remove image pull secret

2025-02-03 02:50:03 -05:00 · 2022-08-28 15:57:08 +02:00 · 2022-08-28 15:57:08 +02:00 · 6b8a2a0063
commit 6b8a2a0063
parent d972f053f9
11 changed files with 8 additions and 105 deletions
--- a/bootstrapper/internal/kubernetes/k8sapi/resources/access_manager.go
+++ b/bootstrapper/internal/kubernetes/k8sapi/resources/access_manager.go
@ -1,7 +1,6 @@
 package resources
 import (
 	"github.com/edgelesssys/constellation/internal/secrets"
 	"github.com/edgelesssys/constellation/internal/versions"
 	"google.golang.org/protobuf/proto"
 	apps "k8s.io/api/apps/v1"
@ -19,7 +18,6 @@ type accessManagerDeployment struct {
 	Role           rbac.Role
 	RoleBinding    rbac.RoleBinding
 	DaemonSet      apps.DaemonSet
 	ImagePullSecret k8s.Secret
 }
 // NewAccessManagerDeployment creates a new *accessManagerDeployment which manages the SSH users for the cluster.
@ -92,11 +90,6 @@ func NewAccessManagerDeployment(sshUsers map[string]string) *accessManagerDeploy
 								Effect:   k8s.TaintEffectNoSchedule,
 							},
 						},
 						ImagePullSecrets: []k8s.LocalObjectReference{
 							{
 								Name: secrets.PullSecretName,
 							},
 						},
 						Containers: []k8s.Container{
 							{
 								Name:            "pause",
@ -194,7 +187,6 @@ func NewAccessManagerDeployment(sshUsers map[string]string) *accessManagerDeploy
 				},
 			},
 		},
 		ImagePullSecret: NewImagePullSecret(accessManagerNamespace),
 	}
 }
--- a/bootstrapper/internal/kubernetes/k8sapi/resources/gcp_guest_agent.go
+++ b/bootstrapper/internal/kubernetes/k8sapi/resources/gcp_guest_agent.go
@ -1,7 +1,6 @@
 package resources
 import (
 	"github.com/edgelesssys/constellation/internal/secrets"
 	"github.com/edgelesssys/constellation/internal/versions"
 	apps "k8s.io/api/apps/v1"
 	k8s "k8s.io/api/core/v1"
@ -56,11 +55,6 @@ func NewGCPGuestAgentDaemonset() *gcpGuestAgentDaemonset {
 								Effect:   k8s.TaintEffectNoSchedule,
 							},
 						},
 						ImagePullSecrets: []k8s.LocalObjectReference{
 							{
 								Name: secrets.PullSecretName,
 							},
 						},
 						Containers: []k8s.Container{
 							{
 								Name:  "gcp-guest-agent",
--- a/bootstrapper/internal/kubernetes/k8sapi/resources/image_pull_secret.go
+++ b/bootstrapper/internal/kubernetes/k8sapi/resources/image_pull_secret.go
@ -1,32 +0,0 @@
 package resources
 import (
 	"encoding/base64"
 	"fmt"
 	"github.com/edgelesssys/constellation/internal/secrets"
 	k8s "k8s.io/api/core/v1"
 	meta "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 // NewImagePullSecret creates a new k8s.Secret from the config for authenticating when pulling images.
 func NewImagePullSecret(namespace string) k8s.Secret {
 	base64EncodedSecret := base64.StdEncoding.EncodeToString(
 		[]byte(fmt.Sprintf("%s:%s", secrets.PullSecretUser, secrets.PullSecretToken)),
 	)
 	pullSecretDockerCfgJSON := fmt.Sprintf(`{"auths":{"ghcr.io":{"auth":"%s"}}}`, base64EncodedSecret)
 	return k8s.Secret{
 		TypeMeta: meta.TypeMeta{
 			APIVersion: "v1",
 			Kind:       "Secret",
 		},
 		ObjectMeta: meta.ObjectMeta{
 			Name:      secrets.PullSecretName,
 			Namespace: namespace,
 		},
 		StringData: map[string]string{".dockerconfigjson": pullSecretDockerCfgJSON},
 		Type:       "kubernetes.io/dockerconfigjson",
 	}
 }
--- a/bootstrapper/internal/kubernetes/k8sapi/resources/image_pull_secret_test.go
+++ b/bootstrapper/internal/kubernetes/k8sapi/resources/image_pull_secret_test.go
@ -1,14 +0,0 @@
 package resources
 import (
 	"testing"
 	"github.com/stretchr/testify/assert"
 )
 func TestImagePullSecret(t *testing.T) {
 	imgPullSec := NewImagePullSecret("namespace")
 	_, err := imgPullSec.Marshal()
 	assert.NoError(t, err)
 	assert.Equal(t, "namespace", imgPullSec.Namespace)
 }
--- a/bootstrapper/internal/kubernetes/k8sapi/resources/joinservice.go
+++ b/bootstrapper/internal/kubernetes/k8sapi/resources/joinservice.go
@ -4,7 +4,6 @@ import (
 	"fmt"
 	"github.com/edgelesssys/constellation/internal/constants"
 	"github.com/edgelesssys/constellation/internal/secrets"
 	"github.com/edgelesssys/constellation/internal/versions"
 	apps "k8s.io/api/apps/v1"
 	k8s "k8s.io/api/core/v1"
@ -128,11 +127,6 @@ func NewJoinServiceDaemonset(csp, measurementsJSON, enforcedPCRsJSON string, mea
 						NodeSelector: map[string]string{
 							"node-role.kubernetes.io/control-plane": "",
 						},
 						ImagePullSecrets: []k8s.LocalObjectReference{
 							{
 								Name: secrets.PullSecretName,
 							},
 						},
 						Containers: []k8s.Container{
 							{
 								Name:  "join-service",
--- a/bootstrapper/internal/kubernetes/k8sapi/resources/kms.go
+++ b/bootstrapper/internal/kubernetes/k8sapi/resources/kms.go
@ -4,7 +4,6 @@ import (
 	"fmt"
 	"github.com/edgelesssys/constellation/internal/constants"
 	"github.com/edgelesssys/constellation/internal/secrets"
 	"github.com/edgelesssys/constellation/internal/versions"
 	apps "k8s.io/api/apps/v1"
 	k8s "k8s.io/api/core/v1"
@ -22,7 +21,6 @@ type kmsDeployment struct {
 	ClusterRoleBinding rbac.ClusterRoleBinding
 	Deployment         apps.Deployment
 	MasterSecret       k8s.Secret
 	ImagePullSecret    k8s.Secret
 }
 // KMSConfig is the configuration needed to set up Constellation's key management service.
@ -167,11 +165,6 @@ func NewKMSDeployment(csp string, config KMSConfig) *kmsDeployment {
 						NodeSelector: map[string]string{
 							"node-role.kubernetes.io/control-plane": "",
 						},
 						ImagePullSecrets: []k8s.LocalObjectReference{
 							{
 								Name: secrets.PullSecretName,
 							},
 						},
 						Volumes: []k8s.Volume{
 							{
 								Name: "config",
@ -249,7 +242,6 @@ func NewKMSDeployment(csp string, config KMSConfig) *kmsDeployment {
 			},
 			Type: "Opaque",
 		},
 		ImagePullSecret: NewImagePullSecret(kmsNamespace),
 	}
 }
--- a/bootstrapper/internal/kubernetes/k8sapi/resources/node_operator.go
+++ b/bootstrapper/internal/kubernetes/k8sapi/resources/node_operator.go
@ -4,7 +4,6 @@ import (
 	_ "embed"
 	"time"
 	"github.com/edgelesssys/constellation/internal/secrets"
 	"github.com/edgelesssys/constellation/internal/versions"
 	operatorsv1 "github.com/operator-framework/api/pkg/operators/v1"
 	operatorsv1alpha1 "github.com/operator-framework/api/pkg/operators/v1alpha1"
@ -29,8 +28,6 @@ type nodeOperatorDeployment struct {
 	CatalogSource operatorsv1alpha1.CatalogSource
 	OperatorGroup operatorsv1.OperatorGroup
 	Subscription  operatorsv1alpha1.Subscription
 	CatalogPullSecret corev1.Secret
 	ImagePullSecret   corev1.Secret
 }
 // NewNodeOperatorDeployment creates a new constellation node operator deployment.
@ -45,7 +42,6 @@ func NewNodeOperatorDeployment(cloudProvider string, uid string) *nodeOperatorDe
 			},
 			Spec: operatorsv1alpha1.CatalogSourceSpec{
 				SourceType:  "grpc",
 				Secrets:     []string{secrets.PullSecretName},
 				Image:       versions.NodeOperatorCatalogImage + ":" + versions.NodeOperatorVersion,
 				DisplayName: "Constellation Node Operator",
 				Publisher:   "Edgeless Systems",
@ -88,8 +84,6 @@ func NewNodeOperatorDeployment(cloudProvider string, uid string) *nodeOperatorDe
 				},
 			},
 		},
 		CatalogPullSecret: NewImagePullSecret(nodeOperatorCatalogNamespace),
 		ImagePullSecret:   NewImagePullSecret(nodeOperatorNamespace),
 	}
 }
--- a/bootstrapper/internal/kubernetes/k8sapi/resources/verification.go
+++ b/bootstrapper/internal/kubernetes/k8sapi/resources/verification.go
@ -4,7 +4,6 @@ import (
 	"fmt"
 	"github.com/edgelesssys/constellation/internal/constants"
 	"github.com/edgelesssys/constellation/internal/secrets"
 	"github.com/edgelesssys/constellation/internal/versions"
 	apps "k8s.io/api/apps/v1"
 	k8s "k8s.io/api/core/v1"
@ -66,11 +65,6 @@ func NewVerificationDaemonSet(csp string) *verificationDaemonset {
 								Effect:   k8s.TaintEffectNoSchedule,
 							},
 						},
 						ImagePullSecrets: []k8s.LocalObjectReference{
 							{
 								Name: secrets.PullSecretName,
 							},
 						},
 						Containers: []k8s.Container{
 							{
 								Name:  "verification-service",
--- a/internal/secrets/secrets.go
+++ b/internal/secrets/secrets.go
@ -1,7 +0,0 @@
 package secrets
 const (
 	PullSecretName = "***REMOVED***"
 	PullSecretToken = "***REMOVED***"
 	PullSecretUser = "***REMOVED***"
 )
--- a/operators/constellation-node-operator/README.md
+++ b/operators/constellation-node-operator/README.md
@ -220,8 +220,6 @@ In production, it is recommended to deploy the operator using the [operator life
        namespace: olm
    spec:
        sourceType: grpc
        secrets:
        - "constellation-pull"
        # TODO: user: set desired operator catalog version here
        image: ghcr.io/edgelesssys/constellation/node-operator-catalog:v0.0.1
        displayName: Constellation Node Operator
--- a/operators/constellation-node-operator/config/manager/manager.yaml
+++ b/operators/constellation-node-operator/config/manager/manager.yaml
@ -78,8 +78,6 @@ spec:
          optional: true
      nodeSelector:
        node-role.kubernetes.io/control-plane: ""
      imagePullSecrets:
      - name: constellation-pull # workaround until https://github.com/operator-framework/operator-lifecycle-manager/issues/2682 is fixed
      tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/control-plane