Automatically add the builder service account secrets to the signing process (kubernetes-sigs#344)

chr15p · web-flow · commit 7e473bfda0b9 · 2023-01-12T14:32:13.000-05:00
Both spec.imageRepoSecret and the builder secret are mounted as volumes under /docker_config
Changes in signimage in another PR means it then walks this tree looking for secrets and
the appropriate secret for the repo is used.
diff --git a/internal/sign/job/signer.go b/internal/sign/job/signer.go
@@ -126,13 +126,26 @@ func (s *signer) MakeJobTemplate(
 		utils.MakeSecretVolumeMount(signConfig.KeySecret, "/signingkey"),
 	}
 
-	args = append(args, "-secretdir", "/docker_config/")
 	imageSecret := mod.Spec.ImageRepoSecret
+	buildImageSecret, err := s.getSAImageRepoSecret(ctx, &mod, constants.OCPBuilderServiceAccountName)
+	if err != nil {
+		return nil, fmt.Errorf("Failed to get secrets for service account %s: %v", constants.OCPBuilderServiceAccountName, err)
+	}
+
+	args = append(args, "-secretdir", "/docker_config/")
 	if imageSecret != nil {
 		volumes = append(volumes, utils.MakeSecretVolume(imageSecret, "", ""))
 		volumeMounts = append(volumeMounts, utils.MakeSecretVolumeMount(imageSecret, "/docker_config/"+imageSecret.Name))
 	}
 
+	if len(buildImageSecret) > 0 {
+		for _, secret := range buildImageSecret {
+			buildSecret := &v1.LocalObjectReference{Name: secret.Name}
+			volumes = append(volumes, utils.MakeSecretVolume(buildSecret, "", ""))
+			volumeMounts = append(volumeMounts, utils.MakeSecretVolumeMount(buildSecret, "/docker_config/"+constants.OCPBuilderServiceAccountName+"/"+secret.Name))
+		}
+	}
+
 	specTemplate := v1.PodTemplateSpec{
 		Spec: v1.PodSpec{
 			Containers: []v1.Container{
@@ -187,6 +200,19 @@ func (s *signer) getHashAnnotationValue(ctx context.Context, privateSecret, publ
 	return getHashValue(podTemplate, publicKeyData, privateKeyData)
 }
 
+func (s *signer) getSAImageRepoSecret(ctx context.Context, mod *kmmv1beta1.Module, accountName string) ([]v1.ObjectReference, error) {
+	serviceaccount := v1.ServiceAccount{}
+
+	namespacedName := types.NamespacedName{Name: accountName, Namespace: mod.Namespace}
+
+	err := s.client.Get(ctx, namespacedName, &serviceaccount)
+	if err != nil {
+		return nil, err
+	}
+
+	return serviceaccount.Secrets, nil
+}
+
 func (s *signer) getSecretData(ctx context.Context, secretName, secretDataKey, namespace string) ([]byte, error) {
 	secret := v1.Secret{}
 	namespacedName := types.NamespacedName{Name: secretName, Namespace: namespace}
diff --git a/internal/sign/job/signer_test.go b/internal/sign/job/signer_test.go
@@ -208,6 +208,12 @@ var _ = Describe("MakeJobTemplate", func() {
 
 		gomock.InOrder(
 			helper.EXPECT().GetRelevantSign(mod.Spec, km, kernelVersion).Return(km.Sign, nil),
+			clnt.EXPECT().Get(ctx, types.NamespacedName{Name: "builder", Namespace: mod.Namespace}, gomock.Any()).DoAndReturn(
+				func(_ interface{}, _ interface{}, svcaccnt *v1.ServiceAccount, _ ...ctrlclient.GetOption) error {
+					svcaccnt.Secrets = []v1.ObjectReference{}
+					return nil
+				},
+			),
 			clnt.EXPECT().Get(ctx, types.NamespacedName{Name: km.Sign.KeySecret.Name, Namespace: mod.Namespace}, gomock.Any()).DoAndReturn(
 				func(_ interface{}, _ interface{}, secret *v1.Secret, _ ...ctrlclient.GetOption) error {
 					secret.Data = privateSignData
@@ -255,6 +261,12 @@ var _ = Describe("MakeJobTemplate", func() {
 
 		gomock.InOrder(
 			helper.EXPECT().GetRelevantSign(mod.Spec, km, kernelVersion).Return(km.Sign, nil),
+			clnt.EXPECT().Get(ctx, types.NamespacedName{Name: "builder", Namespace: mod.Namespace}, gomock.Any()).DoAndReturn(
+				func(_ interface{}, _ interface{}, svcaccnt *v1.ServiceAccount, _ ...ctrlclient.GetOption) error {
+					svcaccnt.Secrets = []v1.ObjectReference{}
+					return nil
+				},
+			),
 			clnt.EXPECT().Get(ctx, types.NamespacedName{Name: km.Sign.KeySecret.Name, Namespace: mod.Namespace}, gomock.Any()).DoAndReturn(
 				func(_ interface{}, _ interface{}, secret *v1.Secret, _ ...ctrlclient.GetOption) error {
 					secret.Data = privateSignData
@@ -317,15 +329,21 @@ var _ = Describe("MakeJobTemplate", func() {
 				CertSecret:               &v1.LocalObjectReference{Name: "securebootcert"},
 			},
 		}
-
 		gomock.InOrder(
 			helper.EXPECT().GetRelevantSign(mod.Spec, km, kernelVersion).Return(km.Sign, nil),
+			clnt.EXPECT().Get(ctx, types.NamespacedName{Name: "builder", Namespace: mod.Namespace}, gomock.Any()).DoAndReturn(
+				func(_ interface{}, _ interface{}, svcaccnt *v1.ServiceAccount, _ ...ctrlclient.GetOption) error {
+					svcaccnt.Secrets = []v1.ObjectReference{}
+					return nil
+				},
+			),
 			clnt.EXPECT().Get(ctx, types.NamespacedName{Name: km.Sign.KeySecret.Name, Namespace: mod.Namespace}, gomock.Any()).DoAndReturn(
 				func(_ interface{}, _ interface{}, secret *v1.Secret, _ ...ctrlclient.GetOption) error {
 					secret.Data = privateSignData
 					return nil
 				},
 			),
+
 			clnt.EXPECT().Get(ctx, types.NamespacedName{Name: km.Sign.CertSecret.Name, Namespace: mod.Namespace}, gomock.Any()).DoAndReturn(
 				func(_ interface{}, _ interface{}, secret *v1.Secret, _ ...ctrlclient.GetOption) error {
 					secret.Data = publicSignData
