🚧 Duplicate kinto builder docker secret in each user namespace (#27)

.env-example

@@ -2,28 +2,38 @@ KUBE_CONFIG_PATH=/Users/<USER_NAME>/.kube/config
 
 ## verbose | debug | info | warn | error | fatal | panic
 LOG_LEVEL=debug
+
 GRPC_PORT=8080
-GRPC_WEB_PORT=8090
+GRPC_WEB_PORT=8090 # Port number accessed by the dashboard
 
+## Domain/Subdomain used to create external name for api and web app services
 KINTO_DOMAIN=oss.kintohub.net
 
+## Kinto Builder api host (see https://github.com/kintoproj/kinto-builder)
 BUILD_API_HOST=kinto-builder:8080
 
-## Max time in past to send to client on initial connection
-CONSOLE_LOGS_HISTORY_SECONDS=93600
-## Max lines to send to client on initial connection. If more than this number, it won't be sent to the client
-CONSOLE_LOGS_MAX_LINES_ON_START=1000
+## Logs configuration
+CONSOLE_LOGS_HISTORY_SECONDS=93600 # Max time in past to send to client on initial connection
+CONSOLE_LOGS_MAX_LINES_ON_START=1000 # Max lines to send to client on initial connection.
 
-## If false, all external access will be create without certificates
-SSL_ENABLED=false
+## SSL configuration
+SSL_ENABLED=false # If false, all external access will be create without certificates
 [email protected]
 CERT_MANAGER_ISSUER_SERVER=https://acme-staging-v02.api.letsencrypt.org/directory
 
-## Allowed host for CORS. Defaults to * which allows everything. kintohub.com,www.kintohub.com is accepted
+## Allowed host for CORS. Defaults to * which allows everything.
 CORS_ALLOWED_HOST=*
 
+## Metrics and health refresh frequency for the dashboard
 HEALTH_UPDATE_TICK_SECONDS=1
 METRICS_UPDATE_TICK_SECONDS=5
 
 ## Enables dev proxy (chisel) into every namespace for proxy / teleport related functionality
 KINTO_DEV_PROXY_ENABLED=true
+
+KINTO_CORE_NAMESPACE=kintohub
+
+# Kubernetes secret used by kinto builder to push the image into the container registry
+# Must be a docker secret - `kubernetes.io/dockerconfigjson`
+# Must be in ${KINTO_CORE_NAMESPACE}
+KINTO_BUILDER_DOCKER_SECRET=kinto-builder-workflow-docker

README.md

@@ -13,33 +13,10 @@
 ## Dependencies
 - [utils-go](https://github.com/kintohub/utils-go) our own reusable utils functions
 
-## Configuration
-
-The following table lists the configurable parameters of the core and their default values.
-
-|            Parameter              |                                  Description                               |                           Default                        |        Required         |
-|-----------------------------------|----------------------------------------------------------------------------|----------------------------------------------------------|-------------------------|
-| `LOG_LEVEL`                       | Log levels from `verbose` to `panic`                                       | `debug`                                                  |                         |
-| `KUBE_CONFIG_PATH`                | Only for local development                                                 |                                                          |                         |
-| `GRPC_PORT`                       | GRPC port                                                                  | `8080`                                                   |                         |
-| `GRPC_WEB_PORT`                   | GRPC web port                                                              | `8090`                                                   |                         |
-| `CORS_ALLOWED_HOST`               | Specify the hosts allowed to call the server                               | `*`                                                      |                         |
-| `CONSOLE_LOGS_HISTORY_SECONDS`    | Max time in seconds to query the logs                                      | `86400`                                                  |                         |
-| `CONSOLE_LOGS_MAX_LINES_ON_START` | Max number of lines to query the logs                                      | `1000`                                                   |                         |
-| `METRICS_UPDATE_TICK_SECONDS`     | Refresh frequency in seconds for querying the metrics                      | `5`                                                      |                         |
-| `HEALTH_UPDATE_TICK_SECONDS`      | Refresh frequency in seconds for querying the health of the services       | `1`                                                      |                         |
-| `KINTO_DOMAIN`                    | Domain/Subdomain used to create external name for api and web app services |                                                          | Yes                     |
-| `BUILD_API_HOST`                  | `kinto-builder` api host                                                   | `kinto-builder:8080`                                     |                         |
-| `ENABLE_SSL`                      | Enable or disable SSL certs for external URL                               | `false`                                                  |                         |
-| `CERT_MANAGER_ISSUER_EMAIL`       | Email used on every certificate for every external service                 |                                                          | If `ENABLE_SSL == true` |
-| `CERT_MANAGER_ISSUER_SERVER`      | Let's encrypt server                                                       | `https://acme-staging-v02.api.letsencrypt.org/directory` |                         |
-| `KINTO_DEV_PROXY_ENABLED`         | Is kinto-cli allowed to connect                                            | `true`                                                   |                         |
-| `PROXLESS_FQDN`                   | Proxless kubernetes FQDN                                                   | `kinto-proxless.kintohub.svc.cluster.local`              |                         |
-
 ## Development Setup
 
 Duplicate the `.env.example` file into a `.env` file.  
-Modify the variables if needed. See configuration above for more information.
+Modify the variables if needed.
 
 ```shell script
 $ go run cmd/main.go

internal/config/config.go

@@ -26,6 +26,9 @@ var (
 
 	KintoDevProxyEnabled bool
 	ProxlessFQDN         string
+
+	KintoCoreNamespace       string
+	KintoBuilderDockerSecret string
 )
 
 func InitConfig() {
@@ -51,4 +54,7 @@ func InitConfig() {
 
 	KintoDevProxyEnabled = utilsGoConfig.GetBool("KINTO_DEV_PROXY_ENABLED", true)
 	ProxlessFQDN = utilsGoConfig.GetString("PROXLESS_FQDN", "kinto-proxless.kintohub.svc.cluster.local")
+
+	KintoCoreNamespace = utilsGoConfig.GetString("KINTO_CORE_NAMESPACE", "kintohub")
+	KintoBuilderDockerSecret = utilsGoConfig.GetString("KINTO_BUILDER_DOCKER_SECRET", "kinto-builder-workflow-docker")
 }

internal/store/kube/dockerSecret.go

@@ -0,0 +1,56 @@
+package kube
+
+import (
+	"context"
+	"github.com/kintohub/utils-go/klog"
+	"github.com/kintoproj/kinto-core/pkg/consts"
+	v1 "k8s.io/api/core/v1"
+	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+	"time"
+)
+
+func upsertDockerSecret(
+	kubeClient kubernetes.Interface, dockerSecretName, kintoCoreNamespace, userNamespace string) (*v1.Secret, error) {
+	defer klog.LogDuration(time.Now(), "upsertDockerSecret")
+
+	// retrieving the kinto build docker secret
+	kintoBuildDockerSecret, err := kubeClient.CoreV1().Secrets(kintoCoreNamespace).Get(
+		context.TODO(), dockerSecretName, metav1.GetOptions{})
+
+	if err != nil {
+		return nil, err
+	}
+
+	// retrieving the user docker secret
+	userDockerSecret, err := kubeClient.CoreV1().Secrets(userNamespace).Get(
+		context.TODO(), dockerSecretName, metav1.GetOptions{})
+
+	if k8serrors.IsNotFound(err) { // we create it if not found
+		userDockerSecret := genDockerSecretFromExistingCoreSecret(kintoBuildDockerSecret, userNamespace)
+		return kubeClient.CoreV1().Secrets(userNamespace).Create(
+			context.TODO(), userDockerSecret, metav1.CreateOptions{})
+	} else if err != nil {
+		return nil, err
+	}
+
+	// we update it if found
+	userDockerSecret.Data = kintoBuildDockerSecret.Data
+	return kubeClient.CoreV1().Secrets(userNamespace).Update(
+		context.TODO(), userDockerSecret, metav1.UpdateOptions{})
+}
+
+func genDockerSecretFromExistingCoreSecret(kintoBuildDockerSecret *v1.Secret, userNamespace string) *v1.Secret {
+	return &v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      kintoBuildDockerSecret.Name,
+			Namespace: userNamespace,
+			Labels: map[string]string{
+				consts.OwnerLabelKey: consts.OwnerLabelValue,
+			},
+		},
+		Data: kintoBuildDockerSecret.Data,
+		Type: v1.SecretTypeDockerConfigJson,
+	}
+}

internal/store/kube/environment.go

@@ -3,6 +3,7 @@ package kube
 import (
 	"context"
 	"fmt"
+	"github.com/kintoproj/kinto-core/internal/config"
 	"time"
 
 	"k8s.io/client-go/kubernetes"
@@ -29,13 +30,17 @@ func (k *KubeStore) GetEnvironment(envId string) (*types.Environment, *utilsGoSe
 		Name: ns.Labels[consts.EnvNameLabelKey],
 	}
 
-	// TODO see how to upsert network policy in a better place - having it here is useful for processing all
-	// the existing namespaces.
 	_, err := upsertNetworkPolicy(k.kubeClient, envId)
 	if err != nil { // we don't return the error since it does not impact the user
 		klog.ErrorfWithErr(err, "error upserting the network policy for namespace %s", envId)
 	}
 
+	// duplicate kinto build docker secret into user namespace
+	_, err = upsertDockerSecret(k.kubeClient, config.KintoBuilderDockerSecret, config.KintoCoreNamespace, envId)
+	if err != nil { // we return an error since it will impact the build
+		return nil, utilsGoServer.NewInternalErrorWithErr("could not upsert docker secret", err)
+	}
+
 	return env, nil
 }