
Commit a0cca8a

authored
k8schain: Log and proceed if secret or SA are not found (#1472)
1 parent 02f47e1 commit a0cca8a


2 files changed

+57
-9
lines changed


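--- a/pkg/authn/kubernetes/keychain.go
+++ b/pkg/authn/kubernetes/keychain.go
@@ -25,7 +25,9 @@ import (
 "strings"
 
 "github.com/google/go-containerregistry/pkg/authn"
+"github.com/google/go-containerregistry/pkg/logs"
 corev1 "k8s.io/api/core/v1"
+k8serrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/client-go/kubernetes"
 "k8s.io/client-go/rest"
@@ -65,23 +67,33 @@ func New(ctx context.Context, client kubernetes.Interface, opt Options) (authn.K
 var pullSecrets []corev1.Secret
 for _, name := range opt.ImagePullSecrets {
 ps, err := client.CoreV1().Secrets(opt.Namespace).Get(ctx, name, metav1.GetOptions{})
-if err != nil {
+if k8serrors.IsNotFound(err) {
+logs.Warn.Printf("secret %s/%s not found; ignoring", opt.Namespace, name)
+continue
+} else if err != nil {
 return nil, err
 }
 pullSecrets = append(pullSecrets, *ps)
 }
 
 // Second, fetch all of the pull secrets attached to our service account.
 sa, err := client.CoreV1().ServiceAccounts(opt.Namespace).Get(ctx, opt.ServiceAccountName, metav1.GetOptions{})
-if err != nil {
+if k8serrors.IsNotFound(err) {
+logs.Warn.Printf("serviceaccount %s/%s not found; ignoring", opt.Namespace, opt.ServiceAccountName)
+} else if err != nil {
 return nil, err
 }
-for _, localObj := range sa.ImagePullSecrets {
-ps, err := client.CoreV1().Secrets(opt.Namespace).Get(ctx, localObj.Name, metav1.GetOptions{})
-if err != nil {
-return nil, err
+if sa != nil {
+for _, localObj := range sa.ImagePullSecrets {
+ps, err := client.CoreV1().Secrets(opt.Namespace).Get(ctx, localObj.Name, metav1.GetOptions{})
+if k8serrors.IsNotFound(err) {
+logs.Warn.Printf("secret %s/%s not found; ignoring", opt.Namespace, localObj.Name)
+continue
+} else if err != nil {
+return nil, err
+}
+pullSecrets = append(pullSecrets, *ps)
 }
-pullSecrets = append(pullSecrets, *ps)
 }
 
 return NewFromPullSecrets(ctx, pullSecrets)
@@ -236,8 +248,9 @@ func splitURL(url *url.URL) (parts []string, port string) {
 // glob wild cards in the host name.
 //
 // Examples:
-// globURL=*.docker.io, targetURL=blah.docker.io => match
-// globURL=*.docker.io, targetURL=not.right.io => no match
+//
+// globURL=*.docker.io, targetURL=blah.docker.io => match
+// globURL=*.docker.io, targetURL=not.right.io => no match
 //
 // Note that we don't support wildcards in ports and paths yet.
 func urlsMatch(globURL *url.URL, targetURL *url.URL) (bool, error) {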
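Review bot: In New, a secret the caller named in `opt.ImagePullSecrets` is now skipped when it does not exist, so a mistyped name falls through to whatever other credentials resolve (anonymous in the new tests), and the only signal is a `logs.Warn` line, which I believe is discarded unless the embedding program configures that logger. The service-account lookup and the loop over `sa.ImagePullSecrets` behave the same way. Because this makes credential resolution fail open, New's doc comment should say so, for example `// Secrets and service accounts that are not found are logged and skipped; any other API error is returned.` The `if sa != nil` guard also deserves a why-comment such as `// sa may be nil after a NotFound error`, since the code no longer returns on that error. New's signature and doc comment lie outside the hunk, so the current wording could not be checked.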

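--- a/pkg/authn/kubernetes/keychain_test.go
+++ b/pkg/authn/kubernetes/keychain_test.go
@@ -89,6 +89,41 @@ func TestAnonymousFallback(t *testing.T) {
 testResolve(t, kc, registry(t, "fake.registry.io"), authn.Anonymous)
 }
 
+func TestSecretNotFound(t *testing.T) {
+client := fakeclient.NewSimpleClientset(&corev1.ServiceAccount{
+ObjectMeta: metav1.ObjectMeta{
+Name: "default",
+Namespace: "default",
+},
+})
+
+kc, err := New(context.Background(), client, Options{
+ImagePullSecrets: []string{"not-found"},
+})
+if err != nil {
+t.Errorf("New() = %v", err)
+}
+
+testResolve(t, kc, registry(t, "fake.registry.io"), authn.Anonymous)
+}
+
+func TestServiceAccountNotFound(t *testing.T) {
+client := fakeclient.NewSimpleClientset(&corev1.ServiceAccount{
+ObjectMeta: metav1.ObjectMeta{
+Name: "default",
+Namespace: "default",
+},
+})
+kc, err := New(context.Background(), client, Options{
+ServiceAccountName: "not-found",
+})
+if err != nil {
+t.Errorf("New() = %v", err)
+}
+
+testResolve(t, kc, registry(t, "fake.registry.io"), authn.Anonymous)
+}
+
 func TestAttachedServiceAccount(t *testing.T) {
 username, password := "foo", "bar"
 client := fakeclient.NewSimpleClientset(&corev1.ServiceAccount{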
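Review bot: Both new tests report a failing New with `t.Errorf` and then pass `kc` to `testResolve`; if New ever returned an error here, `kc` would presumably be nil and the test would fail inside testResolve rather than at the real cause, so `t.Fatalf("New() = %v", err)` is the safer call. The third new branch in keychain.go, a secret listed in a service account's `ImagePullSecrets` that does not exist, has no test. Nothing asserts that an error other than NotFound (a forbidden response, say) still makes New fail, which is the case that pins the boundary between skipping and aborting; a reactor on the fake clientset could inject it. TestAttachedServiceAccount continues beyond the hunk.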
