This repository has been archived by the owner on Apr 10, 2024. It is now read-only.

Add option to patch all service accounts
Jiang Huan committed Feb 4, 2020
1 parent 204bb6f commit da0e8e2
Showing 5 changed files with 107 additions and 49 deletions.
11 changes: 4 additions & 7 deletions README.md
Expand Up @@ -5,10 +5,12 @@
![GitHub tag (latest SemVer)](https://img.shields.io/github/v/tag/titansoft-pte-ltd/imagepullsecret-patcher)
![GitHub issues](https://img.shields.io/github/issues/titansoft-pte-ltd/imagepullsecret-patcher)

A simple Kubernetes [client-go](https://github.com/kubernetes/client-go) application that creates and patches imagePullSecrets to default service accounts in all Kubernetes namespaces to allow cluster-wide authenticated access to private container registry.
A simple Kubernetes [client-go](https://github.com/kubernetes/client-go) application that creates and patches imagePullSecrets to service accounts in all Kubernetes namespaces to allow cluster-wide authenticated access to private container registry.

![screenshot](doc/screenshot.png)

A blog post: https://medium.com/titansoft-engineering/kubernetes-cluster-wide-access-to-private-container-registry-with-imagepullsecret-patcher-b8b8fb79f7e5

## Installation and configuration

To install imagepullsecret-patcher, can refer to [deploy-example](deploy-example) as a quick-start.
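Review bot: The reworded description line now says the tool patches imagePullSecrets "to service accounts in all Kubernetes namespaces", but `-allserviceaccount` defaults to false, so out of the box only the `default` service account in each namespace is patched. Suggest wording such as "to default (or, optionally, all) service accounts" so the README does not overstate the default scope of the credential.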
Expand All @@ -19,6 +21,7 @@ Below is a table of available configurations:
|-|-|-|-|-|
| force | CONFIG_FORCE | -force | true | overwrite secrets when not match |
| debug | CONFIG_DEBUG | -debug | false | show DEBUG logs |
| all service account | CONFIG_ALLSERVICEACCOUNT | -allserviceaccount | false | if false, patch just default service account; if true, list and patch all service accounts |
| dockerconfigjson | CONFIG_DOCKERCONFIGJSON | -dockerconfigjson | "" | json credential for authenicating container registry |
| secret name | CONFIG_SECRETNAME | -secretname | "image-pull-secret" | name of managed secrets |

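Review bot: The new `all service account` row documents the switch but not what turning it on means for the cluster. With it on, every pod in every namespace, including pods running under service accounts created by third-party charts and operators, will present the registry credential automatically, and any service account that was deliberately left without registry access loses that separation. Suggest a sentence under the table saying so and recommending that the credential in `dockerconfigjson` be pull-only.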
Expand Down Expand Up @@ -47,12 +50,6 @@ kubectl patch serviceaccount default \

And it could be automated with a simple program like imagepullsecret-patcher.

## How

The imagepullsecret-patcher does two things: create a secret called `image-pull-secret` in all namespaces, and patch the `default` service accounts to use those secrets as imagePullSecrets.

![flowchart](doc/IMAGEPULLSECRET-PATCHER-v0.x.png)

## Contribute

Development Environment
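Review bot: Deleting the whole `## How` section removes the only README description of what the program changes in the cluster (a secret named `image-pull-secret` in every namespace, plus a patch to service accounts). Rather than dropping it, update the paragraph to cover both modes and regenerate the flowchart, so operators can still see what will be modified before they deploy.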
4 changes: 3 additions & 1 deletion deploy-example/kubernetes-manifest/2_deployment.yaml
Expand Up @@ -27,12 +27,14 @@ spec:
serviceAccountName: imagepullsecret-patcher
containers:
- name: imagepullsecret-patcher
image: "quay.io/titansoft/imagepullsecret-patcher:v0.8"
image: "quay.io/titansoft/imagepullsecret-patcher:v0.9"
env:
- name: CONFIG_FORCE
value: "true"
- name: CONFIG_DEBUG
value: "false"
- name: CONFIG_ALLSERVICEACCOUNT
value: "true"
- name: CONFIG_DOCKERCONFIGJSON
valueFrom:
secretKeyRef:
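Review bot: The example manifest sets `CONFIG_ALLSERVICEACCOUNT` to "true" while the flag itself defaults to false, and the README points to deploy-example as the quick-start, so anyone copying it gets the cluster-wide mode without having chosen it. Suggest shipping the example with "false" (or omitting the variable) and a YAML comment explaining when to switch it on. The same hunk moves the image to the `v0.9` tag; pinning it by digest would make the example reproducible.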
15 changes: 15 additions & 0 deletions go.sum
Expand Up @@ -23,6 +23,7 @@ github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkg
github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
github.com/evanphx/json-patch v4.2.0+incompatible h1:fUDGZCv/7iAN7u0puUVhvKCcsR6vRfwrJatElLBEf0I=
github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I=
github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
Expand All @@ -43,6 +44,7 @@ github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5y
github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
github.com/google/go-cmp v0.3.0 h1:crn/baboCvb5fXaQ0IJ1SGTsTVrWpDsCWC8EGETZijY=
github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
github.com/google/gofuzz v0.0.0-20161122191042-44d81051d367/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI=
github.com/google/gofuzz v1.0.0 h1:A8PeW59pxE9IoFRqBp37U+mSNaQoZ46F1f0f863XSXw=
Expand All @@ -57,6 +59,7 @@ github.com/gophercloud/gophercloud v0.1.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEo
github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI=
github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
github.com/json-iterator/go v0.0.0-20180612202835-f2b4162afba3/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
Expand All @@ -65,9 +68,12 @@ github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/u
github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
github.com/konsorten/go-windows-terminal-sequences v1.0.1 h1:mweAR1A6xJ3oS2pRaGiHgQ4OO8tzTaLawm8vnODuwDk=
github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
Expand All @@ -81,22 +87,27 @@ github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8m
github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
github.com/onsi/ginkgo v1.10.1 h1:q/mM8GF/n0shIN8SaAZ0V+jnLPzen6WIVZdiwrRlMlo=
github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
github.com/onsi/gomega v1.7.0 h1:XPnZz8VVBHjVsy1vzJmRwIcSwiUO+JFfrv/xGiigmME=
github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4=
github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/testify v0.0.0-20151208002404-e3a8ff8ce365/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
Expand Down Expand Up @@ -151,16 +162,20 @@ golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3
google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
google.golang.org/appengine v1.5.0 h1:KxkO13IPW4Lslp2bz+KHP2E3gtFlrIGNThxkZQ3g+4c=
google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/fsnotify.v1 v1.4.7 h1:xOHLXZwVvI9hhs+cLKq5+I5onOuwQLhQwiu63xxlHs4=
gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
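Review bot: go.sum gains 15 lines in this commit, yet go.mod is not among the five changed files. The added entries are `h1:` content hashes for modules that previously carried only their `/go.mod` hash, which is consistent with the toolchain having downloaded module sources locally rather than with a new dependency. Please confirm with `go mod tidy` and `go mod verify`, and consider committing checksum-only changes separately so that real dependency changes stay easy to audit.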
44 changes: 26 additions & 18 deletions main.go
Expand Up @@ -14,10 +14,11 @@ import (
)

var (
configForce bool = true
configDebug bool = false
configDockerconfigjson string = ""
configSecretName string = "image-pull-secret" // default to image-pull-secret
configForce bool = true
configDebug bool = false
configAllServiceAccount bool = false
configDockerconfigjson string = ""
configSecretName string = "image-pull-secret" // default to image-pull-secret
)

type k8sClient struct {
Expand All @@ -28,6 +29,7 @@ func main() {
// parse flags
flag.BoolVar(&configForce, "force", LookUpEnvOrBool("CONFIG_FORCE", configForce), "force to overwrite secrets when not match")
flag.BoolVar(&configDebug, "debug", LookUpEnvOrBool("CONFIG_DEBUG", configDebug), "show DEBUG logs")
flag.BoolVar(&configAllServiceAccount, "allserviceaccount", LookUpEnvOrBool("CONFIG_ALLSERVICEACCOUNT", configAllServiceAccount), "if false, patch just default service account; if true, list and patch all service accounts")
flag.StringVar(&configDockerconfigjson, "dockerconfigjson", LookupEnvOrString("CONFIG_DOCKERCONFIGJSON", configDockerconfigjson), "json credential for authenicating container registry")
flag.StringVar(&configSecretName, "secretname", LookupEnvOrString("CONFIG_SECRETNAME", configSecretName), "set name of managed secrets")
flag.Parse()
Expand Down Expand Up @@ -120,22 +122,28 @@ func processSecret(k8s *k8sClient, namespace string) error {
}

func processServiceAccount(k8s *k8sClient, namespace string) error {
sa, err := k8s.clientset.CoreV1().ServiceAccounts(namespace).Get(defaultServiceAccountName, metav1.GetOptions{})
sas, err := k8s.clientset.CoreV1().ServiceAccounts(namespace).List(metav1.ListOptions{})
if err != nil {
return fmt.Errorf("[%s] Failed to get service account [%s]: %v", namespace, defaultServiceAccountName, err)
return fmt.Errorf("[%s] Failed to list service accounts: %v", namespace, err)
}
if includeImagePullSecret(sa, configSecretName) {
log.Debugf("[%s] ImagePullSecrets found", namespace)
return nil
}
patch, err := getPatchString(sa, configSecretName)
if err != nil {
return fmt.Errorf("[%s] Failed to get patch string: %v", namespace, err)
}
_, err = k8s.clientset.CoreV1().ServiceAccounts(namespace).Patch(defaultServiceAccountName, types.StrategicMergePatchType, patch)
if err != nil {
return fmt.Errorf("[%s] Failed to patch imagePullSecrets to service account [%s]: %v", namespace, defaultServiceAccountName, err)
for _, sa := range sas.Items {
if !configAllServiceAccount && sa.Name != defaultServiceAccountName {
log.Debugf("[%s] Skip non-default service account [%s]", namespace, sa.Name)
continue
}
if includeImagePullSecret(&sa, configSecretName) {
log.Debugf("[%s] ImagePullSecrets found", namespace)
continue
}
patch, err := getPatchString(&sa, configSecretName)
if err != nil {
return fmt.Errorf("[%s] Failed to get patch string: %v", namespace, err)
}
_, err = k8s.clientset.CoreV1().ServiceAccounts(namespace).Patch(sa.Name, types.StrategicMergePatchType, patch)
if err != nil {
return fmt.Errorf("[%s] Failed to patch imagePullSecrets to service account [%s]: %v", namespace, sa.Name, err)
}
log.Infof("[%s] Patched imagePullSecrets to service account [%s]", namespace, sa.Name)
}
log.Infof("[%s] Patched imagePullSecrets to service account [%s]", namespace, defaultServiceAccountName)
return nil
}
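Review bot: processServiceAccount now calls `ServiceAccounts(namespace).List(...)` unconditionally, even when `configAllServiceAccount` is false and only `default` will be touched. That requires the `list` verb on serviceaccounts where the old Get needed only `get`; this commit changes no RBAC manifest, so check that the deployed role already grants it. It also changes behaviour silently: a namespace without a `default` service account used to return "Failed to get service account" and now returns nil. Suggest keeping the Get path when the flag is off and listing only when it is on. Two smaller points in the loop: the `return` on a failed getPatchString or Patch abandons the remaining service accounts in the namespace, so logging and continuing (or collecting the errors) would be more robust, and the `ImagePullSecrets found` debug line should include `sa.Name` now that several accounts can produce it.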
82 changes: 59 additions & 23 deletions main_test.go
Expand Up @@ -65,36 +65,60 @@ var testCasesProcessServiceAccount = []testCase{
{
name: "no image pull secret",
prepSteps: []step{
helperCreateServiceAccountWithoutImagePullSecret,
assertHasError(assertHasImagePullSecret(configSecretName)),
helperCreateServiceAccountWithoutImagePullSecret(defaultServiceAccountName),
assertHasError(assertHasImagePullSecret(configSecretName, defaultServiceAccountName)),
},
testSteps: []step{
processServiceAccountDefault,
assertHasImagePullSecret(configSecretName),
assertHasImagePullSecret(configSecretName, defaultServiceAccountName),
},
},
{
name: "has same image pull secret",
prepSteps: []step{
helperCreateServiceAccountWithImagePullSecret(configSecretName),
assertHasImagePullSecret(configSecretName),
helperCreateServiceAccountWithImagePullSecret(configSecretName, defaultServiceAccountName),
assertHasImagePullSecret(configSecretName, defaultServiceAccountName),
},
testSteps: []step{
processServiceAccountDefault,
assertHasImagePullSecret(configSecretName),
assertHasImagePullSecret(configSecretName, defaultServiceAccountName),
},
},
{
name: "has different image pull secret",
prepSteps: []step{
helperCreateServiceAccountWithImagePullSecret("other-secret"),
assertHasImagePullSecret("other-secret"),
assertHasError(assertHasImagePullSecret(configSecretName)),
helperCreateServiceAccountWithImagePullSecret("other-secret", defaultServiceAccountName),
assertHasImagePullSecret("other-secret", defaultServiceAccountName),
assertHasError(assertHasImagePullSecret(configSecretName, defaultServiceAccountName)),
},
testSteps: []step{
processServiceAccountDefault,
assertHasImagePullSecret("other-secret"),
assertHasImagePullSecret(configSecretName),
assertHasImagePullSecret("other-secret", defaultServiceAccountName),
assertHasImagePullSecret(configSecretName, defaultServiceAccountName),
},
},
{
name: "non-default service account - skip when allServiceAccount off",
prepSteps: []step{
helperAllServiceAccountOff,
helperCreateServiceAccountWithoutImagePullSecret("other-service-account"),
assertHasError(assertHasImagePullSecret(configSecretName, "other-service-account")),
},
testSteps: []step{
processServiceAccountDefault,
assertHasError(assertHasImagePullSecret(configSecretName, "other-service-account")),
},
},
{
name: "non-default service account - patch when allServiceAccount on",
prepSteps: []step{
helperAllServiceAccountOn,
helperCreateServiceAccountWithoutImagePullSecret("other-service-account"),
assertHasError(assertHasImagePullSecret(configSecretName, "other-service-account")),
},
testSteps: []step{
processServiceAccountDefault,
assertHasImagePullSecret(configSecretName, "other-service-account"),
},
},
}
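Review bot: Neither new case has both `default` and a non-default service account present in the namespace at the same time. Nothing therefore checks that with the flag off `default` is still patched while `other-service-account` is left alone, or that with the flag on both are patched in a single pass through the loop. Suggest adding one mixed case per mode.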
Expand Down Expand Up @@ -170,21 +194,23 @@ func helperCreateOpaqueSecret(k8s *k8sClient) error {
return err
}

func helperCreateServiceAccountWithoutImagePullSecret(k8s *k8sClient) error {
_, err := k8s.clientset.CoreV1().ServiceAccounts(v1.NamespaceDefault).Create(&v1.ServiceAccount{
ObjectMeta: metav1.ObjectMeta{
Name: defaultServiceAccountName,
Namespace: v1.NamespaceDefault,
},
})
return err
func helperCreateServiceAccountWithoutImagePullSecret(serviceAccountName string) step {
return func(k8s *k8sClient) error {
_, err := k8s.clientset.CoreV1().ServiceAccounts(v1.NamespaceDefault).Create(&v1.ServiceAccount{
ObjectMeta: metav1.ObjectMeta{
Name: serviceAccountName,
Namespace: v1.NamespaceDefault,
},
})
return err
}
}

func helperCreateServiceAccountWithImagePullSecret(secretName string) step {
func helperCreateServiceAccountWithImagePullSecret(secretName, serviceAccountName string) step {
return func(k8s *k8sClient) error {
_, err := k8s.clientset.CoreV1().ServiceAccounts(v1.NamespaceDefault).Create(&v1.ServiceAccount{
ObjectMeta: metav1.ObjectMeta{
Name: defaultServiceAccountName,
Name: serviceAccountName,
Namespace: v1.NamespaceDefault,
},
ImagePullSecrets: []v1.LocalObjectReference{
Expand All @@ -207,6 +233,16 @@ func helperForceOff(_ *k8sClient) error {
return nil
}

func helperAllServiceAccountOn(_ *k8sClient) error {
configAllServiceAccount = true
return nil
}

func helperAllServiceAccountOff(_ *k8sClient) error {
configAllServiceAccount = false
return nil
}

// a set of assertion functions
func assertNoSecret(k8s *k8sClient) error {
_, err := k8s.clientset.CoreV1().Secrets(v1.NamespaceDefault).Get(configSecretName, metav1.GetOptions{})
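Review bot: helperAllServiceAccountOn and helperAllServiceAccountOff write the package-level `configAllServiceAccount`, and nothing in the visible lines restores it. The value set by the last case ("patch when allServiceAccount on") therefore leaks into whatever case or test runs next without setting the flag itself. Suggest having every case in testCasesProcessServiceAccount set the flag explicitly in prepSteps, or saving and restoring the previous value in the test runner.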
Expand Down Expand Up @@ -250,9 +286,9 @@ func assertHasError(fn step) step {
}
}

func assertHasImagePullSecret(secretName string) step {
func assertHasImagePullSecret(secretName, serviceAccountName string) step {
return func(k8s *k8sClient) error {
sa, err := k8s.clientset.CoreV1().ServiceAccounts(v1.NamespaceDefault).Get(defaultServiceAccountName, metav1.GetOptions{})
sa, err := k8s.clientset.CoreV1().ServiceAccounts(v1.NamespaceDefault).Get(serviceAccountName, metav1.GetOptions{})
if err != nil {
return err
}