Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fetch package pull secrets from Crossplane SA and propagate to Provider Deployments #3332

Merged
merged 5 commits into from
Sep 21, 2022
Merged

Fetch package pull secrets from Crossplane SA and propagate to Provider Deployments #3332

merged 5 commits into from
Sep 21, 2022

Conversation

hasheddan
Copy link
Member

@hasheddan hasheddan commented Sep 20, 2022
edited

Description of your changes

This changeset updates to consume package pull secrets from the Crossplane ServiceAccount, rather than the previous behavior of falling back to the default ServiceAccount. It also propagates secrets from the ServiceAccount to the ServiceAccount of any Provider Deployment. This enables installing chains of private dependencies by attaching all required package pull secrets to the Crossplane ServiceAccount.

Lastly, any package pull secrets on a ProviderRevision are propagated to their Deployment as well, but they are not propagated to dependencies. We may opt to do this in the future, but there is some subtleties around shared dependents that make it more complex to do so. Because propagating the package pull secrets from the ServiceAccount makes it possible to install chains of private dependencies, we defer propagating revision secrets to dependencies until a future date.

Fixes #3294

I have:

  • Read and followed Crossplane's contribution process.
  • Run make reviewable to ensure this PR is ready for review.
  • Added backport release-x.y labels to auto-backport this PR if necessary.

How has this code been tested

make build && make e2e.run skipcleanup=true

Then created pull secret:

up ctp pull-secret create package-pull-secret -n crossplane-system -f creds.json

Patched Crossplane SA:

kubectl patch serviceaccount crossplane -n crossplane-system -p '{"imagePullSecrets": [{"name": "package-pull-secret"}]}'

Installed provider without pull secrets:

kxp install provider xpkg.upbound.io/upbound/provider-aws:v0.13.0

Verified installed and healthy:

馃 (crossplane) k describe provider.pkg.crossplane.io/upbound-provider-aws
Name:         upbound-provider-aws
Namespace:    
Labels:       <none>
Annotations:  <none>
API Version:  pkg.crossplane.io/v1
Kind:         Provider
Spec:
  Ignore Crossplane Constraints:  false
  Package:                        xpkg.upbound.io/upbound/provider-aws:v0.13.0
  Package Pull Policy:            IfNotPresent
  Revision Activation Policy:     Automatic
  Revision History Limit:         0
  Skip Dependency Resolution:     false
Status:
  Conditions:
    Last Transition Time:  2022-09-21T13:53:22Z
    Reason:                HealthyPackageRevision
    Status:                True
    Type:                  Healthy
    Last Transition Time:  2022-09-21T13:52:17Z
    Reason:                ActivePackageRevision
    Status:                True
    Type:                  Installed
  Current Identifier:      xpkg.upbound.io/upbound/provider-aws:v0.13.0
  Current Revision:        upbound-provider-aws-fc98ece40acb
Events:
  Type     Reason                  Age                From                                 Message
  ----     ------                  ----               ----                                 -------
  Warning  InstallPackageRevision  48s (x3 over 89s)  packages/provider.pkg.crossplane.io  current package revision health is unknown
  Normal   InstallPackageRevision  24s (x2 over 24s)  packages/provider.pkg.crossplane.io  Successfully installed package revision

@hasheddan hasheddan requested review from a team as code owners September 20, 2022 02:08
hasheddan
hasheddan commented Sep 20, 2022
View reviewed changes
cluster/charts/crossplane/templates/deployment.yaml
- name: POD_SERVICE_ACCOUNT
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note: propagating the Crossplane SA name to the xpkg fetcher could be viewed as a breaking change (if someone was attaching package pull secrets to the default SA then it would now break). However, given that this would have to take place outside of the Crossplane install process (we only allow passing package pull secrets to Crossplane SA), it is quite unituitive behavior, and is not documented as supported, I feel comfortable including this in the upcoming minor release.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed that this was an unintended behavior anyway - using secret names from an SA that's not referenced during installation of Crossplane. Worth calling out in the release notes though.

muvaf
muvaf approved these changes Sep 21, 2022
View reviewed changes
Copy link
Member

@muvaf muvaf left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM after addressing my single comment. Thanks @hasheddan !

internal/xpkg/fetch.go
// NewK8sFetcher creates a new K8sFetcher.
func NewK8sFetcher(client kubernetes.Interface, namespace string, opts ...FetcherOpt) (*K8sFetcher, error) {
func NewK8sFetcher(client kubernetes.Interface, opts ...FetcherOpt) (*K8sFetcher, error) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do we remove the namespace from arguments? Can it function without a namespace?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We are just moving to passing Namespace via option to simplify signature here. It is a similar situation as SA and will just fall back to default if not provided. (ref: https://github.com/google/go-containerregistry/blob/9a5c14ada6ffae772793231c186a50d911668e72/pkg/authn/kubernetes/keychain.go#L37)

@hasheddan hasheddan force-pushed the use-the-sa branch 2 times, most recently from 559072a to da4c2ae Compare September 21, 2022 14:12
@hasheddan
Pass Crossplane ServiceAccount name to env var via downward API
ed0f58a 
Updates the core Crossplane chart to pass its ServiceAccount name as an
environment variable via the downward API.

Signed-off-by: hasheddan <georgedanielmangum@gmail.com>
@hasheddan
Add flag and pkg controller options support for ServiceAccount
c2a6242 
Adds a flag and uses it to set the ServiceAccount name in the pkg
controllers options.

Signed-off-by: hasheddan <georgedanielmangum@gmail.com>
@hasheddan
Update fetcher to store ServiceAccount and use options
3552aaa 
Updates the fetcher to store the ServiceAccount used for package pull
secrets and moves to passing Namespace and ServiceAccount via options.

Signed-off-by: hasheddan <georgedanielmangum@gmail.com>
@hasheddan
Pass namespace and service account to all fetchers
b700c72 
Updates all package reconciler fetchters to take a namespace and service
account.

Signed-off-by: hasheddan <georgedanielmangum@gmail.com>
@hasheddan
Pass revision and service account pull secrets to deployment
ab7ebe9 
Passes all revision and service account pull secrets to Provider
deployments. This means that every Provider deployment gets the core
Crossplane secrets and the secrets of its parent revision.

Signed-off-by: hasheddan <georgedanielmangum@gmail.com>
nullable-eth
nullable-eth approved these changes Sep 21, 2022
View reviewed changes
Copy link
Contributor

@nullable-eth nullable-eth left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, thanks!

@hasheddan hasheddan merged commit ffa5f55 into crossplane:master Sep 21, 2022
This was referenced Sep 21, 2022
Closed
Merged
Merged
Merged
@hasheddan hasheddan mentioned this pull request Jan 15, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nullable-eth nullable-eth nullable-eth approved these changes

@muvaf muvaf muvaf approved these changes

@bobh66 bobh66 Awaiting requested review from bobh66 bobh66 was automatically assigned from crossplane/crossplane-reviewers

@nlinx nlinx Awaiting requested review from nlinx nlinx was automatically assigned from crossplane/crossplane-reviewers

@turkenh turkenh Awaiting requested review from turkenh turkenh is a code owner automatically assigned from crossplane/crossplane-maintainers

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Honor imagePullSecrets on the Crossplane ServiceAccount and propagate to dependencies and Provider Deployments
3 participants
@hasheddan @nullable-eth @muvaf