draft accept wasm pull secret as env var

add a unit test and assert

Signed-off-by: craig <[email protected]>

rh-pre-commit.version: 2.2.0
rh-pre-commit.check-secrets: ENABLED

controllers/istio_extension_reconciler.go

@@ -16,6 +16,7 @@ import (
 	"k8s.io/apimachinery/pkg/labels"
 	k8stypes "k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/dynamic"
+	"k8s.io/utils/env"
 	"k8s.io/utils/ptr"
 
 	kuadrantv1 "github.com/kuadrant/kuadrant-operator/api/v1"
@@ -27,6 +28,8 @@ import (
 	"github.com/kuadrant/kuadrant-operator/pkg/wasm"
 )
 
+var wasmImagePullSecret = env.GetString("WASM_IMAGE_PULL_SECRET", "")
+
 //+kubebuilder:rbac:groups=extensions.istio.io,resources=wasmplugins,verbs=get;list;watch;create;update;patch;delete
 
 // IstioExtensionReconciler reconciles Istio WasmPlugin custom resources
@@ -78,7 +81,7 @@ func (r *IstioExtensionReconciler) Reconcile(ctx context.Context, _ []controller
 	for _, gateway := range gateways {
 		gatewayKey := k8stypes.NamespacedName{Name: gateway.GetName(), Namespace: gateway.GetNamespace()}
 
-		desiredWasmPlugin := buildIstioWasmPluginForGateway(gateway, wasmConfigs[gateway.GetLocator()])
+		desiredWasmPlugin := buildIstioWasmPluginForGateway(gateway, wasmConfigs[gateway.GetLocator()], wasmImagePullSecret)
 
 		resource := r.client.Resource(kuadrantistio.WasmPluginsResource).Namespace(desiredWasmPlugin.GetNamespace())
 
@@ -228,7 +231,7 @@ func hasAuthAccess(actionSet []wasm.Action) bool {
 }
 
 // buildIstioWasmPluginForGateway builds a desired WasmPlugin custom resource for a given gateway and corresponding wasm config
-func buildIstioWasmPluginForGateway(gateway *machinery.Gateway, wasmConfig wasm.Config) *istioclientgoextensionv1alpha1.WasmPlugin {
+func buildIstioWasmPluginForGateway(gateway *machinery.Gateway, wasmConfig wasm.Config, imagePullSecret string) *istioclientgoextensionv1alpha1.WasmPlugin {
 	wasmPlugin := &istioclientgoextensionv1alpha1.WasmPlugin{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       kuadrantistio.WasmPluginGroupKind.Kind,
@@ -262,6 +265,9 @@ func buildIstioWasmPluginForGateway(gateway *machinery.Gateway, wasmConfig wasm.
 			Phase:        istioextensionsv1alpha1.PluginPhase_STATS, // insert the plugin before Istio stats filters and after Istio authorization filters.
 		},
 	}
+	if imagePullSecret != "" {
+		wasmPlugin.Spec.ImagePullSecret = imagePullSecret
+	}
 
 	if len(wasmConfig.ActionSets) == 0 {
 		utils.TagObjectToDelete(wasmPlugin)

controllers/istio_extenstion_reconciler_test.go

@@ -0,0 +1,75 @@
+//go:build unit
+
+package controllers
+
+import (
+	"testing"
+
+	"github.com/kuadrant/kuadrant-operator/pkg/wasm"
+	"github.com/kuadrant/policy-machinery/machinery"
+	istioclientgoextensionv1alpha1 "istio.io/client-go/pkg/apis/extensions/v1alpha1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	v1 "sigs.k8s.io/gateway-api/apis/v1"
+)
+
+func Test_buildIstioWasmPluginForGateway(t *testing.T) {
+	var imagePullSecret = "testsecret"
+	var testGateway = &machinery.Gateway{
+		Gateway: &v1.Gateway{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "test",
+				Namespace: "test",
+			},
+		},
+	}
+	var testWasmConfig = wasm.Config{
+		ActionSets: []wasm.ActionSet{
+			{
+				Name: "test",
+			},
+		},
+	}
+	testCases := []struct {
+		Name            string
+		Gateway         *machinery.Gateway
+		WasmConfig      wasm.Config
+		ImagePullSecret string
+		Assert          func(t *testing.T, plugin *istioclientgoextensionv1alpha1.WasmPlugin)
+	}{
+		{
+			Name:            "ensure image pull secret is set in wasmPlugin",
+			Gateway:         testGateway,
+			WasmConfig:      testWasmConfig,
+			ImagePullSecret: imagePullSecret,
+			Assert: func(t *testing.T, plugin *istioclientgoextensionv1alpha1.WasmPlugin) {
+				if plugin == nil {
+					t.Fatalf("Expected a wasmplugin")
+				}
+				if plugin.Spec.ImagePullSecret != imagePullSecret {
+					t.Fatalf("Expected wasm plugin to have imagePullSecret %s but got %s", imagePullSecret, plugin.Spec.ImagePullSecret)
+				}
+			},
+		},
+		{
+			Name:       "ensure image pull secret is NOT set in wasmPlugin",
+			Gateway:    testGateway,
+			WasmConfig: testWasmConfig,
+			Assert: func(t *testing.T, plugin *istioclientgoextensionv1alpha1.WasmPlugin) {
+				if plugin == nil {
+					t.Fatalf("Expected a wasmplugin")
+				}
+				if plugin.Spec.ImagePullSecret != "" {
+					t.Fatalf("Expected wasm plugin to have not imagePullSecret %s", plugin.Spec.ImagePullSecret)
+				}
+			},
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.Name, func(t *testing.T) {
+			plugin := buildIstioWasmPluginForGateway(testCase.Gateway, testCase.WasmConfig, testCase.ImagePullSecret)
+			testCase.Assert(t, plugin)
+		})
+	}
+
+}

tests/istio/extension_reconciler_test.go

@@ -146,6 +146,8 @@ var _ = Describe("Rate Limiting WasmPlugin controller", func() {
 			Expect(existingWasmPlugin.Spec.TargetRefs[0].Group).To(Equal("gateway.networking.k8s.io"))
 			Expect(existingWasmPlugin.Spec.TargetRefs[0].Kind).To(Equal("Gateway"))
 			Expect(existingWasmPlugin.Spec.TargetRefs[0].Name).To(Equal(gateway.Name))
+			// has the correct pull secret set
+			Expect(existingWasmPlugin.Spec.ImagePullSecret).To(Equal(wasmImagePullSecret))
 			existingWASMConfig, err := wasm.ConfigFromStruct(existingWasmPlugin.Spec.PluginConfig)
 			Expect(err).ToNot(HaveOccurred())
 			Expect(existingWASMConfig).To(Equal(&wasm.Config{

tests/istio/suite_test.go

@@ -45,6 +45,8 @@ var k8sClient client.Client
 var testEnv *envtest.Environment
 var kuadrantInstallationNS string
 
+const wasmImagePullSecret = "tessPullImage"
+
 func testClient() client.Client { return k8sClient }
 
 func TestAPIs(t *testing.T) {
@@ -128,6 +130,7 @@ func TestMain(m *testing.M) {
 		log.SetMode(log.ModeDev),
 		log.WriteTo(GinkgoWriter),
 	).WithName("istio_controller_test")
+	os.Setenv("WASM_IMAGE_PULL_SECRET", wasmImagePullSecret)
 	log.SetLogger(logger)
 	os.Exit(m.Run())
 }