Allow providing a pull secret for the plugin daemonsets

cmd/operator/main.go

@@ -34,6 +34,7 @@ import (
 
 	devicepluginv1 "github.com/intel/intel-device-plugins-for-kubernetes/pkg/apis/deviceplugin/v1"
 	fpgav2 "github.com/intel/intel-device-plugins-for-kubernetes/pkg/apis/fpga/v2"
+	"github.com/intel/intel-device-plugins-for-kubernetes/pkg/controllers"
 	"github.com/intel/intel-device-plugins-for-kubernetes/pkg/controllers/dlb"
 	"github.com/intel/intel-device-plugins-for-kubernetes/pkg/controllers/dsa"
 	"github.com/intel/intel-device-plugins-for-kubernetes/pkg/controllers/fpga"
@@ -61,7 +62,7 @@ func init() {
 	// +kubebuilder:scaffold:scheme
 }
 
-type devicePluginControllerAndWebhook map[string](func(ctrl.Manager, string, bool) error)
+type devicePluginControllerAndWebhook map[string](func(ctrl.Manager, controllers.ControllerArgs) error)
 
 type flagList []string
 
@@ -208,15 +209,17 @@ func main() {
 		os.Exit(1)
 	}
 
-	ns := os.Getenv("DEVICEPLUGIN_NAMESPACE")
-	if ns == "" {
-		ns = devicePluginNamespace
+	cargs := controllers.ControllerArgs{WithWebhook: true}
+
+	cargs.Namespace = os.Getenv("DEVICEPLUGIN_NAMESPACE")
+	if cargs.Namespace == "" {
+		cargs.Namespace = devicePluginNamespace
 	}
 
-	withWebhook := true
+	cargs.Secret = os.Getenv("DEVICEPLUGIN_SECRET")
 
 	for _, device := range devices {
-		if err = setupControllerAndWebhook[device](mgr, ns, withWebhook); err != nil {
+		if err = setupControllerAndWebhook[device](mgr, cargs); err != nil {
 			setupLog.Error(err, "unable to initialize controller", "controller", device)
 			os.Exit(1)
 		}

pkg/controllers/dlb/controller.go

@@ -43,13 +43,13 @@ var defaultNodeSelector map[string]string = deployments.DLBPluginDaemonSet().Spe
 // +kubebuilder:rbac:groups=deviceplugin.intel.com,resources=dlbdeviceplugins/finalizers,verbs=update
 
 // SetupReconciler creates a new reconciler for DlbDevicePlugin objects.
-func SetupReconciler(mgr ctrl.Manager, namespace string, withWebhook bool) error {
-	c := &controller{scheme: mgr.GetScheme(), ns: namespace}
+func SetupReconciler(mgr ctrl.Manager, args controllers.ControllerArgs) error {
+	c := &controller{scheme: mgr.GetScheme(), args: args}
 	if err := controllers.SetupWithManager(mgr, c, devicepluginv1.GroupVersion.String(), "DlbDevicePlugin", ownerKey); err != nil {
 		return err
 	}
 
-	if withWebhook {
+	if args.WithWebhook {
 		return (&devicepluginv1.DlbDevicePlugin{}).SetupWebhookWithManager(mgr)
 	}
 
@@ -59,7 +59,7 @@ func SetupReconciler(mgr ctrl.Manager, namespace string, withWebhook bool) error
 type controller struct {
 	controllers.DefaultServiceAccountFactory
 	scheme *runtime.Scheme
-	ns     string
+	args   controllers.ControllerArgs
 }
 
 func (c *controller) CreateEmptyObject() client.Object {
@@ -92,7 +92,13 @@ func (c *controller) NewDaemonSet(rawObj client.Object) *apps.DaemonSet {
 		setInitContainer(&ds.Spec.Template.Spec, devicePlugin.Spec)
 	}
 
-	ds.ObjectMeta.Namespace = c.ns
+	ds.ObjectMeta.Namespace = c.args.Namespace
+
+	if len(c.args.Secret) > 0 {
+		ds.Spec.Template.Spec.ImagePullSecrets = []v1.LocalObjectReference{
+			{Name: c.args.Secret},
+		}
+	}
 
 	ds.Spec.Template.Spec.Containers[0].Args = getPodArgs(devicePlugin)
 	ds.Spec.Template.Spec.Containers[0].Image = devicePlugin.Spec.Image

pkg/controllers/dlb/controller_test.go

@@ -45,7 +45,7 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
 			APIVersion: "apps/v1",
 		},
 		ObjectMeta: metav1.ObjectMeta{
-			Namespace: c.ns,
+			Namespace: c.args.Namespace,
 			Name:      appLabel + "-" + devicePlugin.Name,
 			Labels: map[string]string{
 				"app": appLabel,
@@ -155,6 +155,12 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
 		},
 	}
 
+	if len(c.args.Secret) > 0 {
+		daemonSet.Spec.Template.Spec.ImagePullSecrets = []v1.LocalObjectReference{
+			{Name: c.args.Secret},
+		}
+	}
+
 	return &daemonSet
 }
 
@@ -171,4 +177,12 @@ func TestNewDaemonSetDLB(t *testing.T) {
 	if !reflect.DeepEqual(expected, actual) {
 		t.Errorf("expected and actuall daemonsets differ: %+s", diff.ObjectGoPrintDiff(expected, actual))
 	}
+
+	c.args.Secret = "mysecret"
+
+	expected = c.newDaemonSetExpected(plugin)
+	actual = c.NewDaemonSet(plugin)
+	if !reflect.DeepEqual(expected, actual) {
+		t.Errorf("expected and actual daemonsets with secret differ: %+s", diff.ObjectGoPrintDiff(expected, actual))
+	}
 }

pkg/controllers/dsa/controller.go

@@ -47,13 +47,13 @@ var defaultNodeSelector = deployments.DSAPluginDaemonSet().Spec.Template.Spec.No
 // +kubebuilder:rbac:groups=deviceplugin.intel.com,resources=dsadeviceplugins/finalizers,verbs=update
 
 // SetupReconciler creates a new reconciler for DsaDevicePlugin objects.
-func SetupReconciler(mgr ctrl.Manager, namespace string, withWebhook bool) error {
-	c := &controller{scheme: mgr.GetScheme(), ns: namespace}
+func SetupReconciler(mgr ctrl.Manager, args controllers.ControllerArgs) error {
+	c := &controller{scheme: mgr.GetScheme(), args: args}
 	if err := controllers.SetupWithManager(mgr, c, devicepluginv1.GroupVersion.String(), "DsaDevicePlugin", ownerKey); err != nil {
 		return err
 	}
 
-	if withWebhook {
+	if args.WithWebhook {
 		return (&devicepluginv1.DsaDevicePlugin{}).SetupWebhookWithManager(mgr)
 	}
 
@@ -63,7 +63,7 @@ func SetupReconciler(mgr ctrl.Manager, namespace string, withWebhook bool) error
 type controller struct {
 	controllers.DefaultServiceAccountFactory
 	scheme *runtime.Scheme
-	ns     string
+	args   controllers.ControllerArgs
 }
 
 func (c *controller) CreateEmptyObject() client.Object {
@@ -200,14 +200,20 @@ func (c *controller) NewDaemonSet(rawObj client.Object) *apps.DaemonSet {
 		daemonSet.Spec.Template.Spec.Tolerations = devicePlugin.Spec.Tolerations
 	}
 
-	daemonSet.ObjectMeta.Namespace = c.ns
+	daemonSet.ObjectMeta.Namespace = c.args.Namespace
 	daemonSet.Spec.Template.Spec.Containers[0].Args = getPodArgs(devicePlugin)
 	daemonSet.Spec.Template.Spec.Containers[0].Image = devicePlugin.Spec.Image
 
 	if devicePlugin.Spec.InitImage != "" {
 		addInitContainer(daemonSet, devicePlugin)
 	}
 
+	if len(c.args.Secret) > 0 {
+		daemonSet.Spec.Template.Spec.ImagePullSecrets = []v1.LocalObjectReference{
+			{Name: c.args.Secret},
+		}
+	}
+
 	return daemonSet
 }
 

pkg/controllers/dsa/controller_test.go

@@ -47,7 +47,7 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
 			APIVersion: "apps/v1",
 		},
 		ObjectMeta: metav1.ObjectMeta{
-			Namespace: c.ns,
+			Namespace: c.args.Namespace,
 			Name:      appLabel + "-" + devicePlugin.Name,
 			Labels: map[string]string{
 				"app": appLabel,
@@ -177,6 +177,12 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
 		addInitContainer(&daemonSet, devicePlugin)
 	}
 
+	if len(c.args.Secret) > 0 {
+		daemonSet.Spec.Template.Spec.ImagePullSecrets = []v1.LocalObjectReference{
+			{Name: c.args.Secret},
+		}
+	}
+
 	return &daemonSet
 }
 
@@ -193,4 +199,12 @@ func TestNewDaemonSetDSA(t *testing.T) {
 	if !reflect.DeepEqual(expected, actual) {
 		t.Errorf("expected and actuall daemonsets differ: %+s", diff.ObjectGoPrintDiff(expected, actual))
 	}
+
+	c.args.Secret = "mysecret"
+
+	expected = c.newDaemonSetExpected(plugin)
+	actual = c.NewDaemonSet(plugin)
+	if !reflect.DeepEqual(expected, actual) {
+		t.Errorf("expected and actual daemonsets with secret differ: %+s", diff.ObjectGoPrintDiff(expected, actual))
+	}
 }

pkg/controllers/fpga/controller.go

@@ -22,6 +22,7 @@ import (
 	"strings"
 
 	apps "k8s.io/api/apps/v1"
+	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/client-go/tools/reference"
 	ctrl "sigs.k8s.io/controller-runtime"
@@ -42,13 +43,13 @@ var defaultNodeSelector = deployments.FPGAPluginDaemonSet().Spec.Template.Spec.N
 // +kubebuilder:rbac:groups=deviceplugin.intel.com,resources=fpgadeviceplugins/finalizers,verbs=update
 
 // SetupReconciler creates a new reconciler for FpgaDevicePlugin objects.
-func SetupReconciler(mgr ctrl.Manager, namespace string, withWebhook bool) error {
-	c := &controller{scheme: mgr.GetScheme(), ns: namespace}
+func SetupReconciler(mgr ctrl.Manager, args controllers.ControllerArgs) error {
+	c := &controller{scheme: mgr.GetScheme(), args: args}
 	if err := controllers.SetupWithManager(mgr, c, devicepluginv1.GroupVersion.String(), "FpgaDevicePlugin", ownerKey); err != nil {
 		return err
 	}
 
-	if withWebhook {
+	if args.WithWebhook {
 		return (&devicepluginv1.FpgaDevicePlugin{}).SetupWebhookWithManager(mgr)
 	}
 
@@ -58,7 +59,7 @@ func SetupReconciler(mgr ctrl.Manager, namespace string, withWebhook bool) error
 type controller struct {
 	controllers.DefaultServiceAccountFactory
 	scheme *runtime.Scheme
-	ns     string
+	args   controllers.ControllerArgs
 }
 
 func (c *controller) CreateEmptyObject() client.Object {
@@ -84,7 +85,13 @@ func (c *controller) NewDaemonSet(rawObj client.Object) *apps.DaemonSet {
 		daemonSet.Spec.Template.Spec.Tolerations = devicePlugin.Spec.Tolerations
 	}
 
-	daemonSet.ObjectMeta.Namespace = c.ns
+	daemonSet.ObjectMeta.Namespace = c.args.Namespace
+
+	if len(c.args.Secret) > 0 {
+		daemonSet.Spec.Template.Spec.ImagePullSecrets = []v1.LocalObjectReference{
+			{Name: c.args.Secret},
+		}
+	}
 
 	daemonSet.Spec.Template.Spec.Containers[0].Args = getPodArgs(devicePlugin)
 	daemonSet.Spec.Template.Spec.Containers[0].Image = devicePlugin.Spec.Image

pkg/controllers/fpga/controller_test.go

@@ -42,13 +42,13 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
 	maxUnavailable := intstr.FromInt(1)
 	maxSurge := intstr.FromInt(0)
 
-	return &apps.DaemonSet{
+	ds := &apps.DaemonSet{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "DaemonSet",
 			APIVersion: "apps/v1",
 		},
 		ObjectMeta: metav1.ObjectMeta{
-			Namespace: c.ns,
+			Namespace: c.args.Namespace,
 			Name:      appLabel + "-" + devicePlugin.Name,
 			Labels: map[string]string{
 				"app": appLabel,
@@ -198,6 +198,14 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
 			},
 		},
 	}
+
+	if len(c.args.Secret) > 0 {
+		ds.Spec.Template.Spec.ImagePullSecrets = []v1.LocalObjectReference{
+			{Name: c.args.Secret},
+		}
+	}
+
+	return ds
 }
 
 // Test that FPGA daemonset created by using go:embed is
@@ -218,4 +226,12 @@ func TestNewDaemonSetFPGA(t *testing.T) {
 	if !reflect.DeepEqual(expected, actual) {
 		t.Errorf("expected and actuall daemonsets differ: %+s", diff.ObjectGoPrintDiff(expected, actual))
 	}
+
+	c.args.Secret = "mysecret"
+
+	expected = c.newDaemonSetExpected(plugin)
+	actual = c.NewDaemonSet(plugin)
+	if !reflect.DeepEqual(expected, actual) {
+		t.Errorf("expected and actual daemonsets with secret differ: %+s", diff.ObjectGoPrintDiff(expected, actual))
+	}
 }

pkg/controllers/gpu/controller.go

@@ -49,13 +49,13 @@ var defaultNodeSelector = deployments.GPUPluginDaemonSet().Spec.Template.Spec.No
 // +kubebuilder:rbac:groups=deviceplugin.intel.com,resources=gpudeviceplugins/finalizers,verbs=update
 
 // SetupReconciler creates a new reconciler for GpuDevicePlugin objects.
-func SetupReconciler(mgr ctrl.Manager, namespace string, withWebhook bool) error {
-	c := &controller{scheme: mgr.GetScheme(), ns: namespace}
+func SetupReconciler(mgr ctrl.Manager, args controllers.ControllerArgs) error {
+	c := &controller{scheme: mgr.GetScheme(), args: args}
 	if err := controllers.SetupWithManager(mgr, c, devicepluginv1.GroupVersion.String(), "GpuDevicePlugin", ownerKey); err != nil {
 		return err
 	}
 
-	if withWebhook {
+	if args.WithWebhook {
 		return (&devicepluginv1.GpuDevicePlugin{}).SetupWebhookWithManager(mgr)
 	}
 
@@ -64,7 +64,7 @@ func SetupReconciler(mgr ctrl.Manager, namespace string, withWebhook bool) error
 
 type controller struct {
 	scheme *runtime.Scheme
-	ns     string
+	args   controllers.ControllerArgs
 }
 
 func (c *controller) CreateEmptyObject() client.Object {
@@ -80,7 +80,7 @@ func (c *controller) NewSharedServiceAccount() *v1.ServiceAccount {
 	return &v1.ServiceAccount{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      serviceAccountName,
-			Namespace: c.ns,
+			Namespace: c.args.Namespace,
 		},
 	}
 }
@@ -89,13 +89,13 @@ func (c *controller) NewSharedClusterRoleBinding() *rbacv1.ClusterRoleBinding {
 	return &rbacv1.ClusterRoleBinding{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      roleBindingName,
-			Namespace: c.ns,
+			Namespace: c.args.Namespace,
 		},
 		Subjects: []rbacv1.Subject{
 			{
 				Kind:      "ServiceAccount",
 				Name:      serviceAccountName,
-				Namespace: c.ns,
+				Namespace: c.args.Namespace,
 			},
 		},
 		RoleRef: rbacv1.RoleRef{
@@ -140,10 +140,16 @@ func (c *controller) NewDaemonSet(rawObj client.Object) *apps.DaemonSet {
 		daemonSet.Spec.Template.Spec.Tolerations = devicePlugin.Spec.Tolerations
 	}
 
-	daemonSet.ObjectMeta.Namespace = c.ns
+	daemonSet.ObjectMeta.Namespace = c.args.Namespace
 	daemonSet.Spec.Template.Spec.Containers[0].Args = getPodArgs(devicePlugin)
 	daemonSet.Spec.Template.Spec.Containers[0].Image = devicePlugin.Spec.Image
 
+	if len(c.args.Secret) > 0 {
+		daemonSet.Spec.Template.Spec.ImagePullSecrets = []v1.LocalObjectReference{
+			{Name: c.args.Secret},
+		}
+	}
+
 	if devicePlugin.Spec.InitImage == "" {
 		daemonSet.Spec.Template.Spec.InitContainers = nil
 		daemonSet.Spec.Template.Spec.Volumes = removeVolume(daemonSet.Spec.Template.Spec.Volumes, "nfd-features")