feat: read own deployment configuration resource to get image pull secrets (#152)

Author: reshnm

VERSION

@@ -1 +1 @@
-v0.9.0-dev
+v0.9.0

api/crds/manifests/landscaper.services.openmcp.cloud_providerconfigs.yaml

@@ -59,6 +59,23 @@ spec:
                       image:
                         minLength: 1
                         type: string
+                      imagePullSecrets:
+                        items:
+                          description: LocalObjectReference is a reference to an object
+                            in the same namespace as the resource referencing it.
+                          properties:
+                            name:
+                              default: ""
+                              description: |-
+                                Name of the referent.
+                                This field is effectively required, but due to backwards compatibility is
+                                allowed to be empty. Instances of this type with an empty value here are
+                                almost certainly wrong.
+                                More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                              type: string
+                          type: object
+                          x-kubernetes-map-type: atomic
+                        type: array
                     required:
                     - image
                     type: object
@@ -69,6 +86,23 @@ spec:
                       image:
                         minLength: 1
                         type: string
+                      imagePullSecrets:
+                        items:
+                          description: LocalObjectReference is a reference to an object
+                            in the same namespace as the resource referencing it.
+                          properties:
+                            name:
+                              default: ""
+                              description: |-
+                                Name of the referent.
+                                This field is effectively required, but due to backwards compatibility is
+                                allowed to be empty. Instances of this type with an empty value here are
+                                almost certainly wrong.
+                                More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                              type: string
+                          type: object
+                          x-kubernetes-map-type: atomic
+                        type: array
                     required:
                     - image
                     type: object
@@ -79,6 +113,23 @@ spec:
                       image:
                         minLength: 1
                         type: string
+                      imagePullSecrets:
+                        items:
+                          description: LocalObjectReference is a reference to an object
+                            in the same namespace as the resource referencing it.
+                          properties:
+                            name:
+                              default: ""
+                              description: |-
+                                Name of the referent.
+                                This field is effectively required, but due to backwards compatibility is
+                                allowed to be empty. Instances of this type with an empty value here are
+                                almost certainly wrong.
+                                More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                              type: string
+                          type: object
+                          x-kubernetes-map-type: atomic
+                        type: array
                     required:
                     - image
                     type: object
@@ -89,6 +140,23 @@ spec:
                       image:
                         minLength: 1
                         type: string
+                      imagePullSecrets:
+                        items:
+                          description: LocalObjectReference is a reference to an object
+                            in the same namespace as the resource referencing it.
+                          properties:
+                            name:
+                              default: ""
+                              description: |-
+                                Name of the referent.
+                                This field is effectively required, but due to backwards compatibility is
+                                allowed to be empty. Instances of this type with an empty value here are
+                                almost certainly wrong.
+                                More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                              type: string
+                          type: object
+                          x-kubernetes-map-type: atomic
+                        type: array
                     required:
                     - image
                     type: object

api/v1alpha2/providerconfiguration_types.go

@@ -17,6 +17,7 @@ limitations under the License.
 package v1alpha2
 
 import (
+	"github.com/openmcp-project/openmcp-operator/api/common"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -65,7 +66,8 @@ type Deployment struct {
 type ImageConfiguration struct {
 	// +kubebuilder:validation:Required
 	// +kubebuilder:validation:MinLength=1
-	Image string `json:"image"`
+	Image            string                        `json:"image"`
+	ImagePullSecrets []common.LocalObjectReference `json:"imagePullSecrets,omitempty"`
 }
 
 // +kubebuilder:object:root=true

api/v1alpha2/zz_generated.deepcopy.go

@@ -15,6 +15,7 @@ import (
 	rbacv1 "k8s.io/api/rbac/v1"
 
 	clustersv1alpha1 "github.com/openmcp-project/openmcp-operator/api/clusters/v1alpha1"
+	deploymentv1alpha1 "github.com/openmcp-project/openmcp-operator/api/provider/v1alpha1"
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/runtime"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
@@ -89,6 +90,7 @@ func (o *RunOptions) Run(ctx context.Context) error {
 	platformScheme := runtime.NewScheme()
 	utilruntime.Must(clientgoscheme.AddToScheme(platformScheme))
 	utilruntime.Must(clustersv1alpha1.AddToScheme(platformScheme))
+	utilruntime.Must(deploymentv1alpha1.AddToScheme(platformScheme))
 	providerscheme.InstallProviderAPIs(platformScheme)
 
 	onboardingScheme := runtime.NewScheme()
@@ -146,6 +148,8 @@ func (o *RunOptions) Run(ctx context.Context) error {
 		OnboardingCluster: onboardingCluster,
 		PlatformCluster:   o.Clusters.Platform,
 		Scheme:            mgr.GetScheme(),
+		ProviderName:      o.ProviderName,
+		ProviderNamespace: providerSystemNamespace,
 	}).SetupWithManager(mgr); err != nil {
 		return fmt.Errorf("unable to create controller: %w", err)
 	}

cmd/service-provider-landscaper/app/run.go

@@ -45,6 +45,8 @@ type LandscaperReconciler struct {
 	ClusterAccessReconciler clusteraccess.Reconciler
 	Scheme                  *runtime.Scheme
 	DNSReconciler           *dns.Reconciler
+	ProviderName            string
+	ProviderNamespace       string
 
 	InstanceClusterAccess InstanceClusterAccess
 }

internal/controller/landscaper_controller.go

@@ -15,6 +15,7 @@ import (
 
 	testutils "github.com/openmcp-project/controller-utils/pkg/testing"
 	clustersv1alpha1 "github.com/openmcp-project/openmcp-operator/api/clusters/v1alpha1"
+	deploymentv1alpha1 "github.com/openmcp-project/openmcp-operator/api/provider/v1alpha1"
 	"github.com/openmcp-project/openmcp-operator/lib/clusteraccess"
 	rbacv1 "k8s.io/api/rbac/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -61,6 +62,23 @@ func setDeploymentReady(ctx context.Context, deployment *appsv1.Deployment, c cl
 	Expect(c.Status().Update(ctx, deployment)).To(Succeed())
 }
 
+// expectImagePullSecretsValid verifies that a deployment has the expected number of image pull secrets
+// and that each secret exists in the given namespace with the correct type and data
+func expectImagePullSecretsValid(ctx context.Context, c client.Client, deployment *appsv1.Deployment, expectedCount int, namespace string) {
+	Expect(deployment.Spec.Template.Spec.ImagePullSecrets).To(HaveLen(expectedCount))
+	for _, s := range deployment.Spec.Template.Spec.ImagePullSecrets {
+		secret := &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      s.Name,
+				Namespace: namespace,
+			},
+		}
+		Expect(c.Get(ctx, client.ObjectKeyFromObject(secret), secret)).To(Succeed())
+		Expect(secret.Type).To(Equal(corev1.SecretTypeDockerConfigJson))
+		Expect(secret.Data).To(HaveKey(".dockerconfigjson"))
+	}
+}
+
 type testInstanceClusterAccess struct {
 	mcpCluster      *clusters.Cluster
 	workloadCluster *clusters.Cluster
@@ -78,6 +96,7 @@ func buildTestEnvironmentReconcile(testdataDir string, objectsWithStatus ...clie
 	scheme := runtime.NewScheme()
 	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
 	utilruntime.Must(clustersv1alpha1.AddToScheme(scheme))
+	utilruntime.Must(deploymentv1alpha1.AddToScheme(scheme))
 	utilruntime.Must(v1alpha2.AddToScheme(scheme))
 	utilruntime.Must(gatewayv1.Install(scheme))
 	utilruntime.Must(gatewayv1alpha2.Install(scheme))
@@ -118,6 +137,8 @@ func buildTestEnvironmentReconcile(testdataDir string, objectsWithStatus ...clie
 					mcpCluster:      clusters.NewTestClusterFromClient("mcp", c),
 					workloadCluster: clusters.NewTestClusterFromClient("workload", c),
 				},
+				ProviderName:      "landscaper",
+				ProviderNamespace: "openmcp-system",
 			}
 
 			return r
@@ -372,13 +393,20 @@ var _ = Describe("Landscaper Controller", func() {
 
 			Expect(env.Client().Get(env.Ctx, client.ObjectKeyFromObject(installationNs), installationNs)).To(Succeed())
 
-			// set deployments to ready
 			Expect(env.Client().Get(env.Ctx, client.ObjectKeyFromObject(lsControllerDeployment), lsControllerDeployment)).To(Succeed())
 			Expect(env.Client().Get(env.Ctx, client.ObjectKeyFromObject(lsMainDeployment), lsMainDeployment)).To(Succeed())
 			Expect(env.Client().Get(env.Ctx, client.ObjectKeyFromObject(lsWebhooksServerDeployment), lsWebhooksServerDeployment)).To(Succeed())
 			Expect(env.Client().Get(env.Ctx, client.ObjectKeyFromObject(manifestDeployerDeployment), manifestDeployerDeployment)).To(Succeed())
 			Expect(env.Client().Get(env.Ctx, client.ObjectKeyFromObject(helmDeployerDeployment), helmDeployerDeployment)).To(Succeed())
 
+			// expect the image pull secrets to be created in the installation namespace
+			expectImagePullSecretsValid(env.Ctx, env.Client(), lsControllerDeployment, 2, installationNamespace)
+			expectImagePullSecretsValid(env.Ctx, env.Client(), lsMainDeployment, 2, installationNamespace)
+			expectImagePullSecretsValid(env.Ctx, env.Client(), lsWebhooksServerDeployment, 2, installationNamespace)
+			expectImagePullSecretsValid(env.Ctx, env.Client(), manifestDeployerDeployment, 2, installationNamespace)
+			expectImagePullSecretsValid(env.Ctx, env.Client(), helmDeployerDeployment, 1, installationNamespace)
+
+			// set deployments to ready
 			setDeploymentReady(env.Ctx, lsControllerDeployment, env.Client())
 			setDeploymentReady(env.Ctx, lsMainDeployment, env.Client())
 			setDeploymentReady(env.Ctx, lsWebhooksServerDeployment, env.Client())

internal/controller/landscaper_controller_test.go

@@ -9,6 +9,9 @@ import (
 	"time"
 
 	"github.com/openmcp-project/controller-utils/pkg/clusters"
+	"github.com/openmcp-project/openmcp-operator/api/common"
+	"github.com/openmcp-project/openmcp-operator/api/provider/v1alpha1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	"github.com/openmcp-project/service-provider-landscaper/internal/dns"
 
@@ -143,7 +146,7 @@ func (r *LandscaperReconciler) handleCreateUpdateOperation(ctx context.Context,
 		return reconcile.Result{RequeueAfter: dnsResult.RequeueAfter}, status, nil
 	}
 
-	conf, err := r.createConfig(ls, mcpCluster, workloadCluster, providerConfig, dnsResult.HostName)
+	conf, err := r.createConfig(ctx, ls, mcpCluster, workloadCluster, providerConfig, dnsResult.HostName)
 	if err != nil {
 		log.Error(err, "failed to create configuration for landscaper instance")
 		status.setInstallConfigurationError(err)
@@ -232,7 +235,7 @@ func (r *LandscaperReconciler) handleDeleteOperation(ctx context.Context, ls *v1
 		return reconcile.Result{}, status, err
 	}
 
-	conf, err := r.createConfig(ls, mcpCluster, workloadCluster, providerConfig, "")
+	conf, err := r.createConfig(ctx, ls, mcpCluster, workloadCluster, providerConfig, "")
 	if err != nil {
 		log.Error(err, "failed to create configuration to uninstall landscaper instance")
 		status.setUninstallConfigurationError(err)
@@ -380,7 +383,20 @@ func (r *LandscaperReconciler) getProviderConfigForLandscaper(ctx context.Contex
 	return providerConfig, nil
 }
 
-func (r *LandscaperReconciler) createConfig(ls *v1alpha2.Landscaper, mcpCluster, workloadCluster *clusters.Cluster, providerConfig *v1alpha2.ProviderConfig, workloadClusterDomain string) (*instance.Configuration, error) {
+func (r *LandscaperReconciler) getServiceProviderResource(ctx context.Context) (*v1alpha1.ServiceProvider, error) {
+	serviceProvider := &v1alpha1.ServiceProvider{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: r.ProviderName,
+		},
+	}
+	if err := r.PlatformCluster.Client().Get(ctx, client.ObjectKeyFromObject(serviceProvider), serviceProvider); err != nil {
+		return nil, fmt.Errorf("failed to get service provider resource %s/%s: %w", r.ProviderNamespace, r.ProviderName, err)
+	}
+
+	return serviceProvider, nil
+}
+
+func (r *LandscaperReconciler) createConfig(ctx context.Context, ls *v1alpha2.Landscaper, mcpCluster, workloadCluster *clusters.Cluster, providerConfig *v1alpha2.ProviderConfig, workloadClusterDomain string) (*instance.Configuration, error) {
 	inst := identity.Instance(identity.GetInstanceID(ls))
 
 	cpu, err := resource.ParseQuantity("10m")
@@ -397,23 +413,41 @@ func (r *LandscaperReconciler) createConfig(ls *v1alpha2.Landscaper, mcpCluster,
 			core.ResourceMemory: memory,
 		},
 	}
+
+	serviceProvider, err := r.getServiceProviderResource(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	getImagePullSecrets := func(imageConfiguration *v1alpha2.ImageConfiguration) []common.LocalObjectReference {
+		if imageConfiguration == nil {
+			return serviceProvider.Spec.ImagePullSecrets
+		}
+
+		return imageConfiguration.ImagePullSecrets
+	}
+
 	conf := &instance.Configuration{
-		Instance:              inst,
-		Version:               ls.Spec.Version,
-		MCPCluster:            mcpCluster,
-		WorkloadCluster:       workloadCluster,
-		WorkloadClusterDomain: fmt.Sprintf("https://%s:%d", workloadClusterDomain, dnsServicePort()), // 9443 is the port for TLS passthrough configured in the Gateway
+		Instance:                 inst,
+		Version:                  ls.Spec.Version,
+		PlatformCluster:          r.PlatformCluster,
+		PlatformClusterNamespace: r.ProviderNamespace,
+		MCPCluster:               mcpCluster,
+		WorkloadCluster:          workloadCluster,
+		WorkloadClusterDomain:    fmt.Sprintf("https://%s:%d", workloadClusterDomain, dnsServicePort()), // 9443 is the port for TLS passthrough configured in the Gateway
 		Landscaper: instance.LandscaperConfig{
 			Controller: instance.ControllerConfig{
 				Image: v1alpha2.ImageConfiguration{
-					Image: providerConfig.GetLandscaperControllerImageLocation(ls.Spec.Version),
+					Image:            providerConfig.GetLandscaperControllerImageLocation(ls.Spec.Version),
+					ImagePullSecrets: getImagePullSecrets(providerConfig.Spec.Deployment.LandscaperController),
 				},
 				Resources:     resources,
 				ResourcesMain: resources,
 			},
 			WebhooksServer: instance.WebhooksServerConfig{
 				Image: v1alpha2.ImageConfiguration{
-					Image: providerConfig.GetLandscaperWebhooksServerImageLocation(ls.Spec.Version),
+					Image:            providerConfig.GetLandscaperWebhooksServerImageLocation(ls.Spec.Version),
+					ImagePullSecrets: getImagePullSecrets(providerConfig.Spec.Deployment.LandscaperWebhooksServer),
 				},
 				Resources:   resources,
 				ServicePort: dnsServicePort(),
@@ -422,13 +456,15 @@ func (r *LandscaperReconciler) createConfig(ls *v1alpha2.Landscaper, mcpCluster,
 		},
 		ManifestDeployer: instance.ManifestDeployerConfig{
 			Image: v1alpha2.ImageConfiguration{
-				Image: providerConfig.GetManifestDeployerImageLocation(ls.Spec.Version),
+				Image:            providerConfig.GetManifestDeployerImageLocation(ls.Spec.Version),
+				ImagePullSecrets: getImagePullSecrets(providerConfig.Spec.Deployment.ManifestDeployer),
 			},
 			Resources: resources,
 		},
 		HelmDeployer: instance.HelmDeployerConfig{
 			Image: v1alpha2.ImageConfiguration{
-				Image: providerConfig.GetHelmDeployerImageLocation(ls.Spec.Version),
+				Image:            providerConfig.GetHelmDeployerImageLocation(ls.Spec.Version),
+				ImagePullSecrets: getImagePullSecrets(providerConfig.Spec.Deployment.HelmDeployer),
 			},
 			Resources: resources,
 		},

internal/controller/reconcile.go

@@ -13,5 +13,7 @@ spec:
 
     helmDeployer:
       image: other.registry.test/landscaper/helm-deployer/images/helm-deployer-controller
+      imagePullSecrets:
+        - name: helm-deployer-secret
 
   workloadClusterDomain: workload.cluster.local