feat: create secrets

Author: robertgraeff

internal/controllers/cluster/controller.go

@@ -231,7 +231,6 @@ func (r *ClusterReconciler) buildGatewayManager(ctx context.Context, req reconci
 		DNSConfig:      r.Config.Spec.DNS,
 		PlatformClient: r.PlatformCluster.Client(),
 		ClusterClient:  access.Client(),
-		PullSecrets:    []corev1.LocalObjectReference{}, // TODO
 		FluxKubeconfig: &fluxmeta.KubeConfigReference{
 			SecretRef: &fluxmeta.SecretKeyReference{
 				Name: ar.Status.SecretRef.Name,

pkg/envoy/config.go

@@ -6,7 +6,6 @@ import (
 	"fmt"
 	"time"
 
-	"github.com/openmcp-project/platform-service-gateway/pkg/utils"
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -16,6 +15,8 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 	gatewayv1 "sigs.k8s.io/gateway-api/apis/v1"
+
+	"github.com/openmcp-project/platform-service-gateway/pkg/utils"
 )
 
 var (
@@ -163,7 +164,7 @@ func (g *Gateway) reconcileEnvoyProxyFunc(obj *unstructured.Unstructured) func()
 					"envoyDeployment": map[string]any{
 						"container": container,
 						"pod": map[string]any{
-							"imagePullSecrets": g.PullSecrets,
+							"imagePullSecrets": g.EnvoyConfig.Images.ImagePullSecrets,
 						},
 					},
 				},

pkg/envoy/deployment.go

@@ -11,6 +11,7 @@ import (
 	fluxmeta "github.com/fluxcd/pkg/apis/meta"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 	clustersv1alpha1 "github.com/openmcp-project/openmcp-operator/api/clusters/v1alpha1"
+	corev1 "k8s.io/api/core/v1"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -32,25 +33,32 @@ type Gateway struct {
 	DNSConfig      v1alpha1.DNSConfig
 	PlatformClient client.Client
 	ClusterClient  client.Client
-	//PullSecrets    []corev1.LocalObjectReference
 	FluxKubeconfig *fluxmeta.KubeConfigReference
 }
 
 func (g *Gateway) InstallOrUpdate(ctx context.Context) error {
 	repo := g.getRepo()
 	helmRelease := g.getHelmRelease()
 
+	imagePullSecretOps, err := g.ensureSecrets(ctx, g.Cluster.Namespace, deploymentNamespace)
+	if err != nil {
+		return fmt.Errorf("failed to ensure image pull secrets: %w", err)
+	}
+
 	ops := []applyOperation{
 		ensureNamespace(deploymentNamespace, g.ClusterClient),
-		{
+	}
+	ops = append(ops, imagePullSecretOps...)
+	ops = append(ops,
+		applyOperation{
 			obj: repo,
 			f:   g.reconcileOCIRepositoryFunc(repo),
 		},
-		{
+		applyOperation{
 			obj: helmRelease,
 			f:   g.reconcileHelmReleaseFunc(repo.Name, helmRelease),
 		},
-	}
+	)
 
 	return createOrUpdate(ctx, g.PlatformClient, ops...)
 }
@@ -131,6 +139,36 @@ func (g *Gateway) reconcileHelmReleaseFunc(repoName string, obj *helmv2.HelmRele
 	}
 }
 
+// ----- Secrets -----
+
+func (g *Gateway) ensureSecrets(ctx context.Context, sourceNamespace, targetNamespace string) ([]applyOperation, error) {
+	secretList := &corev1.SecretList{}
+	if err := g.PlatformClient.List(ctx, secretList, client.InNamespace(sourceNamespace)); err != nil {
+		return nil, fmt.Errorf("failed to list secrets in namespace %s: %w", sourceNamespace, err)
+	}
+
+	ops := make([]applyOperation, 0, len(secretList.Items))
+	for _, imagePullSecret := range g.EnvoyConfig.Images.ImagePullSecrets {
+		for _, secret := range secretList.Items {
+			if imagePullSecret.Name == secret.Name {
+				ops = append(ops, applyOperation{
+					obj: &corev1.Secret{
+						ObjectMeta: metav1.ObjectMeta{
+							Name:      secret.Name,
+							Namespace: targetNamespace,
+						},
+						Data: secret.Data,
+						Type: secret.Type,
+					},
+					c: g.ClusterClient,
+				})
+			}
+		}
+	}
+
+	return ops, nil
+}
+
 func (g *Gateway) generateHelmValuesJSON() (*apiextensionsv1.JSON, error) {
 	values := g.generateHelmValues()
 	raw, err := json.Marshal(values)