Mount secret file

Signed-off-by: JenTing Hsiao <[email protected]>

Author: jenting

install/installer/cmd/testdata/render/aws-setup/config.yaml

@@ -11,9 +11,9 @@ containerRegistry:
     certificate:
       kind: secret
       name: aws-ecr-credential
-    credential:
+    credentials:
       kind: secret
-      name: aws-iam-user-credential
+      name: aws-storage
   s3storage:
     region: eu-west-2
     endpoint: registry.amazonaws.com # Invalid endpoint - use to differentiate from objectStorage

install/installer/cmd/testdata/render/aws-setup/output.golden

@@ -16,7 +16,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 )
 
-const storageMount = "/mnt/secrets/storage"
+const StorageMount = "/mnt/secrets/storage"
 
 // StorageConfig produces config service configuration from the installer config
 
@@ -39,7 +39,7 @@ func StorageConfig(context *RenderContext) storageconfig.StorageConfig {
 			GCloudConfig: storageconfig.GCPConfig{
 				Region:          context.Config.Metadata.Region,
 				Project:         context.Config.ObjectStorage.CloudStorage.Project,
-				CredentialsFile: filepath.Join(storageMount, "service-account.json"),
+				CredentialsFile: filepath.Join(StorageMount, "service-account.json"),
 			},
 		}
 	}
@@ -50,7 +50,7 @@ func StorageConfig(context *RenderContext) storageconfig.StorageConfig {
 			S3Config: &storageconfig.S3Config{
 				Region:          context.Config.Metadata.Region,
 				Bucket:          context.Config.ObjectStorage.S3.BucketName,
-				CredentialsFile: filepath.Join(storageMount, "credentials"),
+				CredentialsFile: filepath.Join(StorageMount, "credentials"),
 			},
 		}
 	}
@@ -90,7 +90,7 @@ func StorageConfig(context *RenderContext) storageconfig.StorageConfig {
 }
 
 // mountStorage performs the actual storage mount, which is common across all providers
-func mountStorage(pod *corev1.PodSpec, secret string, container ...string) {
+func MountStorage(pod *corev1.PodSpec, secret string, container ...string) {
 	volumeName := "storage-volume"
 
 	pod.Volumes = append(pod.Volumes,
@@ -124,7 +124,7 @@ func mountStorage(pod *corev1.PodSpec, secret string, container ...string) {
 			corev1.VolumeMount{
 				Name:      volumeName,
 				ReadOnly:  true,
-				MountPath: storageMount,
+				MountPath: StorageMount,
 			},
 		)
 	}
@@ -136,13 +136,13 @@ func mountStorage(pod *corev1.PodSpec, secret string, container ...string) {
 // added to all containers.
 func AddStorageMounts(ctx *RenderContext, pod *corev1.PodSpec, container ...string) error {
 	if ctx.Config.ObjectStorage.CloudStorage != nil {
-		mountStorage(pod, ctx.Config.ObjectStorage.CloudStorage.ServiceAccount.Name, container...)
+		MountStorage(pod, ctx.Config.ObjectStorage.CloudStorage.ServiceAccount.Name, container...)
 
 		return nil
 	}
 
 	if ctx.Config.ObjectStorage.S3 != nil {
-		mountStorage(pod, ctx.Config.ObjectStorage.S3.Credentials.Name, container...)
+		MountStorage(pod, ctx.Config.ObjectStorage.S3.Credentials.Name, container...)
 
 		return nil
 	}

install/installer/pkg/common/storage.go

@@ -5,6 +5,7 @@ package refresh_credential
 
 import (
 	"fmt"
+	"path/filepath"
 
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -18,22 +19,17 @@ func configmap(ctx *common.RenderContext) ([]runtime.Object, error) {
 	privateRegistry := isPrivateAWSECRURL(ctx.Config.ContainerRegistry.External.URL)
 	region := getAWSRegion(ctx.Config.ContainerRegistry.External.URL)
 
-	credentialSecretName, err := credentialSecretName(ctx)
-	if err != nil {
-		return nil, err
-	}
-
 	secretToUpdateName, err := secretToUpdateName(ctx)
 	if err != nil {
 		return nil, err
 	}
 
 	registryCredentialCfg := config.Configuration{
-		Namespace:        ctx.Namespace,
-		CredentialSecret: credentialSecretName,
-		Region:           region,
-		PublicRegistry:   !privateRegistry,
-		SecretToUpdate:   secretToUpdateName,
+		Namespace:       ctx.Namespace,
+		CredentialsFile: filepath.Join(common.StorageMount, "credentials"),
+		Region:          region,
+		PublicRegistry:  !privateRegistry,
+		SecretToUpdate:  secretToUpdateName,
 	}
 
 	json, err := common.ToJSONString(registryCredentialCfg)
@@ -62,10 +58,3 @@ func secretToUpdateName(ctx *common.RenderContext) (string, error) {
 	}
 	return ctx.Config.ContainerRegistry.External.Certificate.Name, nil
 }
-
-func credentialSecretName(ctx *common.RenderContext) (string, error) {
-	if ctx.Config.ContainerRegistry.External == nil {
-		return "", fmt.Errorf("%s: invalid container registry config", Component)
-	}
-	return ctx.Config.ContainerRegistry.External.Credential.Name, nil
-}

install/installer/pkg/components/refresh-credential/configmap.go

@@ -15,6 +15,41 @@ import (
 )
 
 func cronjob(ctx *common.RenderContext) ([]runtime.Object, error) {
+	podSpec := corev1.PodSpec{
+		RestartPolicy:      corev1.RestartPolicyOnFailure,
+		ServiceAccountName: Component,
+		Containers: []corev1.Container{
+			{
+				Name:            Component,
+				Args:            []string{"ecr-update", "/config/config.json"},
+				Image:           ctx.ImageName(ctx.Config.Repository, Component, ctx.VersionManifest.Components.RegistryCredential.Version),
+				ImagePullPolicy: corev1.PullIfNotPresent,
+				SecurityContext: &corev1.SecurityContext{
+					AllowPrivilegeEscalation: pointer.Bool(false),
+				},
+				VolumeMounts: []corev1.VolumeMount{
+					{
+						Name:      "config",
+						MountPath: "/config",
+						ReadOnly:  true,
+					},
+				},
+			},
+		},
+		Volumes: []corev1.Volume{
+			{
+				Name: "config",
+				VolumeSource: corev1.VolumeSource{
+					ConfigMap: &corev1.ConfigMapVolumeSource{
+						LocalObjectReference: corev1.LocalObjectReference{Name: Component},
+					},
+				},
+			},
+		},
+	}
+
+	common.MountStorage(&podSpec, ctx.Config.ContainerRegistry.External.Credentials.Name, Component)
+
 	objectMeta := metav1.ObjectMeta{
 		Name:      Component,
 		Namespace: ctx.Namespace,
@@ -36,38 +71,7 @@ func cronjob(ctx *common.RenderContext) ([]runtime.Object, error) {
 						BackoffLimit: pointer.Int32(10),
 						Template: corev1.PodTemplateSpec{
 							ObjectMeta: objectMeta,
-							Spec: corev1.PodSpec{
-								RestartPolicy:      corev1.RestartPolicyOnFailure,
-								ServiceAccountName: Component,
-								Containers: []corev1.Container{
-									{
-										Name:            Component,
-										Args:            []string{"ecr-update", "/config/config.json"},
-										Image:           ctx.ImageName(ctx.Config.Repository, Component, ctx.VersionManifest.Components.RegistryCredential.Version),
-										ImagePullPolicy: corev1.PullIfNotPresent,
-										SecurityContext: &corev1.SecurityContext{
-											AllowPrivilegeEscalation: pointer.Bool(false),
-										},
-										VolumeMounts: []corev1.VolumeMount{
-											{
-												Name:      "config",
-												MountPath: "/config",
-												ReadOnly:  true,
-											},
-										},
-									},
-								},
-								Volumes: []corev1.Volume{
-									{
-										Name: "config",
-										VolumeSource: corev1.VolumeSource{
-											ConfigMap: &corev1.ConfigMapVolumeSource{
-												LocalObjectReference: corev1.LocalObjectReference{Name: Component},
-											},
-										},
-									},
-								},
-							},
+							Spec:       podSpec,
 						},
 					},
 				},

install/installer/pkg/components/refresh-credential/cronjob.go

@@ -303,7 +303,7 @@ type ContainerRegistry struct {
 type ContainerRegistryExternal struct {
 	URL         string     `json:"url" validate:"required"`
 	Certificate ObjectRef  `json:"certificate" validate:"required"`
-	Credential  *ObjectRef `json:"credential,omitempty"`
+	Credentials *ObjectRef `json:"credentials,omitempty"`
 }
 
 type S3Storage struct {

install/installer/pkg/config/v1/config.go

@@ -150,8 +150,8 @@ func (v version) ClusterValidation(rcfg interface{}) cluster.ValidationChecks {
 		secretName := cfg.ContainerRegistry.External.Certificate.Name
 		res = append(res, cluster.CheckSecret(secretName, cluster.CheckSecretRequiredData(".dockerconfigjson")))
 
-		if cfg.ContainerRegistry.External.Credential != nil {
-			credSecretName := cfg.ContainerRegistry.External.Credential.Name
+		if cfg.ContainerRegistry.External != nil {
+			credSecretName := cfg.ContainerRegistry.External.Credentials.Name
 			res = append(res, cluster.CheckSecret(credSecretName, cluster.CheckSecretRequiredData("accessKeyId", "secretAccessKey")))
 		}
 	}