From 28a50acde2f81e5d5e01acc7f0590f764a2c343f Mon Sep 17 00:00:00 2001
From: Sameer Naik
Date: Tue, 24 Apr 2018 17:30:30 +0530
Subject: [PATCH] add rule to manage secrets in the kubeapps namespace (#268)
* import fixes from bitnami-labs/helm-crd/pull/23
* add rule to manage secrets in the kubeapps namespace
* address review comments
---
 cmd/apprepository-controller/controller.go | 6 ++++--
 .../pkg/apis/apprepository/v1alpha1/types.go | 7 ++++++-
 cmd/chart-repo/utils.go | 15 ++++++++++-----
 manifests/kube-api.jsonnet | 6 ++++++
 4 files changed, 26 insertions(+), 8 deletions(-)
diff --git a/cmd/apprepository-controller/controller.go b/cmd/apprepository-controller/controller.go
index 1c46e40d2ef..be5256775ea 100644
--- a/cmd/apprepository-controller/controller.go
+++ b/cmd/apprepository-controller/controller.go
@@ -527,8 +527,10 @@ func apprepoSyncJobEnvVars(apprepo *apprepov1alpha1.AppRepository) []corev1.EnvV
 })
 if apprepo.Spec.Auth.Header != nil {
 envVars = append(envVars, corev1.EnvVar{
- Name: "AUTHORIZATION_HEADER",
- ValueFrom: apprepo.Spec.Auth.Header,
+ Name: "AUTHORIZATION_HEADER",
+ ValueFrom: &corev1.EnvVarSource{
+ SecretKeyRef: &apprepo.Spec.Auth.Header.SecretKeyRef,
+ },
 })
 }
 return envVars
diff --git a/cmd/apprepository-controller/pkg/apis/apprepository/v1alpha1/types.go b/cmd/apprepository-controller/pkg/apis/apprepository/v1alpha1/types.go
index db396bd4098..49b7dde1923 100644
--- a/cmd/apprepository-controller/pkg/apis/apprepository/v1alpha1/types.go
+++ b/cmd/apprepository-controller/pkg/apis/apprepository/v1alpha1/types.go
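Review bot: The guard around the new `ValueFrom` only checks `apprepo.Spec.Auth.Header != nil`, but `SecretKeyRef` is now a value field (see the types.go hunk), so a `header: {}` object passes the guard and yields an env var whose secret name and key are empty. That is likely to surface only later, as a sync job that cannot be created or started, rather than as a rejected AppRepository. Consider tightening the condition to `if h := apprepo.Spec.Auth.Header; h != nil && h.SecretKeyRef.Name != "" && h.SecretKeyRef.Key != "" {`, or logging and skipping the auth variable otherwise. `&apprepo.Spec.Auth.Header.SecretKeyRef` also points into the AppRepository object passed in, which may be a shared cached copy; copying the selector into a local before taking its address avoids that aliasing. The body of apprepoSyncJobEnvVars starts outside the hunk.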
@@ -44,7 +44,12 @@ type AppRepositorySpec struct {
 // AppRepositoryAuth is the auth for an AppRepository resource
 type AppRepositoryAuth struct {
- Header *corev1.EnvVarSource `json:"header,omitempty"`
+ Header *AppRepositoryAuthHeader `json:"header,omitempty"`
+}
+
+type AppRepositoryAuthHeader struct {
+ // Selects a key of a secret in the pod's namespace
+ SecretKeyRef corev1.SecretKeySelector `json:"secretKeyRef,omitempty"`
 }
 // AppRepositoryStatus is the status for an AppRepository resource
diff --git a/cmd/chart-repo/utils.go b/cmd/chart-repo/utils.go
index 57e1cd6f431..7bfbd433aa6 100644
--- a/cmd/chart-repo/utils.go
+++ b/cmd/chart-repo/utils.go
@@ -41,8 +41,9 @@ import (
 )
 const (
- chartCollection = "charts"
- chartFilesCollection = "files"
+ chartCollection = "charts"
+ chartFilesCollection = "files"
+ defaultTimeoutSeconds = 10
 )
 type importChartFilesJob struct {
@@ -56,7 +57,7 @@ type httpClient interface {
 }
 var netClient httpClient = &http.Client{
- Timeout: time.Second * 10,
+ Timeout: time.Second * defaultTimeoutSeconds,
 }
 func parseRepoUrl(repoURL string) (*url.URL, error) {
@@ -170,6 +171,9 @@ func fetchRepoIndex(r repo) (*helmrepo.IndexFile, error) {
 req.Header.Set("Authorization", r.AuthorizationHeader)
 }
 res, err := netClient.Do(req)
+ if res != nil {
+ defer res.Body.Close()
+ }
 if err != nil {
 log.WithFields(log.Fields{"url": req.URL.String()}).WithError(err).Error("error requesting repo index")
 return nil, err
@@ -180,7 +184,6 @@ func fetchRepoIndex(r repo) (*helmrepo.IndexFile, error) {
 return nil, errors.New("repo index request failed")
 }
- defer res.Body.Close()
 body, err := ioutil.ReadAll(res.Body)
 if err != nil {
 return nil, err
@@ -281,10 +284,12 @@ func fetchAndImportIcon(dbSession datastore.Session, c chart) error {
 }
 res, err := netClient.Do(req)
+ if res != nil {
+ defer res.Body.Close()
+ }
 if err != nil {
 return err
 }
- defer res.Body.Close()
 if res.StatusCode != http.StatusOK {
 return fmt.Errorf("%d %s", res.StatusCode, c.Icon)
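Review bot: The exported type `AppRepositoryAuthHeader` is added without a doc comment, and the field comment does not say who chooses the Secret. The selector comes from the AppRepository spec and, judging by the other files in this patch, its value ends up as the Authorization header of the repository request, so write access to AppRepository objects presumably amounts to use of any Secret key in the sync job's namespace. I would state that on the type, e.g. `// AppRepositoryAuthHeader selects the Secret key sent as the Authorization header; it is resolved in the sync job's namespace, so restrict who may create or edit AppRepository objects.` Separately, `omitempty` has no effect on a non-pointer struct field in encoding/json, so `secretKeyRef` is always serialized and an unset selector cannot be told apart from an empty one; declaring the field as `*corev1.SecretKeySelector` would address both.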
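Review bot: The token that now comes from a Secret is attached by the context line `req.Header.Set("Authorization", r.AuthorizationHeader)` whatever the scheme of the repository URL, so an `http://` repository would carry the credential in cleartext. The request is built outside this hunk, so a scheme check may already exist there; if it does not, a guard before `netClient.Do` such as `if r.AuthorizationHeader != "" && req.URL.Scheme != "https" { return nil, errors.New("authorization header requires an https repo url") }` (or at least a logged warning) would close that gap. On the added lines, `defer res.Body.Close()` assumes a non-nil `Body` whenever `res` is non-nil; `netClient` is the `httpClient` interface, so a test double returning a bare `&http.Response{}` together with an error would panic here, and `if res != nil && res.Body != nil {` is a cheap fix. The same defer pattern is added in fetchAndImportIcon in the last hunk of this file.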
diff --git a/manifests/kube-api.jsonnet b/manifests/kube-api.jsonnet
index 49650e0fc9b..4163443e806 100644
--- a/manifests/kube-api.jsonnet
+++ b/manifests/kube-api.jsonnet
@@ -13,6 +13,12 @@ local kube = import "kube.libsonnet";
 resources: ["configmaps"],
 verbs: ["get", "list"],
 },
+ // Kubeapps creates Secrets with authorization token data for private chart repos
+ {
+ apiGroups: [""],
+ resources: ["secrets"],
+ verbs: ["create"],
+ },
 // Kubeapps creates and manages AppRepository CRD objects that define
 // which application (e.g. chart) repositories will be indexed.
 {
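Review bot: The comment on the new rule does not say how these Secrets are later rotated or removed: the rule grants only `create`, so a token Secret written through this role cannot be updated or deleted by it, and stale credentials would stay in the namespace unless something else (for example owner references tied to the AppRepository) cleans them up. Keeping the verb list this narrow is good for least privilege, and the comment should say it is deliberate, e.g. `// create only: rotation and cleanup of these Secrets are handled by <mechanism>, so no get/update/delete is granted here`. The enclosing role object and its binding are outside the hunk, so it is worth confirming that this rule sits in a namespaced Role bound in the kubeapps namespace rather than in a cluster-wide one.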