Compare June 4, 2025 18:05
tmshort (Contributor Author) commented Jun 4, 2025

/unhold

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 4, 2025
AuthFilePath string
}

func (r *PullSecretReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
Member commented:

Is req used anywhere other than logging? If not, I think I'd suggest dropping it (e.g. rename to _). And changing the logging to just generically say something like "reconciling pull secrets".

The name/namespace of the request without the type info might be a little confusing to show up in the log. But maybe we could log the events that pass our predicate in our predicate where we do have type information. That way there's still detail about what is causing our reconciler to be triggered?

tmshort (Contributor Author) replied:

Interestingly... the logger has a lot of additional information added to it, so you can tell what type of resource triggered the event. I wrapped the log below to make it easier to read:

I0606 18:43:42.641045       1 pull_secret_controller.go:113] "found secret"
  logger="pull-secret-reconciler"
  controller="service-account-controller"
  controllerGroup=""
  controllerKind="ServiceAccount"
  ServiceAccount="olmv1-system/operator-controller-controller-manager"
  reconcileID="26404229-a2d3-495d-86ee-0da390a1e8f4"
  name="pull-dockercfg"
  namespace="olmv1-system"

tmshort (Contributor Author) commented Jun 6, 2025:

And when a pull secret is modified:

I0606 18:58:10.831129       1 pull_secret_controller.go:113] "found secret"
  logger="pull-secret-reconciler"
  controller="pull-secret-controller"
  controllerGroup=""
  controllerKind="Secret"
  Secret="olmv1-system/pull-dockercfg"
  reconcileID="a783ca58-0213-4fe3-a19d-3ed7ca21f5ae"
  name="pull-dockercfg"
  namespace="olmv1-system"

Comment on lines +113 to +126
_, err := ctrl.NewControllerManagedBy(mgr).
For(&corev1.Secret{}).
Named("pull-secret-controller").
WithEventFilter(newSecretPredicate(r)).
Build(r)
if err != nil {
return err
}

_, err = ctrl.NewControllerManagedBy(mgr).
For(&corev1.ServiceAccount{}).
Named("service-account-controller").
WithEventFilter(newNamespacedPredicate(r.ServiceAccountKey)).
Build(r)
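Review bot: Both controllers are built with the same reconciler r, so a Secret event and a ServiceAccount event can drive two Reconcile calls at the same time, and each of them writes the file at AuthFilePath; unless that write is already serialized, guard it with a mutex in the reconciler or write to a temporary file and rename it into place so a reader never sees a half-written auth.json. The err from the second Build(r) also has no check in these lines; make sure it is handled the same way as the first one.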
Member commented:

I don't think I'd set up two separate controllers. IIRC, there's a way to have a single controller with multiple watches. You may need to drop down to the lower-level controller package though (can't remember if For is required).

tmshort (Contributor Author) replied:

TBH, having two controllers actually seems the cleanest, in that we get different invocations that recognize ServiceAccount vs. Secret, and it's clear what triggered the reconcile (i.e. the logger clearly indicates what resource is the trigger). With a single controller, we have to somehow map the ServiceAccount to a set of Secrets (which we may not know about yet), which feels kinda kludgy. Otherwise, the Secret controller is getting a ServiceAccount for the request, rather than a Secret.

tmshort (Contributor Author) commented Jun 6, 2025

lint doesn't like my logging trick...
