woodpecker/pipeline/backend/kubernetes/secrets.go
Andrew Melnick b52b021acb
Implement registries for Kubernetes backend (#4092)
According to [the documentation](https://woodpecker-ci.org/docs/administration/backends/kubernetes#images-from-private-registries), per-organization and per-pipeline registries are currently unsupported for the Kubernetes backend.

This patch implements this missing functionality by creating and deleting a matching secret for each pod with a matched registry, using the same name, labels, and annotations as the pod, and appending it to its `imagePullSecrets` list.

This patch adds tests for the new functionality, and has been manually end-to-end-tested in KinD by using a private image hosted in the matching gitea instance.

This will require updating the matching helm charts to add the create/delete permissions to the agent role, which **is already done**.

close  #2987
2024-09-30 01:03:05 +01:00

294 lines
6.8 KiB
Go

// Copyright 2024 Woodpecker Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package kubernetes
import (
"context"
"encoding/json"
"fmt"
"strings"
"github.com/distribution/reference"
config_file "github.com/docker/cli/cli/config/configfile"
config_file_types "github.com/docker/cli/cli/config/types"
"github.com/rs/zerolog/log"
v1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/api/errors"
meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"go.woodpecker-ci.org/woodpecker/v2/pipeline/backend/types"
"go.woodpecker-ci.org/woodpecker/v2/pipeline/frontend/yaml/utils"
)
type nativeSecretsProcessor struct {
config *config
secrets []SecretRef
envFromSources []v1.EnvFromSource
envVars []v1.EnvVar
volumes []v1.Volume
mounts []v1.VolumeMount
}
func newNativeSecretsProcessor(config *config, secrets []SecretRef) nativeSecretsProcessor {
return nativeSecretsProcessor{
config: config,
secrets: secrets,
}
}
func (nsp *nativeSecretsProcessor) isEnabled() bool {
return nsp.config.NativeSecretsAllowFromStep
}
func (nsp *nativeSecretsProcessor) process() error {
if len(nsp.secrets) > 0 {
if !nsp.isEnabled() {
log.Debug().Msg("Secret names were defined in backend options, but secret access is disallowed by instance configuration.")
return nil
}
} else {
return nil
}
for _, secret := range nsp.secrets {
switch {
case secret.isSimple():
simpleSecret, err := secret.toEnvFromSource()
if err != nil {
return err
}
nsp.envFromSources = append(nsp.envFromSources, simpleSecret)
case secret.isAdvanced():
advancedSecret, err := secret.toEnvVar()
if err != nil {
return err
}
nsp.envVars = append(nsp.envVars, advancedSecret)
case secret.isFile():
volume, err := secret.toVolume()
if err != nil {
return err
}
nsp.volumes = append(nsp.volumes, volume)
mount, err := secret.toVolumeMount()
if err != nil {
return err
}
nsp.mounts = append(nsp.mounts, mount)
}
}
return nil
}
func (sr SecretRef) isSimple() bool {
return len(sr.Key) == 0 && len(sr.Target.Env) == 0 && !sr.isFile()
}
func (sr SecretRef) isAdvanced() bool {
return (len(sr.Key) > 0 || len(sr.Target.Env) > 0) && !sr.isFile()
}
func (sr SecretRef) isFile() bool {
return len(sr.Target.File) > 0
}
func (sr SecretRef) toEnvFromSource() (v1.EnvFromSource, error) {
env := v1.EnvFromSource{}
if !sr.isSimple() {
return env, fmt.Errorf("secret '%s' is not simple reference", sr.Name)
}
env = v1.EnvFromSource{
SecretRef: &v1.SecretEnvSource{
LocalObjectReference: secretReference(sr.Name),
},
}
return env, nil
}
func (sr SecretRef) toEnvVar() (v1.EnvVar, error) {
envVar := v1.EnvVar{}
if !sr.isAdvanced() {
return envVar, fmt.Errorf("secret '%s' is not advanced reference", sr.Name)
}
envVar.ValueFrom = &v1.EnvVarSource{
SecretKeyRef: &v1.SecretKeySelector{
LocalObjectReference: secretReference(sr.Name),
Key: sr.Key,
},
}
if len(sr.Target.Env) > 0 {
envVar.Name = sr.Target.Env
} else {
envVar.Name = strings.ToUpper(sr.Key)
}
return envVar, nil
}
func (sr SecretRef) toVolume() (v1.Volume, error) {
var err error
volume := v1.Volume{}
if !sr.isFile() {
return volume, fmt.Errorf("secret '%s' is not file reference", sr.Name)
}
volume.Name, err = volumeName(sr.Name)
if err != nil {
return volume, err
}
volume.Secret = &v1.SecretVolumeSource{
SecretName: sr.Name,
}
return volume, nil
}
func (sr SecretRef) toVolumeMount() (v1.VolumeMount, error) {
var err error
mount := v1.VolumeMount{
ReadOnly: true,
}
if !sr.isFile() {
return mount, fmt.Errorf("secret '%s' is not file reference", sr.Name)
}
mount.Name, err = volumeName(sr.Name)
if err != nil {
return mount, err
}
mount.MountPath = sr.Target.File
mount.SubPath = sr.Key
return mount, nil
}
func secretsReferences(names []string) []v1.LocalObjectReference {
secretReferences := make([]v1.LocalObjectReference, len(names))
for i, imagePullSecretName := range names {
secretReferences[i] = secretReference(imagePullSecretName)
}
return secretReferences
}
func secretReference(name string) v1.LocalObjectReference {
return v1.LocalObjectReference{
Name: name,
}
}
func needsRegistrySecret(step *types.Step) bool {
return step.AuthConfig.Username != "" && step.AuthConfig.Password != ""
}
func mkRegistrySecret(step *types.Step, config *config) (*v1.Secret, error) {
name, err := registrySecretName(step)
if err != nil {
return nil, err
}
labels, err := registrySecretLabels(step)
if err != nil {
return nil, err
}
named, err := utils.ParseNamed(step.Image)
if err != nil {
return nil, err
}
authConfig := config_file.ConfigFile{
AuthConfigs: map[string]config_file_types.AuthConfig{
reference.Domain(named): {
Username: step.AuthConfig.Username,
Password: step.AuthConfig.Password,
},
},
}
configFileJSON, err := json.Marshal(authConfig)
if err != nil {
return nil, err
}
return &v1.Secret{
ObjectMeta: meta_v1.ObjectMeta{
Namespace: config.Namespace,
Name: name,
Labels: labels,
},
Type: v1.SecretTypeDockerConfigJson,
Data: map[string][]byte{
v1.DockerConfigJsonKey: configFileJSON,
},
}, nil
}
func registrySecretName(step *types.Step) (string, error) {
return podName(step)
}
func registrySecretLabels(step *types.Step) (map[string]string, error) {
var err error
labels := make(map[string]string)
if step.Type == types.StepTypeService {
labels[ServiceLabel], _ = serviceName(step)
}
labels[StepLabel], err = stepLabel(step)
if err != nil {
return labels, err
}
return labels, nil
}
func startRegistrySecret(ctx context.Context, engine *kube, step *types.Step) error {
secret, err := mkRegistrySecret(step, engine.config)
if err != nil {
return err
}
log.Trace().Msgf("creating secret: %s", secret.Name)
_, err = engine.client.CoreV1().Secrets(engine.config.Namespace).Create(ctx, secret, meta_v1.CreateOptions{})
if err != nil {
return err
}
return nil
}
func stopRegistrySecret(ctx context.Context, engine *kube, step *types.Step, deleteOpts meta_v1.DeleteOptions) error {
name, err := registrySecretName(step)
if err != nil {
return err
}
log.Trace().Str("name", name).Msg("deleting secret")
err = engine.client.CoreV1().Secrets(engine.config.Namespace).Delete(ctx, name, deleteOpts)
if errors.IsNotFound(err) {
return nil
}
return err
}