From 5c7fa2a955264afb135cbb661075296df98c101f Mon Sep 17 00:00:00 2001 From: Steven Powell Date: Fri, 19 Jan 2024 11:56:53 -0800 Subject: [PATCH 1/6] Refresh all pull image secrets every hour --- Makefile | 2 +- go.mod | 4 +++- go.sum | 9 +++++++++ server.go | 56 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 69 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index e1dc491..8269000 100644 --- a/Makefile +++ b/Makefile @@ -3,7 +3,7 @@ VERSION=v0.1.0 GOOS?=$(shell go env GOOS) GOARCH?=$(shell go env GOARCH) ARCH=$(if $(findstring amd64, $(GOARCH)),x86_64,$(GOARCH)) -KO_VERSION=0.13.0 +KO_VERSION=0.15.1 BASE_IMAGE?=gcr.io/distroless/static:nonroot build: ## Build the gcp-auth-webhook binary diff --git a/go.mod b/go.mod index ac1e34a..52b3851 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,8 @@ module github.com/GoogleContainerTools/gcp-auth-webhook -go 1.18 +go 1.21 + +toolchain go1.21.6 require ( github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible diff --git a/go.sum b/go.sum index 8de9675..3031f51 100644 --- a/go.sum +++ b/go.sum @@ -89,6 +89,7 @@ github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g= github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= +github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= 
@@ -142,6 +143,7 @@ github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= @@ -187,6 +189,7 @@ github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+o github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= 
@@ -201,15 +204,19 @@ github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjY github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/onsi/ginkgo/v2 v2.13.0 h1:0jY9lJquiL8fcf3M4LAXN5aMlS/b2BV86HFFPCPMgE4= +github.com/onsi/ginkgo/v2 v2.13.0/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o= github.com/onsi/gomega v1.29.0 h1:KIA/t2t5UBzoirT4H9tsML45GEbo3ouUnBHsCfD2tVg= +github.com/onsi/gomega v1.29.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= +github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog= github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= +github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= 
@@ -221,6 +228,7 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= +github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= @@ -458,6 +466,7 @@ golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA= +golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= diff --git a/server.go b/server.go index 627afec..f467538 100644 --- a/server.go +++ b/server.go 
@@ -153,6 +153,61 @@ func createPullSecret(clientset *kubernetes.Clientset, ns *corev1.Namespace, cre
 	return nil
 }
 
+// createAllPullSecrets creates an image registry pull secret for all namespaces
+func createAllPullSecrets(clientset *kubernetes.Clientset, namespaces []corev1.Namespace) error {
+	ctx := context.Background()
+	creds, err := google.FindDefaultCredentials(ctx)
+	if err != nil {
+		return fmt.Errorf("finding default credentials: %v", err)
+	}
+	for _, ns := range namespaces {
+		if err := createPullSecret(clientset, &ns, creds); err != nil {
+			log.Printf("failed creating pull secret in %s namespace: %v", ns.Name, err)
+		}
+	}
+	return nil
+}
+
+// deleteAllPullSecrets deletes the image registry pull secret for all namespaces
+func deleteAllPullSecrets(clientset *kubernetes.Clientset, namespaces []corev1.Namespace) {
+	for _, ns := range namespaces {
+		secrets := clientset.CoreV1().Secrets(ns.Name)
+		if err := secrets.Delete(context.TODO(), gcpAuth, metav1.DeleteOptions{}); err != nil {
+			log.Printf("failed deleting %s secret in %s namespace: %v", gcpAuth, ns.Name, err)
+		}
+	}
+}
+
+// refreshAllPullSecrets deletes and recreates image registry pull secrets for all namespaces
+func refreshAllPullSecrets() error {
+	cfg, err := rest.InClusterConfig()
+	if err != nil {
+		return fmt.Errorf("getting cluster config: %v", err)
+	}
+	clientset, err := kubernetes.NewForConfig(cfg)
+	if err != nil {
+		return fmt.Errorf("getting clientset: %v", err)
+	}
+	namespaceList, err := clientset.CoreV1().Namespaces().List(context.TODO(), metav1.ListOptions{})
+	if err != nil {
+		return fmt.Errorf("listing namespaces: %v", err)
+	}
+	deleteAllPullSecrets(clientset, namespaceList.Items)
+	if err := createAllPullSecrets(clientset, namespaceList.Items); err != nil {
+		return fmt.Errorf("creating all pull secrets: %v", err)
+	}
+	return nil
+}
+
+// pullSecretTicker refreshes all the image registry pull secrets every hour
+func pullSecretTicker() {
+	for range time.Tick(1 * time.Hour) {
+		if err := refreshAllPullSecrets(); err != nil {
+			log.Print(err)
+		}
+	}
+}
+
 func skipNamespace(name string) bool {
 	return name == metav1.NamespaceSystem || name == gcpAuth
 }
@@ -464,6 +519,7 @@ func main() {
 	log.Print("GCP Auth Webhook started!")
 
 	go updateTicker()
+	go pullSecretTicker()
 	go func() {
 		if err := watchNamespaces(); err != nil {
 			log.Printf("Failed to watch namespaces, please update minikube and disable/re-enable the gcp-auth addon: %v", err)

From 29f7d44b1a38200613818df8a2931b41bd695b9b Mon Sep 17 00:00:00 2001
From: Steven Powell
Date: Fri, 19 Jan 2024 12:01:28 -0800
Subject: [PATCH 2/6] CI: set go version to fix build failure

---
 .github/workflows/build.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 2d37466..d59bf5e 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -7,4 +7,6 @@ jobs:
     steps:
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
     - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
+      with:
+        go-version: 1.21
     - run: make build

From 64df76f0a1f2ff3bf17ffdeabe2c862898e52bc0 Mon Sep 17 00:00:00 2001
From: Steven Powell
Date: Fri, 19 Jan 2024 12:18:14 -0800
Subject: [PATCH 3/6] refactor refresh pull secret logic

---
 server.go | 43 +++++++++++++++++++------------------------
 1 file changed, 19 insertions(+), 24 deletions(-)

diff --git a/server.go b/server.go
index f467538..5847382 100644
--- a/server.go
+++ b/server.go
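Review bot: refreshAllPullSecrets tears down the secret in every namespace before a single replacement is written, so between `deleteAllPullSecrets(clientset, namespaceList.Items)` and the following `createAllPullSecrets(...)` call no namespace holds a pull secret, and if the create side fails early (for instance `google.FindDefaultCredentials` returning an error inside createAllPullSecrets) every namespace is left without one until the next tick an hour later. Pods scheduled in that window cannot pull from the private registry. Prefer replacing the secret in place — let createPullSecret fall back to `clientset.CoreV1().Secrets(ns.Name).Update(...)` when the create returns AlreadyExists and drop the delete pass — so the previous token stays usable until the new one lands; whether createPullSecret already tolerates an existing secret cannot be seen here, as its body lies above this hunk. The comment on refreshAllPullSecrets should also state that per-namespace failures are only logged by createAllPullSecrets and never surface in its return value.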
@@ -153,33 +153,21 @@ func createPullSecret(clientset *kubernetes.Clientset, ns *corev1.Namespace, cre
 	return nil
 }
 
-// createAllPullSecrets creates an image registry pull secret for all namespaces
-func createAllPullSecrets(clientset *kubernetes.Clientset, namespaces []corev1.Namespace) error {
-	ctx := context.Background()
-	creds, err := google.FindDefaultCredentials(ctx)
-	if err != nil {
-		return fmt.Errorf("finding default credentials: %v", err)
-	}
-	for _, ns := range namespaces {
-		if err := createPullSecret(clientset, &ns, creds); err != nil {
-			log.Printf("failed creating pull secret in %s namespace: %v", ns.Name, err)
-		}
+// deletePullSecret deletes the image registry pull secret for the provided namespace
+func deletePullSecret(clientset *kubernetes.Clientset, ns corev1.Namespace) error {
+	secrets := clientset.CoreV1().Secrets(ns.Name)
+	if err := secrets.Delete(context.TODO(), gcpAuth, metav1.DeleteOptions{}); err != nil {
+		return fmt.Errorf("deleting %s secret in %s namespace: %v", gcpAuth, ns.Name, err)
 	}
 	return nil
 }
 
-// deleteAllPullSecrets deletes the image registry pull secret for all namespaces
-func deleteAllPullSecrets(clientset *kubernetes.Clientset, namespaces []corev1.Namespace) {
-	for _, ns := range namespaces {
-		secrets := clientset.CoreV1().Secrets(ns.Name)
-		if err := secrets.Delete(context.TODO(), gcpAuth, metav1.DeleteOptions{}); err != nil {
-			log.Printf("failed deleting %s secret in %s namespace: %v", gcpAuth, ns.Name, err)
-		}
-	}
-}
-
 // refreshAllPullSecrets deletes and recreates image registry pull secrets for all namespaces
 func refreshAllPullSecrets() error {
+	creds, err := google.FindDefaultCredentials(context.Background())
+	if err != nil {
+		return fmt.Errorf("finding default credentials: %v", err)
+	}
 	cfg, err := rest.InClusterConfig()
 	if err != nil {
 		return fmt.Errorf("getting cluster config: %v", err)
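Review bot: deletePullSecret reports a missing secret as an error, so once it runs from the periodic loop every namespace that never received a `gcp-auth` secret, or lost it, logs a spurious failure on each tick; tolerate that case with `if err := secrets.Delete(context.TODO(), gcpAuth, metav1.DeleteOptions{}); err != nil && !apierrors.IsNotFound(err) {` (this needs `k8s.io/apimachinery/pkg/api/errors`, which may or may not already be imported in this file). The delete is also unconditional: it removes whatever Secret is named `gcp-auth` in the namespace, with no label selector or `metav1.Preconditions` UID check that it is the one this webhook wrote, which deserves at least a sentence in the function comment. Since only `ns.Name` is read, taking `name string` as `skipNamespace` does would avoid copying a whole `corev1.Namespace` per call. refreshAllPullSecrets continues past the end of this hunk.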
@@ -192,9 +180,16 @@ func refreshAllPullSecrets() error {
 	if err != nil {
 		return fmt.Errorf("listing namespaces: %v", err)
 	}
-	deleteAllPullSecrets(clientset, namespaceList.Items)
-	if err := createAllPullSecrets(clientset, namespaceList.Items); err != nil {
-		return fmt.Errorf("creating all pull secrets: %v", err)
+	for _, ns := range namespaceList.Items {
+		if ns.Name == "kube-system" || ns.Name == "gcp-auth" {
+			continue
+		}
+		if err := deletePullSecret(clientset, ns); err != nil {
+			log.Println(err)
+		}
+		if err := createPullSecret(clientset, &ns, creds); err != nil {
+			log.Println(err)
+		}
 	}
 	return nil
 }

From 9563c29b9b4068504a0a045d7e0d1440578a4fcb Mon Sep 17 00:00:00 2001
From: Steven Powell
Date: Mon, 22 Jan 2024 12:52:39 -0800
Subject: [PATCH 4/6] increase pull secret ticker to every 6 hours

---
 server.go | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/server.go b/server.go
index 5847382..f54c0dc 100644
--- a/server.go
+++ b/server.go
@@ -181,22 +181,23 @@ func refreshAllPullSecrets() error {
 		return fmt.Errorf("listing namespaces: %v", err)
 	}
 	for _, ns := range namespaceList.Items {
-		if ns.Name == "kube-system" || ns.Name == "gcp-auth" {
+		if skipNamespace(ns.Name) {
 			continue
 		}
 		if err := deletePullSecret(clientset, ns); err != nil {
-			log.Println(err)
+			log.Print(err)
 		}
 		if err := createPullSecret(clientset, &ns, creds); err != nil {
-			log.Println(err)
+			log.Print(err)
 		}
 	}
 	return nil
 }
 
-// pullSecretTicker refreshes all the image registry pull secrets every hour
+// pullSecretTicker refreshes all the image registry pull secrets every six hours
 func pullSecretTicker() {
-	for range time.Tick(1 * time.Hour) {
+	for range time.Tick(6 * time.Hour) {
+		log.Print("refreshing image pull secrets")
 		if err := refreshAllPullSecrets(); err != nil {
 			log.Print(err)
 		}

From 8461add964d1e8be817ac48bb87e2c6d73452631 Mon Sep 17 00:00:00 2001
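Review bot: `&ns` on the added `createPullSecret(clientset, &ns, creds)` line takes the address of the range variable, and with `go 1.21` in go.mod that is one variable reused across iterations, so it is only safe if createPullSecret does not keep the pointer past its return — not something this page shows; a `ns := ns` at the top of the loop body (or moving go.mod to 1.22) removes the question. Failures inside the loop are only logged, so a namespace whose secret was deleted but not recreated is left without credentials until the next tick and the function still returns nil; collecting them with `errors.Join` and returning the aggregate would let the `log.Print(err)` in pullSecretTicker reflect a partial refresh. The function comment should say that a delete or create failure in one namespace does not stop the refresh of the others.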
From: Steven Powell
Date: Tue, 30 Jan 2024 08:57:02 -0800
Subject: [PATCH 5/6] revert to refreshing every hour

---
 server.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/server.go b/server.go
index f54c0dc..65afd39 100644
--- a/server.go
+++ b/server.go
@@ -194,9 +194,9 @@ func refreshAllPullSecrets() error {
 	return nil
 }
 
-// pullSecretTicker refreshes all the image registry pull secrets every six hours
+// pullSecretTicker refreshes all the image registry pull secrets every hour
 func pullSecretTicker() {
-	for range time.Tick(6 * time.Hour) {
+	for range time.Tick(1 * time.Hour) {
 		log.Print("refreshing image pull secrets")
 		if err := refreshAllPullSecrets(); err != nil {
 			log.Print(err)

From 822c2bc2d8a80644c8649780befe372a8bbd824b Mon Sep 17 00:00:00 2001
From: Steven Powell
Date: Tue, 20 Feb 2024 15:34:24 -0800
Subject: [PATCH 6/6] CI: Update Go to 1.22

---
 .github/workflows/build.yml | 2 +-
 Makefile                    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index d59bf5e..18573a5 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -8,5 +8,5 @@ jobs:
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
     - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
       with:
-        go-version: 1.21
+        go-version: 1.22
     - run: make build
diff --git a/Makefile b/Makefile
index 8269000..69eee41 100644
--- a/Makefile
+++ b/Makefile
@@ -1,5 +1,5 @@
 REGISTRY?=gcr.io/k8s-minikube
-VERSION=v0.1.0
+VERSION=v0.1.1
 GOOS?=$(shell go env GOOS)
 GOARCH?=$(shell go env GOARCH)
 ARCH=$(if $(findstring amd64, $(GOARCH)),x86_64,$(GOARCH))
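Review bot: the fixed `1 * time.Hour` period in pullSecretTicker is not tied to the lifetime of whatever credential createPullSecret writes into the secret; if that is a Google OAuth2 access token (typically valid for about an hour, which the 6h-then-back-to-1h history in this series hints at), a one-hour tick plus the list/delete/create work means the secret can hold an already-expired token for the duration of the refresh. Either derive the schedule from the token — have refreshAllPullSecrets return the `Expiry` of `creds.TokenSource.Token()` and sleep until a margin before it — or at least tick at a comfortable fraction of the lifetime, e.g. `for range time.Tick(50 * time.Minute) {`, and record the reason in the comment above pullSecretTicker so the next person does not bump it to six hours again. The comment should also note that a refresh which fails is not retried until the following tick.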