--no-secret flag on namespace init

Fixes #984
projectriff · Nov 28, 2018 · 3456f8f · 3456f8f
1 parent 1f007ae
commit 3456f8f
Show file tree

Hide file tree

Showing 4 changed files with 59 additions and 28 deletions.
diff --git a/cmd/commands/namespace.go b/cmd/commands/namespace.go
@@ -49,7 +49,8 @@ func NamespaceInit(manifests map[string]*core.Manifest, kc *core.KubectlClient)
 		),
 		PreRunE: FlagsValidatorAsCobraRunE(
 			FlagsValidationConjunction(
-				AtMostOneOf("gcr", "dockerhub"),
+				AtMostOneOf("gcr", "dockerhub", "no-secret"),
+				AtMostOneOf("secret", "no-secret"),
 				NotBlank("secret"),
 			),
 		),
@@ -70,6 +71,7 @@ func NamespaceInit(manifests map[string]*core.Manifest, kc *core.KubectlClient)
 
 	command.Flags().StringVarP(&options.Manifest, "manifest", "m", "stable", "manifest of YAML files to be applied; can be a named manifest (stable or latest) or a path or URL of a manifest file")
 
+	command.Flags().BoolVarP(&options.NoSecret, "no-secret", "", false, "no secret required for the image registry")
 	command.Flags().StringVarP(&options.SecretName, "secret", "s", "push-credentials", "the name of a `secret` containing credentials for the image registry")
 	command.Flags().StringVar(&options.GcrTokenPath, "gcr", "", "path to a file containing Google Container Registry credentials")
 	command.Flags().StringVar(&options.DockerHubUsername, "dockerhub", "", "dockerhub username for authentication; password will be read from stdin")

diff --git a/docs/riff_namespace_init.md b/docs/riff_namespace_init.md
@@ -23,6 +23,7 @@ riff namespace init [flags]
       --gcr string         path to a file containing Google Container Registry credentials
   -h, --help               help for init
   -m, --manifest string    manifest of YAML files to be applied; can be a named manifest (stable or latest) or a path or URL of a manifest file (default "stable")
+      --no-secret          no secret required for the image registry
   -s, --secret secret      the name of a secret containing credentials for the image registry (default "push-credentials")
 ```
 

diff --git a/pkg/core/namespace.go b/pkg/core/namespace.go
@@ -38,22 +38,26 @@ const serviceAccountName = "riff-build"
 type secretType int
 
 const (
-	secretTypeUserProvided secretType = iota
+	secretTypeNone secretType = iota
+	secretTypeUserProvided
 	secretTypeGcr
 	secretTypeDockerHub
 )
 
 type NamespaceInitOptions struct {
 	NamespaceName string
-	SecretName    string
 	Manifest      string
 
+	NoSecret          bool
+	SecretName        string
 	GcrTokenPath      string
 	DockerHubUsername string
 }
 
 func (o *NamespaceInitOptions) secretType() secretType {
 	switch {
+	case o.NoSecret:
+		return secretTypeNone
 	case o.DockerHubUsername != "":
 		return secretTypeDockerHub
 	case o.GcrTokenPath != "":
@@ -95,26 +99,16 @@ func (c *kubectlClient) NamespaceInit(manifests map[string]*Manifest, options Na
 		return err
 	}
 
-	secretName := options.SecretName
-
-	_, err = c.kubeClient.CoreV1().Secrets(options.NamespaceName).Get(secretName, v1.GetOptions{})
-	if errors.IsNotFound(err) {
-		if options.secretType() == secretTypeUserProvided {
-			return err
-		}
-	} else if err != nil {
-		return err
-	} else {
-		if options.secretType() != secretTypeUserProvided {
-			c.kubeClient.CoreV1().Secrets(options.NamespaceName).Delete(secretName, &v1.DeleteOptions{})
-		}
-	}
-	if options.GcrTokenPath != "" {
-		if err := c.createGcrSecret(options); err != nil {
-			return err
-		}
-	} else if options.DockerHubUsername != "" {
-		if err := c.createDockerHubSecret(options); err != nil {
+	if options.secretType() != secretTypeNone {
+		if options.GcrTokenPath != "" {
+			if err := c.createGcrSecret(options); err != nil {
+				return err
+			}
+		} else if options.DockerHubUsername != "" {
+			if err := c.createDockerHubSecret(options); err != nil {
+				return err
+			}
+		} else if err = c.checkSecretExists(options); err != nil {
 			return err
 		}
 	}
@@ -123,15 +117,21 @@ func (c *kubectlClient) NamespaceInit(manifests map[string]*Manifest, options Na
 	if errors.IsNotFound(err) {
 		sa = &corev1.ServiceAccount{}
 		sa.Name = serviceAccountName
-		sa.Secrets = append(sa.Secrets, corev1.ObjectReference{Name: secretName})
-		fmt.Printf("Creating serviceaccount %q using secret %q in namespace %q\n", sa.Name, secretName, ns)
+		if options.secretType() != secretTypeNone {
+			secretName := options.SecretName
+			sa.Secrets = append(sa.Secrets, corev1.ObjectReference{Name: secretName})
+			fmt.Printf("Creating serviceaccount %q using secret %q in namespace %q\n", sa.Name, secretName, ns)
+		} else {
+			fmt.Printf("Creating unauthenticated serviceaccount %q in namespace %q\n", sa.Name, ns)
+		}
 		_, err = c.kubeClient.CoreV1().ServiceAccounts(ns).Create(sa)
 		if err != nil {
 			return err
 		}
 	} else if err != nil {
 		return err
-	} else {
+	} else if options.secretType() != secretTypeNone {
+		secretName := options.SecretName
 		secretAlreadyPresent := false
 		for _, s := range sa.Secrets {
 			if s.Name == secretName {
@@ -176,7 +176,14 @@ func (c *kubectlClient) NamespaceInit(manifests map[string]*Manifest, options Na
 	return nil
 }
 
+func (c *kubectlClient) checkSecretExists(options NamespaceInitOptions) error {
+	_, err := c.kubeClient.CoreV1().Secrets(options.NamespaceName).Get(options.SecretName, v1.GetOptions{})
+	return err
+}
+
 func (c *kubectlClient) createDockerHubSecret(options NamespaceInitOptions) error {
+	c.kubeClient.CoreV1().Secrets(options.NamespaceName).Delete(options.SecretName, &v1.DeleteOptions{})
+
 	password, err := readPassword(fmt.Sprintf("Enter dockerhub password for user %q", options.DockerHubUsername))
 	if err != nil {
 		return err
@@ -198,6 +205,8 @@ func (c *kubectlClient) createDockerHubSecret(options NamespaceInitOptions) erro
 }
 
 func (c *kubectlClient) createGcrSecret(options NamespaceInitOptions) error {
+	c.kubeClient.CoreV1().Secrets(options.NamespaceName).Delete(options.SecretName, &v1.DeleteOptions{})
+
 	token, err := ioutil.ReadFile(options.GcrTokenPath)
 	if err != nil {
 		return err

diff --git a/pkg/core/namespace_test.go b/pkg/core/namespace_test.go
@@ -107,7 +107,7 @@ var _ = Describe("The NamespaceInit function", func() {
 		mockServiceAccounts.On("Get", serviceAccountName, mock.Anything).Return(serviceAccount, nil)
 
 		secret := &v1.Secret{}
-		mockSecrets.On("Get", "push-credentials", meta_v1.GetOptions{}).Return(nil, notFound())
+		mockSecrets.On("Delete", "push-credentials", &meta_v1.DeleteOptions{}).Return(nil)
 		mockSecrets.On("Create", mock.Anything).Run(func(args mock.Arguments) {
 			s := args[0].(*v1.Secret)
 			Expect(s.StringData).To(HaveKeyWithValue("username", "_json_key"))
@@ -155,7 +155,7 @@ var _ = Describe("The NamespaceInit function", func() {
 			mockServiceAccounts.On("Get", serviceAccountName, mock.Anything).Return(serviceAccount, nil)
 
 			secret := &v1.Secret{}
-			mockSecrets.On("Get", "push-credentials", meta_v1.GetOptions{}).Return(nil, notFound())
+			mockSecrets.On("Delete", "push-credentials", &meta_v1.DeleteOptions{}).Return(nil)
 			mockSecrets.On("Create", mock.Anything).Run(func(args mock.Arguments) {
 				s := args[0].(*v1.Secret)
 				Expect(s.StringData).To(HaveKeyWithValue("username", "roger"))
@@ -173,6 +173,25 @@ var _ = Describe("The NamespaceInit function", func() {
 			Expect(err).To(Not(HaveOccurred()))
 		})
 	})
+
+	It("should run unauthenticated and still create a service account", func() {
+		options := NamespaceInitOptions{
+			Manifest:      "fixtures/empty.yaml",
+			NamespaceName: "foo",
+			NoSecret:      true,
+		}
+
+		namespace := &v1.Namespace{ObjectMeta: meta_v1.ObjectMeta{Name: "foo"}}
+		mockNamespaces.On("Get", "foo", mock.Anything).Return(namespace, nil)
+
+		serviceAccount := &v1.ServiceAccount{}
+		mockServiceAccounts.On("Get", serviceAccountName, mock.Anything).Return(nil, notFound())
+		mockServiceAccounts.On("Create", mock.MatchedBy(named(serviceAccountName))).Return(serviceAccount, nil)
+
+		err := kubectlClient.NamespaceInit(manifests, options)
+		Expect(err).To(Not(HaveOccurred()))
+	})
+
 })
 
 func notFound() *errors.StatusError {