[go: up one dir, main page]

Agent: Copy image pull secrets before generating workspace resources

MR: Copy image pull secrets before generating works... (gitlab-org/cluster-integration/gitlab-agent!1811 - merged)

Description

As per the plan in Provide support to use images from private cont... (&14664 - closed) , copy image pull secrets before generating workspace resources.

Although the list of image pull secrets are directly available through the agent configuration, we should not rely on them because we are trying to move away from the agent config file to native GitLab settings as part of UX: Move GitLab Agent config to UI element (#457760)

Thus, the list of image pull secrets that need to be copied in the namespace of the workspace will be provided as part of the reconciliation response from rails to agent.

Changes required in the agent are

  • Define a new struct ImagePullSecret containing Name and Namespace, both string.
  • Add a new field ImagePullSecrets in WorkspaceRailsInfo struct which is an array of ImagePullSecret defined above.
  • As part of agent startup, a new informer will need to be started for secrets of type kubernetes.io/dockercfg and type kubernetes.io/dockerconfigjson(along with the existing informer for Deployment). This informer will synchronize the duplicated image_pull_secrets in the workspace namespace. This is useful for example in the case of a pod restart were we would need to re-pull images from a private registry. This informer will delete duplicated image_pull_secrets when the originals are deleted.
  • When workspace changes are getting applied in the agent, after checking if the namespaces exists or not, we will check the following
    • For each WorkspaceRailsInfo.ImagePullSecrets, check if the secret with name Name and in namespace Namespace is available in the informer for secret.
    • If not, log a warning only and proceed.
    • If yes, check if the secret with name Name and in namespace of the workspace is available in the informer for secret. If no, create the secret. Else, update the existing secret. (need to check if this create/update can be done without any check. I think there are helper functions in the go SDK).

Acceptance Criteria

  • The image pull secrets passed in the WorkspaceRailsInfo are copied to the namespace of the workspace.
  • The image pull secrets are synchronized when deleted/updated from their source namespaces.
  • If any of the image pull secrets do not exist, a warning log will be generated and we proceed with workspace creation.
Edited by Safwan Ahmed