fixup! Support serviceaccount pull secrets

tmshort · tmshort · commit 1b4189d9ba09 · 2025-06-06T13:56:20.000-04:00
Signed-off-by: Todd Short &lt;tshort@redhat.com&gt;
diff --git a/config/base/catalogd/rbac/role.yaml b/config/base/catalogd/rbac/role.yaml
@@ -4,14 +4,6 @@ kind: ClusterRole
 metadata:
   name: manager-role
 rules:
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - get
-  - list
-  - watch
 - apiGroups:
   - olm.operatorframework.io
   resources:
@@ -48,6 +40,7 @@ rules:
 - apiGroups:
   - ""
   resources:
+  - secrets
   - serviceaccounts
   verbs:
   - get
diff --git a/go.mod b/go.mod
@@ -14,6 +14,7 @@ require (
 	github.com/golang-jwt/jwt/v5 v5.2.2
 	github.com/google/go-cmp v0.7.0
 	github.com/google/go-containerregistry v0.20.3
+	github.com/google/renameio/v2 v2.0.0
 	github.com/gorilla/handlers v1.5.2
 	github.com/klauspost/compress v1.18.0
 	github.com/opencontainers/go-digest v1.0.0
diff --git a/go.sum b/go.sum
@@ -255,6 +255,8 @@ github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
 github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/pprof v0.0.0-20250423184734-337e5dd93bb4 h1:gD0vax+4I+mAj+jEChEf25Ia07Jq7kYOFO5PPhAxFl4=
 github.com/google/pprof v0.0.0-20250423184734-337e5dd93bb4/go.mod h1:5hDyRhoBCxViHszMt12TnOpEI4VVi+U8Gm9iphldiMA=
+github.com/google/renameio/v2 v2.0.0 h1:UifI23ZTGY8Tt29JbYFiuyIU3eX+RNFtUwefq9qAhxg=
+github.com/google/renameio/v2 v2.0.0/go.mod h1:BtmJXm5YlszgC+TD4HOEEUFgkJP3nLxehU6hfe7jRt4=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
diff --git a/internal/catalogd/controllers/core/clustercatalog_controller.go b/internal/catalogd/controllers/core/clustercatalog_controller.go
@@ -79,7 +79,7 @@ type storedCatalogData struct {
 //+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clustercatalogs,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clustercatalogs/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clustercatalogs/finalizers,verbs=update
-//+kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch
+//+kubebuilder:rbac:namespace=system,groups=core,resources=secrets,verbs=get;list;watch
 //+kubebuilder:rbac:namespace=system,groups=core,resources=serviceaccounts,verbs=get;list;watch
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
diff --git a/internal/shared/controllers/pull_secret_controller.go b/internal/shared/controllers/pull_secret_controller.go
@@ -23,6 +23,7 @@ import (
 	"os"
 
 	"github.com/go-logr/logr"
+	"github.com/google/renameio/v2"
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/types"
@@ -45,23 +46,18 @@ type PullSecretReconciler struct {
 func (r *PullSecretReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	logger := log.FromContext(ctx).WithName("pull-secret-reconciler")
 
-	logger.Info("processing event", "name", req.NamespacedName)
-	defer logger.Info("processed event", "name", req.NamespacedName)
+	logger.Info("processing event", logName(req.NamespacedName)...)
+	defer logger.Info("processed event", logName(req.NamespacedName)...)
 
 	secrets := []*corev1.Secret{}
-	secret := &corev1.Secret{}
 
 	if r.SecretKey != nil { //nolint:nestif
+		secret, err := r.getSecret(ctx, logger, *r.SecretKey)
+		if err != nil {
+			return ctrl.Result{}, err
+		}
 		// Add the configured pull secret to the list of secrets
-		if err := r.Get(ctx, *r.SecretKey, secret); err != nil {
-			if apierrors.IsNotFound(err) {
-				logger.Info("secret not found", "name", r.SecretKey)
-			} else {
-				logger.Error(err, "failed to get Secret", "name", r.SecretKey)
-				return ctrl.Result{}, err
-			}
-		} else {
-			logger.Info("global pull secret", "name", *r.SecretKey)
+		if secret != nil {
 			secrets = append(secrets, secret)
 		}
 	}
@@ -71,9 +67,9 @@ func (r *PullSecretReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 	logger.Info("serviceaccount", "name", r.ServiceAccountKey)
 	if err := r.Get(ctx, r.ServiceAccountKey, sa); err != nil { //nolint:nestif
 		if apierrors.IsNotFound(err) {
-			logger.Info("serviceaccount not found", "serviceaccount", r.ServiceAccountKey)
+			logger.Info("serviceaccount not found", logName(r.ServiceAccountKey)...)
 		} else {
-			logger.Error(err, "failed to get serviceaccount", "serviceaccount", r.ServiceAccountKey)
+			logger.Error(err, "failed to get serviceaccount", logName(r.ServiceAccountKey)...)
 			return ctrl.Result{}, err
 		}
 	} else {
@@ -84,16 +80,12 @@ func (r *PullSecretReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 			// This is to update the list of secrets that we are filtering on
 			// Add all secrets regardless if they exist or not
 			pullSecrets = append(pullSecrets, nn)
-			secret := &corev1.Secret{}
-			err = r.Get(ctx, nn, secret)
+
+			secret, err := r.getSecret(ctx, logger, nn)
 			if err != nil {
-				if apierrors.IsNotFound(err) {
-					logger.Info("serviceaccount pull secret not found", "secret", nn)
-				} else {
-					logger.Error(err, "failed to get serviceaccount pull secret", "secret", nn)
-					return ctrl.Result{}, err
-				}
-			} else {
+				return ctrl.Result{}, err
+			}
+			if secret != nil {
 				secrets = append(secrets, secret)
 			}
 		}
@@ -108,6 +100,25 @@ func (r *PullSecretReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 	return ctrl.Result{}, r.writeSecretToFile(logger, secrets)
 }
 
+func (r *PullSecretReconciler) getSecret(ctx context.Context, logger logr.Logger, nn types.NamespacedName) (*corev1.Secret, error) {
+	secret := &corev1.Secret{}
+	if err := r.Get(ctx, *r.SecretKey, secret); err != nil {
+		if apierrors.IsNotFound(err) {
+			logger.Info("secret not found", logName(nn)...)
+			return nil, nil
+		}
+		logger.Error(err, "failed to get secret", logName(nn)...)
+		return nil, err
+	}
+	logger.Info("found secret", logName(nn)...)
+	return secret, nil
+}
+
+// Helper function to log NamespacedNames
+func logName(nn types.NamespacedName) []any {
+	return []any{"name", nn.Name, "namespace", nn.Namespace}
+}
+
 // SetupWithManager sets up the controller with the Manager.
 func (r *PullSecretReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	_, err := ctrl.NewControllerManagedBy(mgr).
@@ -205,7 +216,7 @@ func (r *PullSecretReconciler) writeSecretToFile(logger logr.Logger, secrets []*
 	if err != nil {
 		return fmt.Errorf("failed to marshal secret data: %w", err)
 	}
-	err = os.WriteFile(r.AuthFilePath, data, 0600)
+	err = renameio.WriteFile(r.AuthFilePath, data, 0600)
 	if err != nil {
 		return fmt.Errorf("failed to write secret data to file: %w", err)
 	}
