✨ Add an option to set the ImagePullSecrets

2025-07-31 16:25:22 +00:00 · 2023-01-07 14:20:01 +03:00 · 2023-01-07 14:20:01 +03:00 · 894f97ca41
commit 894f97ca41
parent 45f8c8a834
7 changed files with 47 additions and 18 deletions
--- a/cmd/tap.go
+++ b/cmd/tap.go
@ -46,6 +46,8 @@ func init() {

 	tapCmd.Flags().StringP(configStructs.DockerRegistryLabel, "r", defaultTapConfig.Docker.Registry, "The Docker registry that's hosting the images.")
 	tapCmd.Flags().StringP(configStructs.DockerTagLabel, "t", defaultTapConfig.Docker.Tag, "The tag of the Docker images that are going to be pulled.")
+	tapCmd.Flags().String(configStructs.DockerImagePullPolicy, defaultTapConfig.Docker.ImagePullPolicy, "ImagePullPolicy for the Docker images.")
+	tapCmd.Flags().StringSlice(configStructs.DockerImagePullSecrets, defaultTapConfig.Docker.ImagePullSecrets, "ImagePullSecrets for the Docker images.")
 	tapCmd.Flags().Uint16(configStructs.ProxyFrontPortLabel, defaultTapConfig.Proxy.Front.SrcPort, "Provide a custom port for the front-end proxy/port-forward.")
 	tapCmd.Flags().Uint16(configStructs.ProxyHubPortLabel, defaultTapConfig.Proxy.Hub.SrcPort, "Provide a custom port for the Hub proxy/port-forward.")
 	tapCmd.Flags().String(configStructs.ProxyHostLabel, defaultTapConfig.Proxy.Host, "Provide a custom host for the proxy/port-forward.")
--- a/cmd/tapRunner.go
+++ b/cmd/tapRunner.go
@ -82,7 +82,7 @@ func tap() {
 	}

 	log.Info().Msg(fmt.Sprintf("Waiting for the creation of %s resources...", misc.Software))
-	if state.selfServiceAccountExists, err = resources.CreateHubResources(ctx, kubernetesProvider, config.Config.IsNsRestrictedMode(), config.Config.SelfNamespace, config.Config.Tap.Resources.Hub, config.Config.ImagePullPolicy(), config.Config.Tap.Debug); err != nil {
+	if state.selfServiceAccountExists, err = resources.CreateHubResources(ctx, kubernetesProvider, config.Config.IsNsRestrictedMode(), config.Config.SelfNamespace, config.Config.Tap.Resources.Hub, config.Config.ImagePullPolicy(), config.Config.ImagePullSecrets(), config.Config.Tap.Debug); err != nil {
 		var statusError *k8serrors.StatusError
 		if errors.As(err, &statusError) && (statusError.ErrStatus.Reason == metav1.StatusReasonAlreadyExists) {
 			log.Warn().Msg(fmt.Sprintf("%s is already running in this namespace, change the `selfnamespace` configuration or run `%s clean` to remove the currently running %s instance", misc.Software, misc.Program, misc.Software))
@ -134,6 +134,7 @@ func startWorkerSyncer(ctx context.Context, cancel context.CancelFunc, provider
 		SelfNamespace:            config.Config.SelfNamespace,
 		WorkerResources:          config.Config.Tap.Resources.Worker,
 		ImagePullPolicy:          config.Config.ImagePullPolicy(),
+		ImagePullSecrets:         config.Config.ImagePullSecrets(),
 		SelfServiceAccountExists: state.selfServiceAccountExists,
 		ServiceMesh:              config.Config.Tap.ServiceMesh,
 		Tls:                      config.Config.Tap.Tls,
--- a/config/configStruct.go
+++ b/config/configStruct.go
@ -45,6 +45,15 @@ func (config *ConfigStruct) ImagePullPolicy() v1.PullPolicy {
 	return v1.PullPolicy(config.Tap.Docker.ImagePullPolicy)
 }

+func (config *ConfigStruct) ImagePullSecrets() []v1.LocalObjectReference {
+	var ref []v1.LocalObjectReference
+	for _, name := range config.Tap.Docker.ImagePullSecrets {
+		ref = append(ref, v1.LocalObjectReference{Name: name})
+	}
+
+	return ref
+}
+
 func (config *ConfigStruct) IsNsRestrictedMode() bool {
 	return config.SelfNamespace != misc.Program // Notice "kubeshark" string must match the default SelfNamespace
 }
--- a/config/configStructs/tapConfig.go
+++ b/config/configStructs/tapConfig.go
@ -10,19 +10,21 @@ import (
 )

 const (
-	DockerRegistryLabel = "docker-registry"
-	DockerTagLabel      = "docker-tag"
-	ProxyFrontPortLabel = "proxy-front-port"
-	ProxyHubPortLabel   = "proxy-hub-port"
-	ProxyHostLabel      = "proxy-host"
-	NamespacesLabel     = "namespaces"
-	AllNamespacesLabel  = "allnamespaces"
-	StorageLimitLabel   = "storagelimit"
-	DryRunLabel         = "dryrun"
-	PcapLabel           = "pcap"
-	ServiceMeshLabel    = "servicemesh"
-	TlsLabel            = "tls"
-	DebugLabel          = "debug"
+	DockerRegistryLabel    = "docker-registry"
+	DockerTagLabel         = "docker-tag"
+	DockerImagePullPolicy  = "docker-imagepullpolicy"
+	DockerImagePullSecrets = "docker-imagepullsecrets"
+	ProxyFrontPortLabel    = "proxy-front-port"
+	ProxyHubPortLabel      = "proxy-hub-port"
+	ProxyHostLabel         = "proxy-host"
+	NamespacesLabel        = "namespaces"
+	AllNamespacesLabel     = "allnamespaces"
+	StorageLimitLabel      = "storagelimit"
+	DryRunLabel            = "dryrun"
+	PcapLabel              = "pcap"
+	ServiceMeshLabel       = "servicemesh"
+	TlsLabel               = "tls"
+	DebugLabel             = "debug"
 )

 type WorkerConfig struct {
@ -48,9 +50,10 @@ type ProxyConfig struct {
 }

 type DockerConfig struct {
-	Registry        string `yaml:"registry" default:"docker.io/kubeshark"`
-	Tag             string `yaml:"tag" default:"latest"`
-	ImagePullPolicy string `yaml:"imagepullpolicy" default:"Always"`
+	Registry         string   `yaml:"registry" default:"docker.io/kubeshark"`
+	Tag              string   `yaml:"tag" default:"latest"`
+	ImagePullPolicy  string   `yaml:"imagepullpolicy" default:"Always"`
+	ImagePullSecrets []string `yaml:"imagepullsecrets"`
 }

 type ResourcesConfig struct {
--- a/kubernetes/provider.go
+++ b/kubernetes/provider.go
@ -177,6 +177,7 @@ type PodOptions struct {
 	ServiceAccountName string
 	Resources          Resources
 	ImagePullPolicy    core.PullPolicy
+	ImagePullSecrets   []core.LocalObjectReference
 	Debug              bool
 }

@ -251,6 +252,7 @@ func (provider *Provider) BuildHubPod(opts *PodOptions) (*core.Pod, error) {
 					Effect:   core.TaintEffectNoSchedule,
 				},
 			},
+			ImagePullSecrets: opts.ImagePullSecrets,
 		},
 	}

@ -353,6 +355,7 @@ func (provider *Provider) BuildFrontPod(opts *PodOptions, hubHost string, hubPor
 					Effect:   core.TaintEffectNoSchedule,
 				},
 			},
+			ImagePullSecrets: opts.ImagePullSecrets,
 		},
 	}

@ -664,6 +667,7 @@ func (provider *Provider) ApplyWorkerDaemonSet(
 	serviceAccountName string,
 	resources Resources,
 	imagePullPolicy core.PullPolicy,
+	imagePullSecrets []core.LocalObjectReference,
 	serviceMesh bool,
 	tls bool,
 	debug bool,
@ -812,6 +816,12 @@ func (provider *Provider) ApplyWorkerDaemonSet(
 	podSpec.WithTolerations(noExecuteToleration, noScheduleToleration)
 	podSpec.WithVolumes(procfsVolume, sysfsVolume)

+	localObjectReference := applyconfcore.LocalObjectReference()
+	for _, secret := range imagePullSecrets {
+		localObjectReference.WithName(secret.Name)
+	}
+	podSpec.WithImagePullSecrets(localObjectReference)
+
 	podTemplate := applyconfcore.PodTemplateSpec()
 	podTemplate.WithLabels(map[string]string{
 		"app":          workerPodName,
--- a/kubernetes/workerSyncer.go
+++ b/kubernetes/workerSyncer.go
@ -42,6 +42,7 @@ type WorkerSyncerConfig struct {
 	SelfNamespace            string
 	WorkerResources          Resources
 	ImagePullPolicy          v1.PullPolicy
+	ImagePullSecrets         []v1.LocalObjectReference
 	SelfServiceAccountExists bool
 	ServiceMesh              bool
 	Tls                      bool
@ -363,6 +364,7 @@ func (workerSyncer *WorkerSyncer) updateWorkers() error {
 			serviceAccountName,
 			workerSyncer.config.WorkerResources,
 			workerSyncer.config.ImagePullPolicy,
+			workerSyncer.config.ImagePullSecrets,
 			workerSyncer.config.ServiceMesh,
 			workerSyncer.config.Tls,
 			workerSyncer.config.Debug); err != nil {
--- a/resources/createResources.go
+++ b/resources/createResources.go
@ -13,7 +13,7 @@ import (
 	core "k8s.io/api/core/v1"
 )

-func CreateHubResources(ctx context.Context, kubernetesProvider *kubernetes.Provider, isNsRestrictedMode bool, selfNamespace string, hubResources kubernetes.Resources, imagePullPolicy core.PullPolicy, debug bool) (bool, error) {
+func CreateHubResources(ctx context.Context, kubernetesProvider *kubernetes.Provider, isNsRestrictedMode bool, selfNamespace string, hubResources kubernetes.Resources, imagePullPolicy core.PullPolicy, imagePullSecrets []core.LocalObjectReference, debug bool) (bool, error) {
 	if !isNsRestrictedMode {
 		if err := createSelfNamespace(ctx, kubernetesProvider, selfNamespace); err != nil {
 			return false, err
@ -39,6 +39,7 @@ func CreateHubResources(ctx context.Context, kubernetesProvider *kubernetes.Prov
 		ServiceAccountName: serviceAccountName,
 		Resources:          hubResources,
 		ImagePullPolicy:    imagePullPolicy,
+		ImagePullSecrets:   imagePullSecrets,
 		Debug:              debug,
 	}

@ -49,6 +50,7 @@ func CreateHubResources(ctx context.Context, kubernetesProvider *kubernetes.Prov
 		ServiceAccountName: serviceAccountName,
 		Resources:          hubResources,
 		ImagePullPolicy:    imagePullPolicy,
+		ImagePullSecrets:   imagePullSecrets,
 		Debug:              debug,
 	}