Filter secret names for registry pod's sa

hasbro17 · hasbro17 · commit ee40fd9b8495 · 2021-05-18T17:10:07.000-07:00
During the registry server sync the image pull secrets from the catalogsource's spec.secrets are passed
unfiltered to the serviceaccount for the registry pod.
Passing an empty string in the secrets list breaks serverside apply for the registry pod
with the following error:

failed to convert new object (/v1, Kind=Pod) to smd typed:
.spec.imagePullSecrets: element 0: associative list with keys has an element
that omits key field "name" (and doesn't have default value)

This prevents the registry pod from being promoted via the SSA client when
there is an update to the index image.

To fix this, the image pull secrets list is filtered for empty strings
before being set on the serviceaccount.

Signed-off-by: Haseeb Tariq &lt;hasbro17@gmail.com&gt;
diff --git a/pkg/controller/registry/reconciler/grpc.go b/pkg/controller/registry/reconciler/grpc.go
@@ -98,6 +98,9 @@ func (s *grpcCatalogSourceDecorator) ServiceAccount() *corev1.ServiceAccount {
 	blockOwnerDeletion := true
 	isController := true
 	for _, secretName := range s.CatalogSource.Spec.Secrets {
+		if secretName == "" {
+			continue
+		}
 		secrets = append(secrets, corev1.LocalObjectReference{Name: secretName})
 	}
 	return &corev1.ServiceAccount{
diff --git a/pkg/controller/registry/reconciler/grpc_test.go b/pkg/controller/registry/reconciler/grpc_test.go
@@ -33,7 +33,7 @@ func validGrpcCatalogSource(image, address string) *v1alpha1.CatalogSource {
 	}
 }
 
-func grpcCatalogSourceWithSecret(secretName string) *v1alpha1.CatalogSource {
+func grpcCatalogSourceWithSecret(secretNames []string) *v1alpha1.CatalogSource {
 	return &v1alpha1.CatalogSource{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "private-catalog",
@@ -45,7 +45,7 @@ func grpcCatalogSourceWithSecret(secretName string) *v1alpha1.CatalogSource {
 			Image:      "private-image",
 			Address:    "",
 			SourceType: v1alpha1.SourceTypeGrpc,
-			Secrets:    []string{secretName},
+			Secrets:    secretNames,
 		},
 	}
 }
@@ -61,6 +61,10 @@ func TestGrpcRegistryReconciler(t *testing.T) {
 	blockOwnerDeletion := true
 	isController := true
 
+	// We expect the empty string secret name should not be set
+	// on the service account
+	testSecrets := []string{"test-secret", ""}
+
 	type cluster struct {
 		k8sObjs []runtime.Object
 	}
@@ -225,7 +229,7 @@ func TestGrpcRegistryReconciler(t *testing.T) {
 						},
 					},
 				},
-				catsrc: grpcCatalogSourceWithSecret("test-secret"),
+				catsrc: grpcCatalogSourceWithSecret(testSecrets),
 			},
 			out: out{
 				status: &v1alpha1.RegistryServiceStatus{
