authn: also read mount secrets (#1560)

lcarva · web-flow · commit eb7d746c941e · 2023-02-08T09:20:19.000-05:00
Fixes: #1558 Signed-off-by: Luiz Carvalho <lucarval@redhat.com>
diff --git a/pkg/authn/kubernetes/keychain.go b/pkg/authn/kubernetes/keychain.go
@@ -58,6 +58,12 @@ type Options struct {
 	// ImagePullSecrets holds the names of the Kubernetes secrets (scoped to
 	// Namespace) containing credential data to use for the image pull.
 	ImagePullSecrets []string
+
+	// UseMountSecrets determines whether or not mount secrets in the ServiceAccount
+	// should be considered. Mount secrets are those listed under the `.secrets`
+	// attribute of the ServiceAccount resource. Ignored if ServiceAccountName is set
+	// to NoServiceAccount.
+	UseMountSecrets bool
 }
 
 // New returns a new authn.Keychain suitable for resolving image references as
@@ -111,6 +117,19 @@ func New(ctx context.Context, client kubernetes.Interface, opt Options) (authn.K
 				}
 				pullSecrets = append(pullSecrets, *ps)
 			}
+
+			if opt.UseMountSecrets {
+				for _, obj := range sa.Secrets {
+					s, err := client.CoreV1().Secrets(opt.Namespace).Get(ctx, obj.Name, metav1.GetOptions{})
+					if k8serrors.IsNotFound(err) {
+						logs.Warn.Printf("secret %s/%s not found; ignoring", opt.Namespace, obj.Name)
+						continue
+					} else if err != nil {
+						return nil, err
+					}
+					pullSecrets = append(pullSecrets, *s)
+				}
+			}
 		}
 	}
 
diff --git a/pkg/authn/kubernetes/keychain_test.go b/pkg/authn/kubernetes/keychain_test.go
@@ -28,6 +28,7 @@ import (
 	"github.com/google/go-containerregistry/pkg/name"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
 	fakeclient "k8s.io/client-go/kubernetes/fake"
 )
 
@@ -131,7 +132,7 @@ func TestServiceAccountNotFound(t *testing.T) {
 	testResolve(t, kc, registry(t, "fake.registry.io"), authn.Anonymous)
 }
 
-func TestAttachedServiceAccount(t *testing.T) {
+func TestImagePullSecretAttachedServiceAccount(t *testing.T) {
 	username, password := "foo", "bar"
 	client := fakeclient.NewSimpleClientset(&corev1.ServiceAccount{
 		ObjectMeta: metav1.ObjectMeta{
@@ -160,6 +161,73 @@ func TestAttachedServiceAccount(t *testing.T) {
 		&authn.Basic{Username: username, Password: password})
 }
 
+func TestSecretAttachedServiceAccount(t *testing.T) {
+	username, password := "foo", "bar"
+
+	cases := []struct {
+		name            string
+		createSecret    bool
+		useMountSecrets bool
+		expected        authn.Authenticator
+	}{
+		{
+			name:            "resolved successfully",
+			createSecret:    true,
+			useMountSecrets: true,
+			expected:        &authn.Basic{Username: username, Password: password},
+		},
+		{
+			name:            "missing secret skipped",
+			createSecret:    false,
+			useMountSecrets: true,
+			expected:        &authn.Basic{},
+		},
+		{
+			name:            "skip option",
+			createSecret:    true,
+			useMountSecrets: false,
+			expected:        &authn.Basic{},
+		},
+	}
+
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+
+			objs := []runtime.Object{
+				&corev1.ServiceAccount{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "svcacct",
+						Namespace: "ns",
+					},
+					Secrets: []corev1.ObjectReference{{
+						Name: "secret",
+					}},
+				},
+			}
+			if c.createSecret {
+				objs = append(objs, dockerCfgSecretType.Create(
+					t, "ns", "secret", "fake.registry.io", authn.AuthConfig{
+						Username: username,
+						Password: password,
+					}))
+			}
+			client := fakeclient.NewSimpleClientset(objs...)
+
+			kc, err := New(context.Background(), client, Options{
+				Namespace:          "ns",
+				ServiceAccountName: "svcacct",
+				UseMountSecrets:    c.useMountSecrets,
+			})
+			if err != nil {
+				t.Fatalf("New() = %v", err)
+			}
+
+			testResolve(t, kc, registry(t, "fake.registry.io"), c.expected)
+		})
+	}
+
+}
+
 // Prioritze picking the first secret
 func TestSecretPriority(t *testing.T) {
 	secrets := []corev1.Secret{
