fixup! Support serviceaccount pull secrets

Author: tmshort

cmd/catalogd/main.go

@@ -30,9 +30,6 @@ import (
 
 	"github.com/containers/image/v5/types"
 	"github.com/spf13/cobra"
-	corev1 "k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/fields"
-	k8slabels "k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
 	k8stypes "k8s.io/apimachinery/pkg/types"
 	apimachineryrand "k8s.io/apimachinery/pkg/util/rand"
@@ -64,6 +61,7 @@ import (
 	sharedcontrollers "github.com/operator-framework/operator-controller/internal/shared/controllers"
 	fsutil "github.com/operator-framework/operator-controller/internal/shared/util/fs"
 	imageutil "github.com/operator-framework/operator-controller/internal/shared/util/image"
+	"github.com/operator-framework/operator-controller/internal/shared/util/pullsecretcache"
 	sautil "github.com/operator-framework/operator-controller/internal/shared/util/sa"
 	"github.com/operator-framework/operator-controller/internal/shared/version"
 )
@@ -251,37 +249,17 @@ func run(ctx context.Context) error {
 
 	saKey, err := sautil.GetServiceAccount()
 	if err != nil {
-		setupLog.Error(err, "Unable to get pod namesapce and serviceaccount")
+		setupLog.Error(err, "Failed to extract serviceaccount from JWT")
 		return err
 	}
+	setupLog.Info("Successfully extracted serviceaccount from JWT", "serviceaccount",
+		fmt.Sprintf("%s/%s", saKey.Namespace, saKey.Name))
 
-	setupLog.Info("Read token", "serviceaccount", saKey)
-	cacheOptions.ByObject[&corev1.ServiceAccount{}] = crcache.ByObject{
-		Namespaces: map[string]crcache.Config{
-			saKey.Namespace: {
-				LabelSelector: k8slabels.Everything(),
-				FieldSelector: fields.SelectorFromSet(map[string]string{
-					"metadata.name": saKey.Name,
-				}),
-			},
-		},
-	}
-
-	secretCache := crcache.ByObject{}
-	secretCache.Namespaces = make(map[string]crcache.Config, 2)
-	secretCache.Namespaces[saKey.Namespace] = crcache.Config{
-		LabelSelector: k8slabels.Everything(),
-		FieldSelector: fields.Everything(),
-	}
-	if cfg.globalPullSecretKey != nil {
-		secretCache.Namespaces[cfg.globalPullSecretKey.Namespace] = crcache.Config{
-			LabelSelector: k8slabels.Everything(),
-			FieldSelector: fields.SelectorFromSet(map[string]string{
-				"metadata.name": cfg.globalPullSecretKey.Name,
-			}),
-		}
+	err = pullsecretcache.SetupPullSecretCache(&cacheOptions, cfg.globalPullSecretKey, saKey)
+	if err != nil {
+		setupLog.Error(err, "Unable to setup pull-secret cache")
+		return err
 	}
-	cacheOptions.ByObject[&corev1.Secret{}] = secretCache
 
 	// Create manager
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{

cmd/operator-controller/main.go

@@ -30,10 +30,8 @@ import (
 
 	"github.com/containers/image/v5/types"
 	"github.com/spf13/cobra"
-	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	apiextensionsv1client "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/typed/apiextensions/v1"
-	"k8s.io/apimachinery/pkg/fields"
 	k8slabels "k8s.io/apimachinery/pkg/labels"
 	k8stypes "k8s.io/apimachinery/pkg/types"
 	apimachineryrand "k8s.io/apimachinery/pkg/util/rand"
@@ -75,6 +73,7 @@ import (
 	fsutil "github.com/operator-framework/operator-controller/internal/shared/util/fs"
 	httputil "github.com/operator-framework/operator-controller/internal/shared/util/http"
 	imageutil "github.com/operator-framework/operator-controller/internal/shared/util/image"
+	"github.com/operator-framework/operator-controller/internal/shared/util/pullsecretcache"
 	sautil "github.com/operator-framework/operator-controller/internal/shared/util/sa"
 	"github.com/operator-framework/operator-controller/internal/shared/version"
 )
@@ -222,37 +221,17 @@ func run() error {
 
 	saKey, err := sautil.GetServiceAccount()
 	if err != nil {
-		setupLog.Error(err, "Unable to get pod namesapce and serviceaccount")
+		setupLog.Error(err, "Failed to extract serviceaccount from JWT")
 		return err
 	}
+	setupLog.Info("Successfully extracted serviceaccount from JWT", "serviceaccount",
+		fmt.Sprintf("%s/%s", saKey.Namespace, saKey.Name))
 
-	setupLog.Info("Read token", "serviceaccount", saKey)
-	cacheOptions.ByObject[&corev1.ServiceAccount{}] = crcache.ByObject{
-		Namespaces: map[string]crcache.Config{
-			saKey.Namespace: {
-				LabelSelector: k8slabels.Everything(),
-				FieldSelector: fields.SelectorFromSet(map[string]string{
-					"metadata.name": saKey.Name,
-				}),
-			},
-		},
-	}
-
-	secretCache := crcache.ByObject{}
-	secretCache.Namespaces = make(map[string]crcache.Config, 2)
-	secretCache.Namespaces[saKey.Namespace] = crcache.Config{
-		LabelSelector: k8slabels.Everything(),
-		FieldSelector: fields.Everything(),
-	}
-	if globalPullSecretKey != nil {
-		secretCache.Namespaces[globalPullSecretKey.Namespace] = crcache.Config{
-			LabelSelector: k8slabels.Everything(),
-			FieldSelector: fields.SelectorFromSet(map[string]string{
-				"metadata.name": globalPullSecretKey.Name,
-			}),
-		}
+	err = pullsecretcache.SetupPullSecretCache(&cacheOptions, globalPullSecretKey, saKey)
+	if err != nil {
+		setupLog.Error(err, "Unable to setup pull-secret cache")
+		return err
 	}
-	cacheOptions.ByObject[&corev1.Secret{}] = secretCache
 
 	metricsServerOptions := server.Options{}
 	if len(cfg.certFile) > 0 && len(cfg.keyFile) > 0 {

internal/shared/controllers/pull_secret_controller.go

@@ -51,7 +51,7 @@ func (r *PullSecretReconciler) Reconcile(ctx context.Context, _ ctrl.Request) (c
 
 	secrets := []*corev1.Secret{}
 
-	if r.SecretKey != nil { //nolint:nestif
+	if r.SecretKey != nil {
 		secret, err := r.getSecret(ctx, logger, *r.SecretKey)
 		if err != nil {
 			return ctrl.Result{}, err

internal/shared/util/pullsecretcache/pullsecretcache.go

@@ -0,0 +1,40 @@
+package pullsecretcache
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/fields"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/cache"
+)
+
+func SetupPullSecretCache(cacheOptions *cache.Options, globalPullSecretKey *types.NamespacedName, saKey types.NamespacedName) error {
+	cacheOptions.ByObject[&corev1.ServiceAccount{}] = cache.ByObject{
+		Namespaces: map[string]cache.Config{
+			saKey.Namespace: {
+				LabelSelector: labels.Everything(),
+				FieldSelector: fields.SelectorFromSet(map[string]string{
+					"metadata.name": saKey.Name,
+				}),
+			},
+		},
+	}
+
+	secretCache := cache.ByObject{}
+	secretCache.Namespaces = make(map[string]cache.Config, 2)
+	secretCache.Namespaces[saKey.Namespace] = cache.Config{
+		LabelSelector: labels.Everything(),
+		FieldSelector: fields.Everything(),
+	}
+	if globalPullSecretKey != nil {
+		secretCache.Namespaces[globalPullSecretKey.Namespace] = cache.Config{
+			LabelSelector: labels.Everything(),
+			FieldSelector: fields.SelectorFromSet(map[string]string{
+				"metadata.name": globalPullSecretKey.Name,
+			}),
+		}
+	}
+	cacheOptions.ByObject[&corev1.Secret{}] = secretCache
+
+	return nil
+}

internal/shared/util/sa/serviceaccount.go

@@ -44,7 +44,7 @@ func getServiceAccountInternal(data []byte, err error) (k8stypes.NamespacedName,
 		return k8stypes.NamespacedName{}, err
 	}
 	subjects := strings.Split(subject, ":")
-	if len(subjects) != 4 {
+	if len(subjects) != 4 || subjects[2] == "" || subjects[3] == "" {
 		return k8stypes.NamespacedName{}, fmt.Errorf("badly formatted subject: %s", subject)
 	}
 	return k8stypes.NamespacedName{Namespace: subjects[2], Name: subjects[3]}, nil