add .spec.serviceAccountName to helm repository for type oci

Signed-off-by: Somtochi Onyekwere <[email protected]>

Author: somtochiama

api/v1beta2/helmrepository_types.go

@@ -104,6 +104,12 @@ type HelmRepositorySpec struct {
 	// +optional
 	Type string `json:"type,omitempty"`
 
+	// ServiceAccountName is the name of the Kubernetes ServiceAccount used to authenticate
+	// the OCI image pull if the service account has attached pull secrets. For more information:
+	// https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account
+	// +optional
+	ServiceAccountName string `json:"serviceAccountName,omitempty"`
+
 	// Provider used for authentication, can be 'aws', 'azure', 'gcp' or 'generic'.
 	// This field is optional, and only taken into account if the .spec.type field is set to 'oci'.
 	// When not specified, defaults to 'generic'.

config/crd/bases/source.toolkit.fluxcd.io_helmrepositories.yaml

@@ -345,6 +345,11 @@ spec:
                 required:
                 - name
                 type: object
+              serviceAccountName:
+                description: 'ServiceAccountName is the name of the Kubernetes ServiceAccount
+                  used to authenticate the OCI image pull if the service account has
+                  attached pull secrets. For more information: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account'
+                type: string
               suspend:
                 description: Suspend tells the controller to suspend the reconciliation
                   of this HelmRepository.

internal/helm/getter/client_opts.go

@@ -26,6 +26,7 @@ import (
 
 	"github.com/fluxcd/pkg/oci"
 	"github.com/google/go-containerregistry/pkg/authn"
+	"github.com/google/go-containerregistry/pkg/authn/k8schain"
 	helmgetter "helm.sh/helm/v3/pkg/getter"
 	helmreg "helm.sh/helm/v3/pkg/registry"
 	corev1 "k8s.io/api/core/v1"
@@ -80,6 +81,39 @@ func GetClientOpts(ctx context.Context, c client.Client, obj *helmv1.HelmReposit
 
 	var authSecret *corev1.Secret
 	var deprecatedTLSConfig bool
+
+	if ociRepo {
+		if obj.Spec.ServiceAccountName != "" {
+			serviceAccount := corev1.ServiceAccount{}
+			// Lookup service account
+			if err := c.Get(ctx, types.NamespacedName{
+				Namespace: obj.GetNamespace(),
+				Name:      obj.Spec.ServiceAccountName,
+			}, &serviceAccount); err != nil {
+				return nil, fmt.Errorf("failed to get serviceaccout: %s", err)
+			}
+
+			if len(serviceAccount.ImagePullSecrets) > 0 {
+				imagePullSecrets := make([]corev1.Secret, len(serviceAccount.ImagePullSecrets))
+				for i, ips := range serviceAccount.ImagePullSecrets {
+					var saAuthSecret corev1.Secret
+					if err := c.Get(ctx, types.NamespacedName{
+						Namespace: obj.GetNamespace(),
+						Name:      ips.Name,
+					}, &saAuthSecret); err != nil {
+						return nil, fmt.Errorf("failed to get image pull secret '%s' for serviceaccount '%s': %w",
+							ips.Name, obj.Spec.ServiceAccountName, err)
+					}
+					imagePullSecrets[i] = saAuthSecret
+				}
+				hrOpts.Keychain, err = k8schain.NewFromPullSecrets(ctx, imagePullSecrets)
+				if err != nil {
+					return nil, fmt.Errorf("error constructing keychain from image pull secrets: %w", err)
+				}
+			}
+		}
+	}
+
 	if obj.Spec.SecretRef != nil {
 		authSecret, err = fetchSecret(ctx, c, obj.Spec.SecretRef.Name, obj.GetNamespace())
 		if err != nil {
@@ -107,10 +141,16 @@ func GetClientOpts(ctx context.Context, c client.Client, obj *helmv1.HelmReposit
 		}
 
 		if ociRepo {
-			hrOpts.Keychain, err = registry.LoginOptionFromSecret(url, *authSecret)
+			keychain, err := registry.LoginOptionFromSecret(url, *authSecret)
 			if err != nil {
 				return nil, fmt.Errorf("failed to configure login options: %w", err)
 			}
+
+			if hrOpts.Keychain != nil {
+				hrOpts.Keychain = authn.NewMultiKeychain(keychain, hrOpts.Keychain)
+			} else {
+				hrOpts.Keychain = keychain
+			}
 		}
 	} else if obj.Spec.Provider != helmv1.GenericOCIProvider && obj.Spec.Type == helmv1.HelmRepositoryTypeOCI && ociRepo {
 		authenticator, authErr := soci.OIDCAuth(ctx, obj.Spec.URL, obj.Spec.Provider)

internal/helm/getter/client_opts_test.go

@@ -44,12 +44,13 @@ func TestGetClientOpts(t *testing.T) {
 	}
 
 	tests := []struct {
-		name       string
-		certSecret *corev1.Secret
-		authSecret *corev1.Secret
-		afterFunc  func(t *WithT, hcOpts *ClientOpts)
-		oci        bool
-		err        error
+		name           string
+		certSecret     *corev1.Secret
+		authSecret     *corev1.Secret
+		serviceAccount *corev1.ServiceAccount
+		afterFunc      func(t *WithT, hcOpts *ClientOpts)
+		oci            bool
+		err            error
 	}{
 		{
 			name: "HelmRepository with certSecretRef discards TLS config in secretRef",
@@ -117,6 +118,39 @@ func TestGetClientOpts(t *testing.T) {
 			},
 			oci: true,
 		},
+		{
+			name: "OCI HelmRepository with serviceaccount name",
+			serviceAccount: &corev1.ServiceAccount{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test-sa",
+				},
+				ImagePullSecrets: []corev1.LocalObjectReference{
+					{
+						Name: "pull-secret",
+					},
+				},
+			},
+			authSecret: &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "pull-secret",
+				},
+				Type: corev1.SecretTypeDockerConfigJson,
+				Data: map[string][]byte{
+					corev1.DockerConfigJsonKey: []byte(`{"auths":{"ghcr.io":{"username":"user","password":"pass","auth":"dXNlcjpwYXNz"}}}`),
+				},
+			},
+			afterFunc: func(t *WithT, hcOpts *ClientOpts) {
+				repo, err := name.NewRepository("ghcr.io/dummy")
+				t.Expect(err).ToNot(HaveOccurred())
+				authenticator, err := hcOpts.Keychain.Resolve(repo)
+				t.Expect(err).ToNot(HaveOccurred())
+				config, err := authenticator.Authorization()
+				t.Expect(err).ToNot(HaveOccurred())
+				t.Expect(config.Username).To(Equal("user"))
+				t.Expect(config.Password).To(Equal("pass"))
+			},
+			oci: true,
+		},
 	}
 
 	for _, tt := range tests {
@@ -147,6 +181,10 @@ func TestGetClientOpts(t *testing.T) {
 					Name: tt.certSecret.Name,
 				}
 			}
+			if tt.serviceAccount != nil {
+				clientBuilder.WithObjects(tt.serviceAccount.DeepCopy())
+				helmRepo.Spec.ServiceAccountName = tt.serviceAccount.Name
+			}
 			c := clientBuilder.Build()
 
 			clientOpts, err := GetClientOpts(context.TODO(), c, helmRepo, "https://ghcr.io/dummy")