From 6b8a2a00632d65675b33a0b52e58bce630c950aa Mon Sep 17 00:00:00 2001
From: Thomas Tendyck
Date: Sun, 28 Aug 2022 15:57:08 +0200
Subject: [PATCH] remove image pull secret

---
 .../k8sapi/resources/access_manager.go | 18 +++--------
 .../k8sapi/resources/gcp_guest_agent.go | 6 ----
 .../k8sapi/resources/image_pull_secret.go | 32 -------------------
 .../resources/image_pull_secret_test.go | 14 --------
 .../k8sapi/resources/joinservice.go | 6 ----
 .../kubernetes/k8sapi/resources/kms.go | 8 -----
 .../k8sapi/resources/node_operator.go | 12 ++-----
 .../k8sapi/resources/verification.go | 6 ----
 internal/secrets/secrets.go | 7 ----
 .../constellation-node-operator/README.md | 2 --
 .../config/manager/manager.yaml | 2 --
 11 files changed, 8 insertions(+), 105 deletions(-)
 delete mode 100644 bootstrapper/internal/kubernetes/k8sapi/resources/image_pull_secret.go
 delete mode 100644 bootstrapper/internal/kubernetes/k8sapi/resources/image_pull_secret_test.go
 delete mode 100644 internal/secrets/secrets.go

diff --git a/bootstrapper/internal/kubernetes/k8sapi/resources/access_manager.go b/bootstrapper/internal/kubernetes/k8sapi/resources/access_manager.go
index d9302138a..483d0a1b3 100644
--- a/bootstrapper/internal/kubernetes/k8sapi/resources/access_manager.go
+++ b/bootstrapper/internal/kubernetes/k8sapi/resources/access_manager.go
@@ -1,7 +1,6 @@
 package resources
 
 import (
- "github.com/edgelesssys/constellation/internal/secrets"
  "github.com/edgelesssys/constellation/internal/versions"
  "google.golang.org/protobuf/proto"
  apps "k8s.io/api/apps/v1"
@@ -14,12 +13,11 @@ const accessManagerNamespace = "kube-system" // accessManagerDeployment holds the configuration for the SSH user creation pods. User/Key definitions are stored in the ConfigMap, and the manager is deployed on each node by the DaemonSet. type accessManagerDeployment struct { - ConfigMap k8s.ConfigMap - ServiceAccount k8s.ServiceAccount - Role rbac.Role - RoleBinding rbac.RoleBinding - DaemonSet apps.DaemonSet - ImagePullSecret k8s.Secret + ConfigMap k8s.ConfigMap + ServiceAccount k8s.ServiceAccount + Role rbac.Role + RoleBinding rbac.RoleBinding + DaemonSet apps.DaemonSet } // NewAccessManagerDeployment creates a new *accessManagerDeployment which manages the SSH users for the cluster. @@ -92,11 +90,6 @@ func NewAccessManagerDeployment(sshUsers map[string]string) *accessManagerDeploy Effect: k8s.TaintEffectNoSchedule, }, }, - ImagePullSecrets: []k8s.LocalObjectReference{ - { - Name: secrets.PullSecretName, - }, - }, Containers: []k8s.Container{ { Name: "pause", @@ -194,7 +187,6 @@ func NewAccessManagerDeployment(sshUsers map[string]string) *accessManagerDeploy }, }, }, - ImagePullSecret: NewImagePullSecret(accessManagerNamespace), } } diff --git a/bootstrapper/internal/kubernetes/k8sapi/resources/gcp_guest_agent.go b/bootstrapper/internal/kubernetes/k8sapi/resources/gcp_guest_agent.go index ca581917a..ba13a43f3 100644 --- a/bootstrapper/internal/kubernetes/k8sapi/resources/gcp_guest_agent.go +++ b/bootstrapper/internal/kubernetes/k8sapi/resources/gcp_guest_agent.go @@ -1,7 +1,6 @@ package resources import ( - "github.com/edgelesssys/constellation/internal/secrets" "github.com/edgelesssys/constellation/internal/versions" apps "k8s.io/api/apps/v1" k8s "k8s.io/api/core/v1" @@ -56,11 +55,6 @@ func NewGCPGuestAgentDaemonset() *gcpGuestAgentDaemonset { Effect: k8s.TaintEffectNoSchedule, }, }, - ImagePullSecrets: []k8s.LocalObjectReference{ - { - Name: secrets.PullSecretName, - }, - }, Containers: []k8s.Container{ { Name: "gcp-guest-agent", 
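Review bot: Nothing in the commit records that the images referenced by this pod spec are now expected to be pullable without credentials, which dropping ImagePullSecrets here silently assumes (the same applies to the hunks in gcp_guest_agent.go, joinservice.go, kms.go, verification.go, the CatalogSource Secrets in node_operator.go and manager.yaml). If any of those images stays private, the failure surfaces only at bootstrap as an image-pull error rather than at build time, so a short comment near the container image references, e.g. `// images are pulled anonymously; no pull secret is configured for these pods`, or a line in the commit message would make the assumption explicit. The deleted internal/secrets/secrets.go also shows the registry credentials lived as constants in the tree (redacted as ***REMOVED*** on this page); removing the file does not remove them from repository history, so they should be treated as exposed and revoked on the registry side as part of this change. NewAccessManagerDeployment begins and ends outside this hunk.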
diff --git a/bootstrapper/internal/kubernetes/k8sapi/resources/image_pull_secret.go b/bootstrapper/internal/kubernetes/k8sapi/resources/image_pull_secret.go
deleted file mode 100644
index c8574e97e..000000000
--- a/bootstrapper/internal/kubernetes/k8sapi/resources/image_pull_secret.go
+++ /dev/null
@@ -1,32 +0,0 @@
-package resources
-
-import (
- "encoding/base64"
- "fmt"
-
- "github.com/edgelesssys/constellation/internal/secrets"
- k8s "k8s.io/api/core/v1"
- meta "k8s.io/apimachinery/pkg/apis/meta/v1"
-)
-
-// NewImagePullSecret creates a new k8s.Secret from the config for authenticating when pulling images.
-func NewImagePullSecret(namespace string) k8s.Secret {
- base64EncodedSecret := base64.StdEncoding.EncodeToString(
- []byte(fmt.Sprintf("%s:%s", secrets.PullSecretUser, secrets.PullSecretToken)),
- )
-
- pullSecretDockerCfgJSON := fmt.Sprintf(`{"auths":{"ghcr.io":{"auth":"%s"}}}`, base64EncodedSecret)
-
- return k8s.Secret{
- TypeMeta: meta.TypeMeta{
- APIVersion: "v1",
- Kind: "Secret",
- },
- ObjectMeta: meta.ObjectMeta{
- Name: secrets.PullSecretName,
- Namespace: namespace,
- },
- StringData: map[string]string{".dockerconfigjson": pullSecretDockerCfgJSON},
- Type: "kubernetes.io/dockerconfigjson",
- }
-}
diff --git a/bootstrapper/internal/kubernetes/k8sapi/resources/image_pull_secret_test.go b/bootstrapper/internal/kubernetes/k8sapi/resources/image_pull_secret_test.go
deleted file mode 100644
index 210acfe04..000000000
--- a/bootstrapper/internal/kubernetes/k8sapi/resources/image_pull_secret_test.go
+++ /dev/null
@@ -1,14 +0,0 @@
-package resources
-
-import (
- "testing"
-
- "github.com/stretchr/testify/assert"
-)
-
-func TestImagePullSecret(t *testing.T) {
- imgPullSec := NewImagePullSecret("namespace")
- _, err := imgPullSec.Marshal()
- assert.NoError(t, err)
- assert.Equal(t, "namespace", imgPullSec.Namespace)
-}
diff --git a/bootstrapper/internal/kubernetes/k8sapi/resources/joinservice.go b/bootstrapper/internal/kubernetes/k8sapi/resources/joinservice.go index aff3809a5..c31db704a 100644 --- a/bootstrapper/internal/kubernetes/k8sapi/resources/joinservice.go +++ b/bootstrapper/internal/kubernetes/k8sapi/resources/joinservice.go @@ -4,7 +4,6 @@ import ( "fmt" "github.com/edgelesssys/constellation/internal/constants" - "github.com/edgelesssys/constellation/internal/secrets" "github.com/edgelesssys/constellation/internal/versions" apps "k8s.io/api/apps/v1" k8s "k8s.io/api/core/v1" @@ -128,11 +127,6 @@ func NewJoinServiceDaemonset(csp, measurementsJSON, enforcedPCRsJSON string, mea NodeSelector: map[string]string{ "node-role.kubernetes.io/control-plane": "", }, - ImagePullSecrets: []k8s.LocalObjectReference{ - { - Name: secrets.PullSecretName, - }, - }, Containers: []k8s.Container{ { Name: "join-service", diff --git a/bootstrapper/internal/kubernetes/k8sapi/resources/kms.go b/bootstrapper/internal/kubernetes/k8sapi/resources/kms.go index cc065dede..74868ab7e 100644 --- a/bootstrapper/internal/kubernetes/k8sapi/resources/kms.go +++ b/bootstrapper/internal/kubernetes/k8sapi/resources/kms.go @@ -4,7 +4,6 @@ import ( "fmt" "github.com/edgelesssys/constellation/internal/constants" - "github.com/edgelesssys/constellation/internal/secrets" "github.com/edgelesssys/constellation/internal/versions" apps "k8s.io/api/apps/v1" k8s "k8s.io/api/core/v1" @@ -22,7 +21,6 @@ type kmsDeployment struct { ClusterRoleBinding rbac.ClusterRoleBinding Deployment apps.Deployment MasterSecret k8s.Secret - ImagePullSecret k8s.Secret } // KMSConfig is the configuration needed to set up Constellation's key management service. 
@@ -167,11 +165,6 @@ func NewKMSDeployment(csp string, config KMSConfig) *kmsDeployment { NodeSelector: map[string]string{ "node-role.kubernetes.io/control-plane": "", }, - ImagePullSecrets: []k8s.LocalObjectReference{ - { - Name: secrets.PullSecretName, - }, - }, Volumes: []k8s.Volume{ { Name: "config", @@ -249,7 +242,6 @@ func NewKMSDeployment(csp string, config KMSConfig) *kmsDeployment { }, Type: "Opaque", }, - ImagePullSecret: NewImagePullSecret(kmsNamespace), } } diff --git a/bootstrapper/internal/kubernetes/k8sapi/resources/node_operator.go b/bootstrapper/internal/kubernetes/k8sapi/resources/node_operator.go index 4acc5bee3..602d04424 100644 --- a/bootstrapper/internal/kubernetes/k8sapi/resources/node_operator.go +++ b/bootstrapper/internal/kubernetes/k8sapi/resources/node_operator.go @@ -4,7 +4,6 @@ import ( _ "embed" "time" - "github.com/edgelesssys/constellation/internal/secrets" "github.com/edgelesssys/constellation/internal/versions" operatorsv1 "github.com/operator-framework/api/pkg/operators/v1" operatorsv1alpha1 "github.com/operator-framework/api/pkg/operators/v1alpha1" @@ -26,11 +25,9 @@ var NodeOperatorCRDNames = []string{ } type nodeOperatorDeployment struct { - CatalogSource operatorsv1alpha1.CatalogSource - OperatorGroup operatorsv1.OperatorGroup - Subscription operatorsv1alpha1.Subscription - CatalogPullSecret corev1.Secret - ImagePullSecret corev1.Secret + CatalogSource operatorsv1alpha1.CatalogSource + OperatorGroup operatorsv1.OperatorGroup + Subscription operatorsv1alpha1.Subscription } // NewNodeOperatorDeployment creates a new constellation node operator deployment. @@ -45,7 +42,6 @@ func NewNodeOperatorDeployment(cloudProvider string, uid string) *nodeOperatorDe }, Spec: operatorsv1alpha1.CatalogSourceSpec{ SourceType: "grpc", - Secrets: []string{secrets.PullSecretName}, Image: versions.NodeOperatorCatalogImage + ":" + versions.NodeOperatorVersion, DisplayName: "Constellation Node Operator", Publisher: "Edgeless Systems", 
@@ -88,8 +84,6 @@ func NewNodeOperatorDeployment(cloudProvider string, uid string) *nodeOperatorDe }, }, }, - CatalogPullSecret: NewImagePullSecret(nodeOperatorCatalogNamespace), - ImagePullSecret: NewImagePullSecret(nodeOperatorNamespace), } } diff --git a/bootstrapper/internal/kubernetes/k8sapi/resources/verification.go b/bootstrapper/internal/kubernetes/k8sapi/resources/verification.go index f691a6a9b..5bda67aee 100644 --- a/bootstrapper/internal/kubernetes/k8sapi/resources/verification.go +++ b/bootstrapper/internal/kubernetes/k8sapi/resources/verification.go @@ -4,7 +4,6 @@ import ( "fmt" "github.com/edgelesssys/constellation/internal/constants" - "github.com/edgelesssys/constellation/internal/secrets" "github.com/edgelesssys/constellation/internal/versions" apps "k8s.io/api/apps/v1" k8s "k8s.io/api/core/v1" @@ -66,11 +65,6 @@ func NewVerificationDaemonSet(csp string) *verificationDaemonset { Effect: k8s.TaintEffectNoSchedule, }, }, - ImagePullSecrets: []k8s.LocalObjectReference{ - { - Name: secrets.PullSecretName, - }, - }, Containers: []k8s.Container{ { Name: "verification-service", diff --git a/internal/secrets/secrets.go b/internal/secrets/secrets.go deleted file mode 100644 index c1fe9cbeb..000000000 --- a/internal/secrets/secrets.go +++ /dev/null @@ -1,7 +0,0 @@ -package secrets - -const ( - PullSecretName = "***REMOVED***" - PullSecretToken = "***REMOVED***" - PullSecretUser = "***REMOVED***" -) diff --git a/operators/constellation-node-operator/README.md b/operators/constellation-node-operator/README.md index 0a9d7e180..fa7013de3 100644 --- a/operators/constellation-node-operator/README.md +++ b/operators/constellation-node-operator/README.md 
@@ -220,8 +220,6 @@ In production, it is recommended to deploy the operator using the [operator life namespace: olm spec: sourceType: grpc - secrets: - - "constellation-pull" # TODO: user: set desired operator catalog version here image: ghcr.io/edgelesssys/constellation/node-operator-catalog:v0.0.1 displayName: Constellation Node Operator diff --git a/operators/constellation-node-operator/config/manager/manager.yaml b/operators/constellation-node-operator/config/manager/manager.yaml index cd8703d93..405238330 100644 --- a/operators/constellation-node-operator/config/manager/manager.yaml +++ b/operators/constellation-node-operator/config/manager/manager.yaml @@ -78,8 +78,6 @@ spec: optional: true nodeSelector: node-role.kubernetes.io/control-plane: "" - imagePullSecrets: - - name: constellation-pull # workaround until https://github.com/operator-framework/operator-lifecycle-manager/issues/2682 is fixed tolerations: - effect: NoSchedule key: node-role.kubernetes.io/control-plane