feat: add ExternalSecrets structure to bootstrapper config to allow specification of repository and image pull secrets

On-behalf-of: Radek Schekalla (SAP) <[email protected]>
Signed-off-by: Radek Schekalla (SAP) <[email protected]>

Author: rdksap

go.mod

@@ -6,6 +6,7 @@ require (
 	github.com/Masterminds/sprig/v3 v3.3.0
 	github.com/fluxcd/helm-controller/api v1.4.2
 	github.com/fluxcd/kustomize-controller/api v1.7.1
+	github.com/fluxcd/pkg/apis/meta v1.22.0
 	github.com/fluxcd/source-controller/api v1.7.2
 	github.com/go-git/go-billy/v5 v5.6.2
 	github.com/go-git/go-git/v5 v5.16.3
@@ -41,7 +42,6 @@ require (
 	github.com/evanphx/json-patch/v5 v5.9.11 // indirect
 	github.com/fluxcd/pkg/apis/acl v0.9.0 // indirect
 	github.com/fluxcd/pkg/apis/kustomize v1.13.0 // indirect
-	github.com/fluxcd/pkg/apis/meta v1.22.0 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
 	github.com/go-errors/errors v1.4.2 // indirect

internal/config/config.go

@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"os"
 
+	"github.com/fluxcd/pkg/apis/meta"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"sigs.k8s.io/yaml"
 )
@@ -16,6 +17,7 @@ type BootstrapperConfig struct {
 	OpenMCPOperator      OpenMCPOperator        `json:"openmcpOperator"`
 	Environment          string                 `json:"environment"`
 	TemplateInput        map[string]interface{} `json:"templateInput"`
+	ExternalSecrets      ExternalSecrets        `json:"externalSecrets"`
 }
 
 type Component struct {
@@ -56,6 +58,11 @@ type Manifest struct {
 	ManifestParsed map[string]interface{}
 }
 
+type ExternalSecrets struct {
+	RepositorySecretRef meta.LocalObjectReference   `json:"repositorySecretRef"`
+	ImagePullSecrets    []meta.LocalObjectReference `json:"imagePullSecrets"`
+}
+
 func (c *BootstrapperConfig) ReadFromFile(path string) error {
 	data, err := os.ReadFile(path)
 	if err != nil {

internal/eso-deployer/constants.go

@@ -1,7 +1,7 @@
 package eso_deployer
 
 const (
-	esoNamespace       = "external-secrets-system"
+	esoNamespace       = "external-secrets"
 	esoImageRepoName   = "external-secrets-image"
 	esoChartRepoName   = "external-secrets-chart"
 	esoHelmReleaseName = "external-secrets-operator"

internal/eso-deployer/deployer.go

@@ -10,17 +10,14 @@ import (
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 	"github.com/openmcp-project/controller-utils/pkg/clusters"
 	"github.com/sirupsen/logrus"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	ocmcli "github.com/openmcp-project/bootstrapper/internal/ocm-cli"
-
 	"github.com/openmcp-project/bootstrapper/internal/component"
 	cfg "github.com/openmcp-project/bootstrapper/internal/config"
-
 	"github.com/openmcp-project/bootstrapper/internal/flux_deployer"
+	ocmcli "github.com/openmcp-project/bootstrapper/internal/ocm-cli"
 	"github.com/openmcp-project/bootstrapper/internal/util"
-
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 )
 
 type EsoDeployer struct {
@@ -63,7 +60,7 @@ func (d *EsoDeployer) DeployWithComponentManager(ctx context.Context, componentM
 		return fmt.Errorf("failed to get external-secrets-operator-chart resource: %w", err)
 	}
 	d.log.Info("Deploying OCIRepo for ESO chart.")
-	if err = deployRepo(ctx, d, esoChartRes, esoChartRepoName); err != nil {
+	if err = d.deployRepo(ctx, esoChartRes, esoChartRepoName); err != nil {
 		return fmt.Errorf("failed to create helm chart repo: %w", err)
 	}
 
@@ -72,28 +69,33 @@ func (d *EsoDeployer) DeployWithComponentManager(ctx context.Context, componentM
 		return fmt.Errorf("failed to get external-secrets-operator-image resource: %w", err)
 	}
 	d.log.Info("Deploying OCIRepo for ESO image.")
-	if err = deployRepo(ctx, d, esoImageRes, esoImageRepoName); err != nil {
+	if err = d.deployRepo(ctx, esoImageRes, esoImageRepoName); err != nil {
 		return fmt.Errorf("failed to create helm image repo: %w", err)
 	}
 
 	d.log.Info("Deploying HelmRelease for ESO.")
-	if err = deployHelmRelease(ctx, d, esoImageRes); err != nil {
+	if err = d.deployHelmRelease(ctx, esoImageRes); err != nil {
 		return fmt.Errorf("failed to deploy helm release: %w", err)
 	}
 
 	d.log.Info("Done.")
 	return nil
 }
 
-func deployHelmRelease(ctx context.Context, d *EsoDeployer, res *ocmcli.Resource) error {
-	name, _, _, err := util.ParseImageVersionAndTag(*res.Access.ImageReference)
+func (d *EsoDeployer) deployHelmRelease(ctx context.Context, res *ocmcli.Resource) error {
+	name, tag, _, err := util.ParseImageVersionAndTag(*res.Access.ImageReference)
 	if err != nil {
 		return fmt.Errorf("failed to parse image resource: %w", err)
 	}
 
 	values := map[string]any{
-		"image": map[string]any{"repository": name},
+		"image": map[string]any{
+			"repository": name,
+			"tag":        tag,
+		},
 	}
+	values["imagePullSecrets"] = d.Config.ExternalSecrets.ImagePullSecrets
+
 	encoded, err := json.Marshal(values)
 	if err != nil {
 		return fmt.Errorf("failed to marshal ESO Helm values: %w", err)
@@ -122,8 +124,8 @@ func deployHelmRelease(ctx context.Context, d *EsoDeployer, res *ocmcli.Resource
 	return util.CreateOrUpdate(ctx, d.platformCluster, helmRelease)
 }
 
-func deployRepo(ctx context.Context, d *EsoDeployer, res *ocmcli.Resource, repoName string) error {
-	imageName, tag, digest, err := util.ParseImageVersionAndTag(*res.Access.ImageReference)
+func (d *EsoDeployer) deployRepo(ctx context.Context, res *ocmcli.Resource, repoName string) error {
+	name, tag, digest, err := util.ParseImageVersionAndTag(*res.Access.ImageReference)
 	if err != nil {
 		return err
 	}
@@ -134,12 +136,13 @@ func deployRepo(ctx context.Context, d *EsoDeployer, res *ocmcli.Resource, repoN
 			Namespace: flux_deployer.FluxSystemNamespace,
 		},
 		Spec: sourcev1.OCIRepositorySpec{
-			URL: fmt.Sprintf("oci://%s", imageName),
+			URL: fmt.Sprintf("oci://%s", name),
 			Reference: &sourcev1.OCIRepositoryRef{
 				Tag:    tag,
 				Digest: digest,
 			},
-			Timeout: &metav1.Duration{Duration: 1 * time.Minute},
+			Timeout:   &metav1.Duration{Duration: 1 * time.Minute},
+			SecretRef: &d.Config.ExternalSecrets.RepositorySecretRef,
 		},
 	}
 	return util.CreateOrUpdate(ctx, d.platformCluster, ociRepo)