-
Notifications
You must be signed in to change notification settings - Fork 905
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fetch package pull secrets from Crossplane SA and propagate to Provider Deployments #3332
Conversation
- name: POD_SERVICE_ACCOUNT | ||
valueFrom: | ||
fieldRef: | ||
fieldPath: spec.serviceAccountName |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note: propagating the Crossplane SA name to the xpkg fetcher could be viewed as a breaking change (if someone was attaching package pull secrets to the default
SA then it would now break). However, given that this would have to take place outside of the Crossplane install process (we only allow passing package pull secrets to Crossplane SA), it is quite unituitive behavior, and is not documented as supported, I feel comfortable including this in the upcoming minor release.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agreed that this was an unintended behavior anyway - using secret names from an SA that's not referenced during installation of Crossplane. Worth calling out in the release notes though.
c85a6c4
to
0d5b6ac
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM after addressing my single comment. Thanks @hasheddan !
// NewK8sFetcher creates a new K8sFetcher. | ||
func NewK8sFetcher(client kubernetes.Interface, namespace string, opts ...FetcherOpt) (*K8sFetcher, error) { | ||
func NewK8sFetcher(client kubernetes.Interface, opts ...FetcherOpt) (*K8sFetcher, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why do we remove the namespace from arguments? Can it function without a namespace?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We are just moving to passing Namespace via option to simplify signature here. It is a similar situation as SA and will just fall back to default
if not provided. (ref: https://github.com/google/go-containerregistry/blob/9a5c14ada6ffae772793231c186a50d911668e72/pkg/authn/kubernetes/keychain.go#L37)
559072a
to
da4c2ae
Compare
Updates the core Crossplane chart to pass its ServiceAccount name as an environment variable via the downward API. Signed-off-by: hasheddan <georgedanielmangum@gmail.com>
Adds a flag and uses it to set the ServiceAccount name in the pkg controllers options. Signed-off-by: hasheddan <georgedanielmangum@gmail.com>
Updates the fetcher to store the ServiceAccount used for package pull secrets and moves to passing Namespace and ServiceAccount via options. Signed-off-by: hasheddan <georgedanielmangum@gmail.com>
Updates all package reconciler fetchters to take a namespace and service account. Signed-off-by: hasheddan <georgedanielmangum@gmail.com>
Passes all revision and service account pull secrets to Provider deployments. This means that every Provider deployment gets the core Crossplane secrets and the secrets of its parent revision. Signed-off-by: hasheddan <georgedanielmangum@gmail.com>
da4c2ae
to
ab7ebe9
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good, thanks!
Description of your changes
This changeset updates to consume package pull secrets from the Crossplane
ServiceAccount
, rather than the previous behavior of falling back to thedefault
ServiceAccount
. It also propagates secrets from theServiceAccount
to theServiceAccount
of any ProviderDeployment
. This enables installing chains of private dependencies by attaching all required package pull secrets to the CrossplaneServiceAccount
.Lastly, any package pull secrets on a
ProviderRevision
are propagated to theirDeployment
as well, but they are not propagated to dependencies. We may opt to do this in the future, but there is some subtleties around shared dependents that make it more complex to do so. Because propagating the package pull secrets from theServiceAccount
makes it possible to install chains of private dependencies, we defer propagating revision secrets to dependencies until a future date.Fixes #3294
I have:
make reviewable
to ensure this PR is ready for review.backport release-x.y
labels to auto-backport this PR if necessary.How has this code been tested
make build
&&make e2e.run skipcleanup=true
Then created pull secret:
Patched Crossplane SA:
Installed provider without pull secrets:
Verified installed and healthy: