Dynatrace · aorcholski · Jul 10, 2024 · Jun 26, 2024 · Jul 4, 2024 · Jul 5, 2024
@@ -211,14 +211,27 @@ func (dk *DynaKube) PullSecretName() string {
 	return dk.Name + PullSecretSuffix
 }
 
-// PullSecretWithoutData returns a secret which can be used to query the actual secrets data from the cluster.
-func (dk *DynaKube) PullSecretWithoutData() corev1.Secret {
-	return corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      dk.PullSecretName(),
-			Namespace: dk.Namespace,
-		},
+// PullSecretNames returns the names of the pull secrets to be used for immutable images.
+func (dk *DynaKube) PullSecretNames() []string {
+	names := []string{
+		dk.Name + PullSecretSuffix,
 	}
+	if dk.Spec.CustomPullSecret != "" {
+		names = append(names, dk.Spec.CustomPullSecret)
+	}
+
+	return names
+}
+
+func (dk *DynaKube) ImagePullSecretReferences() []corev1.LocalObjectReference {
+	imagePullSecrets := make([]corev1.LocalObjectReference, 0)
+	for _, pullSecretName := range dk.PullSecretNames() {
+		imagePullSecrets = append(imagePullSecrets, corev1.LocalObjectReference{
+			Name: pullSecretName,
+		})
+	}
+
+	return imagePullSecrets
 }
 
 func (dk *DynaKube) NeedsReadOnlyOneAgents() bool {

@@ -211,14 +211,27 @@ func (dk *DynaKube) PullSecretName() string {
 	return dk.Name + PullSecretSuffix
 }
 
-// PullSecretWithoutData returns a secret which can be used to query the actual secrets data from the cluster.
-func (dk *DynaKube) PullSecretWithoutData() corev1.Secret {
-	return corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      dk.PullSecretName(),
-			Namespace: dk.Namespace,
-		},
+// PullSecretsNames returns the names of the pull secrets to be used for immutable images.
+func (dk *DynaKube) PullSecretNames() []string {
+	names := []string{
+		dk.Name + PullSecretSuffix,
 	}
+	if dk.Spec.CustomPullSecret != "" {
+		names = append(names, dk.Spec.CustomPullSecret)
+	}
+
+	return names
+}
+
+func (dk *DynaKube) ImagePullSecretReferences() []corev1.LocalObjectReference {
+	imagePullSecrets := make([]corev1.LocalObjectReference, 0)
+	for _, pullSecretName := range dk.PullSecretNames() {
+		imagePullSecrets = append(imagePullSecrets, corev1.LocalObjectReference{
+			Name: pullSecretName,
+		})
+	}
+
+	return imagePullSecrets
 }
 
 func (dk *DynaKube) NeedsReadOnlyOneAgents() bool {

@@ -32,7 +32,6 @@ import (
 	"github.com/Dynatrace/dynatrace-operator/pkg/injection/codemodule/installer"
 	"github.com/Dynatrace/dynatrace-operator/pkg/injection/codemodule/installer/image"
 	"github.com/Dynatrace/dynatrace-operator/pkg/injection/codemodule/installer/url"
-	"github.com/Dynatrace/dynatrace-operator/pkg/oci/registry"
 	"github.com/Dynatrace/dynatrace-operator/pkg/util/dtotel"
 	"github.com/pkg/errors"
 	"github.com/spf13/afero"
@@ -61,7 +60,6 @@ type OneAgentProvisioner struct {
 	dynatraceClientBuilder dynatraceclient.Builder
 	urlInstallerBuilder    urlInstallerBuilder
 	imageInstallerBuilder  imageInstallerBuilder
-	registryClientBuilder  registry.ClientBuilder
 	opts                   dtcsi.CSIOptions
 	path                   metadata.PathResolver
 }
@@ -80,7 +78,6 @@ func NewOneAgentProvisioner(mgr manager.Manager, opts dtcsi.CSIOptions, db metad
 		dynatraceClientBuilder: dynatraceclient.NewBuilder(mgr.GetAPIReader()),
 		urlInstallerBuilder:    url.NewUrlInstaller,
 		imageInstallerBuilder:  image.NewImageInstaller,
-		registryClientBuilder:  registry.NewClient,
 	}
 }
 

@@ -3,7 +3,7 @@ package statefulset
 import (
 	"strconv"
 
-	dynatracev1beta2 "github.com/Dynatrace/dynatrace-operator/pkg/api/v1beta2/dynakube"
+	"github.com/Dynatrace/dynatrace-operator/pkg/api/v1beta2/dynakube"
 	"github.com/Dynatrace/dynatrace-operator/pkg/controllers/dynakube/activegate/capability"
 	"github.com/Dynatrace/dynatrace-operator/pkg/controllers/dynakube/activegate/consts"
 	"github.com/Dynatrace/dynatrace-operator/pkg/controllers/dynakube/activegate/internal/statefulset/builder"
@@ -31,14 +31,14 @@ type Builder struct {
 	envMap     *prioritymap.Map
 	kubeUID    types.UID
 	configHash string
-	dynakube   dynatracev1beta2.DynaKube
+	dynakube   dynakube.DynaKube
 }
 
-func NewStatefulSetBuilder(kubeUID types.UID, configHash string, dynakube dynatracev1beta2.DynaKube, capability capability.Capability) Builder {
+func NewStatefulSetBuilder(kubeUID types.UID, configHash string, dk dynakube.DynaKube, capability capability.Capability) Builder {
 	return Builder{
 		kubeUID:    kubeUID,
 		configHash: configHash,
-		dynakube:   dynakube,
+		dynakube:   dk,
 		capability: capability,
 		envMap:     prioritymap.New(prioritymap.WithPriority(defaultEnvPriority)),
 	}
@@ -129,9 +129,7 @@ func (statefulSetBuilder Builder) addTemplateSpec(sts *appsv1.StatefulSet) {
 				Type: corev1.SeccompProfileTypeRuntimeDefault,
 			},
 		},
-		ImagePullSecrets: []corev1.LocalObjectReference{
-			{Name: statefulSetBuilder.dynakube.PullSecretName()},
-		},
+		ImagePullSecrets:  statefulSetBuilder.dynakube.ImagePullSecretReferences(),
 		PriorityClassName: statefulSetBuilder.dynakube.Spec.ActiveGate.PriorityClassName,
 		DNSPolicy:         statefulSetBuilder.dynakube.Spec.ActiveGate.DNSPolicy,
 

@@ -189,7 +189,8 @@ func TestAddTemplateSpec(t *testing.T) {
 
 		assert.NotEmpty(t, spec.Containers)
 		assert.NotEmpty(t, spec.Affinity)
-		assert.Equal(t, dynakube.PullSecretName(), spec.ImagePullSecrets[0].Name)
+		assert.Equal(t, len(dynakube.PullSecretNames()), len(spec.ImagePullSecrets))
+		assert.Equal(t, dynakube.PullSecretNames()[0], spec.ImagePullSecrets[0].Name)
 	})
 
 	t.Run("adds capability specific stuff", func(t *testing.T) {

@@ -23,7 +23,6 @@ import (
 	"github.com/Dynatrace/dynatrace-operator/pkg/controllers/dynakube/proxy"
 	"github.com/Dynatrace/dynatrace-operator/pkg/controllers/dynakube/token"
 	"github.com/Dynatrace/dynatrace-operator/pkg/injection/namespace/mapper"
-	"github.com/Dynatrace/dynatrace-operator/pkg/oci/registry"
 	"github.com/Dynatrace/dynatrace-operator/pkg/util/hasher"
 	"github.com/Dynatrace/dynatrace-operator/pkg/util/kubeobjects/env"
 	"github.com/Dynatrace/dynatrace-operator/pkg/util/kubesystem"
@@ -69,7 +68,6 @@ func NewDynaKubeController(kubeClient client.Client, apiReader client.Reader, co
 		clusterID:              clusterID,
 		dynatraceClientBuilder: dynatraceclient.NewBuilder(apiReader),
 		istioClientBuilder:     istio.NewClient,
-		registryClientBuilder:  registry.NewClient,
 
 		deploymentMetadataReconcilerBuilder: deploymentmetadata.NewReconciler,
 		activeGateReconcilerBuilder:         activegate.NewReconciler,
@@ -102,7 +100,6 @@ type Controller struct {
 	dynatraceClientBuilder dynatraceclient.Builder
 	config                 *rest.Config
 	istioClientBuilder     istio.ClientBuilder
-	registryClientBuilder  registry.ClientBuilder
 
 	deploymentMetadataReconcilerBuilder deploymentmetadata.ReconcilerBuilder
 	activeGateReconcilerBuilder         activegate.ReconcilerBuilder

@@ -408,7 +408,6 @@ func createFakeClientAndReconciler(t *testing.T, mockClient dtclient.Client, ins
 	controller := &Controller{
 		client:                              fakeClient,
 		apiReader:                           fakeClient,
-		registryClientBuilder:               createFakeRegistryClientBuilder(t),
 		dynatraceClientBuilder:              mockDtcBuilder,
 		fs:                                  afero.Afero{Fs: afero.NewMemMapFs()},
 		deploymentMetadataReconcilerBuilder: deploymentmetadata.NewReconciler,

@@ -19,15 +19,11 @@ import (
 	"github.com/Dynatrace/dynatrace-operator/pkg/controllers/dynakube/istio"
 	"github.com/Dynatrace/dynatrace-operator/pkg/controllers/dynakube/oneagent"
 	"github.com/Dynatrace/dynatrace-operator/pkg/controllers/dynakube/token"
-	"github.com/Dynatrace/dynatrace-operator/pkg/oci/registry"
 	dtwebhook "github.com/Dynatrace/dynatrace-operator/pkg/webhook"
 	dtclientmock "github.com/Dynatrace/dynatrace-operator/test/mocks/pkg/clients/dynatrace"
 	controllermock "github.com/Dynatrace/dynatrace-operator/test/mocks/pkg/controllers"
 	dtbuildermock "github.com/Dynatrace/dynatrace-operator/test/mocks/pkg/controllers/dynakube/dynatraceclient"
 	injectionmock "github.com/Dynatrace/dynatrace-operator/test/mocks/pkg/controllers/dynakube/injection"
-	registrymock "github.com/Dynatrace/dynatrace-operator/test/mocks/pkg/oci/registry"
-	containerv1 "github.com/google/go-containerregistry/pkg/v1"
-	fakecontainer "github.com/google/go-containerregistry/pkg/v1/fake"
 	"github.com/pkg/errors"
 	"github.com/spf13/afero"
 	"github.com/stretchr/testify/assert"
@@ -343,10 +339,9 @@ func TestReconcileComponents(t *testing.T) {
 		mockInjectionReconciler.On("Reconcile", mock.Anything).Return(errors.New("BOOM"))
 
 		controller := &Controller{
-			client:                fakeClient,
-			apiReader:             fakeClient,
-			fs:                    afero.Afero{Fs: afero.NewMemMapFs()},
-			registryClientBuilder: createFakeRegistryClientBuilder(t),
+			client:    fakeClient,
+			apiReader: fakeClient,
+			fs:        afero.Afero{Fs: afero.NewMemMapFs()},
 
 			activeGateReconcilerBuilder: createActivegateReconcilerBuilder(mockActiveGateReconciler),
 			injectionReconcilerBuilder:  createInjectionReconcilerBuilder(mockInjectionReconciler),
@@ -374,7 +369,6 @@ func TestReconcileComponents(t *testing.T) {
 			client:                      fakeClient,
 			apiReader:                   fakeClient,
 			fs:                          afero.Afero{Fs: afero.NewMemMapFs()},
-			registryClientBuilder:       createFakeRegistryClientBuilder(t),
 			activeGateReconcilerBuilder: createActivegateReconcilerBuilder(mockActiveGateReconciler),
 			injectionReconcilerBuilder:  createInjectionReconcilerBuilder(mockInjectionReconciler),
 		}
@@ -405,23 +399,6 @@ func createInjectionReconcilerBuilder(reconciler *injectionmock.Reconciler) inje
 	}
 }
 
-func createFakeRegistryClientBuilder(t *testing.T) func(options ...func(*registry.Client)) (registry.ImageGetter, error) {
-	fakeRegistryClient := registrymock.NewImageGetter(t)
-	fakeImage := &fakecontainer.FakeImage{}
-	fakeImage.ConfigFileStub = func() (*containerv1.ConfigFile, error) {
-		return &containerv1.ConfigFile{}, nil
-	}
-	_, _ = fakeImage.ConfigFile()
-	image := containerv1.Image(fakeImage)
-
-	fakeRegistryClient.On("GetImageVersion", mock.Anything, mock.Anything).Return(registry.ImageVersion{Version: "1.2.3.4-5"}, nil).Maybe()
-	fakeRegistryClient.On("PullImageInfo", mock.Anything, mock.Anything).Return(&image, nil).Maybe()
-
-	return func(options ...func(*registry.Client)) (registry.ImageGetter, error) {
-		return fakeRegistryClient, nil
-	}
-}
-
 type errorClient struct {
 	client.Client
 }
@@ -537,7 +514,6 @@ func TestTokenConditions(t *testing.T) {
 			client:                 fakeClient,
 			apiReader:              fakeClient,
 			dynatraceClientBuilder: mockDtcBuilder,
-			registryClientBuilder:  createFakeRegistryClientBuilder(t),
 		}
 
 		_, err := controller.setupTokensAndClient(ctx, dynakube)

@@ -39,10 +39,6 @@ func NewReconciler(clt client.Client, apiReader client.Reader, dynakube *dynatra
 }
 
 func (r *Reconciler) Reconcile(ctx context.Context) error {
-	if r.dynakube.Spec.CustomPullSecret != "" {
-		return nil
-	}
-
 	if !(r.dynakube.NeedsOneAgent() || r.dynakube.NeedsActiveGate()) {
 		if meta.FindStatusCondition(*r.dynakube.Conditions(), PullSecretConditionType) == nil {
 			return nil // no condition == nothing is there to clean up

@@ -16,9 +16,10 @@ const (
 	testKey   = "test-key"
 	testValue = "test-value"
 
-	testClusterID = "test-cluster-id"
-	testURL       = "https://testing.dev.dynatracelabs.com/api"
-	testName      = "test-name"
+	testClusterID    = "test-cluster-id"
+	testURL          = "https://testing.dev.dynatracelabs.com/api"
+	testDynakubeName = "test-dynakube-name"
+	testName         = "test-name"
 
 	testNewHostGroupName     = "newhostgroup"
 	testOldHostGroupArgument = "--set-host-group=oldhostgroup"

@@ -307,7 +307,7 @@ func (b *builder) imagePullSecrets() []corev1.LocalObjectReference {
 		return []corev1.LocalObjectReference{}
 	}
 
-	return []corev1.LocalObjectReference{{Name: b.dk.PullSecretName()}}
+	return b.dk.ImagePullSecretReferences()
 }
 
 func (b *builder) securityContext() *corev1.SecurityContext {

@@ -130,6 +130,9 @@ func TestLabels(t *testing.T) {
 
 func TestCustomPullSecret(t *testing.T) {
 	instance := dynakube.DynaKube{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: testDynakubeName,
+		},
 		Spec: dynakube.DynaKubeSpec{
 			APIURL: testURL,
 			OneAgent: dynakube.OneAgentSpec{
@@ -144,8 +147,9 @@ func TestCustomPullSecret(t *testing.T) {
 
 	podSpecs := ds.Spec.Template.Spec
 	assert.NotNil(t, podSpecs)
-	assert.NotEmpty(t, podSpecs.ImagePullSecrets)
-	assert.Equal(t, testName, podSpecs.ImagePullSecrets[0].Name)
+	assert.Len(t, podSpecs.ImagePullSecrets, 2)
+	assert.Equal(t, testDynakubeName+dynakube.PullSecretSuffix, podSpecs.ImagePullSecrets[0].Name)
+	assert.Equal(t, testName, podSpecs.ImagePullSecrets[1].Name)
 }
 
 func TestResources(t *testing.T) {

@@ -30,15 +30,14 @@ type Properties struct {
 }
 
 func NewImageInstaller(ctx context.Context, fs afero.Fs, props *Properties) (installer.Installer, error) {
-	pullSecret := props.Dynakube.PullSecretWithoutData()
 	defaultTransport := http.DefaultTransport.(*http.Transport).Clone()
 
 	transport, err := registry.PrepareTransportForDynaKube(ctx, props.ApiReader, defaultTransport, props.Dynakube)
 	if err != nil {
 		return nil, err
 	}
 
-	keychain, err := dockerkeychain.NewDockerKeychain(ctx, props.ApiReader, pullSecret)
+	keychain, err := dockerkeychain.NewDockerKeychains(ctx, props.ApiReader, props.Dynakube.Namespace, props.Dynakube.PullSecretNames())
 	if err != nil {
 		return nil, err
 	}

@@ -69,7 +69,12 @@ func TestNewImageInstaller(t *testing.T) {
 		},
 		Spec: dynatracev1beta2.DynaKubeSpec{},
 	}
-	pullSecret := dynakube.PullSecretWithoutData()
+	pullSecret := corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      dynakube.PullSecretName(),
+			Namespace: dynakube.Namespace,
+		},
+	}
 	pullSecret.Data = map[string][]byte{
 		corev1.DockerConfigJsonKey: []byte(emptyDockerConfig),
 	}