[edgefunc] Support for OCI creds via Secrets

Author: dilyevsky

api/core/v1alpha/shared_types.go

@@ -0,0 +1,55 @@
+package v1alpha
+
+// Group refers to an API Group. It must either be an empty string or a
+// RFC 1123 subdomain.
+//
+// This validation is based off of the corresponding Kubernetes validation:
+// https://github.com/kubernetes/apimachinery/blob/02cfb53916346d085a6c6c7c66f882e3c6b0eca6/pkg/util/validation/validation.go#L208
+//
+// Valid values include:
+//
+// * "" - empty string implies core Kubernetes API group
+// * "gateway.networking.k8s.io"
+// * "controllers.apoxy.dev"
+//
+// Invalid values include:
+//
+// * "example.com/bar" - "/" is an invalid character
+//
+// +kubebuilder:validation:MaxLength=253
+// +kubebuilder:validation:Pattern=`^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`
+type Group string
+
+// Kind refers to an API Kind. It must be a valid Kubernetes kind.
+//
+// Valid values include:
+//
+// * "Service"
+// * "HTTPRoute"
+// * "Proxy"
+//
+// Invalid values include:
+//
+// * "invalid/kind" - "/" is an invalid character
+//
+// +kubebuilder:validation:MinLength=1
+// +kubebuilder:validation:MaxLength=63
+// +kubebuilder:validation:Pattern=`^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$`
+type Kind string
+
+// ObjectName refers to the name of an API object. It must be a valid Kubernetes
+// name.
+//
+// Object names can have a variety of forms, including RFC 1123 subdomains,
+// RFC 1123 labels, or RFC 1035 labels.
+//
+// +kubebuilder:validation:MinLength=1
+// +kubebuilder:validation:MaxLength=253
+type ObjectName string
+
+// Namespace refers to a Kubernetes namespace. It must be a RFC 1123 label.
+//
+// +kubebuilder:validation:Pattern=`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`
+// +kubebuilder:validation:MinLength=1
+// +kubebuilder:validation:MaxLength=63
+type Namespace string

api/extensions/v1alpha1/edgefunction_types.go

@@ -7,7 +7,7 @@ import (
 "k8s.io/apiserver/pkg/registry/rest"
 "sigs.k8s.io/apiserver-runtime/pkg/builder/resource"
 
-gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
+corev1alpha "github.com/apoxy-dev/apoxy-cli/api/core/v1alpha"
 )
 
 type SourceFile struct {
@@ -73,15 +73,17 @@ type WasmSource struct {
 
 type OCICredentialsObjectReference struct {
 // Group is the group of the target resource.
-// Currently only controllers.apoxy.dev/v1alpha1 is supported.
-Group gwapiv1.Group `json:"group"`
+Group corev1alpha.Group `json:"group"`
 
 // Kind is kind of the target resource.
-// Supports Secret with on-prem deploys and
-Kind gwapiv1.Kind `json:"kind"`
+// Supports Secret with on-prem deploys.
+Kind corev1alpha.Kind `json:"kind"`
 
 // Name is the name of the target resource.
-Name gwapiv1.ObjectName `json:"name"`
+Name corev1alpha.ObjectName `json:"name"`
+
+// Namespace is the namespace of the target resource.
+Namespace corev1alpha.Namespace `json:"namespace"`
 }
 
 type OCICredentials struct {
@@ -197,19 +199,6 @@ type EdgeFunctionRuntime struct {
 Port *int32 `json:"port,omitempty"`
 }
 
-type EdgeFunctionTargetReference struct {
-// Group is the group of the target resource.
-// Currently only controllers.apoxy.dev/v1alpha1 is supported.
-Group gwapiv1.Group `json:"group"`
-
-// Kind is kind of the target resource.
-// Currently only Proxy is supported.
-Kind gwapiv1.Kind `json:"kind"`
-
-// Name is the name of the target resource.
-Name gwapiv1.ObjectName `json:"name"`
-}
-
 type EdgeFunctionMode string
 
 const (

api/extensions/v1alpha1/zz_generated.deepcopy.go

@@ -91,13 +91,15 @@ func main() {
 }
 }()
 
+var kc *rest.Config
 rC := apiserver.NewClientConfig()
 if *inCluster {
 rC, err = rest.InClusterConfig()
 if err != nil {
 log.Errorf("failed to create in-cluster k8s config: %v", err)
 ctxCancel(&startErr{Err: err})
 }
+kc = rC
 }
 m := apiserver.New()
 go func() {
@@ -140,7 +142,7 @@ func main() {
 }
 w := tworker.New(tc, ingest.EdgeFunctionIngestQueue, wOpts)
 ingest.RegisterWorkflows(w)
-ww := ingest.NewWorker(a3y, *ingestStoreDir)
+ww := ingest.NewWorker(kc, a3y, *ingestStoreDir)
 ww.RegisterActivities(w)
 go func() {
 if err = ww.ListenAndServeEdgeFuncs("" /* host */, *ingestStorePort); err != nil {

api/generated/zz_generated.openapi.go

@@ -22,7 +22,10 @@ import (
 "go.temporal.io/sdk/temporal"
 tworker "go.temporal.io/sdk/worker"
 "go.temporal.io/sdk/workflow"
+k8scorev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+"k8s.io/client-go/kubernetes"
+"k8s.io/client-go/rest"
 "k8s.io/client-go/util/retry"
 "oras.land/oras-go/v2"
 "oras.land/oras-go/v2/content"
@@ -185,16 +188,19 @@ Finalize:
 
 // Worker implements Temporal Activities for Edge Functions Ingest queue.
 type worker struct {
+k8s kubernetes.Interface
 a3y versioned.Interface
 baseDir string
 }
 
 // NewWorker returns a new worker for Edge Functions Ingest queue.
-func NewWorker(c versioned.Interface, baseDir string) *worker {
-return &worker{
+func NewWorker(kc *rest.Config, c versioned.Interface, baseDir string) *worker {
+w := &worker{
 a3y: c,
 baseDir: baseDir,
 }
+w.k8s = kubernetes.NewForConfigOrDie(kc)
+return w
 }
 
 // RegisterActivities registers Edge Functions Ingest activities with
@@ -405,8 +411,35 @@ func (w *worker) pullOCIImage(
 Password: string(pwd),
 },
 )
-} else if ociRef.CredentialsRef != nil {
-// TODO(dsky): Implement credentials ref.
+} else if secretRef := ociRef.CredentialsRef; secretRef != nil {
+if secretRef.Group == "" && secretRef.Kind == "Secret" {
+// Secret refs are only valid in k8s environment.
+if w.k8s == nil {
+return nil, errors.New("k8s environment is not set")
+}
+
+secret, err := w.k8s.CoreV1().Secrets(string(secretRef.Namespace)).Get(ctx, string(secretRef.Name), metav1.GetOptions{})
+if err != nil {
+return nil, fmt.Errorf("failed to get secret: %w", err)
+}
+if secret.Type != k8scorev1.SecretTypeDockerConfigJson {
+return nil, fmt.Errorf("invalid secret type %q, expected %q", secret.Type, "kubernetes.io/dockerconfigjson")
+}
+encodedToken := secret.Data[".dockerconfigjson"]
+var dockerConfig struct {
+Auths map[string]auth.Credential `json:"auths"`
+}
+if err := json.Unmarshal(encodedToken, &dockerConfig); err != nil {
+return nil, fmt.Errorf("failed to parse dockerconfigjson: %w", err)
+}
+
+credsFunc = func(_ context.Context, _ string) (auth.Credential, error) {
+return dockerConfig.Auths[repo.Reference.Registry], nil
+}
+} else {
+// TODO(dilyevsky): Support other kinds of secrets for non-k8s environments.
+return nil, fmt.Errorf("invalid secret kind %q, expected %q", secretRef.Kind, "Secret")
+}
 } else {
 log.Debug("No credentials provided for OCI registry")
 }

cmd/apiserver/main.go

@@ -271,7 +271,7 @@ allowing you to test and develop your proxy infrastructure.`,
 }
 w := tworker.New(tc, ingest.EdgeFunctionIngestQueue, wOpts)
 ingest.RegisterWorkflows(w)
-ww := ingest.NewWorker(c, os.Getenv("TMPDIR"))
+ww := ingest.NewWorker(nil /* no k8s client in local mode */, c, os.Getenv("TMPDIR"))
 ww.RegisterActivities(w)
 go func() {
 if err = ww.ListenAndServeEdgeFuncs("localhost", 8081); err != nil {