remove image pull secret

2025-02-02 18:44:49 -05:00 · 2022-08-28 15:57:08 +02:00 · 2022-08-28 15:57:08 +02:00 · 6b8a2a0063
commit 6b8a2a0063
parent d972f053f9
11 changed files with 8 additions and 105 deletions
--- a/bootstrapper/internal/kubernetes/k8sapi/resources/access_manager.go
+++ b/bootstrapper/internal/kubernetes/k8sapi/resources/access_manager.go
@ -1,7 +1,6 @@
 package resources

 import (
-	"github.com/edgelesssys/constellation/internal/secrets"
 	"github.com/edgelesssys/constellation/internal/versions"
 	"google.golang.org/protobuf/proto"
 	apps "k8s.io/api/apps/v1"
@ -14,12 +13,11 @@ const accessManagerNamespace = "kube-system"

 // accessManagerDeployment holds the configuration for the SSH user creation pods. User/Key definitions are stored in the ConfigMap, and the manager is deployed on each node by the DaemonSet.
 type accessManagerDeployment struct {
-	ConfigMap       k8s.ConfigMap
-	ServiceAccount  k8s.ServiceAccount
-	Role            rbac.Role
-	RoleBinding     rbac.RoleBinding
-	DaemonSet       apps.DaemonSet
-	ImagePullSecret k8s.Secret
+	ConfigMap      k8s.ConfigMap
+	ServiceAccount k8s.ServiceAccount
+	Role           rbac.Role
+	RoleBinding    rbac.RoleBinding
+	DaemonSet      apps.DaemonSet
 }

 // NewAccessManagerDeployment creates a new *accessManagerDeployment which manages the SSH users for the cluster.
@ -92,11 +90,6 @@ func NewAccessManagerDeployment(sshUsers map[string]string) *accessManagerDeploy
 								Effect:   k8s.TaintEffectNoSchedule,
 							},
 						},
-						ImagePullSecrets: []k8s.LocalObjectReference{
-							{
-								Name: secrets.PullSecretName,
-							},
-						},
 						Containers: []k8s.Container{
 							{
 								Name:            "pause",
@ -194,7 +187,6 @@ func NewAccessManagerDeployment(sshUsers map[string]string) *accessManagerDeploy
 				},
 			},
 		},
-		ImagePullSecret: NewImagePullSecret(accessManagerNamespace),
 	}
 }

--- a/bootstrapper/internal/kubernetes/k8sapi/resources/gcp_guest_agent.go
+++ b/bootstrapper/internal/kubernetes/k8sapi/resources/gcp_guest_agent.go
@ -1,7 +1,6 @@
 package resources

 import (
-	"github.com/edgelesssys/constellation/internal/secrets"
 	"github.com/edgelesssys/constellation/internal/versions"
 	apps "k8s.io/api/apps/v1"
 	k8s "k8s.io/api/core/v1"
@ -56,11 +55,6 @@ func NewGCPGuestAgentDaemonset() *gcpGuestAgentDaemonset {
 								Effect:   k8s.TaintEffectNoSchedule,
 							},
 						},
-						ImagePullSecrets: []k8s.LocalObjectReference{
-							{
-								Name: secrets.PullSecretName,
-							},
-						},
 						Containers: []k8s.Container{
 							{
 								Name:  "gcp-guest-agent",
--- a/bootstrapper/internal/kubernetes/k8sapi/resources/image_pull_secret.go
+++ b/bootstrapper/internal/kubernetes/k8sapi/resources/image_pull_secret.go
@ -1,32 +0,0 @@
-package resources
-
-import (
-	"encoding/base64"
-	"fmt"
-
-	"github.com/edgelesssys/constellation/internal/secrets"
-	k8s "k8s.io/api/core/v1"
-	meta "k8s.io/apimachinery/pkg/apis/meta/v1"
-)
-
-// NewImagePullSecret creates a new k8s.Secret from the config for authenticating when pulling images.
-func NewImagePullSecret(namespace string) k8s.Secret {
-	base64EncodedSecret := base64.StdEncoding.EncodeToString(
-		[]byte(fmt.Sprintf("%s:%s", secrets.PullSecretUser, secrets.PullSecretToken)),
-	)
-
-	pullSecretDockerCfgJSON := fmt.Sprintf(`{"auths":{"ghcr.io":{"auth":"%s"}}}`, base64EncodedSecret)
-
-	return k8s.Secret{
-		TypeMeta: meta.TypeMeta{
-			APIVersion: "v1",
-			Kind:       "Secret",
-		},
-		ObjectMeta: meta.ObjectMeta{
-			Name:      secrets.PullSecretName,
-			Namespace: namespace,
-		},
-		StringData: map[string]string{".dockerconfigjson": pullSecretDockerCfgJSON},
-		Type:       "kubernetes.io/dockerconfigjson",
-	}
-}
--- a/bootstrapper/internal/kubernetes/k8sapi/resources/image_pull_secret_test.go
+++ b/bootstrapper/internal/kubernetes/k8sapi/resources/image_pull_secret_test.go
@ -1,14 +0,0 @@
-package resources
-
-import (
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-)
-
-func TestImagePullSecret(t *testing.T) {
-	imgPullSec := NewImagePullSecret("namespace")
-	_, err := imgPullSec.Marshal()
-	assert.NoError(t, err)
-	assert.Equal(t, "namespace", imgPullSec.Namespace)
-}
--- a/bootstrapper/internal/kubernetes/k8sapi/resources/joinservice.go
+++ b/bootstrapper/internal/kubernetes/k8sapi/resources/joinservice.go
@ -4,7 +4,6 @@ import (
 	"fmt"

 	"github.com/edgelesssys/constellation/internal/constants"
-	"github.com/edgelesssys/constellation/internal/secrets"
 	"github.com/edgelesssys/constellation/internal/versions"
 	apps "k8s.io/api/apps/v1"
 	k8s "k8s.io/api/core/v1"
@ -128,11 +127,6 @@ func NewJoinServiceDaemonset(csp, measurementsJSON, enforcedPCRsJSON string, mea
 						NodeSelector: map[string]string{
 							"node-role.kubernetes.io/control-plane": "",
 						},
-						ImagePullSecrets: []k8s.LocalObjectReference{
-							{
-								Name: secrets.PullSecretName,
-							},
-						},
 						Containers: []k8s.Container{
 							{
 								Name:  "join-service",
--- a/bootstrapper/internal/kubernetes/k8sapi/resources/kms.go
+++ b/bootstrapper/internal/kubernetes/k8sapi/resources/kms.go
@ -4,7 +4,6 @@ import (
 	"fmt"

 	"github.com/edgelesssys/constellation/internal/constants"
-	"github.com/edgelesssys/constellation/internal/secrets"
 	"github.com/edgelesssys/constellation/internal/versions"
 	apps "k8s.io/api/apps/v1"
 	k8s "k8s.io/api/core/v1"
@ -22,7 +21,6 @@ type kmsDeployment struct {
 	ClusterRoleBinding rbac.ClusterRoleBinding
 	Deployment         apps.Deployment
 	MasterSecret       k8s.Secret
-	ImagePullSecret    k8s.Secret
 }

 // KMSConfig is the configuration needed to set up Constellation's key management service.
@ -167,11 +165,6 @@ func NewKMSDeployment(csp string, config KMSConfig) *kmsDeployment {
 						NodeSelector: map[string]string{
 							"node-role.kubernetes.io/control-plane": "",
 						},
-						ImagePullSecrets: []k8s.LocalObjectReference{
-							{
-								Name: secrets.PullSecretName,
-							},
-						},
 						Volumes: []k8s.Volume{
 							{
 								Name: "config",
@ -249,7 +242,6 @@ func NewKMSDeployment(csp string, config KMSConfig) *kmsDeployment {
 			},
 			Type: "Opaque",
 		},
-		ImagePullSecret: NewImagePullSecret(kmsNamespace),
 	}
 }

--- a/bootstrapper/internal/kubernetes/k8sapi/resources/node_operator.go
+++ b/bootstrapper/internal/kubernetes/k8sapi/resources/node_operator.go
@ -4,7 +4,6 @@ import (
 	_ "embed"
 	"time"

-	"github.com/edgelesssys/constellation/internal/secrets"
 	"github.com/edgelesssys/constellation/internal/versions"
 	operatorsv1 "github.com/operator-framework/api/pkg/operators/v1"
 	operatorsv1alpha1 "github.com/operator-framework/api/pkg/operators/v1alpha1"
@ -26,11 +25,9 @@ var NodeOperatorCRDNames = []string{
 }

 type nodeOperatorDeployment struct {
-	CatalogSource     operatorsv1alpha1.CatalogSource
-	OperatorGroup     operatorsv1.OperatorGroup
-	Subscription      operatorsv1alpha1.Subscription
-	CatalogPullSecret corev1.Secret
-	ImagePullSecret   corev1.Secret
+	CatalogSource operatorsv1alpha1.CatalogSource
+	OperatorGroup operatorsv1.OperatorGroup
+	Subscription  operatorsv1alpha1.Subscription
 }

 // NewNodeOperatorDeployment creates a new constellation node operator deployment.
@ -45,7 +42,6 @@ func NewNodeOperatorDeployment(cloudProvider string, uid string) *nodeOperatorDe
 			},
 			Spec: operatorsv1alpha1.CatalogSourceSpec{
 				SourceType:  "grpc",
-				Secrets:     []string{secrets.PullSecretName},
 				Image:       versions.NodeOperatorCatalogImage + ":" + versions.NodeOperatorVersion,
 				DisplayName: "Constellation Node Operator",
 				Publisher:   "Edgeless Systems",
@ -88,8 +84,6 @@ func NewNodeOperatorDeployment(cloudProvider string, uid string) *nodeOperatorDe
 				},
 			},
 		},
-		CatalogPullSecret: NewImagePullSecret(nodeOperatorCatalogNamespace),
-		ImagePullSecret:   NewImagePullSecret(nodeOperatorNamespace),
 	}
 }

--- a/bootstrapper/internal/kubernetes/k8sapi/resources/verification.go
+++ b/bootstrapper/internal/kubernetes/k8sapi/resources/verification.go
@ -4,7 +4,6 @@ import (
 	"fmt"

 	"github.com/edgelesssys/constellation/internal/constants"
-	"github.com/edgelesssys/constellation/internal/secrets"
 	"github.com/edgelesssys/constellation/internal/versions"
 	apps "k8s.io/api/apps/v1"
 	k8s "k8s.io/api/core/v1"
@ -66,11 +65,6 @@ func NewVerificationDaemonSet(csp string) *verificationDaemonset {
 								Effect:   k8s.TaintEffectNoSchedule,
 							},
 						},
-						ImagePullSecrets: []k8s.LocalObjectReference{
-							{
-								Name: secrets.PullSecretName,
-							},
-						},
 						Containers: []k8s.Container{
 							{
 								Name:  "verification-service",
--- a/internal/secrets/secrets.go
+++ b/internal/secrets/secrets.go
@ -1,7 +0,0 @@
-package secrets
-
-const (
-	PullSecretName = "***REMOVED***"
-	PullSecretToken = "***REMOVED***"
-	PullSecretUser = "***REMOVED***"
-)
--- a/operators/constellation-node-operator/README.md
+++ b/operators/constellation-node-operator/README.md
@ -220,8 +220,6 @@ In production, it is recommended to deploy the operator using the [operator life
        namespace: olm
    spec:
        sourceType: grpc
-        secrets:
-        - "constellation-pull"
        # TODO: user: set desired operator catalog version here
        image: ghcr.io/edgelesssys/constellation/node-operator-catalog:v0.0.1
        displayName: Constellation Node Operator
--- a/operators/constellation-node-operator/config/manager/manager.yaml
+++ b/operators/constellation-node-operator/config/manager/manager.yaml
@ -78,8 +78,6 @@ spec:
          optional: true
      nodeSelector:
        node-role.kubernetes.io/control-plane: ""
-      imagePullSecrets:
-      - name: constellation-pull # workaround until https://github.com/operator-framework/operator-lifecycle-manager/issues/2682 is fixed
      tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/control-plane