diff --git a/.gitignore b/.gitignore index 8e327ea6..e660fd93 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -registry-creds +bin/ diff --git a/Dockerfile b/Dockerfile index 98e55721..df68cd45 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,6 +4,6 @@ MAINTAINER Steve Sloka RUN apk add --update ca-certificates && \ rm -rf /var/cache/apk/* -ADD registry-creds registry-creds +COPY registry-creds registry-creds ENTRYPOINT ["/registry-creds"] diff --git a/Makefile b/Makefile index 811e52d8..554462fa 100644 --- a/Makefile +++ b/Makefile @@ -2,24 +2,45 @@ # MAINTAINER: Steve Sloka # If you update this image please bump the tag value before pushing. -.PHONY: all binary container push clean test - TAG = 1.6 PREFIX = upmcenterprises +BIN = registry-creds + +# docker build arguments for internal proxy +ifneq ($(http_proxy),) +HTTP_PROXY_BUILD_ARG=--build-arg http_proxy=$(http_proxy) +else +HTTP_PROXY_BUILD_ARG= +endif + +ifneq ($(https_proxy),) +HTTPS_PROXY_BUILD_ARG=--build-arg https_proxy=$(https_proxy) +else +HTTPS_PROXY_BUILD_ARG= +endif + +.PHONY: all all: container +.PHONY: build build: main.go - GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -a -installsuffix cgo -o registry-creds --ldflags '-w' ./main.go + GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -a -installsuffix cgo -o $(BIN) --ldflags '-w' $< +.PHONY: container container: build - docker build -t $(PREFIX)/registry-creds:$(TAG) . + docker build -t $(PREFIX)/$(BIN):$(TAG) \ + $(HTTP_PROXY_BUILD_ARG) \ + $(HTTPS_PROXY_BUILD_ARG) . +.PHONY: push push: - docker push $(PREFIX)/registry-creds:$(TAG) + docker push $(PREFIX)/$(BIN):$(TAG) +.PHONY: clean clean: - rm -f registry-creds + rm -f $(BIN) +.PHONY: test test: clean go test -v $(go list ./... | grep -v vendor) diff --git a/README.md b/README.md index 41ea587a..b700a209 100644 --- a/README.md +++ b/README.md 
@@ -1,5 +1,6 @@ # Registry Credentials -Allow for Registry credentials to be refreshed inside your Kubernetes cluster via ImagePullSecrets + +Allow for Registry credentials to be refreshed inside your Kubernetes cluster via `ImagePullSecrets`. ## How it works 
@@ -9,89 +10,119 @@ Allow for Registry credentials to be refreshed inside your Kubernetes cluster vi - Then it sets up this secret to be used in the `ImagePullSecrets` for the default service account - Whenever a pod is created, this secret is attached to the pod - The container will refresh the credentials by default every 60 minutes -- Enabled for use with Minikube as an addon (https://github.com/kubernetes/minikube#add-ons) +- Enabled for use with Minikube as an [addon](https://github.com/kubernetes/minikube#add-ons) -_NOTE: This will setup credentials across ALL namespaces!_ +> **NOTE:** This will setup credentials across ALL namespaces! ## Parameters The following parameters are driven via Environment variables. - Environment Variables: - - AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY: Credentials to access AWS - - awsaccount: AWS Account Id - - awsregion: (optional) Can override the default aws region by setting this variable. Note: The region can also be specified as an arg to the binary. + - AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY: Credentials to access AWS. + - awsaccount: AWS Account Id. + - awsregion: (optional) Can override the default AWS region by setting this variable. + > **Note:** The region can also be specified as an arg to the binary. ## How to setup running in AWS 1. Clone the repo and navigate to directory -2a. If running on AWS EC2, make sure your EC2 instances have the following IAM permissions: +2. Configure + + 1. If running on AWS EC2, make sure your EC2 instances have the following IAM permissions: + + ```json + { + "Effect": "Allow", + "Action": [ + "ecr:GetAuthorizationToken", + "ecr:BatchCheckLayerAvailability", + "ecr:GetDownloadUrlForLayer", + "ecr:GetRepositoryPolicy", + "ecr:DescribeRepositories", + "ecr:ListImages", + "ecr:BatchGetImage" + ], + "Resource": "*" + } + ``` + + 2. If you are not running in AWS Cloud, then you can still use this tool! 
Edit & create the sample [secret](k8s/secret.yaml) and update values for `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `aws-account`, and `aws-region` (base64 encoded). + + ```bash + echo -n "secret-key" | base64 + + kubectl create -f k8s/secret.yaml + ``` + +3. Create the replication controller. + + ```bash + kubectl create -f k8s/replicationController.yaml + ``` + + > **NOTE:** If running on premise, no need to provide `AWS_ACCESS_KEY_ID` or `AWS_SECRET_ACCESS_KEY` since that will come from the EC2 instance. + +4. Use `awsecr-cred` for name of `imagePullSecrets` on your `deployment.yaml` file. + +## How to setup running in GCR - ```json - { - "Effect": "Allow", - "Action": [ - "ecr:GetAuthorizationToken", - "ecr:BatchCheckLayerAvailability", - "ecr:GetDownloadUrlForLayer", - "ecr:GetRepositoryPolicy", - "ecr:DescribeRepositories", - "ecr:ListImages", - "ecr:BatchGetImage" - ], - "Resource": "*" - } - ``` +1. Clone the repo and navigate to directory -2b. If you are not running in AWS Cloud, then you can still use this tool! Edit & create the sample [secret](k8s/secret.yaml) and update values for AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS Account Id (base64 encoded) +2. Input your `application_default_credentials.json` information into the `secret.yaml` template located [here](k8s/secret.yaml#L17): +The value for `application_default_credentials.json` can be obtained with the following command: -```bash -echo -n "secret-key" | base64 + ```bash + base64 -w 0 $HOME/.config/gcloud/application_default_credentials.json + ``` -kubectl create -f k8s/secret.yaml -``` +3. Create the secret in kubernetes -3. Create the replication controller. NOTE: If running on prem, no need to provide AWS_ACCESS_KEY_ID or AWS_SECRET_ACCESS_KEY since that will come from the EC2 instance. + ```bash + kubectl create -f k8s/secret.yml + ``` - ```bash - kubectl create -f k8s/replicationController.yaml - ``` -4. Use awsecr-cred for name of imagePullSecrets on your deployment.yaml file. 
+4. Create the replication controller: -## How to setup running in GCR + ```bash + kubectl create -f k8s/replicationController.yaml + ``` + +## How to setup running in Docker Private Registry 1. Clone the repo and navigate to directory -2. Input your application_default_credentials.json information into the secret.yaml template located [here](k8s/secret.yaml#L17): -The value for application_default_credentials.json can be obtained with the following command: -```bash -base64 -w $HOME/.config/gcloud/application_default_credentials.json -``` +2. Edit the sample [secret](k8s/secret.yaml) and update values for `DOCKER_PRIVATE_REGISTRY_SERVER`, `DOCKER_PRIVATE_REGISTRY_USER`, and `DOCKER_PRIVATE_REGISTRY_PASSWORD` (base64 encoded). + + ```bash + echo -n "secret-key" | base64 + ``` 3. Create the secret in kubernetes -```bash -kubectl create -f k8s/secret.yml -``` -3. Create the replication controller: + ```bash + kubectl create -f k8s/secret.yml + ``` + +4. Create the replication controller: -```bash -kubectl create -f k8s/replicationController.yaml -``` + ```bash + kubectl create -f k8s/replicationController.yaml + ``` ## DockerHub Image -- https://hub.docker.com/r/upmcenterprises/awsecr-creds/ +- [upmcenterprises/registry-creds](https://hub.docker.com/r/upmcenterprises/registry-creds/) ## Developing Locally If you want to hack on this project: 1. Clone the repo -2. Build: `make binary` +2. Build: `make build` 3. Test: `make test` -4. Run on your machine: ` go run ./main.go --kubecfg-file= --use-kubernetes-cluster-service=false +4. Run on your machine: `go run ./main.go --kubecfg-file=` ## About diff --git a/k8s/replicationController.yaml b/k8s/replicationController.yaml index d30d8cae..828d97ef 100644 --- a/k8s/replicationController.yaml +++ b/k8s/replicationController.yaml 
@@ -41,6 +41,21 @@ spec:
 secretKeyRef:
 name: registry-creds-ecr
 key: aws-region
+ - name: DOCKER_PRIVATE_REGISTRY_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: registry-creds-dpr
+ key: DOCKER_PRIVATE_REGISTRY_PASSWORD
+ - name: DOCKER_PRIVATE_REGISTRY_SERVER
+ valueFrom:
+ secretKeyRef:
+ name: registry-creds-dpr
+ key: DOCKER_PRIVATE_REGISTRY_SERVER
+ - name: DOCKER_PRIVATE_REGISTRY_USER
+ valueFrom:
+ secretKeyRef:
+ name: registry-creds-dpr
+ key: DOCKER_PRIVATE_REGISTRY_USER
 volumeMounts:
 - name: gcr-creds
 mountPath: "/root/.config/gcloud"
diff --git a/k8s/secret.yaml b/k8s/secret.yaml
index 9d4a238e..364a1db2 100644
--- a/k8s/secret.yaml
+++ b/k8s/secret.yaml
@@ -1,3 +1,20 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: registry-creds-dpr
+ namespace: kube-system
+ labels:
+ app: registry-creds
+ kubernetes.io/minikube-addons: registry-creds
+ cloud: private
+data:
+ DOCKER_PRIVATE_REGISTRY_SERVER: Y2hhbmdlbWU=
+ DOCKER_PRIVATE_REGISTRY_USER: Y2hhbmdlbWU=
+ DOCKER_PRIVATE_REGISTRY_PASSWORD: Y2hhbmdlbWU=
+type: Opaque
+
+---
+
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/main.go b/main.go
index b472780a..2cbd7827 100644
--- a/main.go
+++ b/main.go
@@ -25,8 +25,10 @@ ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 package main
 import (
+ "encoding/base64"
 "fmt"
 "log"
+ "strings"
 "os"
 "time"
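Review bot: The three new `secretKeyRef` entries for `registry-creds-dpr` are mandatory, so a cluster that only uses ECR or GCR and never creates that secret will most likely be unable to start the container at all. Consider marking each reference optional by adding `optional: true` under `secretKeyRef`, if the cluster versions you support accept it; the empty-value checks added in `getAuthToken` already cover the unset case. The container spec starts and ends outside this hunk, so whether the existing ECR references carry the same constraint is not visible here.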
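Review bot: The placeholder values `Y2hhbmdlbWU=` decode to a non-empty string, so applying this template unedited passes the empty-value checks in `dprClient.getAuthToken` and the controller will generate a pull secret from the placeholder server, user and password. Leaving the three `data` values empty, e.g. `DOCKER_PRIVATE_REGISTRY_SERVER: ""`, would make an unconfigured private registry stop at that check instead. A comment above `data:` such as `# base64 is an encoding, not encryption; do not commit real values to this file` would also help, since this file is tracked in the repository.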
@@ -43,21 +45,27 @@ import ( ) const ( - dockerCfgTemplate = `{"%s":{"username":"oauth2accesstoken","password":"%s","email":"none"}}` - dockerJSONTemplate = `{"auths":{"%s":{"auth":"%s","email":"none"}}}` + dockerCfgTemplate = `{"%s":{"username":"oauth2accesstoken","password":"%s","email":"none"}}` + dockerJSONTemplate = `{"auths":{"%s":{"auth":"%s","email":"none"}}}` + dockerPrivateRegistryPasswordKey = "DOCKER_PRIVATE_REGISTRY_PASSWORD" + dockerPrivateRegistryServerKey = "DOCKER_PRIVATE_REGISTRY_SERVER" + dockerPrivateRegistryUserKey = "DOCKER_PRIVATE_REGISTRY_USER" ) var ( - flags = flag.NewFlagSet("", flag.ContinueOnError) - argKubecfgFile = flags.String("kubecfg-file", "", `Location of kubecfg file for access to kubernetes master service; --kube_master_url overrides the URL part of this; if neither this nor --kube_master_url are provided, defaults to service account tokens`) - argKubeMasterURL = flags.String("kube-master-url", "", `URL to reach kubernetes master. Env variables in this flag will be expanded.`) - argAWSSecretName = flags.String("aws-secret-name", "awsecr-cred", `Default aws secret name`) - argGCRSecretName = flags.String("gcr-secret-name", "gcr-secret", `Default gcr secret name`) - argDefaultNamespace = flags.String("default-namespace", "default", `Default namespace`) - argGCRURL = flags.String("gcr-url", "https://gcr.io", `Default GCR URL`) - argAWSRegion = flags.String("aws-region", "us-east-1", `Default AWS region`) - argRefreshMinutes = flags.Int("refresh-mins", 60, `Default time to wait before refreshing (60 minutes)`) - argSkipKubeSystem = flags.Bool("skip-kube-system", true, `If true, will not attempt to set ImagePullSecrets on the kube-system namespace`) + flags = flag.NewFlagSet("", flag.ContinueOnError) + argKubecfgFile = flags.String("kubecfg-file", "", `Location of kubecfg file for access to kubernetes master service; --kube_master_url overrides the URL part of this; if neither this nor --kube_master_url are provided, defaults to 
service account tokens`) + argKubeMasterURL = flags.String("kube-master-url", "", `URL to reach kubernetes master. Env variables in this flag will be expanded.`) + argAWSSecretName = flags.String("aws-secret-name", "awsecr-cred", `Default AWS secret name`) + argDPRSecretName = flags.String("dpr-secret-name", "dpr-secret", `Default Docker Private Registry secret name`) + argGCRSecretName = flags.String("gcr-secret-name", "gcr-secret", `Default GCR secret name`) + argGCRURL = flags.String("gcr-url", "https://gcr.io", `Default GCR URL`) + argAWSRegion = flags.String("aws-region", "us-east-1", `Default AWS region`) + argDPRPassword = flags.String("dpr-password", "", "Docker Private Registry password") + argDPRServer = flags.String("dpr-server", "", "Docker Private Registry server") + argDPRUser = flags.String("dpr-user", "", "Docker Private Registry user") + argRefreshMinutes = flags.Int("refresh-mins", 60, `Default time to wait before refreshing (60 minutes)`) + argSkipKubeSystem = flags.Bool("skip-kube-system", true, `If true, will not attempt to set ImagePullSecrets on the kube-system namespace`) ) var ( @@ -68,6 +76,12 @@ type controller struct { k8sutil *k8sutil.K8sutilInterface ecrClient ecrInterface gcrClient gcrInterface + dprClient dprInterface +} + +// Docker Private Registry interface +type dprInterface interface { + getAuthToken(server, user, password string) (AuthToken, error) } type ecrInterface interface { 
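Review bot: The new `--dpr-password` flag invites passing the registry password on the command line, where it ends up in the pod spec or process arguments and is readable by anyone who can view them. Since `validateParams` already reads `DOCKER_PRIVATE_REGISTRY_PASSWORD` from the environment (populated from a Secret in `k8s/replicationController.yaml`), consider dropping the flag or at least steering users in its help text, e.g. `"Docker Private Registry password (prefer the DOCKER_PRIVATE_REGISTRY_PASSWORD environment variable)"`. The three new key constants are also undocumented; a line such as `// Environment variable names that override the --dpr-* flags.` above them would record the precedence.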
@@ -82,6 +96,30 @@ func newEcrClient() ecrInterface {
 return ecr.New(session.New(), aws.NewConfig().WithRegion(*argAWSRegion))
 }
+type dprClient struct{}
+
+func (dpr dprClient) getAuthToken(server, user, password string) (AuthToken, error) {
+ if server == "" {
+ return AuthToken{}, fmt.Errorf(fmt.Sprintf("Failed to get auth token for docker private registry: empty value for %s", dockerPrivateRegistryServerKey))
+ }
+
+ if user == "" {
+ return AuthToken{}, fmt.Errorf(fmt.Sprintf("Failed to get auth token for docker private registry: empty value for %s", dockerPrivateRegistryUserKey))
+ }
+
+ if password == "" {
+ return AuthToken{}, fmt.Errorf(fmt.Sprintf("Failed to get auth token for docker private registry: empty value for %s", dockerPrivateRegistryPasswordKey))
+ }
+
+ token := base64.StdEncoding.EncodeToString([]byte(strings.Join([]string{user, password}, ":")))
+
+ return AuthToken{AccessToken: token, Endpoint: server}, nil
+}
+
+func newDprClient() dprInterface {
+ return dprClient{}
+}
+
 type gcrClient struct{}
 func (gcr gcrClient) DefaultTokenSource(ctx context.Context, scope ...string) (oauth2.TokenSource, error) {
@@ -92,6 +130,10 @@ func newGcrClient() gcrInterface {
 return gcrClient{}
 }
+func (c *controller) getDPRToken() (AuthToken, error) {
+ return c.dprClient.getAuthToken(*argDPRServer, *argDPRUser, *argDPRPassword)
+}
+
 func (c *controller) getGCRAuthorizationKey() (AuthToken, error) {
 ts, err := c.gcrClient.DefaultTokenSource(context.TODO(), "https://www.googleapis.com/auth/cloud-platform")
 if err != nil {
@@ -183,6 +225,12 @@ func getSecretGenerators(c *controller) []SecretGenerator {
 SecretName: *argAWSSecretName,
 })
+ secretGenerators = append(secretGenerators, SecretGenerator{
+ TokenGenFxn: c.getDPRToken,
+ IsJSONCfg: true,
+ SecretName: *argDPRSecretName,
+ })
+
 return secretGenerators
 }
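Review bot: `getAuthToken` builds the credential as base64 of `user:password` without checking `user` for a colon, so a user name containing `:` yields a token that a registry would split at the wrong place; a guard such as `if strings.Contains(user, ":") { return AuthToken{}, fmt.Errorf("invalid %s: must not contain ':'", dockerPrivateRegistryUserKey) }` would reject it early. The three error returns also wrap `fmt.Sprintf` inside `fmt.Errorf`, which re-interprets the finished message as a format string; `fmt.Errorf("Failed to get auth token for docker private registry: empty value for %s", dockerPrivateRegistryServerKey)` says the same thing directly. `server` is returned unvalidated as `Endpoint` and is presumably substituted into `dockerJSONTemplate` by code outside this hunk, so a value containing a quote would likely produce malformed JSON; worth confirming where the secret is rendered.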
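Review bot: The Docker Private Registry generator is appended unconditionally in `getSecretGenerators`, so on clusters where no `--dpr-*` flag or environment variable is set `getDPRToken` will return the empty-value error on every refresh for every namespace. How the caller treats a failing generator is outside this hunk, so it is worth confirming that it neither logs an error each cycle nor adds `dpr-secret` to the service account's `ImagePullSecrets` without a backing secret. Wrapping the append in `if *argDPRServer != "" { … }` would avoid both, provided `getSecretGenerators` runs after `validateParams`; the function begins outside this hunk.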
@@ -255,6 +303,9 @@ func validateParams() {
 // Allow environment variables to overwrite args
 awsAccountIDEnv := os.Getenv("awsaccount")
 awsRegionEnv := os.Getenv("awsregion")
+ dprPassword := os.Getenv(dockerPrivateRegistryPasswordKey)
+ dprServer := os.Getenv(dockerPrivateRegistryServerKey)
+ dprUser := os.Getenv(dockerPrivateRegistryUserKey)
 if len(awsRegionEnv) > 0 {
 argAWSRegion = &awsRegionEnv
@@ -263,6 +314,18 @@ func validateParams() {
 if len(awsAccountIDEnv) > 0 {
 awsAccountID = awsAccountIDEnv
 }
+
+ if len(dprPassword) > 0 {
+ argDPRPassword = &dprPassword
+ }
+
+ if len(dprServer) > 0 {
+ argDPRServer = &dprServer
+ }
+
+ if len(dprUser) > 0 {
+ argDPRUser = &dprUser
+ }
 }
 func handler(c *controller, ns *v1.Namespace) error {
@@ -289,7 +352,7 @@ func main() {
 validateParams()
 log.Print("Using AWS Account: ", awsAccountID)
- log.Printf("Using AWS Region: %s", *argAWSRegion)
+ log.Print("Using AWS Region: ", *argAWSRegion)
 log.Print("Refresh Interval (minutes): ", *argRefreshMinutes)
 util, err := k8sutil.New(*argKubecfgFile, *argKubeMasterURL)
@@ -300,7 +363,8 @@ func main() {
 ecrClient := newEcrClient()
 gcrClient := newGcrClient()
- c := &controller{util, ecrClient, gcrClient}
+ dprClient := newDprClient()
+ c := &controller{util, ecrClient, gcrClient, dprClient}
 util.WatchNamespaces(time.Duration(*argRefreshMinutes)*time.Minute, func(ns *v1.Namespace) error {
 return handler(c, ns)
diff --git a/main_test.go b/main_test.go
index 3085d7fa..1a454744 100644
--- a/main_test.go
+++ b/main_test.go
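Review bot: `controller` is built with an unkeyed literal in the last hunk of `main`, which is why adding the `dprClient` field forced an edit here and at every `controller{...}` literal in `main_test.go`. Keyed fields keep those call sites stable and make the wiring readable: `c := &controller{k8sutil: util, ecrClient: ecrClient, gcrClient: gcrClient, dprClient: dprClient}`. `main` begins and ends outside this hunk.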
@@ -219,6 +219,18 @@ func (f *fakeFailingGcrClient) DefaultTokenSource(ctx context.Context, scope ...
 return nil, errors.New("fake error")
 }
+type fakeDprClient struct{}
+
+func (f *fakeDprClient) getAuthToken(server, user, password string) (AuthToken, error) {
+ return AuthToken{AccessToken: "fakeToken", Endpoint: "fakeEndpoint"}, nil
+}
+
+type fakeFailingDprClient struct{}
+
+func (f *fakeFailingDprClient) getAuthToken(server, user, password string) (AuthToken, error){
+ return AuthToken{}, errors.New("fake error")
+}
+
 func newKubeUtil() *k8sutil.K8sutilInterface {
 return &k8sutil.K8sutilInterface{
 Kclient: newFakeKubeClient(),
@@ -296,6 +308,10 @@ func newFakeGcrClient() *fakeGcrClient {
 return &fakeGcrClient{}
 }
+func newFakeDprClient() *fakeDprClient {
+ return &fakeDprClient{}
+}
+
 func newFakeFailingGcrClient() *fakeFailingGcrClient {
 return &fakeFailingGcrClient{}
 }
@@ -304,6 +320,10 @@ func newFakeFailingEcrClient() *fakeFailingEcrClient {
 return &fakeFailingEcrClient{}
 }
+func newFakeFailingDprClient() *fakeFailingDprClient {
+ return &fakeFailingDprClient{}
+}
+
 func process(t *testing.T, c *controller) {
 namespaces, _ := c.k8sutil.Kclient.Namespaces().List(v1.ListOptions{})
 for _, ns := range namespaces.Items {
@@ -316,7 +336,8 @@ func TestGetECRAuthorizationKey(t *testing.T) {
 util := newKubeUtil()
 ecrClient := newFakeEcrClient()
 gcrClient := newFakeGcrClient()
- c := &controller{util, ecrClient, gcrClient}
+ dprClient := newFakeDprClient()
+ c := &controller{util, ecrClient, gcrClient, dprClient}
 token, err := c.getECRAuthorizationKey()
@@ -331,7 +352,8 @@ func TestProcessOnce(t *testing.T) {
 ecrClient := newFakeEcrClient()
 *argGCRURL = "fakeEndpoint"
 gcrClient := newFakeGcrClient()
- c := &controller{util, ecrClient, gcrClient}
+ dprClient := newFakeDprClient()
+ c := &controller{util, ecrClient, gcrClient, dprClient}
 process(t, c)
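Review bot: Both fakes added in the first hunk ignore their arguments, so nothing in this change exercises the real `dprClient.getAuthToken`; its empty-value checks and the base64 `user:password` encoding are untested. A small table test that calls `newDprClient().getAuthToken(...)` with an empty server, user and password in turn, and once with valid values asserting that `AccessToken` equals `base64.StdEncoding.EncodeToString([]byte("user:password"))`, would pin that behaviour. Minor: `(AuthToken, error){` in `fakeFailingDprClient.getAuthToken` is missing the space gofmt inserts before `{`.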
@@ -385,12 +407,12 @@ func TestProcessOnce(t *testing.T) {
 serviceAccount, err = c.k8sutil.GetServiceAccount("namespace2", "default")
 assert.Nil(t, err)
- assert.Equal(t, 2, len(serviceAccount.ImagePullSecrets))
+ assert.Equal(t, 3, len(serviceAccount.ImagePullSecrets))
 assert.Equal(t, *argAWSSecretName, serviceAccount.ImagePullSecrets[1].Name)
 serviceAccount, err = c.k8sutil.GetServiceAccount("namespace2", "default")
 assert.Nil(t, err)
- assert.Equal(t, 2, len(serviceAccount.ImagePullSecrets))
+ assert.Equal(t, 3, len(serviceAccount.ImagePullSecrets))
 assert.Equal(t, *argAWSSecretName, serviceAccount.ImagePullSecrets[1].Name)
 }
@@ -399,8 +421,9 @@ func TestProcessTwice(t *testing.T) {
 ecrClient := newFakeEcrClient()
 *argGCRURL = "fakeEndpoint"
 gcrClient := newFakeGcrClient()
- c := &controller{util, ecrClient, gcrClient}
+ dprClient := newFakeDprClient()
+ c := &controller{util, ecrClient, gcrClient, dprClient}
 process(t, c)
 // test processing twice for idempotency
 process(t, c)
@@ -455,12 +478,12 @@ func TestProcessTwice(t *testing.T) {
 serviceAccount, err = c.k8sutil.GetServiceAccount("namespace2", "default")
 assert.Nil(t, err)
- assert.Equal(t, 2, len(serviceAccount.ImagePullSecrets))
+ assert.Equal(t, 3, len(serviceAccount.ImagePullSecrets))
 assert.Equal(t, *argAWSSecretName, serviceAccount.ImagePullSecrets[1].Name)
 serviceAccount, err = c.k8sutil.GetServiceAccount("namespace2", "default")
 assert.Nil(t, err)
- assert.Equal(t, 2, len(serviceAccount.ImagePullSecrets))
+ assert.Equal(t, 3, len(serviceAccount.ImagePullSecrets))
 assert.Equal(t, *argAWSSecretName, serviceAccount.ImagePullSecrets[1].Name)
 }
@@ -469,7 +492,8 @@ func TestProcessWithExistingSecrets(t *testing.T) {
 ecrClient := newFakeEcrClient()
 *argGCRURL = "fakeEndpoint"
 gcrClient := newFakeGcrClient()
- c := &controller{util, ecrClient, gcrClient}
+ dprClient := newFakeDprClient()
+ c := &controller{util, ecrClient, gcrClient, dprClient}
 secretGCR := &v1.Secret{
 ObjectMeta: v1.ObjectMeta{
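Review bot: The expected `ImagePullSecrets` length is raised to 3 in `TestProcessOnce`, but the only name still asserted is index 1, so the test would pass whatever the third entry is. Adding `assert.Equal(t, *argDPRSecretName, serviceAccount.ImagePullSecrets[2].Name)` after each count check would tie the new entry to the DPR secret. The same applies to the matching hunk in `TestProcessTwice` and to the count changes from 3 to 4 in `TestProcessWithExistingImagePullSecrets`, where the new entry would be index 3. Both test functions continue outside their hunks.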
@@ -501,6 +525,21 @@ func TestProcessWithExistingSecrets(t *testing.T) {
 err = c.k8sutil.CreateSecret("namespace2", secretAWS)
 assert.Nil(t, err)
+ secretDPR := &v1.Secret{
+ ObjectMeta: v1.ObjectMeta{
+ Name: *argDPRSecretName,
+ },
+ Data: map[string][]byte{
+ ".dockerconfigjson": []byte("some other config"),
+ },
+ Type: "some other type",
+ }
+
+ err = c.k8sutil.CreateSecret("namespace1", secretDPR)
+ assert.Nil(t, err)
+ err = c.k8sutil.CreateSecret("namespace2", secretDPR)
+ assert.Nil(t, err)
+
 process(t, c)
 // Test GCR
@@ -568,6 +607,23 @@ func TestProcessWithExistingSecrets(t *testing.T) {
 ".dockerconfigjson": []byte(fmt.Sprintf(dockerJSONTemplate, "fakeEndpoint", "fakeToken")),
 }, secretAWS.Data)
 assert.Equal(t, v1.SecretType("kubernetes.io/dockerconfigjson"), secretAWS.Type)
+
+ // Test Private Docker Registry
+ secretDPR, err = c.k8sutil.GetSecret("namespace1", *argDPRSecretName)
+ assert.Nil(t, err)
+ assert.Equal(t, *argDPRSecretName, secretDPR.Name)
+ assert.Equal(t, map[string][]byte{
+ ".dockerconfigjson": []byte(fmt.Sprintf(dockerJSONTemplate, "fakeEndpoint", "fakeToken")),
+ }, secretDPR.Data)
+ assert.Equal(t, v1.SecretType("kubernetes.io/dockerconfigjson"), secretDPR.Type)
+
+ secretDPR, err = c.k8sutil.GetSecret("namespace2", *argDPRSecretName)
+ assert.Nil(t, err)
+ assert.Equal(t, *argDPRSecretName, secretDPR.Name)
+ assert.Equal(t, map[string][]byte{
+ ".dockerconfigjson": []byte(fmt.Sprintf(dockerJSONTemplate, "fakeEndpoint", "fakeToken")),
+ }, secretDPR.Data)
+ assert.Equal(t, v1.SecretType("kubernetes.io/dockerconfigjson"), secretDPR.Type)
 }
 // func TestProcessNoDefaultServiceAccount(t *testing.T) {
@@ -590,7 +646,8 @@ func TestProcessWithExistingImagePullSecrets(t *testing.T) {
 util := newKubeUtil()
 ecrClient := newFakeEcrClient()
 gcrClient := newFakeGcrClient()
- c := &controller{util, ecrClient, gcrClient}
+ dprClient := newFakeDprClient()
+ c := &controller{util, ecrClient, gcrClient, dprClient}
 serviceAccount, err := c.k8sutil.GetServiceAccount("namespace1", "default")
 assert.Nil(t, err)
@@ -606,14 +663,14 @@ func TestProcessWithExistingImagePullSecrets(t *testing.T) {
 serviceAccount, err = c.k8sutil.GetServiceAccount("namespace1", "default")
 assert.Nil(t, err)
- assert.Equal(t, 3, len(serviceAccount.ImagePullSecrets))
+ assert.Equal(t, 4, len(serviceAccount.ImagePullSecrets))
 assert.Equal(t, "someOtherSecret", serviceAccount.ImagePullSecrets[0].Name)
 assert.Equal(t, *argGCRSecretName, serviceAccount.ImagePullSecrets[1].Name)
 assert.Equal(t, *argAWSSecretName, serviceAccount.ImagePullSecrets[2].Name)
 serviceAccount, err = c.k8sutil.GetServiceAccount("namespace2", "default")
 assert.Nil(t, err)
- assert.Equal(t, 3, len(serviceAccount.ImagePullSecrets))
+ assert.Equal(t, 4, len(serviceAccount.ImagePullSecrets))
 assert.Equal(t, "someOtherSecret", serviceAccount.ImagePullSecrets[0].Name)
 assert.Equal(t, *argGCRSecretName, serviceAccount.ImagePullSecrets[1].Name)
 assert.Equal(t, *argAWSSecretName, serviceAccount.ImagePullSecrets[2].Name)
@@ -637,7 +694,8 @@ func TestFailingGcrPassingEcrStillSucceeds(t *testing.T) {
 util := newKubeUtil()
 ecrClient := newFakeEcrClient()
 gcrClient := newFakeFailingGcrClient()
- c := &controller{util, ecrClient, gcrClient}
+ dprClient := newFakeFailingDprClient()
+ c := &controller{util, ecrClient, gcrClient, dprClient}
 process(t, c)
 }
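Review bot: `TestFailingGcrPassingEcrStillSucceeds` now injects `newFakeFailingDprClient()` as well, and `TestPassingGcrPassingEcrStillSucceeds` in the next hunk does the same, so no test covers a failing private-registry client while ECR and GCR both succeed, and the test names no longer describe the setup. Consider keeping these two tests on `newFakeDprClient()` and adding a third, e.g. `TestFailingDprPassingOthersStillSucceeds`, that asserts the ECR and GCR secrets are still written.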
@@ -646,7 +704,8 @@ func TestPassingGcrPassingEcrStillSucceeds(t *testing.T) {
 util := newKubeUtil()
 ecrClient := newFakeFailingEcrClient()
 gcrClient := newFakeGcrClient()
- c := controller{util, ecrClient, gcrClient}
+ dprClient := newFakeFailingDprClient()
+ c := controller{util, ecrClient, gcrClient, dprClient}
 process(t, &c)
 }