Skip to content

add imagePullSecrets to sidecar injection template #24365

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jun 4, 2020
Merged

add imagePullSecrets to sidecar injection template #24365

merged 1 commit into from
Jun 4, 2020
+560 −3

Conversation

tariq1890
Copy link
Contributor

@tariq1890 tariq1890 commented Jun 3, 2020
edited by istio-policy-bot
Loading

Since imagePullSecrets is a part of the SidecarInjectionSpec, it would be good to illustrate the usage of this through the manifest charts. Moreover, global values are used as settings in the sidecar injection template, so it only makes sense that we use the same pattern for providing the imagePullSecrets via .Values.global

[X] Configuration Infrastructure
[ ] Docs
[X] Installation
[ ] Networking
[ ] Performance and Scalability
[ ] Policies and Telemetry
[ ] Security
[ ] Test and Release
[X] User Experience
[ ] Developer Infrastructure

@tariq1890 tariq1890 requested a review from a team as a code owner June 3, 2020 05:34
@istio-testing istio-testing added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Jun 3, 2020
@googlebot googlebot added the cla: yes Set by the Google CLA bot to indicate the author of a PR has signed the Google CLA. label Jun 3, 2020
morvencao
morvencao reviewed Jun 3, 2020
View reviewed changes
Copy link
Member

@morvencao morvencao left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have you tested this case? What if the original pod already has imagePullSecrets?

howardjohn
howardjohn reviewed Jun 3, 2020
View reviewed changes
Copy link
Member

@howardjohn howardjohn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

won't you need to add this secret to every namespace?

We should at least add a test under inject_test.go for this if we are going to add this.

@tariq1890
Copy link
Contributor Author

Have you tested this case? What if the original pod already has imagePullSecrets?

In this case, it should append to the list of imagePullSecrets. I thought the code already does that?

@tariq1890
Copy link
Contributor Author

won't you need to add this secret to every namespace?

I think this is OK to assume. If any istio participating workload needs to pull down the istio-proxy image, the pullSecrets will have to be made available in all namespaces

@howardjohn
Copy link
Member

In this case, it should append to the list of imagePullSecrets. I thought the code already does that?

If you add a test then we won't have to guess 🙂

@tariq1890 tariq1890 requested review from costinm, linsun, rshriram and a team as code owners June 4, 2020 08:09
@istio-testing istio-testing added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Jun 4, 2020
@googlebot
Copy link
Collaborator

All (the pull request submitter and all commit authors) CLAs are signed, but one or more commits were authored or co-authored by someone other than the pull request submitter.

We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that by leaving a comment that contains only @googlebot I consent. in this pull request.

Note to project maintainer: There may be cases where the author cannot leave a comment, or the comment is not properly detected as consent. In those cases, you can manually confirm consent of the commit author(s), and set the cla label to yes (if enabled on your project).

ℹ️ Googlers: Go here for more info.

@googlebot googlebot added cla: no Set by the Google CLA bot to indicate the author of a PR has not signed the Google CLA. and removed cla: yes Set by the Google CLA bot to indicate the author of a PR has signed the Google CLA. labels Jun 4, 2020
@tariq1890
add imagePullSecrets to sidecar injection template

Unverified

This user has not yet uploaded their public signing key.
GPG key ID: DFC94E4A008B908A
Learn about vigilant mode
ab2aa4d 
add imagePullSecrets to sidecar injection template
@tariq1890 tariq1890 force-pushed the inject-img-secrets branch from fa559bb to ab2aa4d Compare June 4, 2020 08:11
@googlebot
Copy link
Collaborator

CLAs look good, thanks!

ℹ️ Googlers: Go here for more info.

@googlebot googlebot added cla: yes Set by the Google CLA bot to indicate the author of a PR has signed the Google CLA. and removed cla: no Set by the Google CLA bot to indicate the author of a PR has not signed the Google CLA. labels Jun 4, 2020
@istio-testing istio-testing added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Jun 4, 2020
tariq1890
tariq1890 commented Jun 4, 2020
View reviewed changes
pkg/kube/inject/inject.go
@@ -761,6 +761,8 @@ func IntoObject(sidecarTemplate string, valuesConfig string, revision string, me

podSpec.DNSConfig = spec.DNSConfig

podSpec.ImagePullSecrets = append(podSpec.ImagePullSecrets, spec.ImagePullSecrets...)
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks to the unit tests, I added this bugfix :).

Good call @howardjohn !

@tariq1890
Copy link
Contributor Author

Thanks for the approve @howardjohn . Do you agree this needs to be cherrypicked to release-1.6?

sdake
sdake approved these changes Jun 4, 2020
View reviewed changes
Copy link
Member

@sdake sdake left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. At some point, @istio/wg-environments-maintainers needs to have a discussion and agreement about "one API" to rule hem all. Currently we have three, and this PR adds to the deprecated API global.yaml. I understand completely why this option is necessary, although at some point, we need to consider a reorg of all of the 3 APIs (values,yaml, IsitoOperator, and MeshConfig) into one API.

The current (fuzzy) agreement as I understand it is to push everything to MeshConfig. I am not convinced this is a good choice as MeshConfig is already poorly organized.

What I'd like to see is one new object, that every component understands, that meets the criteria for a stable API. This viewpoint means deprecating MeshConfig in favor of IstioConfig - which would be a new take on IstioOperator - but with all of the stuff in MeshConfig.

For now, we can make an exception and add to values.yaml - but again, the WG needs to have further discussion and a concrete agreement on one API - used throughout istiod (mostly PIlot), as well as istioctl and the standalone operator and the helm charts.

Cheers,
-steve

@sdake
Copy link
Member

sdake commented Jun 4, 2020

cc / @rcernich I know you may be doing some work in this area. Also @ostromart is looking into this deeply.

I can bring us together - but would need an initial proposal.

@howardjohn
Copy link
Member

.global.imagePullSecrets is not a new option, it has existed forever. Just not applied to injection template

@sdake
Copy link
Member

sdake commented Jun 4, 2020

@tariq1890 I've selected this PR for backport to 1.6.

Cheers,
-steve

@istio-testing istio-testing merged commit 2e3459b into master Jun 4, 2020
@istio-testing istio-testing deleted the inject-img-secrets branch June 4, 2020 18:34
@istio-testing
Copy link
Collaborator

In response to a cherrypick label: #24365 failed to apply on top of branch "release-1.6":

Using index info to reconstruct a base tree...
M	manifests/charts/global.yaml
M	manifests/charts/istio-control/istio-discovery/files/gen-istio.yaml
M	manifests/charts/istio-control/istio-discovery/files/injection-template.yaml
M	manifests/charts/istiod-remote/files/gen-istiod-remote.yaml
M	manifests/charts/istiod-remote/files/injection-template.yaml
M	operator/cmd/mesh/profile-common.go
M	operator/cmd/mesh/testdata/manifest-generate/data-snapshot/charts/istio-control/istio-discovery/files/gen-istio.yaml
M	operator/cmd/mesh/testdata/manifest-generate/data-snapshot/charts/istio-control/istio-discovery/files/injection-template.yaml
M	operator/cmd/mesh/testdata/manifest-generate/output/all_on.golden-show-in-gh-pull-request.yaml
M	operator/cmd/mesh/testdata/manifest-generate/output/flag_output_set_profile.golden.yaml
M	operator/cmd/mesh/testdata/manifest-generate/output/flag_set_values.golden.yaml
M	operator/cmd/mesh/testdata/manifest-generate/output/pilot_default.golden.yaml
M	pkg/kube/inject/inject.go
M	pkg/kube/inject/inject_test.go
Falling back to patching base and 3-way merge...
Auto-merging pkg/kube/inject/inject_test.go
Auto-merging pkg/kube/inject/inject.go
Auto-merging operator/cmd/mesh/testdata/manifest-generate/output/pilot_default.golden.yaml
Auto-merging operator/cmd/mesh/testdata/manifest-generate/output/flag_set_values.golden.yaml
Auto-merging operator/cmd/mesh/testdata/manifest-generate/output/flag_output_set_profile.golden.yaml
CONFLICT (content): Merge conflict in operator/cmd/mesh/testdata/manifest-generate/output/flag_output_set_profile.golden.yaml
Auto-merging operator/cmd/mesh/testdata/manifest-generate/output/all_on.golden-show-in-gh-pull-request.yaml
CONFLICT (content): Merge conflict in operator/cmd/mesh/testdata/manifest-generate/output/all_on.golden-show-in-gh-pull-request.yaml
Auto-merging operator/cmd/mesh/testdata/manifest-generate/data-snapshot/charts/istio-control/istio-discovery/files/injection-template.yaml
Auto-merging operator/cmd/mesh/testdata/manifest-generate/data-snapshot/charts/istio-control/istio-discovery/files/gen-istio.yaml
CONFLICT (content): Merge conflict in operator/cmd/mesh/testdata/manifest-generate/data-snapshot/charts/istio-control/istio-discovery/files/gen-istio.yaml
Auto-merging operator/cmd/mesh/profile-common.go
Auto-merging manifests/charts/istiod-remote/files/injection-template.yaml
Auto-merging manifests/charts/istiod-remote/files/gen-istiod-remote.yaml
Auto-merging manifests/charts/istio-control/istio-discovery/files/injection-template.yaml
Auto-merging manifests/charts/istio-control/istio-discovery/files/gen-istio.yaml
Auto-merging manifests/charts/global.yaml
error: Failed to merge in the changes.
Patch failed at 0001 add imagePullSecrets to sidecar injection template

@istio-testing istio-testing mentioned this pull request Jun 4, 2020
Closed
@istio-testing
Copy link
Collaborator

In response to a cherrypick label: new issue created for failed cherrypick: #24437

tariq1890 added a commit that referenced this pull request Jun 4, 2020
@tariq1890
add imagePullSecrets to sidecar injection template (#24365)

Unverified

This user has not yet uploaded their public signing key.
GPG key ID: DFC94E4A008B908A
Learn about vigilant mode
40c7e90 
(cherry picked from commit 2e3459b)
@tariq1890
Copy link
Contributor Author

#24446

@tariq1890
Copy link
Contributor Author

Thanks @sdake @howardjohn

istio-testing pushed a commit that referenced this pull request Jun 5, 2020
@tariq1890
add imagePullSecrets to sidecar injection template (#24365) (#24446)

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode
4440d94 
(cherry picked from commit 2e3459b)
@rcernich
Copy link
Contributor

@sdake, I'm working on a POC that reorganizes the settings in values.yaml based on feature/area of concern. I've also drafted an RFC, which should be ready for review next week.

@ericvn ericvn mentioned this pull request Jun 17, 2020
Merged
nschhina pushed a commit to nschhina/istio that referenced this pull request Jun 18, 2020
@tariq1890 @nschhina
add imagePullSecrets to sidecar injection template (istio#24365)
91ef626 
add imagePullSecrets to sidecar injection template
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@morvencao morvencao

@howardjohn howardjohn

@sdake sdake

@costinm costinm

@linsun linsun

@rshriram rshriram

Assignees
No one assigned
Labels
area/config area/environments area/user experience cla: yes Set by the Google CLA bot to indicate the author of a PR has signed the Google CLA. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
8 participants
@tariq1890 @howardjohn @googlebot @sdake @istio-testing @rcernich @morvencao @istio-policy-bot