
Pods running in namespaces managed by Flux cannot pull images (401 Unauthorized)

Open kevinvalk opened this issue 1 year ago • 2 comments

Is your feature request related to a problem? Please describe.
We went fully GitOps through Flux, and Flux creates numerous namespaces. However, Zarf does not know about these namespaces and will not add the private-registry secrets (and others). This prevents any containers within these namespaces from pulling images from the registry (401 Unauthorized).

Describe the solution you'd like
I do not fully grasp the limits of K8S here, but it would be best if pods could pull images from the zarf-registry regardless of where or how they run, even if they run within namespaces that are "invisible" to Zarf. Zarf could check (through hooks or periodically) which namespaces are new and ensure that the private-registry and other secrets exist.

Describe alternatives you've considered
A workaround you can use is to add Namespace blocks to the zarf.yaml manifests so that Zarf knows which namespaces exist. Then it will nicely inject the private-registry secrets into that namespace.

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: infrastructure
```

Additional context
The mutating webhook does add the imagePullSecrets to pods running in ANY namespace. But obviously they cannot use the secret, as it is not created in those namespaces through the post-renderer: https://github.com/defenseunicorns/zarf/blob/c74e2e9626da0400e0a41e78319b3054c53a5d4e/src/internal/helm/post-render.go#L143

kevinvalk avatar Sep 12 '22 16:09 kevinvalk

Thanks @kevinvalk, this is something we've talked about before, and there are a couple of patterns we've seen used that I'll list below. There is a robust way we could solve this in zarf (by generating secrets via the webhook) but it has its own set of drawbacks.

  1. The thing you're orchestrating can generate its own secret using the variables; here's an example in the Big Bang helm charts:

```yaml
registryCredentials:
  registry: "###ZARF_REGISTRY###"
  username: "zarf-pull"
  password: "###ZARF_REGISTRY_AUTH_PULL###"
```

  2. If you have zarf create the namespaces, it will then create the expected secrets.

jeff-mccoy avatar Sep 12 '22 17:09 jeff-mccoy
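An added example, not code from the Zarf project or from anyone in this thread, showing both halves of the pattern discussed above in Python: an audit that lists namespaces lacking the `private-registry` pull secret (the gap that Flux-created namespaces fall into, which surfaces as the 401 Unauthorized), and a builder for the `kubernetes.io/dockerconfigjson` Secret that a chart or manifest would create per namespace. The namespace names, the secret list and the registry address `127.0.0.1:31999` are constructed sample data; in a real Zarf package the registry and password would be filled in from the `###ZARF_REGISTRY###` and `###ZARF_REGISTRY_AUTH_PULL###` variables shown in the comment above.

```python
"""Added example, not Zarf's own code: find namespaces that lack the image
pull secret and build the dockerconfigjson Secret that would close the gap."""
import base64
import json

# Name and type of the pull secret discussed in the thread.
PULL_SECRET_NAME = "private-registry"
PULL_SECRET_TYPE = "kubernetes.io/dockerconfigjson"


def docker_config_json(registry: str, username: str, password: str) -> str:
    """Render the .dockerconfigjson payload that kubelet reads when pulling."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    return json.dumps({"auths": {registry: {"username": username,
                                            "password": password,
                                            "auth": auth}}})


def pull_secret_manifest(namespace: str, registry: str, username: str, password: str) -> dict:
    """Build a Secret object (same shape as `kubectl get secret -o json`) for one namespace."""
    payload = docker_config_json(registry, username, password).encode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": PULL_SECRET_TYPE,
        "metadata": {"name": PULL_SECRET_NAME, "namespace": namespace},
        "data": {".dockerconfigjson": base64.b64encode(payload).decode()},
    }


def decode_pull_secret(secret: dict) -> dict:
    """Decode a pull secret back to registry/username/password and check that the
    embedded auth field matches username:password (a cheap sanity check before
    applying a generated secret)."""
    cfg = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    registry, entry = next(iter(cfg["auths"].items()))
    expected = base64.b64encode(f'{entry["username"]}:{entry["password"]}'.encode()).decode()
    return {"registry": registry, "username": entry["username"],
            "password": entry["password"], "auth_ok": entry["auth"] == expected}


def namespaces_missing_pull_secret(namespaces, secrets, name=PULL_SECRET_NAME):
    """Return sorted namespace names with no dockerconfigjson Secret called `name`.

    `secrets` has the shape of the `items` list from `kubectl get secrets -A -o json`."""
    covered = {
        s["metadata"]["namespace"]
        for s in secrets
        if s["metadata"]["name"] == name and s.get("type") == PULL_SECRET_TYPE
    }
    return sorted(set(namespaces) - covered)


# Constructed sample cluster state: Zarf created "zarf" and "infrastructure"
# (the latter via a Namespace manifest in zarf.yaml); Flux created the rest.
SAMPLE_REGISTRY = "127.0.0.1:31999"  # constructed, stands in for ###ZARF_REGISTRY###
SAMPLE_NAMESPACES = ["zarf", "infrastructure", "flux-system", "monitoring"]
SAMPLE_SECRETS = [
    pull_secret_manifest("zarf", SAMPLE_REGISTRY, "zarf-pull", "example-pw"),
    pull_secret_manifest("infrastructure", SAMPLE_REGISTRY, "zarf-pull", "example-pw"),
    # An unrelated Opaque secret that happens to share the name must not count as coverage.
    {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
     "metadata": {"name": PULL_SECRET_NAME, "namespace": "monitoring"}, "data": {}},
]


def render_missing(namespaces=SAMPLE_NAMESPACES, secrets=SAMPLE_SECRETS,
                   registry=SAMPLE_REGISTRY, username="zarf-pull", password="example-pw"):
    """Produce the Secret manifests needed for every uncovered namespace."""
    return [pull_secret_manifest(ns, registry, username, password)
            for ns in namespaces_missing_pull_secret(namespaces, secrets)]


if __name__ == "__main__":
    print("namespaces missing pull secret:",
          namespaces_missing_pull_secret(SAMPLE_NAMESPACES, SAMPLE_SECRETS))
    for manifest in render_missing():
        print(json.dumps(manifest, indent=2))
```

Run against a real cluster by feeding `kubectl get namespaces -o name` and the `items` of `kubectl get secrets -A -o json` into `namespaces_missing_pull_secret`; the type check matters because a same-named Opaque secret still leaves the kubelet with nothing usable for the pull, which is exactly the 401 reported above.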

Relating to #394 since this is related to that theme.

JasonvanBrackel avatar Sep 15 '22 15:09 JasonvanBrackel

Linking in Pepr as well now that it is out - it might be a more dynamic way to do this, and we will be looking to refactor the Zarf agent to use it in the future: https://github.com/defenseunicorns/pepr

Racer159 avatar Apr 19 '23 00:04 Racer159