add rule to manage secrets in the kubeapps namespace (#268)

* import fixes from vmware-archive/helm-crd/pull/23 * add rule to manage secrets in the kubeapps namespace * address review comments
vmware-tanzu · Apr 24, 2018 · 28a50ac · 28a50ac
1 parent 05a4f32
commit 28a50ac
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 8 deletions.
diff --git a/cmd/apprepository-controller/controller.go b/cmd/apprepository-controller/controller.go
@@ -527,8 +527,10 @@ func apprepoSyncJobEnvVars(apprepo *apprepov1alpha1.AppRepository) []corev1.EnvV
 	})
 	if apprepo.Spec.Auth.Header != nil {
 		envVars = append(envVars, corev1.EnvVar{
-			Name:      "AUTHORIZATION_HEADER",
-			ValueFrom: apprepo.Spec.Auth.Header,
+			Name: "AUTHORIZATION_HEADER",
+			ValueFrom: &corev1.EnvVarSource{
+				SecretKeyRef: &apprepo.Spec.Auth.Header.SecretKeyRef,
+			},
 		})
 	}
 	return envVars

diff --git a/cmd/apprepository-controller/pkg/apis/apprepository/v1alpha1/types.go b/cmd/apprepository-controller/pkg/apis/apprepository/v1alpha1/types.go
@@ -44,7 +44,12 @@ type AppRepositorySpec struct {
 
 // AppRepositoryAuth is the auth for an AppRepository resource
 type AppRepositoryAuth struct {
-	Header *corev1.EnvVarSource `json:"header,omitempty"`
+	Header *AppRepositoryAuthHeader `json:"header,omitempty"`
+}
+
+type AppRepositoryAuthHeader struct {
+	// Selects a key of a secret in the pod's namespace
+	SecretKeyRef corev1.SecretKeySelector `json:"secretKeyRef,omitempty"`
 }
 
 // AppRepositoryStatus is the status for an AppRepository resource

diff --git a/cmd/chart-repo/utils.go b/cmd/chart-repo/utils.go
@@ -41,8 +41,9 @@ import (
 )
 
 const (
-	chartCollection      = "charts"
-	chartFilesCollection = "files"
+	chartCollection       = "charts"
+	chartFilesCollection  = "files"
+	defaultTimeoutSeconds = 10
 )
 
 type importChartFilesJob struct {
@@ -56,7 +57,7 @@ type httpClient interface {
 }
 
 var netClient httpClient = &http.Client{
-	Timeout: time.Second * 10,
+	Timeout: time.Second * defaultTimeoutSeconds,
 }
 
 func parseRepoUrl(repoURL string) (*url.URL, error) {
@@ -170,6 +171,9 @@ func fetchRepoIndex(r repo) (*helmrepo.IndexFile, error) {
 		req.Header.Set("Authorization", r.AuthorizationHeader)
 	}
 	res, err := netClient.Do(req)
+	if res != nil {
+		defer res.Body.Close()
+	}
 	if err != nil {
 		log.WithFields(log.Fields{"url": req.URL.String()}).WithError(err).Error("error requesting repo index")
 		return nil, err
@@ -180,7 +184,6 @@ func fetchRepoIndex(r repo) (*helmrepo.IndexFile, error) {
 		return nil, errors.New("repo index request failed")
 	}
 
-	defer res.Body.Close()
 	body, err := ioutil.ReadAll(res.Body)
 	if err != nil {
 		return nil, err
@@ -281,10 +284,12 @@ func fetchAndImportIcon(dbSession datastore.Session, c chart) error {
 	}
 
 	res, err := netClient.Do(req)
+	if res != nil {
+		defer res.Body.Close()
+	}
 	if err != nil {
 		return err
 	}
-	defer res.Body.Close()
 
 	if res.StatusCode != http.StatusOK {
 		return fmt.Errorf("%d %s", res.StatusCode, c.Icon)

diff --git a/manifests/kube-api.jsonnet b/manifests/kube-api.jsonnet
@@ -13,6 +13,12 @@ local kube = import "kube.libsonnet";
         resources: ["configmaps"],
         verbs: ["get", "list"],
       },
+      // Kubeapps creates Secrets with authorization token data for private chart repos
+      {
+        apiGroups: [""],
+        resources: ["secrets"],
+        verbs: ["create"],
+      },
       // Kubeapps creates and manages AppRepository CRD objects that define
       // which application (e.g. chart) repositories will be indexed.
       {