Create new namespace pull secret based on namespace pull robot account

which is granted read permisssions for all ImageRepositories in the namespace,
namespace pull secret is also linked to component build SA and integration SA,
new annotation 'image-controller.appstudio.redhat.com/ensure-namespace-pull-secret' is
introduced as well, which is set to 'false' after namespace pull secret is created,
when set to 'true' it will force to create namespace pull robot account and namespace secret,
component linking check is based now only on component label, as new model won't have anymore application

STONEBLD-4018

Signed-off-by: Robert Cerven <rcerven@redhat.com>

Author: rcerven

api/v1alpha1/imagerepository_types.go

@@ -64,6 +64,9 @@ type ImageCredentials struct {
 	// Refreshes both, push and pull tokens.
 	// The field gets cleared after the refresh.
 	RegenerateToken *bool `json:"regenerate-token,omitempty"`
+	// RegenerateNamespacePullToken defines a request to refresh namespace pull robot credentials.
+	// The field gets cleared after the refresh.
+	RegenerateNamespacePullToken *bool `json:"regenerate-namespace-pull-token,omitempty"`
 	// VerifyLinking defines a request to verify and fix
 	// secret linking in pipeline service account.
 	// The field gets cleared after fixing.

api/v1alpha1/zz_generated.deepcopy.go

@@ -7,4 +7,3 @@ package main
 // from the running binary during E2E tests.
 
 import _ "github.com/konflux-ci/coverport/instrumentation/go" // starts coverage server via init()
-

cmd/coverage_init.go

@@ -47,11 +47,12 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 
 	"github.com/go-logr/logr"
+	applicationapiv1alpha1 "github.com/konflux-ci/application-api/api/v1alpha1"
 	imagerepositoryv1alpha1 "github.com/konflux-ci/image-controller/api/v1alpha1"
 	controllers "github.com/konflux-ci/image-controller/internal/controller"
 	controllermetrics "github.com/konflux-ci/image-controller/pkg/metrics"
 	"github.com/konflux-ci/image-controller/pkg/quay"
-	appstudioredhatcomv1alpha1 "github.com/redhat-appstudio/application-api/api/v1alpha1"
+	routev1 "github.com/openshift/api/route/v1"
 	// +kubebuilder:scaffold:imports
 )
 
@@ -69,7 +70,8 @@ var (
 func init() {
 	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
 
-	utilruntime.Must(appstudioredhatcomv1alpha1.AddToScheme(scheme))
+	utilruntime.Must(routev1.AddToScheme(scheme))
+	utilruntime.Must(applicationapiv1alpha1.AddToScheme(scheme))
 	utilruntime.Must(imagerepositoryv1alpha1.AddToScheme(scheme))
 	// +kubebuilder:scaffold:scheme
 }

cmd/main.go

@@ -49,6 +49,11 @@ spec:
               credentials:
                 description: Credentials management.
                 properties:
+                  regenerate-namespace-pull-token:
+                    description: |-
+                      RegenerateNamespacePullToken defines a request to refresh namespace pull robot credentials.
+                      The field gets cleared after the refresh.
+                    type: boolean
                   regenerate-token:
                     description: |-
                       RegenerateToken defines a request to refresh image accessing credentials.

config/crd/bases/appstudio.redhat.com_imagerepositories.yaml

@@ -82,3 +82,11 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - route.openshift.io
+  resources:
+  - routes
+  verbs:
+  - get
+  - list
+  - watch

config/rbac/role.yaml

@@ -7,10 +7,11 @@ toolchain go1.24.6
 require (
 	github.com/go-logr/logr v1.4.3
 	github.com/h2non/gock v1.2.0
+	github.com/konflux-ci/application-api v0.0.0-20251126155256-d24742e8b026
 	github.com/onsi/ginkgo/v2 v2.26.0
 	github.com/onsi/gomega v1.38.2
+	github.com/openshift/api v0.0.0-20221013123534-96eec44e1979
 	github.com/prometheus/client_golang v1.19.1
-	github.com/redhat-appstudio/application-api v0.0.0-20231026192857-89515ad2504f
 	go.uber.org/zap v1.27.0
 	gotest.tools/v3 v3.5.2
 	k8s.io/api v0.31.0

go.mod

@@ -94,6 +94,8 @@ github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/konflux-ci/coverport/instrumentation/go v0.0.0-20251127103713-95b5b5e04a62 h1:lMTed+H0EesSqsH3iQXtLoy/+SpbBT0BS1J0izeEtFM=
 github.com/konflux-ci/coverport/instrumentation/go v0.0.0-20251127103713-95b5b5e04a62/go.mod h1:WVMHU9A2464s/vjH1xOTm4LJDD4xP+VlEiU+KM0gkSU=
+github.com/konflux-ci/application-api v0.0.0-20251126155256-d24742e8b026 h1:Y6oKDSxmDY7JiNsrPm0ZRUcW+9cv20B71DuitI3sl28=
+github.com/konflux-ci/application-api v0.0.0-20251126155256-d24742e8b026/go.mod h1:948Z+a1IbfRT0RtoHzWWSN9YEucSbMJTHaMhz7dVICc=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
@@ -120,6 +122,8 @@ github.com/onsi/ginkgo/v2 v2.26.0 h1:1J4Wut1IlYZNEAWIV3ALrT9NfiaGW2cDCJQSFQMs/gE
 github.com/onsi/ginkgo/v2 v2.26.0/go.mod h1:qhEywmzWTBUY88kfO0BRvX4py7scov9yR+Az2oavUzw=
 github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A=
 github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=
+github.com/openshift/api v0.0.0-20221013123534-96eec44e1979 h1:NkfbwN34Q/UtfKUFEO9pxmdY06A/jBk80YBua+mxwUc=
+github.com/openshift/api v0.0.0-20221013123534-96eec44e1979/go.mod h1:LEnw1IVscIxyDnltE3Wi7bQb/QzIM8BfPNKoGA1Qlxw=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
@@ -135,8 +139,6 @@ github.com/prometheus/common v0.55.0 h1:KEi6DK7lXW/m7Ig5i47x0vRzuBsHuvJdi5ee6Y3G
 github.com/prometheus/common v0.55.0/go.mod h1:2SECS4xJG1kd8XF9IcM1gMX6510RAEL65zxzNImwdc8=
 github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
 github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
-github.com/redhat-appstudio/application-api v0.0.0-20231026192857-89515ad2504f h1:PoKf7gCV/g5blkzVlODkqeynmfIACcR7NqWF8eqnuec=
-github.com/redhat-appstudio/application-api v0.0.0-20231026192857-89515ad2504f/go.mod h1:YvckuKHe82eWloGk0/BpSw4YYG2owrGZAanztbOj3pQ=
 github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
 github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=