Generate image pull secret at bootstrap

Add an optional flag called `--registry-creds` to the bootstrap command for generating an image pull secret for container images stored in private registries. Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2026-02-06 10:55:56 +00:00 · 2024-04-05 16:27:12 +03:00
parent afa648933b
commit 05903e2171
11 changed files with 59 additions and 6 deletions
--- a/pkg/bootstrap/bootstrap.go
+++ b/pkg/bootstrap/bootstrap.go
@@ -173,6 +173,26 @@ func reconcileSecret(ctx context.Context, kube client.Client, secret corev1.Secr
 	return kube.Update(ctx, &existing)
 }

+func reconcileImagePullSecret(ctx context.Context, kube client.Client, installOpts install.Options) error {
+	credentials := strings.SplitN(installOpts.RegistryCredential, ":", 2)
+	dcj, err := sourcesecret.GenerateDockerConfigJson(installOpts.Registry, credentials[0], credentials[1])
+	if err != nil {
+		return fmt.Errorf("failed to generate docker config json: %w", err)
+	}
+
+	secret := corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: installOpts.Namespace,
+			Name:      installOpts.ImagePullSecret,
+		},
+		StringData: map[string]string{
+			corev1.DockerConfigJsonKey: string(dcj),
+		},
+		Type: corev1.SecretTypeDockerConfigJson,
+	}
+	return reconcileSecret(ctx, kube, secret)
+}
+
 func kustomizationPathDiffers(ctx context.Context, kube client.Client, objKey client.ObjectKey, path string) (string, error) {
 	var k kustomizev1.Kustomization
 	if err := kube.Get(ctx, objKey, &k); err != nil {
--- a/pkg/bootstrap/bootstrap_plain_git.go
+++ b/pkg/bootstrap/bootstrap_plain_git.go
@@ -207,6 +207,14 @@ func (b *PlainGitBootstrapper) ReconcileComponents(ctx context.Context, manifest
 		b.logger.Successf("installed components")
 	}

+	// Reconcile image pull secret if needed
+	if options.ImagePullSecret != "" && options.RegistryCredential != "" {
+		if err := reconcileImagePullSecret(ctx, b.kube, options); err != nil {
+			return fmt.Errorf("failed to reconcile image pull secret: %w", err)
+		}
+		b.logger.Successf("reconciled image pull secret %s", options.ImagePullSecret)
+	}
+
 	b.logger.Successf("reconciled components")
 	return nil
 }
--- a/pkg/manifestgen/install/options.go
+++ b/pkg/manifestgen/install/options.go
@@ -26,6 +26,7 @@ type Options struct {
 	ComponentsExtra        []string
 	EventsAddr             string
 	Registry               string
+	RegistryCredential     string
 	ImagePullSecret        string
 	WatchAllNamespaces     bool
 	NetworkPolicy          bool
@@ -46,6 +47,7 @@ func MakeDefaultOptions() Options {
 		ComponentsExtra:        []string{"image-reflector-controller", "image-automation-controller"},
 		EventsAddr:             "",
 		Registry:               "ghcr.io/fluxcd",
+		RegistryCredential:     "",
 		ImagePullSecret:        "",
 		WatchAllNamespaces:     true,
 		NetworkPolicy:          true,
--- a/pkg/manifestgen/sourcesecret/sourcesecret.go
+++ b/pkg/manifestgen/sourcesecret/sourcesecret.go
@@ -83,7 +83,7 @@ func Generate(options Options) (*manifestgen.Manifest, error) {

 	var dockerCfgJson []byte
 	if options.Registry != "" {
-		dockerCfgJson, err = generateDockerConfigJson(options.Registry, options.Username, options.Password)
+		dockerCfgJson, err = GenerateDockerConfigJson(options.Registry, options.Username, options.Password)
 		if err != nil {
 			return nil, fmt.Errorf("failed to generate json for docker config: %w", err)
 		}
@@ -223,7 +223,7 @@ func resourceToString(data []byte) string {
 	return string(data)
 }

-func generateDockerConfigJson(url, username, password string) ([]byte, error) {
+func GenerateDockerConfigJson(url, username, password string) ([]byte, error) {
 	cred := fmt.Sprintf("%s:%s", username, password)
 	auth := base64.StdEncoding.EncodeToString([]byte(cred))
 	cfg := DockerConfigJSON{