Copy image pull secrets before generating workspaces

Issue: Agent: Copy image pull secrets before generatin... (gitlab-org/gitlab#474994 - closed)

  • fix build

  • Add secret duplication to reconciliation logic

  • Add client secret creation/update apis

  • Add Secrets Informer

What does this MR do and why?

This MR adds functionality to copy the image pull secrets associated with a workspace from the original secret's namespace to the workspace's namespace, and to keep the copied secrets synchronized when the original is updated or deleted. The main reason behind this is to facilitate private container registry access.

How to test locally

Steps:

  • Create a valid image_pull_secret like so:
kubectl create secret docker-registry test-secret-name  \
  --docker-server=registry.gitlab.com/saahmed/test \
  --docker-username=saahmed \
  --docker-password=glpat-donotaskformysecret \
  --docker-email=safhmed@gitlab.com \
  --namespace=test-secret-namespace

Observation: running kubectl get secrets -A | grep test-secret-name should show this secret as the only one that exists.

  • Have GDK set up and check out this branch of gitlab-k8s-agent.
  • ImagePullSecrets are not directly available from the Rails side yet; see gitlab-org/gitlab#474989 (comment 2101856721). To simulate an image pull secret, you could hardcode an entry in the ImagePullSecrets array here like so:
workspaceRailsInfo.ImagePullSecrets = []ImagePullSecret{{Name: "test-secret-name", Namespace: "test-secret-namespace"}}

Test secret can be created in the workspace

  • Create a workspace, verify you can access it, and then run kubectl get secrets -A | grep test-secret-name
Observation: apart from the original secret you created, another one with the same name exists in the namespace corresponding to the workspace.

Test secret can be updated in the workspace

  • Edit the original secret by running kubectl edit secret test-secret-name -n test-secret-namespace and updating a metadata field (add a label, for example).
  • Run kubectl get secrets test-secret-name -n $WORKSPACE_NAMESPACE -o yaml
Observation: this secret's data should be updated to mirror the above change.

Test secret can be deleted in the workspace when the original is deleted

  • Run kubectl delete secret test-secret-name -n test-secret-namespace and then kubectl get secrets -A | grep test-secret-name
Observation: the original and duplicate secrets are gone.
Edited by Vishal Tak
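
The create, update and delete synchronization that the test steps above exercise, modelled as an added Go example (not the agent's code and not part of the original MR). Secret, Ref, Store and Sync are hypothetical names, an in-memory map stands in for the cluster, Data stands in for whatever content is mirrored, and the CopiedFrom ownership marker is an assumption of this example.

```go
package main

import (
	"bytes"
	"fmt"
)

// Secret is a minimal stand-in for a Kubernetes Secret (hypothetical type).
type Secret struct {
	Data       []byte // stands in for the mirrored content
	CopiedFrom string // source namespace; empty if not created by this sync
}

// Ref mirrors the ImagePullSecret{Name, Namespace} entries in the MR text.
type Ref struct{ Name, Namespace string }

// Store maps "namespace/name" to a Secret (stands in for the cluster).
type Store map[string]Secret

// Sync makes workspace namespace ws mirror the referenced originals and
// returns one action per ref that needed a change.
func Sync(s Store, ws string, refs []Ref) []string {
	var out []string
	for _, r := range refs {
		src, srcOK := s[r.Namespace+"/"+r.Name]
		k := ws + "/" + r.Name
		dst, dstOK := s[k]
		switch {
		case dstOK && dst.CopiedFrom != r.Namespace:
			out = append(out, "skip "+k) // never clobber a secret we did not create
		case !srcOK && dstOK: // original deleted: remove the copy as well
			delete(s, k)
			out = append(out, "delete "+k)
		case srcOK && !dstOK:
			s[k] = Secret{append([]byte(nil), src.Data...), r.Namespace}
			out = append(out, "create "+k)
		case srcOK && !bytes.Equal(src.Data, dst.Data):
			s[k] = Secret{append([]byte(nil), src.Data...), r.Namespace}
			out = append(out, "update "+k)
		}
	}
	return out
}

func main() {
	// Constructed sample data; names follow the test steps above.
	s := Store{"test-secret-namespace/test-secret-name": {Data: []byte("v1")}}
	refs := []Ref{{Name: "test-secret-name", Namespace: "test-secret-namespace"}}
	fmt.Println(Sync(s, "ws-1", refs)) // first pass creates the copy
	fmt.Println(Sync(s, "ws-1", refs)) // second pass is a no-op
}
```

The skip case keeps a same-named secret that already exists in the workspace namespace from being overwritten or deleted by the sync.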
