ensure image pull secrets

Author: sgalsaleh

api/controllers/app/install.go

@@ -117,7 +117,7 @@ func (c *AppController) InstallApp(ctx context.Context, opts InstallAppOptions)
 		}
 
 		// Install the app with installable charts and KOTS CLI
-		err = c.appInstallManager.Install(ctx, installableCharts, kotsConfigValues)
+		err = c.appInstallManager.Install(ctx, installableCharts, kotsConfigValues, opts.RegistrySettings)
 		if err != nil {
 			return fmt.Errorf("install app: %w", err)
 		}

api/internal/managers/app/install/install.go

@@ -6,27 +6,25 @@ import (
 	"os"
 	"runtime/debug"
 
-	"github.com/replicatedhq/embedded-cluster/api/internal/utils"
 	"github.com/replicatedhq/embedded-cluster/api/types"
-	kotscli "github.com/replicatedhq/embedded-cluster/cmd/installer/kotscli"
 	"github.com/replicatedhq/embedded-cluster/pkg/helm"
-	"github.com/replicatedhq/embedded-cluster/pkg/netutils"
 	"github.com/replicatedhq/embedded-cluster/pkg/runtimeconfig"
 	kotsv1beta1 "github.com/replicatedhq/kotskinds/apis/kots/v1beta1"
-	kyaml "sigs.k8s.io/yaml"
 )
 
 // Install installs the app with the provided config values
-func (m *appInstallManager) Install(ctx context.Context, installableCharts []types.InstallableHelmChart, configValues kotsv1beta1.ConfigValues) error {
-	license := &kotsv1beta1.License{}
-	if err := kyaml.Unmarshal(m.license, license); err != nil {
-		return fmt.Errorf("parse license: %w", err)
-	}
-
+func (m *appInstallManager) Install(ctx context.Context, installableCharts []types.InstallableHelmChart, configValues kotsv1beta1.ConfigValues, registrySettings *types.RegistrySettings) error {
 	if err := m.initKubeClient(); err != nil {
 		return fmt.Errorf("init kube client: %w", err)
 	}
 
+	// Start the namespace reconciler to ensure image pull secrets and other required resources in app namespaces
+	nsReconciler, err := runNamespaceReconciler(ctx, m.kcli, registrySettings, m.logger)
+	if err != nil {
+		return fmt.Errorf("start namespace reconciler: %w", err)
+	}
+	defer nsReconciler.Stop()
+
 	kotsadmNamespace, err := runtimeconfig.KotsadmNamespace(ctx, m.kcli)
 	if err != nil {
 		return fmt.Errorf("get kotsadm namespace: %w", err)
@@ -37,49 +35,14 @@ func (m *appInstallManager) Install(ctx context.Context, installableCharts []typ
 		return fmt.Errorf("initialize components: %w", err)
 	}
 
-	// Install Helm charts first
+	// Install Helm charts
 	if err := m.installHelmCharts(ctx, installableCharts, kotsadmNamespace); err != nil {
 		return fmt.Errorf("install helm charts: %w", err)
 	}
 
-	// Then install the app using KOTS CLI
-	if err := m.installWithKotsCLI(license, kotsadmNamespace, configValues); err != nil {
-		return fmt.Errorf("install with kots cli: %w", err)
-	}
-
 	return nil
 }
 
-func (m *appInstallManager) installWithKotsCLI(license *kotsv1beta1.License, kotsadmNamespace string, configValues kotsv1beta1.ConfigValues) error {
-	ecDomains := utils.GetDomains(m.releaseData)
-
-	installOpts := kotscli.InstallOptions{
-		AppSlug:      license.Spec.AppSlug,
-		License:      m.license,
-		Namespace:    kotsadmNamespace,
-		ClusterID:    m.clusterID,
-		AirgapBundle: m.airgapBundle,
-		// Skip running the KOTS app preflights in the Admin Console; they run in the manager experience installer when ENABLE_V3 is enabled
-		SkipPreflights: true,
-		// Skip pushing images to the registry since we do it separately earlier in the install process
-		DisableImagePush:      true,
-		ReplicatedAppEndpoint: netutils.MaybeAddHTTPS(ecDomains.ReplicatedAppDomain),
-		Stdout:                m.newLogWriter(),
-	}
-
-	configValuesFile, err := m.createConfigValuesFile(configValues)
-	if err != nil {
-		return fmt.Errorf("creating config values file: %w", err)
-	}
-	installOpts.ConfigValuesFile = configValuesFile
-
-	if m.kotsCLI != nil {
-		return m.kotsCLI.Install(installOpts)
-	}
-
-	return kotscli.Install(installOpts)
-}
-
 func (m *appInstallManager) installHelmCharts(ctx context.Context, installableCharts []types.InstallableHelmChart, kotsadmNamespace string) error {
 	logFn := m.logFn("app")
 

api/internal/managers/app/install/install_test.go

@@ -216,7 +216,7 @@ func TestAppInstallManager_Install(t *testing.T) {
 		require.NoError(t, err)
 
 		// Run installation with InstallableHelmCharts
-		err = manager.Install(context.Background(), installableCharts, configValues)
+		err = manager.Install(context.Background(), installableCharts, configValues, nil)
 		require.NoError(t, err)
 
 		mockHelmClient.AssertExpectations(t)
@@ -260,7 +260,7 @@ func TestAppInstallManager_Install(t *testing.T) {
 		assert.Equal(t, types.StatePending, appInstall.Status.State)
 
 		// Run installation
-		err = manager.Install(t.Context(), installableCharts, kotsv1beta1.ConfigValues{})
+		err = manager.Install(t.Context(), installableCharts, kotsv1beta1.ConfigValues{}, nil)
 		require.NoError(t, err)
 
 		// Verify components status
@@ -299,7 +299,7 @@ func TestAppInstallManager_Install(t *testing.T) {
 		require.NoError(t, err)
 
 		// Run installation (should fail)
-		err = manager.Install(t.Context(), installableCharts, kotsv1beta1.ConfigValues{})
+		err = manager.Install(t.Context(), installableCharts, kotsv1beta1.ConfigValues{}, nil)
 		assert.Error(t, err)
 
 		mockHelmClient.AssertExpectations(t)
@@ -465,7 +465,7 @@ func TestComponentStatusTracking(t *testing.T) {
 		require.NoError(t, err)
 
 		// Install the charts
-		err = manager.Install(t.Context(), installableCharts, kotsv1beta1.ConfigValues{})
+		err = manager.Install(t.Context(), installableCharts, kotsv1beta1.ConfigValues{}, nil)
 		require.NoError(t, err)
 
 		// Verify that components were registered and have correct status
@@ -513,7 +513,7 @@ func TestComponentStatusTracking(t *testing.T) {
 		require.NoError(t, err)
 
 		// Install the charts (should fail)
-		err = manager.Install(t.Context(), installableCharts, kotsv1beta1.ConfigValues{})
+		err = manager.Install(t.Context(), installableCharts, kotsv1beta1.ConfigValues{}, nil)
 		require.Error(t, err)
 
 		// Verify that component failure is tracked

api/internal/managers/app/install/manager.go

@@ -20,7 +20,7 @@ var _ AppInstallManager = &appInstallManager{}
 // AppInstallManager provides methods for managing app installation
 type AppInstallManager interface {
 	// Install installs the app with the provided config values
-	Install(ctx context.Context, installableCharts []types.InstallableHelmChart, configValues kotsv1beta1.ConfigValues) error
+	Install(ctx context.Context, installableCharts []types.InstallableHelmChart, configValues kotsv1beta1.ConfigValues, registrySettings *types.RegistrySettings) error
 }
 
 // appInstallManager is an implementation of the AppInstallManager interface

api/internal/managers/app/install/mock.go

@@ -14,8 +14,8 @@ type MockAppInstallManager struct {
 }
 
 // Install mocks the Install method
-func (m *MockAppInstallManager) Install(ctx context.Context, installableCharts []types.InstallableHelmChart, configValues kotsv1beta1.ConfigValues) error {
-	args := m.Called(ctx, installableCharts, configValues)
+func (m *MockAppInstallManager) Install(ctx context.Context, installableCharts []types.InstallableHelmChart, configValues kotsv1beta1.ConfigValues, registrySettings *types.RegistrySettings) error {
+	args := m.Called(ctx, installableCharts, configValues, registrySettings)
 	return args.Error(0)
 }
 

api/internal/managers/app/install/namespaces_reconciler.go

@@ -0,0 +1,210 @@
+package install
+
+import (
+	"context"
+	"encoding/base64"
+	"fmt"
+	"time"
+
+	"github.com/replicatedhq/embedded-cluster/api/types"
+	"github.com/replicatedhq/embedded-cluster/pkg/release"
+	"github.com/replicatedhq/embedded-cluster/pkg/runtimeconfig"
+	"github.com/sirupsen/logrus"
+	corev1 "k8s.io/api/core/v1"
+	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+const (
+	reconcileInterval = 5 * time.Second
+)
+
+// NamespaceReconciler handles ensuring image pull secrets in app namespaces.
+// It reads additionalNamespaces from the Application CR, ensures secrets exist
+// in those namespaces plus the kotsadm namespace, and polls for new namespace
+// creation to deploy secrets to them.
+type NamespaceReconciler struct {
+	kcli             client.Client
+	registrySettings *types.RegistrySettings
+	logger           logrus.FieldLogger
+
+	watchedNamespaces []string
+	cancel            context.CancelFunc
+}
+
+// runNamespaceReconciler creates and starts a reconciler that:
+// 1. Reads additionalNamespaces from release.GetApplication()
+// 2. Immediately ensures image pull secrets and other resources in all watched namespaces
+// 3. Starts background polling to reconcile namespaces periodically
+// Returns nil if registry settings are not provided (nothing to reconcile).
+func runNamespaceReconciler(
+	ctx context.Context,
+	kcli client.Client,
+	registrySettings *types.RegistrySettings,
+	logger logrus.FieldLogger,
+) (*NamespaceReconciler, error) {
+	// If no registry settings, nothing to do
+	if registrySettings == nil || registrySettings.ImagePullSecretName == "" || registrySettings.ImagePullSecretValue == "" {
+		return nil, fmt.Errorf("registry settings are nil or empty")
+	}
+
+	// Get kotsadm namespace
+	kotsadmNamespace, err := runtimeconfig.KotsadmNamespace(ctx, kcli)
+	if err != nil {
+		return nil, fmt.Errorf("get kotsadm namespace: %w", err)
+	}
+
+	// Get watched namespaces from Application CR
+	watchedNamespaces := []string{kotsadmNamespace}
+	if app := release.GetApplication(); app != nil {
+		watchedNamespaces = append(watchedNamespaces, app.Spec.AdditionalNamespaces...)
+	}
+
+	ctx, cancel := context.WithCancel(ctx)
+
+	r := &NamespaceReconciler{
+		kcli:              kcli,
+		registrySettings:  registrySettings,
+		logger:            logger,
+		watchedNamespaces: watchedNamespaces,
+		cancel:            cancel,
+	}
+
+	// Immediately reconcile all namespaces
+	r.reconcile(ctx)
+
+	// Start background polling
+	go r.run(ctx)
+
+	return r, nil
+}
+
+// Stop stops the background reconciler
+func (r *NamespaceReconciler) Stop() {
+	if r.cancel != nil {
+		r.cancel()
+	}
+}
+
+// run polls periodically to reconcile namespaces
+func (r *NamespaceReconciler) run(ctx context.Context) {
+	ticker := time.NewTicker(reconcileInterval)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		case <-ticker.C:
+			r.reconcile(ctx)
+		}
+	}
+}
+
+// reconcile ensures all watched namespaces have the required resources
+func (r *NamespaceReconciler) reconcile(ctx context.Context) {
+	namespaces := r.watchedNamespaces
+
+	// If watching all namespaces, list them
+	if r.watchesAllNamespaces() {
+		nsList := &corev1.NamespaceList{}
+		if err := r.kcli.List(ctx, nsList); err != nil {
+			r.logger.WithError(err).Warn("failed to list namespaces")
+			return
+		}
+		namespaces = make([]string, 0, len(nsList.Items))
+		for _, ns := range nsList.Items {
+			namespaces = append(namespaces, ns.Name)
+		}
+	}
+
+	for _, ns := range namespaces {
+		if err := r.reconcileNamespace(ctx, ns); err != nil {
+			r.logger.WithError(err).Warnf("failed to reconcile namespace %s", ns)
+		}
+	}
+}
+
+// watchesAllNamespaces returns true if "*" is in the watched namespaces list
+func (r *NamespaceReconciler) watchesAllNamespaces() bool {
+	for _, ns := range r.watchedNamespaces {
+		if ns == "*" {
+			return true
+		}
+	}
+	return false
+}
+
+// reconcileNamespace creates namespace if needed and ensures required resources exist
+func (r *NamespaceReconciler) reconcileNamespace(ctx context.Context, namespace string) error {
+	// Skip wildcard entry
+	if namespace == "*" {
+		return nil
+	}
+
+	// Create namespace if it doesn't exist
+	ns := &corev1.Namespace{}
+	err := r.kcli.Get(ctx, client.ObjectKey{Name: namespace}, ns)
+	if k8serrors.IsNotFound(err) {
+		ns = &corev1.Namespace{
+			ObjectMeta: metav1.ObjectMeta{Name: namespace},
+		}
+		if err := r.kcli.Create(ctx, ns); err != nil && !k8serrors.IsAlreadyExists(err) {
+			return fmt.Errorf("create namespace: %w", err)
+		}
+		r.logger.Infof("created namespace %s", namespace)
+	} else if err != nil {
+		return fmt.Errorf("get namespace: %w", err)
+	}
+
+	if err := r.ensureImagePullSecret(ctx, namespace); err != nil {
+		return fmt.Errorf("ensure image pull secret: %w", err)
+	}
+
+	return nil
+}
+
+// ensureImagePullSecret creates or updates the image pull secret in a namespace
+func (r *NamespaceReconciler) ensureImagePullSecret(ctx context.Context, namespace string) error {
+	secretData, err := base64.StdEncoding.DecodeString(r.registrySettings.ImagePullSecretValue)
+	if err != nil {
+		return fmt.Errorf("decode secret value: %w", err)
+	}
+
+	secret := &corev1.Secret{}
+	key := client.ObjectKey{Namespace: namespace, Name: r.registrySettings.ImagePullSecretName}
+	err = r.kcli.Get(ctx, key, secret)
+
+	if k8serrors.IsNotFound(err) {
+		secret = &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      r.registrySettings.ImagePullSecretName,
+				Namespace: namespace,
+			},
+			Type: corev1.SecretTypeDockerConfigJson,
+			Data: map[string][]byte{
+				".dockerconfigjson": secretData,
+			},
+		}
+		if err := r.kcli.Create(ctx, secret); err != nil {
+			return fmt.Errorf("create secret: %w", err)
+		}
+		r.logger.Infof("created image pull secret %s in namespace %s", r.registrySettings.ImagePullSecretName, namespace)
+		return nil
+	}
+	if err != nil {
+		return fmt.Errorf("get secret: %w", err)
+	}
+
+	// Update existing secret if data differs
+	if string(secret.Data[".dockerconfigjson"]) != string(secretData) {
+		secret.Data[".dockerconfigjson"] = secretData
+		if err := r.kcli.Update(ctx, secret); err != nil {
+			return fmt.Errorf("update secret: %w", err)
+		}
+		r.logger.Infof("updated image pull secret %s in namespace %s", r.registrySettings.ImagePullSecretName, namespace)
+	}
+
+	return nil
+}