feat: adding auth secret for terraform controller and it's jobs

Signed-off-by: Duc Thang Tran <[email protected]>

feat: upgrading go version in github workflow and Dockerfile

Signed-off-by: Duc Thang Tran <[email protected]>

feat: upgrading go version in github workflow

Signed-off-by: Duc Thang Tran <[email protected]>

.github/workflows/unit-test.yml

@@ -15,7 +15,7 @@ on:
 
 env:
   # Common versions
-  GO_VERSION: '1.17.6'
+  GO_VERSION: '1.18.0'
 
 jobs:
   lint:

chart/templates/terraform_controller.yaml

@@ -20,6 +20,10 @@ spec:
         - name: terraform-controller
           image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- if .Values.authSecretName }}
+          imagePullSecrets:
+          - name: {{ .Values.authSecretName }}
+          {{- end }}
           args:
             {{- if .Values.controllerNamespace }}
             - --controller-namespace={{ .Values.controllerNamespace }}
@@ -38,6 +42,10 @@ spec:
               value: {{ .Values.busyboxImage}}
             - name: GIT_IMAGE
               value: {{ .Values.gitImage}}
+            {{- if .Values.jobAuthSecret }}
+            - name: JOB_AUTH_SECRET
+              value: {{ .Values.jobAuthSecret }}
+            {{- end }}
             - name: GITHUB_BLOCKED
               value: {{ .Values.githubBlocked }}
             {{ if .Values.jobBackoffLimit }}

chart/values.yaml

@@ -10,6 +10,9 @@ busyboxImage: busybox:latest
 terraformImage: oamdev/docker-terraform:1.1.5
 controllerNamespace: ""
 
+authSecretName: ""
+jobAuthSecret: ""
+
 # "{\"nat\": \"true\"}"
 jobNodeSelector: ""
 jobBackoffLimit: ""

controllers/configuration_controller.go

@@ -373,6 +373,8 @@ func (r *ConfigurationReconciler) preCheck(ctx context.Context, configuration *v
 		}
 	}
 
+	meta.JobAuthSecret = os.Getenv("JOB_AUTH_SECRET")
+
 	if err := r.preCheckResourcesSetting(meta); err != nil {
 		return err
 	}

controllers/configuration_controller_test.go

@@ -803,6 +803,31 @@ func TestPreCheck(t *testing.T) {
 			},
 			want: want{},
 		},
+		{
+			name: "wrong value in environment variable JOB_AUTH_SECRET",
+			prepare: func(t *testing.T) {
+				t.Setenv("JOB_AUTH_SECRET", "test-secret")
+			},
+			args: args{
+				r: r,
+				configuration: &v1beta2.Configuration{
+					ObjectMeta: v1.ObjectMeta{
+						Name: "abc",
+					},
+					Spec: v1beta2.ConfigurationSpec{
+						HCL: "bbb",
+					},
+				},
+				meta: &process.TFConfigurationMeta{
+					ConfigurationCMName: "abc",
+					ProviderReference: &crossplane.Reference{
+						Namespace: "default",
+						Name:      "default",
+					},
+				},
+			},
+			want: want{},
+		},
 	}
 
 	for _, tc := range testcases {

controllers/process/meta.go

@@ -57,6 +57,9 @@ type TFConfigurationMeta struct {
 	BusyboxImage   string
 	GitImage       string
 
+	// JobAuthSecret is the secret name for pulling image in the Terraform job
+	JobAuthSecret string
+
 	// BackoffLimit specifies the number of retries to mark the Job as failed
 	BackoffLimit int32
 

controllers/process/process.go

@@ -328,6 +328,7 @@ func (meta *TFConfigurationMeta) assembleTerraformJob(executionType types.Terraf
 					Volumes:            executorVolumes,
 					RestartPolicy:      v1.RestartPolicyOnFailure,
 					NodeSelector:       meta.JobNodeSelector,
+					ImagePullSecrets:   []v1.LocalObjectReference{{Name: meta.JobAuthSecret}},
 				},
 			},
 		},