feat: Support configuring OCI Pull Secret

ThomasVitale · ThomasVitale · commit 7b4e6af49ac3 · 2025-08-14T19:16:24.000+02:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -18,6 +18,6 @@ jobs:
       registry-server: ghcr.io
       registry-username: ${{ github.actor }}
       image: ${{ github.repository }}
-      version: 0.3.0
+      version: 0.4.0
     secrets:
       pull-request-token: ${{ secrets.GH_ORG_PAT }}
diff --git a/README.md b/README.md
@@ -82,8 +82,8 @@ The Workspace Provisioner package can be customized via a `values.yml` file.
   - name: qa
   - name: staging
 
-  oci_registry:
-    secret:
+  oci:
+    pull_secret:
       name: supply-chain-registry-credentials
       namespace: kadras-system
   ```
@@ -108,8 +108,8 @@ The Workspace Provisioner package has the following configurable properties.
 |-------|-------------------|-------------|
 | `namespaces` | `[]` | Configuration for the namespaces the platform will provision and manage. |
 | `service_account` | `supply-chain` | The `ServiceAccount` to be configured with credentials and roles in each workspace. |
-| `oci_registry.secret.name` | `""` | The name of the Secret holding the credentials to access the OCI registry. |
-| `oci_registry.secret.namespace` | `""` | The namespace of the Secret holding the credentials to access the OCI registry. |
+| `oci.pull_secret.name` | `""` | The name of the Secret holding the credentials to pull images from the OCI registry. |
+| `oci.pull_secret.namespace` | `""` | The namespace of the Secret holding the credentials to pull images from the OCI registry. |
 | `cosign.secret.name` | `""` | The name of the Secret holding the Cosign key pair. |
 | `cosign.secret.namespace` | `""` | The namespace of the Secret holding the Cosign key pair. |
 | `git.server` | `https://github.com` | The Git server hosting the Git repositories used by the platform. |
diff --git a/package/config/setup-namespaces.yml b/package/config/setup-namespaces.yml
@@ -2,8 +2,8 @@
 
 #@ image_pull_secret_name = "canonical-registry-credentials"
 
-#@ def is_oci_registry_secret_available():
-#@   return data.values.oci_registry.secret.name != "" and data.values.oci_registry.secret.namespace != ""
+#@ def is_oci_pull_secret_available():
+#@   return data.values.oci.pull_secret.name != "" and data.values.oci.pull_secret.namespace != ""
 #@ end
 
 #@ def is_cosign_secret_available():
@@ -16,16 +16,15 @@
 
 #! SECRET EXPORTS
 
-#@ if/end is_oci_registry_secret_available():
+#@ if/end is_oci_pull_secret_available():
 ---
 apiVersion: secretgen.carvel.dev/v1alpha1
 kind: SecretExport
 metadata:
-  name: #@ data.values.oci_registry.secret.name
-  namespace: #@ data.values.oci_registry.secret.namespace
+  name: #@ data.values.oci.pull_secret.name
+  namespace: #@ data.values.oci.pull_secret.namespace
 spec:
   toNamespaces:
-    - kpack #! Used by kpack to publish Buildpacks artifacts. 
     #@ for namespace in data.values.namespaces:
     - #@ namespace.name
     #@ end
@@ -83,20 +82,6 @@ type: kubernetes.io/dockerconfigjson
 data:
   .dockerconfigjson: e30K
 
-#! OCI Registry
-
-#@ if/end is_oci_registry_secret_available():
----
-apiVersion: secretgen.carvel.dev/v1alpha1
-kind: SecretImport
-metadata:
-  name: #@ data.values.oci_registry.secret.name
-  namespace: #@ namespace.name
-  annotations:
-    kapp.k14s.io/create-strategy: fallback-on-update
-spec:
-  fromNamespace: #@ data.values.oci_registry.secret.namespace
-
 #! Cosign
 
 #@ if/end is_cosign_secret_available():
@@ -137,16 +122,12 @@ metadata:
   annotations:
     kapp.k14s.io/create-strategy: fallback-on-update
 secrets:
-  #@ if/end is_oci_registry_secret_available():
-  - name: #@ data.values.oci_registry.secret.name
   #@ if/end is_cosign_secret_available():
   - name: #@ data.values.cosign.secret.name
   #@ if/end is_git_secret_available():
   - name: #@ data.values.git.secret.name
 imagePullSecrets:
   - name: #@ image_pull_secret_name
-  #@ if/end is_oci_registry_secret_available():
-  - name: #@ data.values.oci_registry.secret.name
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1
diff --git a/package/config/values-schema.yml b/package/config/values-schema.yml
@@ -9,13 +9,13 @@ namespaces:
 #@schema/desc "The `ServiceAccount` to be configured with credentials and roles in each workspace."
 service_account: supply-chain
 
-#@schema/desc "Settings for the OCI registry that the workspace will use."
-oci_registry:
-  #@schema/desc "Configuration for the Secret holding the credentials to access the OCI registry."
-  secret:
-    #@schema/desc "The name of the Secret holding the credentials to access the OCI registry."
+#@schema/desc "Settings for accessing the OCI registry that the workspace will use."
+oci:
+  #@schema/desc "Configuration for the Secret holding the credentials to pull images from the OCI registry."
+  pull_secret:
+    #@schema/desc "The name of the Secret holding the credentials to pull images from the OCI registry."
     name: ""
-    #@schema/desc "The namespace of the Secret holding the credentials to access the OCI registry."
+    #@schema/desc "The namespace of the Secret holding the credentials to pull images from the OCI registry."
     namespace: ""
 
 #@schema/desc "Settings for Cosign, used for signing and verifying OCI artifacts."
diff --git a/test/integration/default/01-assert.yaml b/test/integration/default/01-assert.yaml
@@ -19,17 +19,6 @@ metadata:
     kapp.k14s.io/create-strategy: fallback-on-update
 type: kubernetes.io/dockerconfigjson
 
-#! OCI Registry
-
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: supply-chain-registry-credentials
-  namespace: test-default
-  annotations:
-    kapp.k14s.io/create-strategy: fallback-on-update
-
 #! Cosign
 
 ---
@@ -63,12 +52,10 @@ metadata:
   annotations:
     kapp.k14s.io/create-strategy: fallback-on-update
 secrets:
-  - name: supply-chain-registry-credentials
   - name: supply-chain-cosign-key-pair
   - name: supply-chain-git-credentials
 imagePullSecrets:
   - name: canonical-registry-credentials
-  - name: supply-chain-registry-credentials
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1
diff --git a/test/integration/default/config/values.yml b/test/integration/default/config/values.yml
@@ -9,8 +9,8 @@ stringData:
     namespaces:
       - name: test-default
  
-    oci_registry:
-      secret:
+    oci:
+      pull_secret:
         name: supply-chain-registry-credentials
         namespace: kadras-system
 
diff --git a/test/unit/config/values.yml b/test/unit/config/values.yml
@@ -4,8 +4,8 @@ namespaces:
   - name: quo
   - name: qua
 
-oci_registry:
-  secret:
+oci:
+  pull_secret:
     name: supply-chain-registry-credentials
     namespace: kadras-system
 
