feat(deploy): kube-run won't require list permissions for pods and secrets

Signed-off-by: Ilya Lesikov <ilya@lesikov.com>
ilya-lesikov committed Jan 9, 2025
1 parent 4e1dad8 commit 22b20af
Showing 1 changed file with 10 additions and 34 deletions.
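--- a/cmd/werf/kube_run/kube_run.go
+++ b/cmd/werf/kube_run/kube_run.go
@@ -767,21 +767,21 @@ func cleanupResources(ctx context.Context, pod, secret, namespace string) {
 return
 }
 
-if isPodExist, err := isPodExist(ctx, pod, namespace); err != nil {
-logboek.Context(ctx).Warn().LogF("WARNING: unable to check for pod existence: %s\n", err)
-} else if isPodExist {
-logboek.Context(ctx).LogF("Cleaning up pod %q ...\n", pod)
-if err := kube.Client.CoreV1().Pods(namespace).Delete(ctx, pod, v1.DeleteOptions{}); err != nil {
+logboek.Context(ctx).LogF("Cleaning up pod %q ...\n", pod)
+if err := kube.Client.CoreV1().Pods(namespace).Delete(ctx, pod, v1.DeleteOptions{}); err != nil {
+if errors.IsNotFound(err) {
+logboek.Context(ctx).LogF("Pod %q not found\n", pod)
+} else {
 logboek.Context(ctx).Warn().LogF("WARNING: pod cleaning up failed: %s\n", err)
 }
 }
 
 if cmdData.AutoPullSecret && cmdData.registryCredsFound {
-if isSecretExist, err := isSecretExist(ctx, secret, namespace); err != nil {
-logboek.Context(ctx).Warn().LogF("WARNING: unable to check for secret existence: %s\n", err)
-} else if isSecretExist {
-logboek.Context(ctx).LogF("Cleaning up secret %q ...\n", secret)
-if err := kube.Client.CoreV1().Secrets(namespace).Delete(ctx, secret, v1.DeleteOptions{}); err != nil {
+logboek.Context(ctx).LogF("Cleaning up secret %q ...\n", secret)
+if err := kube.Client.CoreV1().Secrets(namespace).Delete(ctx, secret, v1.DeleteOptions{}); err != nil {
+if errors.IsNotFound(err) {
+logboek.Context(ctx).LogF("Secret %q not found\n", secret)
+} else {
 logboek.Context(ctx).Warn().LogF("WARNING: secret cleaning up failed: %s\n", err)
 }
 }
@@ -869,30 +869,6 @@ func createDockerRegistrySecret(ctx context.Context, name, namespace string, ref
 return nil
 }
 
-func isPodExist(ctx context.Context, pod, namespace string) (bool, error) {
-if matchedPods, err := kube.Client.CoreV1().Pods(namespace).List(ctx, v1.ListOptions{
-FieldSelector: fields.OneTermEqualSelector("metadata.name", pod).String(),
-}); err != nil {
-return false, fmt.Errorf("unable to list pods: %w", err)
-} else if len(matchedPods.Items) > 0 {
-return true, nil
-}
-
-return false, nil
-}
-
-func isSecretExist(ctx context.Context, secret, namespace string) (bool, error) {
-if matchedSecrets, err := kube.Client.CoreV1().Secrets(namespace).List(ctx, v1.ListOptions{
-FieldSelector: fields.OneTermEqualSelector("metadata.name", secret).String(),
-}); err != nil {
-return false, fmt.Errorf("unable to list secrets: %w", err)
-} else if len(matchedSecrets.Items) > 0 {
-return true, nil
-}
-
-return false, nil
-}
-
 // Might return empty DockerAuthConfig.
 func getDockerConfigCredentials(ref string) (reference.Named, imgtypes.DockerAuthConfig, error) {
 namedRef, err := reference.ParseNormalizedNamed(ref)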
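Review bot: In the secret branch of cleanupResources, any Delete error other than NotFound still ends in a bare warning, so the pull secret (presumably holding registry credentials, given the `AutoPullSecret && registryCredsFound` guard) stays in the namespace and the message names neither the secret nor the namespace. Since this change is aimed at running under narrower RBAC, a Forbidden on delete looks like a realistic case (inferred, the role is not visible here); I would make the leftover explicit, e.g. `logboek.Context(ctx).Warn().LogF("WARNING: secret %q in namespace %q was not removed, delete it manually: %s\n", secret, namespace, err)`. A short comment above the two Delete calls, such as `// Delete directly and tolerate NotFound: cleanup must need only the delete verb, not list.`, would keep a later change from reintroducing the existence check. The function begins before the first hunk and its closing braces fall outside it.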