package kubernetes
import (
"fmt"
"github.com/go-kit/kit/log"
"github.com/pkg/errors"
"github.com/ryanuber/go-glob"
apiv1 "k8s.io/api/core/v1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"github.com/weaveworks/flux"
"github.com/weaveworks/flux/image"
"github.com/weaveworks/flux/registry"
)
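// mergeCredentials collects the images referenced by podTemplate (init
// containers and regular containers) that pass includeImage, gathers the
// registry credentials reachable from the pod's image pull secrets, and
// records the merged credentials for each of those images in imageCreds.
//
// Pull secrets are looked up in two places: the ServiceAccount named by the
// pod spec ("default" when unset) and the pod spec's own imagePullSecrets.
// Every secret is fetched and parsed at most once across calls sharing
// seenCreds; a secret that cannot be fetched, has an unknown type, lacks the
// expected data key, or fails to parse is cached as registry.NoCredentials()
// so it is not retried for the rest of the scan.
//
// Errors are reported through log and never abort the merge: an unparsable
// image reference or an unusable secret is skipped so the remaining images
// still receive whatever credentials were found.
func mergeCredentials(log func(...interface{}) error,
	includeImage func(imageName string) bool,
	client ExtendedClient,
	namespace string, podTemplate apiv1.PodTemplateSpec,
	imageCreds registry.ImageCreds,
	seenCreds map[string]registry.Credentials) {
	var images []image.Name
	images = appendIncludedImages(images, podTemplate.Spec.InitContainers, includeImage, log)
	images = appendIncludedImages(images, podTemplate.Spec.Containers, includeImage, log)
	if len(images) < 1 {
		return
	}

	creds := registry.NoCredentials()
	var imagePullSecrets []string

	// A pod without an explicit service account runs as "default".
	saName := podTemplate.Spec.ServiceAccountName
	if saName == "" {
		saName = "default"
	}
	// A missing or unreadable service account is not reported: the pod may
	// still name its pull secrets directly in the spec.
	sa, err := client.CoreV1().ServiceAccounts(namespace).Get(saName, meta_v1.GetOptions{})
	if err == nil {
		for _, ips := range sa.ImagePullSecrets {
			imagePullSecrets = append(imagePullSecrets, ips.Name)
		}
	}
	for _, imagePullSecret := range podTemplate.Spec.ImagePullSecrets {
		imagePullSecrets = append(imagePullSecrets, imagePullSecret.Name)
	}

	for _, name := range imagePullSecrets {
		if seen, ok := seenCreds[name]; ok {
			creds.Merge(seen)
			continue
		}
		secret, err := client.CoreV1().Secrets(namespace).Get(name, meta_v1.GetOptions{})
		if err != nil {
			log("err", errors.Wrapf(err, "getting secret %q from namespace %q", name, namespace))
			seenCreds[name] = registry.NoCredentials()
			continue
		}

		var decoded []byte
		var ok bool
		// These differ in format; but, ParseCredentials will
		// handle either.
		switch apiv1.SecretType(secret.Type) {
		case apiv1.SecretTypeDockercfg:
			decoded, ok = secret.Data[apiv1.DockerConfigKey]
		case apiv1.SecretTypeDockerConfigJson:
			decoded, ok = secret.Data[apiv1.DockerConfigJsonKey]
		default:
			log("skip", "unknown type", "secret", namespace+"/"+secret.Name, "type", secret.Type)
			seenCreds[name] = registry.NoCredentials()
			continue
		}
		if !ok {
			// err is nil here (the Get above succeeded), so wrapping it would
			// produce a nil error and an empty log entry; report the missing
			// data key explicitly instead.
			log("err", errors.Errorf("retrieving pod secret %q: docker config data key missing", secret.Name))
			seenCreds[name] = registry.NoCredentials()
			continue
		}

		// Parse secret
		crd, err := registry.ParseCredentials(fmt.Sprintf("%s:secret/%s", namespace, name), decoded)
		if err != nil {
			log("err", err.Error())
			seenCreds[name] = registry.NoCredentials()
			continue
		}
		seenCreds[name] = crd
		// Merge into the credentials for this PodSpec
		creds.Merge(crd)
	}

	// Now create the service and attach the credentials
	for _, img := range images {
		imageCreds[img] = creds
	}
}

// appendIncludedImages parses each container's image reference and appends
// the names that includeImage accepts to images, returning the extended
// slice. References that fail to parse are logged and skipped.
func appendIncludedImages(images []image.Name, containers []apiv1.Container,
	includeImage func(imageName string) bool, log func(...interface{}) error) []image.Name {
	for _, container := range containers {
		r, err := image.ParseRef(container.Image)
		if err != nil {
			log("err", err.Error())
			continue
		}
		if includeImage(r.CanonicalName().Name.String()) {
			images = append(images, r.Name)
		}
	}
	return images
}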
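// ImagesToFetch is a k8s specific method to get a list of images to update along with their credentials.
//
// It walks every namespace returned by getAllowedAndExistingNamespaces and,
// for each resource kind in resourceKinds, merges the registry credentials of
// every workload's pod template (see mergeCredentials) into one ImageCreds
// map keyed by image name. Pull secrets are cached per namespace so each is
// fetched at most once per scan. When the same image appears in several
// workloads or kinds, the credentials from all of them are merged.
//
// An error listing namespaces is logged and yields an empty map. An error
// listing a kind is logged and the scan continues, except NotFound and
// Forbidden, which are skipped silently because the kind is simply not
// available in that cluster or namespace.
func (c *Cluster) ImagesToFetch() registry.ImageCreds {
	allImageCreds := make(registry.ImageCreds)

	namespaces, err := c.getAllowedAndExistingNamespaces()
	if err != nil {
		c.logger.Log("err", errors.Wrap(err, "getting namespaces"))
		return allImageCreds
	}

	for _, ns := range namespaces {
		// secret name -> parsed credentials, shared by every workload in this
		// namespace so each pull secret is fetched and parsed once.
		seenCreds := make(map[string]registry.Credentials)
		for kind, resourceKind := range resourceKinds {
			workloads, err := resourceKind.getWorkloads(c, ns.Name)
			if err != nil {
				if apierrors.IsNotFound(err) || apierrors.IsForbidden(err) {
					// Skip unsupported or forbidden resource kinds
					continue
				}
				// Other errors are not fatal: whatever getWorkloads returned
				// alongside the error (possibly nothing) is still processed.
				c.logger.Log("err", errors.Wrapf(err, "getting kind %s for namespace %s", kind, ns.Name))
			}

			imageCreds := make(registry.ImageCreds)
			for _, workload := range workloads {
				logger := log.With(c.logger, "resource", flux.MakeResourceID(ns.Name, kind, workload.name))
				mergeCredentials(logger.Log, c.includeImage, c.client, ns.Name, workload.podTemplate, imageCreds, seenCreds)
			}
			mergeImageCreds(allImageCreds, imageCreds)
		}
	}
	return allImageCreds
}

// mergeImageCreds folds src into dst. An image already present in dst gets a
// fresh Credentials value holding both the existing and the new credentials;
// an image not yet in dst takes src's credentials as-is.
func mergeImageCreds(dst, src registry.ImageCreds) {
	for imageID, creds := range src {
		existingCreds, ok := dst[imageID]
		if !ok {
			dst[imageID] = creds
			continue
		}
		mergedCreds := registry.NoCredentials()
		mergedCreds.Merge(existingCreds)
		mergedCreds.Merge(creds)
		dst[imageID] = mergedCreds
	}
}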
// includeImage reports whether imageName should be scanned: it returns false
// as soon as any glob pattern in c.imageExcludeList matches the name, and
// true when no pattern matches.
func (c *Cluster) includeImage(imageName string) bool {
	excluded := false
	for _, pattern := range c.imageExcludeList {
		if glob.Glob(pattern, imageName) {
			excluded = true
			break
		}
	}
	return !excluded
}