Create new namespace pull secret based on namespace pull robot account

api/v1alpha1/imagerepository_types.go

@@ -64,6 +64,9 @@ type ImageCredentials struct {
 	// Refreshes both, push and pull tokens.
 	// The field gets cleared after the refresh.
 	RegenerateToken *bool `json:"regenerate-token,omitempty"`
+	// RegenerateNamespacePullToken defines a request to refresh namespace pull robot credentials.
+	// The field gets cleared after the refresh.
+	RegenerateNamespacePullToken *bool `json:"regenerate-namespace-pull-token,omitempty"`
 	// VerifyLinking defines a request to verify and fix
 	// secret linking in pipeline service account.
 	// The field gets cleared after fixing.

cmd/coverage_init.go

@@ -7,4 +7,3 @@ package main
 // from the running binary during E2E tests.
 
 import _ "github.com/konflux-ci/coverport/instrumentation/go" // starts coverage server via init()
-

cmd/main.go

@@ -47,11 +47,11 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 
 	"github.com/go-logr/logr"
+	compapiv1alpha1 "github.com/konflux-ci/application-api/api/v1alpha1"
 	imagerepositoryv1alpha1 "github.com/konflux-ci/image-controller/api/v1alpha1"
 	controllers "github.com/konflux-ci/image-controller/internal/controller"
 	controllermetrics "github.com/konflux-ci/image-controller/pkg/metrics"
 	"github.com/konflux-ci/image-controller/pkg/quay"
-	appstudioredhatcomv1alpha1 "github.com/redhat-appstudio/application-api/api/v1alpha1"
 	// +kubebuilder:scaffold:imports
 )
 
@@ -69,7 +69,7 @@ var (
 func init() {
 	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
 
-	utilruntime.Must(appstudioredhatcomv1alpha1.AddToScheme(scheme))
+	utilruntime.Must(compapiv1alpha1.AddToScheme(scheme))
 	utilruntime.Must(imagerepositoryv1alpha1.AddToScheme(scheme))
 	// +kubebuilder:scaffold:scheme
 }

config/crd/bases/appstudio.redhat.com_imagerepositories.yaml

@@ -49,6 +49,11 @@ spec:
               credentials:
                 description: Credentials management.
                 properties:
+                  regenerate-namespace-pull-token:
+                    description: |-
+                      RegenerateNamespacePullToken defines a request to refresh namespace pull robot credentials.
+                      The field gets cleared after the refresh.
+                    type: boolean
                   regenerate-token:
                     description: |-
                       RegenerateToken defines a request to refresh image accessing credentials.

config/rbac/role.yaml

@@ -13,6 +13,14 @@ rules:
   - list
   - update
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - ""
   resources:

go.mod

@@ -7,10 +7,11 @@ toolchain go1.24.6
 require (
 	github.com/go-logr/logr v1.4.3
 	github.com/h2non/gock v1.2.0
+	github.com/konflux-ci/application-api v0.0.0-20260205151641-c691ffebedf8
+	github.com/konflux-ci/coverport/instrumentation/go v0.0.0-20251127103713-95b5b5e04a62
 	github.com/onsi/ginkgo/v2 v2.26.0
 	github.com/onsi/gomega v1.38.2
 	github.com/prometheus/client_golang v1.19.1
-	github.com/redhat-appstudio/application-api v0.0.0-20231026192857-89515ad2504f
 	go.uber.org/zap v1.27.0
 	gotest.tools/v3 v3.5.2
 	k8s.io/api v0.31.0
@@ -30,7 +31,6 @@ require (
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
-	github.com/evanphx/json-patch v4.5.0+incompatible // indirect
 	github.com/evanphx/json-patch/v5 v5.9.11 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
@@ -56,7 +56,6 @@ require (
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/konflux-ci/coverport/instrumentation/go v0.0.0-20251127103713-95b5b5e04a62 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect

go.sum

@@ -20,8 +20,8 @@ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g=
 github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
-github.com/evanphx/json-patch v4.5.0+incompatible h1:ouOWdg56aJriqS0huScTkVXPC5IcNrDCXZ6OoTAWu7M=
-github.com/evanphx/json-patch v4.5.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
+github.com/evanphx/json-patch v0.5.2 h1:xVCHIVMUu1wtM/VkR9jVZ45N3FhZfYMMYGorLCR8P3k=
+github.com/evanphx/json-patch v0.5.2/go.mod h1:ZWS5hhDbVDyob71nXKNL0+PWn6ToqBHMikGIFbs31qQ=
 github.com/evanphx/json-patch/v5 v5.9.11 h1:/8HVnzMq13/3x9TPvjG08wUGqBTmZBsCWzjTM0wiaDU=
 github.com/evanphx/json-patch/v5 v5.9.11/go.mod h1:3j+LviiESTElxA4p3EMKAB9HXj3/XEtnUf6OZxqIQTM=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
@@ -92,6 +92,8 @@ github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnr
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/konflux-ci/application-api v0.0.0-20260205151641-c691ffebedf8 h1:HjVmLXbIzsqOAU1gN+qhJdUIIaDiUtd2nc9YvLg8iHo=
+github.com/konflux-ci/application-api v0.0.0-20260205151641-c691ffebedf8/go.mod h1:948Z+a1IbfRT0RtoHzWWSN9YEucSbMJTHaMhz7dVICc=
 github.com/konflux-ci/coverport/instrumentation/go v0.0.0-20251127103713-95b5b5e04a62 h1:lMTed+H0EesSqsH3iQXtLoy/+SpbBT0BS1J0izeEtFM=
 github.com/konflux-ci/coverport/instrumentation/go v0.0.0-20251127103713-95b5b5e04a62/go.mod h1:WVMHU9A2464s/vjH1xOTm4LJDD4xP+VlEiU+KM0gkSU=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
@@ -135,8 +137,6 @@ github.com/prometheus/common v0.55.0 h1:KEi6DK7lXW/m7Ig5i47x0vRzuBsHuvJdi5ee6Y3G
 github.com/prometheus/common v0.55.0/go.mod h1:2SECS4xJG1kd8XF9IcM1gMX6510RAEL65zxzNImwdc8=
 github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
 github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
-github.com/redhat-appstudio/application-api v0.0.0-20231026192857-89515ad2504f h1:PoKf7gCV/g5blkzVlODkqeynmfIACcR7NqWF8eqnuec=
-github.com/redhat-appstudio/application-api v0.0.0-20231026192857-89515ad2504f/go.mod h1:YvckuKHe82eWloGk0/BpSw4YYG2owrGZAanztbOj3pQ=
 github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
 github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=

internal/controller/application_controller.go

@@ -31,13 +31,13 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 	ctrllog "sigs.k8s.io/controller-runtime/pkg/log"
 
+	compapiv1alpha1 "github.com/konflux-ci/application-api/api/v1alpha1"
 	imagerepositoryv1alpha1 "github.com/konflux-ci/image-controller/api/v1alpha1"
 	l "github.com/konflux-ci/image-controller/pkg/logs"
-	appstudioredhatcomv1alpha1 "github.com/redhat-appstudio/application-api/api/v1alpha1"
 )
 
 const (
-	IntegrationTestsServiceAccountName = "konflux-integration-runner"
+	IntegrationServiceAccountName      = "konflux-integration-runner"
 	ApplicationSecretLinkToSaFinalizer = "application-secret-link-to-integration-tests-sa.appstudio.openshift.io/finalizer"
 )
 
@@ -58,7 +58,7 @@ type ApplicationPullSecretCreator struct {
 // SetupWithManager sets up the controller with the Manager.
 func (r *ApplicationPullSecretCreator) SetupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).
-		For(&appstudioredhatcomv1alpha1.Application{}).
+		For(&compapiv1alpha1.Application{}).
 		Complete(r)
 }
 
@@ -73,7 +73,7 @@ func (r *ApplicationPullSecretCreator) Reconcile(ctx context.Context, req ctrl.R
 	ctx = ctrllog.IntoContext(ctx, log)
 
 	// fetch the application instance
-	application := &appstudioredhatcomv1alpha1.Application{}
+	application := &compapiv1alpha1.Application{}
 	err := r.Client.Get(ctx, req.NamespacedName, application)
 	if err != nil {
 		if errors.IsNotFound(err) {
@@ -132,7 +132,7 @@ func (r *ApplicationPullSecretCreator) Reconcile(ctx context.Context, req ctrl.R
 		}
 	}
 
-	if err := r.updateServiceAccountWithApplicationPullSecret(ctx, applicationPullSecretName, application.Namespace); err != nil {
+	if err := r.updateIntegrationServiceAccountWithApplicationPullSecret(ctx, applicationPullSecretName, application.Namespace); err != nil {
 		return ctrl.Result{}, err
 	}
 
@@ -147,7 +147,7 @@ func getApplicationPullSecretName(applicationName string) string {
 // getComponentIdsForApplication returns components id for all components owned by the application
 func (r *ApplicationPullSecretCreator) getComponentIdsForApplication(ctx context.Context, applicationId types.UID, namespace string) ([]types.UID, error) {
 	log := ctrllog.FromContext(ctx)
-	componentsList := &appstudioredhatcomv1alpha1.ComponentList{}
+	componentsList := &compapiv1alpha1.ComponentList{}
 	if err := r.Client.List(ctx, componentsList, &client.ListOptions{Namespace: namespace}); err != nil {
 		log.Error(err, "failed to list components")
 		return nil, err
@@ -198,7 +198,7 @@ func (r *ApplicationPullSecretCreator) getImageRepositoryPullSecretNamesForCompo
 
 // createApplicationPullSecret creates or updates a single kubernetes.io/dockerconfigjson secret
 // by combining data from individual pull secrets.
-func (r *ApplicationPullSecretCreator) createApplicationPullSecret(ctx context.Context, applicationPullSecretName string, application *appstudioredhatcomv1alpha1.Application, individualSecretNames []string) error {
+func (r *ApplicationPullSecretCreator) createApplicationPullSecret(ctx context.Context, applicationPullSecretName string, application *compapiv1alpha1.Application, individualSecretNames []string) error {
 	log := ctrllog.FromContext(ctx)
 
 	log.Info("Creating application pull secret", "secretName", applicationPullSecretName)
@@ -282,19 +282,19 @@ func (r *ApplicationPullSecretCreator) createApplicationPullSecret(ctx context.C
 	return nil
 }
 
-// udateServiceAccountWithApplicationPullSecret updates the ServiceAccount to include
+// updateIntegrationServiceAccountWithApplicationPullSecret updates the ServiceAccount to include
 // the application pull secret as an imagePullSecret and as a Secret
-func (r *ApplicationPullSecretCreator) updateServiceAccountWithApplicationPullSecret(ctx context.Context, applicationPullSecretName string, namespace string) error {
+func (r *ApplicationPullSecretCreator) updateIntegrationServiceAccountWithApplicationPullSecret(ctx context.Context, applicationPullSecretName string, namespace string) error {
 	log := ctrllog.FromContext(ctx)
 
 	// fetch namespace SA
 	namespaceServiceAccount := &corev1.ServiceAccount{}
-	if err := r.Client.Get(ctx, types.NamespacedName{Name: IntegrationTestsServiceAccountName, Namespace: namespace}, namespaceServiceAccount); err != nil {
+	if err := r.Client.Get(ctx, types.NamespacedName{Name: IntegrationServiceAccountName, Namespace: namespace}, namespaceServiceAccount); err != nil {
 		if errors.IsNotFound(err) {
-			log.Info("Namespace ServiceAccount not found", "serviceAccountName", IntegrationTestsServiceAccountName, "namespace", namespace)
+			log.Info("Integration ServiceAccount not found", "serviceAccountName", IntegrationServiceAccountName, "namespace", namespace)
 			return nil
 		}
-		log.Error(err, "failed to read namespace ServiceAccount", "serviceAccountName", IntegrationTestsServiceAccountName, "namespace", namespace, l.Action, l.ActionView)
+		log.Error(err, "failed to read integration ServiceAccount", "serviceAccountName", IntegrationServiceAccountName, "namespace", namespace, l.Action, l.ActionView)
 		return err
 	}
 
@@ -337,7 +337,7 @@ func (r *ApplicationPullSecretCreator) updateServiceAccountWithApplicationPullSe
 	return nil
 }
 
-func (r *ApplicationPullSecretCreator) doesApplicationPullSecretExist(ctx context.Context, applicationPullSecretName string, application *appstudioredhatcomv1alpha1.Application) (bool, error) {
+func (r *ApplicationPullSecretCreator) doesApplicationPullSecretExist(ctx context.Context, applicationPullSecretName string, application *compapiv1alpha1.Application) (bool, error) {
 	log := ctrllog.FromContext(ctx)
 
 	applicationPullSecret := &corev1.Secret{}
@@ -355,15 +355,15 @@ func (r *ApplicationPullSecretCreator) doesApplicationPullSecretExist(ctx contex
 
 // unlinkApplicationSecretFromIntegrationTestsSa ensures that the given secret is not linked with the integration tests service account.
 func (r *ApplicationPullSecretCreator) unlinkApplicationSecretFromIntegrationTestsSa(ctx context.Context, secretNameToRemove, namespace string) error {
-	log := ctrllog.FromContext(ctx).WithValues("ServiceAccountName", IntegrationTestsServiceAccountName, "SecretName", secretNameToRemove)
+	log := ctrllog.FromContext(ctx).WithValues("ServiceAccountName", IntegrationServiceAccountName, "SecretName", secretNameToRemove)
 
 	serviceAccount := &corev1.ServiceAccount{}
-	err := r.Client.Get(ctx, types.NamespacedName{Name: IntegrationTestsServiceAccountName, Namespace: namespace}, serviceAccount)
+	err := r.Client.Get(ctx, types.NamespacedName{Name: IntegrationServiceAccountName, Namespace: namespace}, serviceAccount)
 	if err != nil {
 		if errors.IsNotFound(err) {
 			return nil
 		}
-		log.Error(err, "failed to read namespace service account", l.Action, l.ActionView)
+		log.Error(err, "failed to read integration service account", l.Action, l.ActionView)
 		return err
 	}