feat: foward image pull secrets (#1583)

* feat: foward image pull secrets

Adds a new controller CLI flag to allow used to define a list of secret
that must be set in the policy server deployments to allow the container
image to be downloaded from a private registry.

Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>
Assisted-by: Github Copilot

* feat(charts): use flag to define image pull secrets

Updates the kubewarden-controller Helm chart to use the new controller
CLI flag that allow users to define a list of secrets with the data to
allowing container image download from private registries.

Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>
Assisted-by: Github Copilot

* docs: Restore CRD, helm values docstrings

Signed-off-by: Víctor Cuadrado Juan <vcuadradojuan@suse.de>

---------

Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>
Signed-off-by: Víctor Cuadrado Juan <vcuadradojuan@suse.de>
Co-authored-by: Víctor Cuadrado Juan <vcuadradojuan@suse.de>

Author: jvanz

api/policies/v1/policyserver_types.go

@@ -67,7 +67,7 @@ type PolicyServerSpec struct {
 	// +optional
 	ServiceAccountName string `json:"serviceAccountName,omitempty"`
 
-	// Name of ImagePullSecret secret in the same namespace, used for pulling
+	// Name of ImagePullSecret secret in the same namespace. used for pulling
 	// policies from repositories.
 	// +optional
 	ImagePullSecret string `json:"imagePullSecret,omitempty"`

charts/kubewarden-controller/templates/_helpers.tpl

@@ -112,6 +112,24 @@ Create the name of the service account to use for kubewarden-controller
 {{- end -}}
 {{- end -}}
 
+{{/*
+Build a comma-separated list of Secret names from .Values.imagePullSecrets,
+for use with the controller --image-pull-secrets flag. Handles both string
+entries and {name: ...} objects. Returns an empty string when no secrets
+are configured.
+*/}}
+{{- define "policyServerImagePullSecretNames" -}}
+{{- $names := list -}}
+{{- range .Values.imagePullSecrets -}}
+  {{- if kindIs "string" . -}}
+    {{- $names = append $names . -}}
+  {{- else -}}
+    {{- $names = append $names .name -}}
+  {{- end -}}
+{{- end -}}
+{{- join "," $names -}}
+{{- end -}}
+
 {{- define "audit-scanner.command" -}}
 {{- $parallelNamespaces := .Values.auditScanner.parallelNamespaces | int -}}
 {{- $parallelResources := .Values.auditScanner.parallelResources | int -}}

charts/kubewarden-controller/templates/deployment.yaml

@@ -58,6 +58,10 @@ spec:
        {{- if .Values.mTLS.enable }}
         - --client-ca-configmap-name={{ .Values.mTLS.configMapName }}
        {{- end }}
+       {{- $imagePullSecretNames := include "policyServerImagePullSecretNames" . }}
+       {{- if $imagePullSecretNames }}
+        - --image-pull-secrets={{ $imagePullSecretNames }}
+       {{- end }}
        {{- if or .Values.telemetry.metrics .Values.telemetry.tracing }}
        {{- if eq .Values.telemetry.mode "sidecar" }}
         - --enable-otel-sidecar

charts/kubewarden-controller/tests/image_pull_secrets_test.yaml

@@ -0,0 +1,38 @@
+suite: image-pull-secrets flag
+templates:
+  - deployment.yaml
+tests:
+  - it: "should not include --image-pull-secrets when imagePullSecrets is empty (default)"
+    asserts:
+      - notContains:
+          path: spec.template.spec.containers[0].args
+          content: "--image-pull-secrets"
+          any: true
+
+  - it: "should include --image-pull-secrets when imagePullSecrets contains a string entry"
+    set:
+      imagePullSecrets:
+        - my-registry-secret
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].args
+          content: "--image-pull-secrets=my-registry-secret"
+
+  - it: "should include --image-pull-secrets when imagePullSecrets contains an object entry"
+    set:
+      imagePullSecrets:
+        - name: my-registry-secret
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].args
+          content: "--image-pull-secrets=my-registry-secret"
+
+  - it: "should include multiple imagePullSecrets as a comma-separated list"
+    set:
+      imagePullSecrets:
+        - secret-one
+        - secret-two
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].args
+          content: "--image-pull-secrets=secret-one,secret-two"

cmd/controller/main.go

@@ -23,6 +23,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"strings"
 
 	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
 	// to ensure that exec-entrypoint and run can make use of them.
@@ -72,6 +73,7 @@ type Configuration struct {
 	ClientCAConfigMapName                              string
 	FeatureGateAdmissionWebhookMatchConditions         bool
 	WebhookServiceName                                 string
+	ImagePullSecrets                                   []corev1.LocalObjectReference
 }
 
 func init() {
@@ -93,6 +95,7 @@ func main() {
 	var enableOtelSidecar bool
 	var openTelemetryClientCertificateSecret string
 	var openTelemetryCertificateSecret string
+	var imagePullSecretsFlag string
 
 	flag.StringVar(&mgrOpts.MetricsAddr, "metrics-bind-address", ":8088", "The address the metric endpoint binds to.")
 	flag.StringVar(&mgrOpts.ProbeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
@@ -120,11 +123,16 @@ func main() {
 		false,
 		"Always accept admission reviews targeting the deployments-namespace.")
 	flag.StringVar(&config.ClientCAConfigMapName, "client-ca-configmap-name", "", "The name of the ConfigMap containing the client CA certificate. If provided, mTLS will be enabled.")
+	flag.StringVar(&imagePullSecretsFlag,
+		"image-pull-secrets",
+		"",
+		"Comma-separated list of Secret names to use as imagePullSecrets on every policy-server Deployment. The secrets must exist in the deployments namespace.")
 
 	opts := zap.Options{}
 	opts.BindFlags(flag.CommandLine)
 	flag.Parse()
 	mgrOpts.EnableMutualTLS = config.ClientCAConfigMapName != ""
+	config.ImagePullSecrets = parseImagePullSecrets(imagePullSecretsFlag)
 	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
 
 	if enableMetrics {
@@ -290,6 +298,7 @@ func setupReconcilers(mgr ctrl.Manager,
 		AlwaysAcceptAdmissionReviewsInDeploymentsNamespace: config.AlwaysAcceptAdmissionReviewsOnDeploymentsNamespace,
 		TelemetryConfiguration:                             otelConfiguration,
 		ClientCAConfigMapName:                              config.ClientCAConfigMapName,
+		ImagePullSecrets:                                   config.ImagePullSecrets,
 	}).SetupWithManager(mgr); err != nil {
 		return errors.Join(errors.New("unable to create PolicyServer controller"), err)
 	}
@@ -365,3 +374,20 @@ func setupWebhooks(mgr ctrl.Manager, deploymentsNamespace string) error {
 	}
 	return nil
 }
+
+// parseImagePullSecrets converts a comma-separated list of secret names into a
+// slice of LocalObjectReferences. Empty names are ignored. An empty or blank
+// input string returns nil.
+func parseImagePullSecrets(s string) []corev1.LocalObjectReference {
+	if s == "" {
+		return nil
+	}
+	var refs []corev1.LocalObjectReference
+	for _, name := range strings.Split(s, ",") {
+		name = strings.TrimSpace(name)
+		if name != "" {
+			refs = append(refs, corev1.LocalObjectReference{Name: name})
+		}
+	}
+	return refs
+}

internal/controller/policyserver_controller.go

@@ -23,6 +23,7 @@ import (
 
 	"github.com/go-logr/logr"
 
+	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -62,6 +63,10 @@ type PolicyServerReconciler struct {
 	DeploymentsNamespace                               string
 	AlwaysAcceptAdmissionReviewsInDeploymentsNamespace bool
 	ClientCAConfigMapName                              string
+	// ImagePullSecrets is the list of image pull secrets to add to every
+	// policy-server Deployment, sourced from the controller's own
+	// --image-pull-secrets flag.
+	ImagePullSecrets []corev1.LocalObjectReference
 }
 
 // TelemetryConfiguration is a struct that contains the configuration for the

internal/controller/policyserver_controller_deployment.go

@@ -136,6 +136,7 @@ func (r *PolicyServerReconciler) updatePolicyServerDeployment(ctx context.Contex
 		configMapVersion,
 		templateAnnotations,
 		podSecurityContext,
+		r.ImagePullSecrets,
 	)
 	r.adaptDeploymentForMetricsAndTracingConfiguration(policyServerDeployment, templateAnnotations)
 	r.adaptDeploymentSettingsForPolicyServer(policyServerDeployment, policyServer)
@@ -414,6 +415,7 @@ func buildPolicyServerDeploymentSpec(
 	configMapVersion string,
 	templateAnnotations map[string]string,
 	podSecurityContext *corev1.PodSecurityContext,
+	imagePullSecrets []corev1.LocalObjectReference,
 ) appsv1.DeploymentSpec {
 	templateLabels := map[string]string{
 		//nolint:staticcheck // this label will remove soon when policy lifecycle is revisited
@@ -444,6 +446,7 @@ func buildPolicyServerDeploymentSpec(
 			Spec: corev1.PodSpec{
 				SecurityContext:    podSecurityContext,
 				Containers:         []corev1.Container{admissionContainer},
+				ImagePullSecrets:   imagePullSecrets,
 				ServiceAccountName: policyServer.Spec.ServiceAccountName,
 				Tolerations:        policyServer.Spec.Tolerations,
 				Affinity:           &policyServer.Spec.Affinity,

internal/controller/policyserver_controller_test.go

@@ -31,6 +31,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	k8spoliciesv1 "k8s.io/api/policy/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
@@ -1303,6 +1304,90 @@ var _ = Describe("PolicyServer controller", func() {
 		})
 	})
 
+	When("a PolicyServer has spec.imagePullSecret set", func() {
+		It("should mount the Docker config volume but NOT add it to Deployment imagePullSecrets", func() {
+			secretName := newName("pull-secret")
+			pullSecret := &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      secretName,
+					Namespace: deploymentsNamespace,
+				},
+				Type: corev1.SecretTypeDockerConfigJson,
+				Data: map[string][]byte{
+					corev1.DockerConfigJsonKey: []byte(`{"auths":{}}`),
+				},
+			}
+			Expect(k8sClient.Create(ctx, pullSecret)).To(haveSucceededOrAlreadyExisted())
+
+			policyServer := policiesv1.NewPolicyServerFactory().WithName(policyServerName).WithImagePullSecret(secretName).Build()
+			createPolicyServerAndWaitForItsService(ctx, policyServer)
+
+			Eventually(func() *appsv1.Deployment {
+				deployment, err := getTestPolicyServerDeployment(ctx, policyServerName)
+				if err != nil {
+					return nil
+				}
+				return deployment
+			}, timeout, pollInterval).Should(PointTo(MatchFields(IgnoreExtras, Fields{
+				"Spec": MatchFields(IgnoreExtras, Fields{
+					"Template": MatchFields(IgnoreExtras, Fields{
+						"Spec": MatchFields(IgnoreExtras, Fields{
+							"ImagePullSecrets": Not(ContainElement(MatchFields(IgnoreExtras, Fields{
+								"Name": Equal(secretName),
+							}))),
+							"Volumes": ContainElement(MatchFields(IgnoreExtras, Fields{
+								"Name": Equal(imagePullSecretVolumeName),
+								"VolumeSource": MatchFields(IgnoreExtras, Fields{
+									"Secret": PointTo(MatchFields(IgnoreExtras, Fields{
+										"SecretName": Equal(secretName),
+									})),
+								}),
+							})),
+							"Containers": ContainElement(MatchFields(IgnoreExtras, Fields{
+								"VolumeMounts": ContainElement(MatchFields(IgnoreExtras, Fields{
+									"Name":      Equal(imagePullSecretVolumeName),
+									"MountPath": Equal(dockerConfigJSONPolicyServerPath),
+								})),
+								"Env": ContainElement(MatchFields(IgnoreExtras, Fields{
+									"Name":  Equal("KUBEWARDEN_DOCKER_CONFIG_JSON_PATH"),
+									"Value": Equal(dockerConfigJSONPolicyServerPath),
+								})),
+							})),
+						}),
+					}),
+				}),
+			})))
+		})
+	})
+
+	When("a PolicyServer has no spec.imagePullSecret but reconciler has ImagePullSecrets", func() {
+		It("should set reconciler secrets in Deployment imagePullSecrets without mounting a Docker config volume", func() {
+			policyServer := policiesv1.NewPolicyServerFactory().WithName(policyServerName).Build()
+			createPolicyServerAndWaitForItsService(ctx, policyServer)
+
+			Eventually(func() *appsv1.Deployment {
+				deployment, err := getTestPolicyServerDeployment(ctx, policyServerName)
+				if err != nil {
+					return nil
+				}
+				return deployment
+			}, timeout, pollInterval).Should(PointTo(MatchFields(IgnoreExtras, Fields{
+				"Spec": MatchFields(IgnoreExtras, Fields{
+					"Template": MatchFields(IgnoreExtras, Fields{
+						"Spec": MatchFields(IgnoreExtras, Fields{
+							"ImagePullSecrets": ContainElement(MatchFields(IgnoreExtras, Fields{
+								"Name": Equal(reconcilerImagePullSecret),
+							})),
+							"Volumes": Not(ContainElement(MatchFields(IgnoreExtras, Fields{
+								"Name": Equal(imagePullSecretVolumeName),
+							}))),
+						}),
+					}),
+				}),
+			})))
+		})
+	})
+
 	When("deleting a PolicyServer", func() {
 		BeforeEach(func() {
 			createPolicyServerAndWaitForItsService(ctx, policiesv1.NewPolicyServerFactory().WithName(policyServerName).Build())

internal/controller/suite_test.go

@@ -126,6 +126,7 @@ var _ = SynchronizedBeforeSuite(func() []byte {
 		Scheme:                k8sManager.GetScheme(),
 		DeploymentsNamespace:  deploymentsNamespace,
 		ClientCAConfigMapName: clientCAConfigMapName,
+		ImagePullSecrets:      []corev1.LocalObjectReference{{Name: reconcilerImagePullSecret}},
 	}).SetupWithManager(k8sManager)
 	Expect(err).ToNot(HaveOccurred())
 

internal/controller/utils_test.go

@@ -42,6 +42,7 @@ const (
 	integrationTestsFinalizer = "kubewarden.io/integration-tests-safety-net-finalizer"
 	clientCAConfigMapName     = "client-ca"
 	fakeSigstoreTrustConfig   = `{"trusted_root": {"version": "test"}}`
+	reconcilerImagePullSecret = "reconciler-pull-secret"
 )
 
 func getTestClusterAdmissionPolicy(ctx context.Context, name string) (*policiesv1.ClusterAdmissionPolicy, error) {