Bug 1909992: Allow private bundle images within private indexes

anik120 · anik120 · commit 82cebe1995b8 · 2021-01-06T13:04:02.000-05:00
In #1878, the secrets passed in `spec.secrets` field of a catalogsource were attached to the catsrc's corresponding SA that was used by the registry pod, thereby having access to the secrets. This allowed for pulling of private index images. However, the job that unpacks the bundle images did not have access to the secrets, and as a result private bundle image included in the catsrc were not installable using the secrets. This PR attaches the secrets from the catsrc to the job that unpacks the bundles, thereby allowing the inclusion of private bundle images within index from private indexes.
diff --git a/pkg/controller/bundle/bundle_unpacker.go b/pkg/controller/bundle/bundle_unpacker.go
@@ -65,7 +65,7 @@ func newBundleUnpackResult(lookup *operatorsv1alpha1.BundleLookup) *BundleUnpack
 	}
 }
 
-func (c *ConfigMapUnpacker) job(cmRef *corev1.ObjectReference, bundlePath string) *batchv1.Job {
+func (c *ConfigMapUnpacker) job(cmRef *corev1.ObjectReference, bundlePath string, secrets []corev1.LocalObjectReference) *batchv1.Job {
 	job := &batchv1.Job{
 		Spec: batchv1.JobSpec{
 			//ttlSecondsAfterFinished: 0 // can use in the future to not have to clean up job
@@ -74,7 +74,8 @@ func (c *ConfigMapUnpacker) job(cmRef *corev1.ObjectReference, bundlePath string
 					Name: cmRef.Name,
 				},
 				Spec: corev1.PodSpec{
-					RestartPolicy: corev1.RestartPolicyOnFailure,
+					RestartPolicy:    corev1.RestartPolicyOnFailure,
+					ImagePullSecrets: secrets,
 					Containers: []corev1.Container{
 						{
 							Name:    "extract",
@@ -331,8 +332,12 @@ func (c *ConfigMapUnpacker) UnpackBundle(lookup *operatorsv1alpha1.BundleLookup)
 		return
 	}
 
+	secrets := make([]corev1.LocalObjectReference, 0)
+	for _, secretName := range cs.Spec.Secrets {
+		secrets = append(secrets, corev1.LocalObjectReference{Name: secretName})
+	}
 	var job *batchv1.Job
-	job, err = c.ensureJob(cmRef, result.Path)
+	job, err = c.ensureJob(cmRef, result.Path, secrets)
 	if err != nil {
 		return
 	}
@@ -384,8 +389,8 @@ func (c *ConfigMapUnpacker) ensureConfigmap(csRef *corev1.ObjectReference, name
 	return
 }
 
-func (c *ConfigMapUnpacker) ensureJob(cmRef *corev1.ObjectReference, bundlePath string) (job *batchv1.Job, err error) {
-	fresh := c.job(cmRef, bundlePath)
+func (c *ConfigMapUnpacker) ensureJob(cmRef *corev1.ObjectReference, bundlePath string, secrets []corev1.LocalObjectReference) (job *batchv1.Job, err error) {
+	fresh := c.job(cmRef, bundlePath, secrets)
 	job, err = c.jobLister.Jobs(fresh.GetNamespace()).Get(fresh.GetName())
 	if err != nil {
 		if apierrors.IsNotFound(err) {
diff --git a/pkg/controller/bundle/bundle_unpacker_test.go b/pkg/controller/bundle/bundle_unpacker_test.go
@@ -113,6 +113,9 @@ func TestConfigMapUnpacker(t *testing.T) {
 							Namespace: "ns-a",
 							Name:      "src-a",
 						},
+						Spec: operatorsv1alpha1.CatalogSourceSpec{
+							Secrets: []string{"my-secret"},
+						},
 					},
 				},
 			},
@@ -193,7 +196,8 @@ func TestConfigMapUnpacker(t *testing.T) {
 									Name: pathHash,
 								},
 								Spec: corev1.PodSpec{
-									RestartPolicy: corev1.RestartPolicyOnFailure,
+									RestartPolicy:    corev1.RestartPolicyOnFailure,
+									ImagePullSecrets: []corev1.LocalObjectReference{{Name: "my-secret"}},
 									Containers: []corev1.Container{
 										{
 											Name:    "extract",
