This repository has been archived by the owner on Mar 16, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 100
/
pullsecrets.go
122 lines (106 loc) · 3.21 KB
/
pullsecrets.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
package pullsecret
import (
"context"
"encoding/json"
"fmt"
apiv1 "github.com/acorn-io/runtime/pkg/apis/api.acorn.io/v1"
"github.com/acorn-io/runtime/pkg/dockerconfig"
"github.com/acorn-io/runtime/pkg/encryption/nacl"
"github.com/acorn-io/runtime/pkg/labels"
"github.com/acorn-io/runtime/pkg/system"
"github.com/google/go-containerregistry/pkg/authn"
"github.com/google/go-containerregistry/pkg/authn/kubernetes"
"github.com/google/go-containerregistry/pkg/name"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"sigs.k8s.io/controller-runtime/pkg/client"
)
func ForNamespace(ctx context.Context, c client.Reader, namespace string, requireLabel bool) ([]corev1.Secret, error) {
secrets := &corev1.SecretList{}
err := c.List(ctx, secrets, &client.ListOptions{
Namespace: namespace,
})
if err != nil {
return nil, err
}
var result []corev1.Secret
for _, secret := range secrets.Items {
if requireLabel && secret.Labels[labels.AcornCredential] != "true" {
continue
}
if secret.Type == corev1.SecretTypeDockercfg || secret.Type == corev1.SecretTypeDockerConfigJson {
result = append(result, secret)
continue
} else if secret.Type == apiv1.SecretTypeCredential {
data, err := nacl.DecryptNamespacedDataMap(ctx, c, secret.Data, secret.Namespace)
if err != nil {
return nil, fmt.Errorf("decrypting acorn credential %s/%s: %w", secret.Namespace, secret.Name, err)
}
secret, err := dockerconfig.FromCredentialData(data)
if err != nil {
return nil, err
}
result = append(result, *secret)
}
}
for i, secret := range result {
result[i].Data, err = nacl.DecryptNamespacedDataMap(ctx, c, secret.Data, secret.Namespace)
if err != nil {
return nil, fmt.Errorf("final decrypting %s/%s: %w", secret.Namespace, secret.Name, err)
}
}
return result, nil
}
func Keychain(ctx context.Context, c client.Reader, namespace string) (authn.Keychain, error) {
keychainSecrets, err := ForNamespace(ctx, c, system.ImagesNamespace, true)
if err != nil {
return nil, err
}
if namespace != "" {
secrets, err := ForNamespace(ctx, c, namespace, false)
if err != nil {
return nil, err
}
keychainSecrets = append(keychainSecrets, secrets...)
}
return kubernetes.NewFromPullSecrets(ctx, keychainSecrets)
}
func ForImages(secretName, secretNamespace string, keychain authn.Keychain, images ...string) (*corev1.Secret, error) {
dockerConfig := map[string]any{}
for _, image := range images {
ref, err := name.ParseReference(image)
if err != nil {
return nil, err
}
registry := ref.Context().RegistryStr()
auth, err := keychain.Resolve(ref.Context())
if err != nil {
return nil, err
}
config, err := auth.Authorization()
if err != nil {
return nil, err
}
dockerConfig[registry] = config
}
data, err := json.Marshal(map[string]any{
"auths": dockerConfig,
})
if err != nil {
return nil, err
}
return &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: secretName,
Namespace: secretNamespace,
Labels: map[string]string{
labels.AcornManaged: "true",
labels.AcornPullSecret: "true",
},
},
Data: map[string][]byte{
corev1.DockerConfigJsonKey: data,
},
Type: corev1.SecretTypeDockerConfigJson,
}, nil
}