✨ Add PullSecret controller to save pull secret data locally

[anik120]

RFC: https://docs.google.com/document/d/1BXD6kj5zXHcGiqvJOikU2xs8kV26TPnzEKp6n7TKD4M/edit#heading=h.x3tfh25grvnv

Description

Reviewer Checklist

• API Go Documentation
• Tests: Unit Tests (and E2E Tests, if appropriate)
• Comprehensive Commit Messages
• Links to related GitHub Issue(s)

[netlify]

✅ Deploy Preview for olmv1 ready!

Name	Link
🔨 Latest commit	018510e
🔍 Latest deploy log	https://app.netlify.com/sites/olmv1/deploys/6705361773e3d00008a5194e
😎 Deploy Preview	https://deploy-preview-1322--olmv1.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[codecov]

Codecov Report

Attention: Patch coverage is 44.85981% with 59 lines in your changes missing coverage. Please review.

Project coverage is 74.99%. Comparing base (dd1730a) to head (018510e).
Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
cmd/manager/main.go	40.74%	26 Missing and 6 partials ⚠️
internal/controllers/pull_secret_controller.go	41.86%	21 Missing and 4 partials ⚠️
internal/rukpak/source/containers_image.go	80.00%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1322      +/-   ##
==========================================
- Coverage   76.42%   74.99%   -1.44%     
==========================================
  Files          41       42       +1     
  Lines        2431     2507      +76     
==========================================
+ Hits         1858     1880      +22     
- Misses        400      443      +43     
- Partials      173      184      +11     

Flag	Coverage Δ
e2e	56.84% <27.10%> (-1.62%)	⬇️
unit	52.85% <24.29%> (-0.88%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[anik120]

Where the PR stands so far:

• On start up:

.
.
I1001 16:50:17.917567       1 controller.go:217] "Starting workers" controller="secret" controllerGroup="" controllerKind="Secret" worker count=1
.
.

• On creation of a secret, the namespace/name for which is passed via the flag:

I1001 16:51:08.001691       1 secret_syncer_controller.go:103] "Saved Secret data locally" controller="secret" controllerGroup="" controllerKind="Secret" Secret="olmv1-system/pull-secret" namespace="olmv1-system" name="pull-secret" reconcileID="fe0d20fe-17dd-4af7-9a76-d433de66ed3a"

• The data in the file system:

$ cat /tmp/operator-controller/auth.json
{".dockerconfigjson":"{\n  \"auths\": {\n    \"registry.build09.ci.openshift.org\": {\n      \"auth\": \"dXNlcjp..

More details about this file here

• On deletion of the Secret:

I1001 17:03:31.719907       1 secret_syncer_controller.go:54] "Secret" controller="secret" controllerGroup="" controllerKind="Secret" Secret="olmv1-system/pull-secret" namespace="olmv1-system" name="pull-secret" reconcileID="ea3490a2-fa78-46d4-a396-a10cad77dddc" pull-secret="in namespace" olmv1-system="deleted."
I1001 17:03:31.720283       1 secret_syncer_controller.go:109] "Emptying local auth file." controller="secret" controllerGroup="" controllerKind="Secret" Secret="olmv1-system/pull-secret" namespace="olmv1-system" name="pull-secret" reconcileID="ea3490a2-fa78-46d4-a396-a10cad77dddc"
I1001 17:03:31.720629       1 secret_syncer_controller.go:116] "Auth file emptied successfully" controller="secret" controllerGroup="" controllerKind="Secret" Secret="olmv1-system/pull-secret" namespace="olmv1-system" name="pull-secret" reconcileID="ea3490a2-fa78-46d4-a396-a10cad77dddc" file="/tmp/operator-controller/auth.json"

• Content in the file

$ cat /tmp/operator-controller/auth.json
$

[skattoju]

fixes #1015

[everettraven]

Just as a thing to note, there is a flag.Var() method that would allow us to implement a custom flag value with custom logic for handling how it is set, including validations.

I did something similar to this in kapp back when we were contributing preflight checks: https://github.com/carvel-dev/kapp/blob/ca6887d26d782636fe62a2b3f3bbbf5c91a965f3/pkg/kapp/preflight/registry.go#L64-L97

Might be overkill for this particular case, but this may be a good way to handle any custom flag validations we want in the future

[everettraven]

Does this also override the configuration for secrets in the systemNamespace? IIUC we want to make sure we have access to all the release secrets that get created by the secret driver we use for partitioning helm release secrets for larger bundles.

[everettraven]

Approved pending an answer to this

[joelanford]

Dirty secret: iirc, the release secret driver is still a live client. So checking whether that is working won't actually tell you anything.

[anik120]

Also I don't actually see any configuration for secretes in the systemNamespace. There's configuration for &ocv1alpha1.ClusterExtension{} and &catalogd.ClusterCatalog{}, but nothing for Secrets.

Dismissing because I had a question I forgot about that should be verified

[LalatenduMohanty]

Nitpick: If you can add some comments around what the below code doing it will add a lot to the readability of the code.

[anik120]

I'm not convinced any further documentation is necessary. The crcache.Options struct is pretty well documented. Once the reader understands what the controller-runtime cache does and what Options can be used to configure, the code reads "configuring caching options for the objects we own + additional object Secret in a specific namespace".