Use namespace auth pull secret

Allda · Allda · commit f0830437f803 · 2025-12-04T10:51:28.000+01:00
Instead of using global secret for a whole cluster the controller search
for namespace specific secret and use it if available. If not found it
fallback to the global secret.

Signed-off-by: Ales Raszka &lt;araszka@redhat.com&gt;
diff --git a/apis/controller/v1alpha1/devworkspaceoperatorconfig_types.go b/apis/controller/v1alpha1/devworkspaceoperatorconfig_types.go
@@ -79,7 +79,9 @@ type RegistryConfig struct {
 	Path string `json:"path,omitempty"`
 	// AuthSecret is the name of a Kubernetes secret of
 	// type kubernetes.io/dockerconfigjson.
-	// The secret is expected to be in the same namespace
+	// The secret is expected to be in the same namespace the workspace is running in.
+	// If secret is not found in the workspace namespace, the operator will look for the secret
+	// in the namespace where the operator is running in.
 	// as the DevWorkspaceOperatorCongfig.
 	// +kubebuilder:validation:Optional
 	AuthSecret string `json:"authSecret,omitempty"`
diff --git a/controllers/backupcronjob/backupcronjob_controller.go b/controllers/backupcronjob/backupcronjob_controller.go
@@ -210,13 +210,8 @@ func (r *BackupCronJobReconciler) stopCron(log logr.Logger) {
 func (r *BackupCronJobReconciler) executeBackupSync(ctx context.Context, dwOperatorConfig *controllerv1alpha1.DevWorkspaceOperatorConfig, log logr.Logger) error {
 	log.Info("Executing backup sync for all DevWorkspaces")
 
-	registryAuthSecret, err := r.getRegistryAuthSecret(ctx, dwOperatorConfig, log)
-	if err != nil {
-		log.Error(err, "Failed to get registry auth secret for backup job")
-		return err
-	}
 	devWorkspaces := &dw.DevWorkspaceList{}
-	err = r.List(ctx, devWorkspaces)
+	err := r.List(ctx, devWorkspaces)
 	if err != nil {
 		log.Error(err, "Failed to list DevWorkspaces")
 		return err
@@ -239,7 +234,7 @@ func (r *BackupCronJobReconciler) executeBackupSync(ctx context.Context, dwOpera
 			continue
 		}
 
-		if err := r.createBackupJob(&dw, ctx, dwOperatorConfig, registryAuthSecret, log); err != nil {
+		if err = r.createBackupJob(&dw, ctx, dwOperatorConfig, log); err != nil {
 			log.Error(err, "Failed to create backup Job for DevWorkspace", "id", dwID)
 			continue
 		}
@@ -260,23 +255,6 @@ func (r *BackupCronJobReconciler) executeBackupSync(ctx context.Context, dwOpera
 	return nil
 }
 
-func (r *BackupCronJobReconciler) getRegistryAuthSecret(ctx context.Context, dwOperatorConfig *controllerv1alpha1.DevWorkspaceOperatorConfig, log logr.Logger) (*corev1.Secret, error) {
-	registryAuthSecret := &corev1.Secret{}
-	if dwOperatorConfig.Config.Workspace.BackupCronJob.Registry.AuthSecret != "" {
-		err := r.NonCachingClient.Get(ctx, client.ObjectKey{
-			Name:      dwOperatorConfig.Config.Workspace.BackupCronJob.Registry.AuthSecret,
-			Namespace: dwOperatorConfig.Namespace,
-		}, registryAuthSecret)
-		if err != nil {
-			log.Error(err, "Failed to get registry auth secret for backup job", "secretName", dwOperatorConfig.Config.Workspace.BackupCronJob.Registry.AuthSecret)
-			return nil, err
-		}
-		log.Info("Successfully retrieved registry auth secret for backup job", "secretName", dwOperatorConfig.Config.Workspace.BackupCronJob.Registry.AuthSecret)
-		return registryAuthSecret, nil
-	}
-	return nil, nil
-}
-
 // wasStoppedSinceLastBackup checks if the DevWorkspace was stopped since the last backup time.
 func (r *BackupCronJobReconciler) wasStoppedSinceLastBackup(workspace *dw.DevWorkspace, lastBackupTime *metav1.Time, log logr.Logger) bool {
 	if workspace.Status.Phase != dw.DevWorkspaceStatusStopped {
@@ -310,12 +288,17 @@ func (r *BackupCronJobReconciler) createBackupJob(
 	workspace *dw.DevWorkspace,
 	ctx context.Context,
 	dwOperatorConfig *controllerv1alpha1.DevWorkspaceOperatorConfig,
-	registryAuthSecret *corev1.Secret,
 	log logr.Logger,
 ) error {
 	dwID := workspace.Status.DevWorkspaceId
 	backUpConfig := dwOperatorConfig.Config.Workspace.BackupCronJob
 
+	registryAuthSecret, err := r.handleRegistryAuthSecret(workspace, ctx, dwOperatorConfig, log)
+	if err != nil {
+		log.Error(err, "Failed to handle registry auth secret for DevWorkspace", "devworkspace", workspace.Name)
+		return err
+	}
+
 	// Find a PVC with the name "claim-devworkspace" or based on the name from the operator config
 	pvcName, workspacePath, err := r.getWorkspacePVCName(workspace, dwOperatorConfig, ctx, log)
 	if err != nil {
@@ -413,15 +396,11 @@ func (r *BackupCronJobReconciler) createBackupJob(
 		},
 	}
 	if registryAuthSecret != nil {
-		secret, err := r.copySecret(workspace, ctx, registryAuthSecret, log)
-		if err != nil {
-			return err
-		}
 		job.Spec.Template.Spec.Volumes = append(job.Spec.Template.Spec.Volumes, corev1.Volume{
 			Name: "registry-auth-secret",
 			VolumeSource: corev1.VolumeSource{
 				Secret: &corev1.SecretVolumeSource{
-					SecretName: secret.Name,
+					SecretName: registryAuthSecret.Name,
 				},
 			},
 		})
@@ -474,6 +453,47 @@ func (r *BackupCronJobReconciler) getWorkspacePVCName(workspace *dw.DevWorkspace
 	return "", "", nil
 }
 
+func (r *BackupCronJobReconciler) handleRegistryAuthSecret(workspace *dw.DevWorkspace,
+	ctx context.Context,
+	dwOperatorConfig *controllerv1alpha1.DevWorkspaceOperatorConfig, log logr.Logger,
+) (*corev1.Secret, error) {
+	if dwOperatorConfig.Config.Workspace.BackupCronJob.Registry.AuthSecret == "" {
+		// No auth secret configured - anonymous access to registry
+		return nil, nil
+	}
+	secretName := dwOperatorConfig.Config.Workspace.BackupCronJob.Registry.AuthSecret
+
+	// First check the workspace namespace for the secret
+	registryAuthSecret := &corev1.Secret{}
+	err := r.NonCachingClient.Get(ctx, client.ObjectKey{
+		Name:      secretName,
+		Namespace: workspace.Namespace}, registryAuthSecret)
+	if err == nil {
+		log.Info("Successfully retrieved registry auth secret for backup from workspace namespace", "secretName", secretName)
+		return registryAuthSecret, nil
+	}
+	if client.IgnoreNotFound(err) != nil {
+		return nil, err
+	}
+
+	log.Info("Registry auth secret not found in workspace namespace, checking operator namespace", "secretName", secretName)
+
+	// If the secret is not found in the workspace namespace, check the operator namespace as fallback
+	if dwOperatorConfig.Config.Workspace.BackupCronJob.Registry.AuthSecret != "" {
+		err := r.NonCachingClient.Get(ctx, client.ObjectKey{
+			Name:      dwOperatorConfig.Config.Workspace.BackupCronJob.Registry.AuthSecret,
+			Namespace: dwOperatorConfig.Namespace,
+		}, registryAuthSecret)
+		if err != nil {
+			log.Error(err, "Failed to get registry auth secret for backup job", "secretName", dwOperatorConfig.Config.Workspace.BackupCronJob.Registry.AuthSecret)
+			return nil, err
+		}
+		log.Info("Successfully retrieved registry auth secret for backup job", "secretName", dwOperatorConfig.Config.Workspace.BackupCronJob.Registry.AuthSecret)
+		return r.copySecret(workspace, ctx, registryAuthSecret, log)
+	}
+	return nil, nil
+}
+
 func (r *BackupCronJobReconciler) copySecret(workspace *dw.DevWorkspace, ctx context.Context, sourceSecret *corev1.Secret, log logr.Logger) (namespaceSecret *corev1.Secret, err error) {
 	existingNamespaceSecret := &corev1.Secret{}
 	err = r.NonCachingClient.Get(ctx, client.ObjectKey{
@@ -484,12 +504,10 @@ func (r *BackupCronJobReconciler) copySecret(workspace *dw.DevWorkspace, ctx con
 		return nil, err
 	}
 	if err == nil {
-		log.Info("Deleting existing registry auth secret in workspace namespace", "namespace", workspace.Namespace)
 		err = r.Delete(ctx, existingNamespaceSecret)
 		if err != nil {
 			return nil, err
 		}
-		log.Info("Successfully deleted existing registry auth secret in workspace namespace", "namespace", workspace.Namespace)
 	}
 	namespaceSecret = &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
@@ -507,5 +525,8 @@ func (r *BackupCronJobReconciler) copySecret(workspace *dw.DevWorkspace, ctx con
 		return nil, err
 	}
 	err = r.Create(ctx, namespaceSecret)
+	if err == nil {
+		log.Info("Sucesfully created secret", "name", namespaceSecret.Name, "namespace", workspace.Namespace)
+	}
 	return namespaceSecret, err
 }
diff --git a/controllers/backupcronjob/backupcronjob_controller_test.go b/controllers/backupcronjob/backupcronjob_controller_test.go
@@ -306,7 +306,12 @@ var _ = Describe("BackupCronJobReconciler", func() {
 			dw.Status.DevWorkspaceId = "id-recent"
 			Expect(fakeClient.Create(ctx, dw)).To(Succeed())
 
-			Expect(reconciler.executeBackupSync(ctx, dwoc, log)).To(HaveOccurred())
+			err := reconciler.executeBackupSync(ctx, dwoc, log)
+			Expect(err).ToNot(HaveOccurred())
+
+			jobList := &batchv1.JobList{}
+			Expect(fakeClient.List(ctx, jobList, &client.ListOptions{Namespace: dw.Namespace})).To(Succeed())
+			Expect(jobList.Items).To(HaveLen(0))
 		})
 
 		It("creates a Job for a DevWorkspace stopped with no previous backup", func() {
@@ -429,7 +434,7 @@ var _ = Describe("BackupCronJobReconciler", func() {
 			Expect(jobList.Items).To(HaveLen(0))
 		})
 
-		It("creates a Job for a DevWorkspace stopped with no previous backup and auth registry", func() {
+		It("creates a Job for a DevWorkspace stopped with no previous backup and global auth registry", func() {
 			enabled := true
 			schedule := "* * * * *"
 			dwoc := &controllerv1alpha1.DevWorkspaceOperatorConfig{
@@ -460,6 +465,41 @@ var _ = Describe("BackupCronJobReconciler", func() {
 
 			Expect(reconciler.executeBackupSync(ctx, dwoc, log)).To(Succeed())
 
+			jobList := &batchv1.JobList{}
+			Expect(fakeClient.List(ctx, jobList, &client.ListOptions{Namespace: dw.Namespace})).To(Succeed())
+			Expect(jobList.Items).To(HaveLen(1))
+		})
+		It("creates a Job for a DevWorkspace stopped with no previous backup and local auth registry", func() {
+			enabled := true
+			schedule := "* * * * *"
+			dwoc := &controllerv1alpha1.DevWorkspaceOperatorConfig{
+				ObjectMeta: metav1.ObjectMeta{Name: nameNamespace.Name, Namespace: nameNamespace.Namespace},
+				Config: &controllerv1alpha1.OperatorConfiguration{
+					Workspace: &controllerv1alpha1.WorkspaceConfig{
+						BackupCronJob: &controllerv1alpha1.BackupCronJobConfig{
+							Enable:   &enabled,
+							Schedule: schedule,
+							Registry: &controllerv1alpha1.RegistryConfig{
+								Path:       "my-registry:5000",
+								AuthSecret: "my-secret",
+							},
+						},
+					},
+				},
+			}
+			dw := createDevWorkspace("dw-recent", "ns-a", false, metav1.NewTime(time.Now().Add(-10*time.Minute)))
+			dw.Status.Phase = dwv2.DevWorkspaceStatusStopped
+			dw.Status.DevWorkspaceId = "id-recent"
+			Expect(fakeClient.Create(ctx, dw)).To(Succeed())
+
+			pvc := &corev1.PersistentVolumeClaim{ObjectMeta: metav1.ObjectMeta{Name: "claim-devworkspace", Namespace: dw.Namespace}}
+			Expect(fakeClient.Create(ctx, pvc)).To(Succeed())
+
+			authSecret := createAuthSecret("my-secret", "ns-a", map[string][]byte{})
+			Expect(fakeClient.Create(ctx, authSecret)).To(Succeed())
+
+			Expect(reconciler.executeBackupSync(ctx, dwoc, log)).To(Succeed())
+
 			jobList := &batchv1.JobList{}
 			Expect(fakeClient.List(ctx, jobList, &client.ListOptions{Namespace: dw.Namespace})).To(Succeed())
 			Expect(jobList.Items).To(HaveLen(1))
diff --git a/deploy/templates/crd/bases/controller.devfile.io_devworkspaceoperatorconfigs.yaml b/deploy/templates/crd/bases/controller.devfile.io_devworkspaceoperatorconfigs.yaml
