From ee40fd9b8495ea23fc34daef74c689aad942fd2f Mon Sep 17 00:00:00 2001
From: Haseeb Tariq
Date: Tue, 18 May 2021 16:46:46 -0700
Subject: [PATCH] Filter secret names for registry pod's sa During the registry server sync the image pull secrets from the catalogsource's spec.secrets are passed unfiltered to the serviceaccount for the registry pod. Passing an empty string in the secrets list breaks serverside apply for the registry pod with the following error: failed to convert new object (/v1, Kind=Pod) to smd typed: .spec.imagePullSecrets: element 0: associative list with keys has an element that omits key field "name" (and doesn't have default value) This prevents the registry pod from being promoted via the SSA client when there is an update to the index image. To fix this, the image pull secrets list is filtered for empty strings before being set on the serviceaccount.
Signed-off-by: Haseeb Tariq
---
 pkg/controller/registry/reconciler/grpc.go | 3 +++
 pkg/controller/registry/reconciler/grpc_test.go | 10 +++++++---
 2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/pkg/controller/registry/reconciler/grpc.go b/pkg/controller/registry/reconciler/grpc.go
index 3cea3472c9..f8f296a960 100644
--- a/pkg/controller/registry/reconciler/grpc.go
+++ b/pkg/controller/registry/reconciler/grpc.go
@@ -98,6 +98,9 @@ func (s *grpcCatalogSourceDecorator) ServiceAccount() *corev1.ServiceAccount {
 blockOwnerDeletion := true
 isController := true
 for _, secretName := range s.CatalogSource.Spec.Secrets {
+ if secretName == "" {
+ continue
+ }
 secrets = append(secrets, corev1.LocalObjectReference{Name: secretName})
 }
 return &corev1.ServiceAccount{
diff --git a/pkg/controller/registry/reconciler/grpc_test.go b/pkg/controller/registry/reconciler/grpc_test.go
index a5926f681f..5418832219 100644
--- a/pkg/controller/registry/reconciler/grpc_test.go
+++ b/pkg/controller/registry/reconciler/grpc_test.go
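Review bot: The new guard in ServiceAccount() (grpc.go) skips only the exact empty string and carries no comment saying why, so a later reader cannot tell that it exists to keep `.spec.imagePullSecrets` valid for server-side apply. I would add `// Skip empty names: an imagePullSecrets entry without a name breaks server-side apply of the registry pod.` above the `if`. Because the list is keyed by `name`, a name repeated in `spec.secrets` looks like it could fail the same typed conversion; that is not verified here, but if it does, a small `seen` set in this loop would cover it. The empty entry is also dropped without a log line or event, so a malformed CatalogSource stays invisible to whoever wrote it. The function's body continues past the end of the hunk.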
@@ -33,7 +33,7 @@ func validGrpcCatalogSource(image, address string) *v1alpha1.CatalogSource {
 }
 }
-func grpcCatalogSourceWithSecret(secretName string) *v1alpha1.CatalogSource {
+func grpcCatalogSourceWithSecret(secretNames []string) *v1alpha1.CatalogSource {
 return &v1alpha1.CatalogSource{
 ObjectMeta: metav1.ObjectMeta{
 Name: "private-catalog",
@@ -45,7 +45,7 @@ func grpcCatalogSourceWithSecret(secretName string) *v1alpha1.CatalogSource {
 Image: "private-image",
 Address: "",
 SourceType: v1alpha1.SourceTypeGrpc,
- Secrets: []string{secretName},
+ Secrets: secretNames,
 },
 }
 }
@@ -61,6 +61,10 @@ func TestGrpcRegistryReconciler(t *testing.T) {
 blockOwnerDeletion := true
 isController := true
+ // We expect the empty string secret name should not be set
+ // on the service account
+ testSecrets := []string{"test-secret", ""}
+
 type cluster struct {
 k8sObjs []runtime.Object
 }
@@ -225,7 +229,7 @@ func TestGrpcRegistryReconciler(t *testing.T) {
 },
 },
 },
- catsrc: grpcCatalogSourceWithSecret("test-secret"),
+ catsrc: grpcCatalogSourceWithSecret(testSecrets),
 },
 out: out{
 status: &v1alpha1.RegistryServiceStatus{
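Review bot: The `testSecrets` fixture added in TestGrpcRegistryReconciler (hunk at -61,6) exercises only one shape, a valid name followed by an empty one, so the table, most of which lies outside these hunks, does not appear to pin what happens when every entry is empty or when the empty entry comes first. A second case built with `grpcCatalogSourceWithSecret([]string{""})` that expects a service account with no image pull secrets would cover that. The comment above the fixture would read more clearly as `// The empty secret name must not be set on the service account.`. The test function's body continues outside the hunks shown.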