Refactor secrets linking

1. when linking secret to SA, don't add it if already present 2. unlink secret from SA upon imageRepository deletion 3. don't link secret anymore to imagePullSecrets (used for the image pod is using, task/pipeline bundle image) 4. new option to clean up secret links via spec.credentials.verify-linking - It will link secret to service account if link is missing. - It will remove duplicate links of secret in service account. - It will remove secret from imagePullSecrets in service account. - It will unlink secret from service account, if secret doesn't exist (can recreated by using 'regenerate-token'). STONEBLD-2540 Signed-off-by: Robert Cerven <[email protected]>
konflux-ci · Jul 11, 2024 · 4d0be12 · 4d0be12
1 parent cec0ccb
commit 4d0be12
Show file tree

Hide file tree

Showing 7 changed files with 558 additions and 49 deletions.
diff --git a/README.md b/README.md
@@ -111,7 +111,28 @@ spec:
     regenerate-token: true
   ...
 ```
-After token rotation, the `spec.credentials` section will be deleted and `status.credentials.generationTimestamp` updated.
+After token rotation, the `spec.credentials.regenerate-token` section will be deleted and `status.credentials.generationTimestamp` updated.
+
+---
+
+### Verify and fix secrets links
+
+It will link secret to service account if link is missing.
+It will remove duplicate links of secret in service account.
+It will remove secret from imagePullSecrets in service account.
+It will unlink secret from service account, if secret doesn't exist (you can recreate secret using 'regenerate-token').
+It's possible to request verification and fixing of secrets linking to service account by adding:
+```yaml
+...
+spec:
+  ...
+  credentials:
+    verify-linking: true
+  ...
+```
+After verification, the `spec.credentials.verify-linking` section will be deleted.
+
+---
 
 ### Error handling
 

diff --git a/api/v1alpha1/imagerepository_types.go b/api/v1alpha1/imagerepository_types.go
@@ -64,6 +64,10 @@ type ImageCredentials struct {
 	// Refreshes both, push and pull tokens.
 	// The field gets cleared after the refresh.
 	RegenerateToken *bool `json:"regenerate-token,omitempty"`
+	// VerifyLinking defines a request to verify and fix
+	// secret linking in pipeline service account.
+	// The field gets cleared after fixing.
+	VerifyLinking *bool `json:"verify-linking,omitempty"`
 }
 
 type Notifications struct {

diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/appstudio.redhat.com_imagerepositories.yaml b/config/crd/bases/appstudio.redhat.com_imagerepositories.yaml
@@ -50,6 +50,11 @@ spec:
                       accessing credentials. Refreshes both, push and pull tokens.
                       The field gets cleared after the refresh.
                     type: boolean
+                  verify-linking:
+                    description: VerifyLinking defines a request to verify and fix
+                      secret linking in pipeline service account. The field gets cleared
+                      after fixing.
+                    type: boolean
                 type: object
               image:
                 description: Requested image repository configuration.