feat: Copy ImagePullSecrets from ProviderConfig to ManagedControlPlane (#45)

* feat: add ImagePullSecrets to ProviderConfig, use Juggler to reconcile them on MCP, add to values for helm

* fix: pass a list of imagePullSecret names to helm values instead of a map, as expected by the chart template for service account. Adjust tests accordingly.

* fix: use pointer receiver

* fix: reorder func params and align param names

On-behalf-of: Radek Schekalla (SAP) <[email protected]>
Signed-off-by: Radek Schekalla (SAP) <[email protected]>

Author: rdksap

api/crds/manifests/crossplane.services.openmcp.cloud_providerconfigs.yaml

@@ -95,6 +95,24 @@ spec:
                 description: ImageMapping holds the information about exchangable
                   image locations in the Helm chart.
                 type: object
+              imagePullSecrets:
+                description: Image pull secrets for Crossplane pods
+                items:
+                  description: LocalObjectReference is a reference to an object in
+                    the same namespace as the resource referencing it.
+                  properties:
+                    name:
+                      default: ""
+                      description: |-
+                        Name of the referent.
+                        This field is effectively required, but due to backwards compatibility is
+                        allowed to be empty. Instances of this type with an empty value here are
+                        almost certainly wrong.
+                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                      type: string
+                  type: object
+                  x-kubernetes-map-type: atomic
+                type: array
             required:
             - availableProviders
             - chart

api/v1alpha1/providerconfig_types.go

@@ -64,6 +64,10 @@ type ProviderConfigSpec struct {
 	// AvailableProviders holds the list of providers that can be configured with the Service Provider Crossplane.
 	// +kubebuilder:validation:Required
 	AvailableProviders []AvailableCrossplaneProvider `json:"availableProviders"`
+
+	// Image pull secrets for Crossplane pods
+	// +kubebuilder:validation:Optional
+	ImagePullSecrets []commonapi.LocalObjectReference `json:"imagePullSecrets,omitempty"`
 }
 
 // ProviderConfigStatus defines the observed state of ProviderConfig.

api/v1alpha1/zz_generated.deepcopy.go

@@ -13,4 +13,6 @@ spec:
     - name: provider-kubernetes
       package: xpkg.upbound.io/upbound/provider-kubernetes
       versions:
-        - v0.16.0
+        - v0.16.0
+  imagePullSecrets:
+    - name: registry-secret

config/samples/v1alpha1_providerconfig.yaml

@@ -20,11 +20,13 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"os"
 	"time"
 
 	"github.com/go-logr/logr"
 	"github.com/openmcp-project/controller-utils/pkg/clusters"
 	"github.com/openmcp-project/controller-utils/pkg/controller/smartrequeue"
+	openmcpconsts "github.com/openmcp-project/openmcp-operator/api/constants"
 	corev1 "k8s.io/api/core/v1"
 	rbac "k8s.io/api/rbac/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -100,8 +102,14 @@ func (r *CrossplaneReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 
 	log.Info("Reconciling Crossplane", "name", crossplane.Name, "namespace", crossplane.Namespace)
 
+	// Get ProviderConfig from Platform cluster
+	pc := &v1alpha1.ProviderConfig{}
+	if err := r.PlatformCluster.Client().Get(ctx, types.NamespacedName{Name: "default"}, pc); err != nil {
+		return requeueEntry.Error(err)
+	}
+
 	// Setup reconciliation context
-	ctx, err := r.setupReconciliationContext(ctx, req)
+	ctx, err := r.setupReconciliationContext(ctx, req, pc)
 	if err != nil {
 		return requeueEntry.Error(err)
 	}
@@ -126,7 +134,7 @@ func (r *CrossplaneReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 		return requeueEntry.Error(err)
 	}
 
-	return r.reconcileCrossplaneInstance(ctx, crossplane, mcpCluster.Client())
+	return r.reconcileCrossplaneInstance(ctx, mcpCluster.Client(), crossplane, pc)
 }
 
 func (r *CrossplaneReconciler) updateStatus(ctx context.Context, crossplane *v1alpha1.Crossplane, newConditions *[]metav1.Condition) {
@@ -140,13 +148,7 @@ func (r *CrossplaneReconciler) updateStatus(ctx context.Context, crossplane *v1a
 	}
 }
 
-func (r *CrossplaneReconciler) setupReconciliationContext(ctx context.Context, req ctrl.Request) (context.Context, error) {
-	// Get ProviderConfig from Platform cluster
-	providerConfig := &v1alpha1.ProviderConfig{}
-	if err := r.PlatformCluster.Client().Get(ctx, types.NamespacedName{Name: "default"}, providerConfig); err != nil {
-		return ctx, fmt.Errorf("unable to fetch ProviderConfig 'default': %w", err)
-	}
-
+func (r *CrossplaneReconciler) setupReconciliationContext(ctx context.Context, req ctrl.Request, providerConfig *v1alpha1.ProviderConfig) (context.Context, error) {
 	// Handle ProviderConfig as ReleaseChannel
 	resolverFn := r.GetResolverFunc(providerConfig)
 	ctx = rcontext.WithVersionResolver(ctx, resolverFn)
@@ -210,16 +212,16 @@ func (r *CrossplaneReconciler) setupFluxKubeconfig(ctx context.Context, req ctrl
 	return ctx, nil
 }
 
-func (r *CrossplaneReconciler) reconcileCrossplaneInstance(ctx context.Context, crossplane *v1alpha1.Crossplane, mcpClient client.Client) (ctrl.Result, error) {
+func (r *CrossplaneReconciler) reconcileCrossplaneInstance(ctx context.Context, mcpClient client.Client, xp *v1alpha1.Crossplane, pc *v1alpha1.ProviderConfig) (ctrl.Result, error) {
 	log := log.FromContext(ctx)
 	requeueEntry := smartrequeue.FromContext(ctx)
 
 	// Handle deletion
-	if !crossplane.DeletionTimestamp.IsZero() {
-		return r.deleteCrossplaneInstance(ctx, crossplane, mcpClient)
+	if !xp.DeletionTimestamp.IsZero() {
+		return r.deleteCrossplaneInstance(ctx, mcpClient, xp, pc)
 	}
 
-	conditions, err := r.createOrUpdateCrossplaneInstance(ctx, crossplane, mcpClient)
+	conditions, err := r.createOrUpdateCrossplaneInstance(ctx, mcpClient, xp, pc)
 	if err != nil {
 		log.Error(err, "failed to create or update Crossplane instance")
 		return requeueEntry.Error(err)
@@ -231,13 +233,13 @@ func (r *CrossplaneReconciler) reconcileCrossplaneInstance(ctx context.Context,
 		condApi.SetStatusCondition(&newConditions, c)
 	}
 
-	r.updateStatus(ctx, crossplane, &newConditions)
+	r.updateStatus(ctx, xp, &newConditions)
 
 	// Successfully reconciled - reset the requeue backoff
 	return requeueEntry.Reset()
 }
 
-func (r *CrossplaneReconciler) deleteCrossplaneInstance(ctx context.Context, xp *v1alpha1.Crossplane, mcpClient client.Client) (ctrl.Result, error) {
+func (r *CrossplaneReconciler) deleteCrossplaneInstance(ctx context.Context, mcpClient client.Client, xp *v1alpha1.Crossplane, pc *v1alpha1.ProviderConfig) (ctrl.Result, error) {
 	requeueEntry := smartrequeue.FromContext(ctx)
 
 	if !r.hasFinalizer(xp) {
@@ -247,7 +249,7 @@ func (r *CrossplaneReconciler) deleteCrossplaneInstance(ctx context.Context, xp
 
 	log := log.FromContext(ctx)
 
-	conditions, err := r.deleteControlPlaneComponents(ctx, xp, mcpClient)
+	conditions, err := r.deleteControlPlaneComponents(ctx, mcpClient, xp, pc)
 
 	// Update status with current conditions
 	newConditions := []metav1.Condition{}
@@ -272,12 +274,15 @@ func (r *CrossplaneReconciler) deleteCrossplaneInstance(ctx context.Context, xp
 	return requeueEntry.Never()
 }
 
-func (r *CrossplaneReconciler) deleteControlPlaneComponents(ctx context.Context, xp *v1alpha1.Crossplane, mcpClient client.Client) ([]metav1.Condition, error) {
+func (r *CrossplaneReconciler) deleteControlPlaneComponents(ctx context.Context, mcpClient client.Client, xp *v1alpha1.Crossplane, pc *v1alpha1.ProviderConfig) ([]metav1.Condition, error) {
 	// disable all components
 	xpCopy := xp.DeepCopy()
 	xpCopy.Spec = v1alpha1.CrossplaneSpec{}
+	// disable imagePullSecrets from ProviderConfig
+	pcCopy := pc.DeepCopy()
+	pcCopy.Spec = v1alpha1.ProviderConfigSpec{}
 
-	j, err := r.newJuggler(ctx, xpCopy, mcpClient)
+	j, err := r.newJuggler(ctx, mcpClient, xpCopy, pcCopy)
 	if err != nil {
 		return nil, err
 	}
@@ -307,8 +312,8 @@ func (r *CrossplaneReconciler) deleteControlPlaneComponents(ctx context.Context,
 	return conditions, nil
 }
 
-func (r *CrossplaneReconciler) createOrUpdateCrossplaneInstance(ctx context.Context, crossplane *v1alpha1.Crossplane, mcpClient client.Client) ([]metav1.Condition, error) {
-	j, err := r.newJuggler(ctx, crossplane, mcpClient)
+func (r *CrossplaneReconciler) createOrUpdateCrossplaneInstance(ctx context.Context, mcpClient client.Client, xp *v1alpha1.Crossplane, pc *v1alpha1.ProviderConfig) ([]metav1.Condition, error) {
+	j, err := r.newJuggler(ctx, mcpClient, xp, pc)
 	if err != nil {
 		return nil, err
 	}
@@ -327,15 +332,45 @@ func (r *CrossplaneReconciler) createOrUpdateCrossplaneInstance(ctx context.Cont
 	return conditions, nil
 }
 
-func (r *CrossplaneReconciler) newJuggler(ctx context.Context, xp *v1alpha1.Crossplane, mcpClient client.Client) (*juggler.Juggler, error) {
+func (r *CrossplaneReconciler) newJuggler(ctx context.Context, mcpClient client.Client, xp *v1alpha1.Crossplane, pc *v1alpha1.ProviderConfig) (*juggler.Juggler, error) {
 	logger := log.FromContext(ctx)
-	comps := []juggler.Component{}
+	var comps []juggler.Component
 	jug := juggler.NewJuggler(logger, juggler.NewEventRecorder(r.Recorder, xp))
 
 	xpComp := &component.Crossplane{
 		Config: &xp.Spec,
 	}
 	comps = append(comps, xpComp)
+
+	// Add image pull secrets as components to be managed by the juggler.
+	// Target secret namespace is crossplane-system
+	if pc.Spec.ImagePullSecrets != nil {
+		podNs := os.Getenv(openmcpconsts.EnvVariablePodNamespace)
+		if podNs == "" {
+			return nil, errors.New("environment variable POD_NAMESPACE not set")
+		}
+		for _, ps := range pc.Spec.ImagePullSecrets {
+			if ps.Name == "" {
+				continue
+			}
+			sec := &component.Secret{
+				SourceClient: r.PlatformCluster.Client(),
+				Source: types.NamespacedName{
+					Name:      ps.Name,
+					Namespace: podNs,
+				},
+				Target: types.NamespacedName{
+					Name:      ps.Name,
+					Namespace: component.CrossplaneNamespace,
+				},
+				Enabled: xpComp.IsEnabled(),
+			}
+			comps = append(comps, sec)
+			// Set image pull secret reference in Crossplane component so it can be added to the PodSpec
+			xpComp.ImagePullSecretNames = append(xpComp.ImagePullSecretNames, sec.Target.Name)
+		}
+	}
+
 	if xp.Spec.Providers != nil {
 		for _, provider := range xp.Spec.Providers {
 			xpp := &component.CrossplaneProvider{
@@ -366,6 +401,7 @@ func (r *CrossplaneReconciler) registerReconcilers(juggler *juggler.Juggler, log
 
 	or := object.NewReconciler(logger, mcpClient, sputils.LabelComponentName)
 	or.RegisterType(
+		&component.Secret{},
 		&component.CrossplaneProvider{},
 	)
 	juggler.RegisterReconciler(or)

internal/controller/crossplane_controller.go

@@ -39,9 +39,10 @@ var _ components.TargetComponent = &Crossplane{}
 
 // Crossplane represents the Crossplane component configuration.
 type Crossplane struct {
-	Config    *v1alpha1.CrossplaneSpec
-	ChartSpec *v1beta1.ChartSpec
-	Values    *apiextensionsv1.JSON `json:"values,omitempty"`
+	Config               *v1alpha1.CrossplaneSpec
+	ChartSpec            *v1beta1.ChartSpec
+	Values               *apiextensionsv1.JSON `json:"values,omitempty"`
+	ImagePullSecretNames []string
 }
 
 // GetNamespace implements TargetComponent.
@@ -161,6 +162,9 @@ func (c *Crossplane) applyDefaultValues() error {
 		}
 	}
 
+	// Add imagePullSecrets if provided in ProviderConfig spec
+	values["imagePullSecrets"] = c.ImagePullSecretNames
+
 	// Write updated values
 	encoded, err := json.Marshal(values)
 	c.Values = &apiextensionsv1.JSON{Raw: encoded}

pkg/component/crossplane_component.go

@@ -13,11 +13,12 @@ import (
 
 func Test_Crossplane(t *testing.T) {
 	testCases := []struct {
-		desc            string
-		config          *v1alpha1.CrossplaneSpec
-		configValues    *apiextensionsv1.JSON
-		versionResolver v1beta1.VersionResolverFn
-		validationFuncs []validationFunc
+		desc                 string
+		config               *v1alpha1.CrossplaneSpec
+		configValues         *apiextensionsv1.JSON
+		imagePullSecretNames []string
+		versionResolver      v1beta1.VersionResolverFn
+		validationFuncs      []validationFunc
 	}{
 		{
 			desc: "should be disabled",
@@ -43,22 +44,25 @@ func Test_Crossplane(t *testing.T) {
 			config: &v1alpha1.CrossplaneSpec{
 				Version: "1.2.3",
 			},
-			configValues:    &apiextensionsv1.JSON{Raw: []byte(`{"replicas":2}`)},
-			versionResolver: fakeVersionResolver(false),
+			configValues:         &apiextensionsv1.JSON{Raw: []byte(`{"replicas":2}`)},
+			imagePullSecretNames: []string{"secret-1", "secret-2"},
+			versionResolver:      fakeVersionResolver(false),
 			validationFuncs: []validationFunc{
 				hasName("Crossplane"),
 				isEnabled(true),
 				isAllowed(true),
 				hasPreUninstallHook(),
 				hasDependencies(0),
 				isTargetComponent(
-					hasNamespace("crossplane-system"),
+					hasNamespace(CrossplaneNamespace),
 				),
 				isFluxComponent(
 					returnsHelmRepo(),
 					returnsHelmRelease(
 						hasKubeconfigRef(),
 						hasHelmValue(2, "replicas"), // custom value
+						hasHelmValue("secret-1", "imagePullSecrets", "0"),
+						hasHelmValue("secret-2", "imagePullSecrets", "1"),
 					),
 				),
 			},
@@ -68,8 +72,9 @@ func Test_Crossplane(t *testing.T) {
 		t.Run(tC.desc, func(t *testing.T) {
 			ctx := newContext(tC.versionResolver)
 			c := &Crossplane{
-				Config: tC.config,
-				Values: tC.configValues,
+				Config:               tC.config,
+				Values:               tC.configValues,
+				ImagePullSecretNames: tC.imagePullSecretNames,
 			}
 			for _, vfn := range tC.validationFuncs {
 				vfn(t, ctx, c)