
feat(artifactories): label dockerhub registry secret with secret-copier=yes #556

Open

AbhisHub-12 wants to merge 1 commit into master from dockerhub-secret-copier-label

Conversation

AbhisHub-12 (Contributor) commented Jul 3, 2026

What

Adds the secret-copier=yes label to the DockerHub dockerconfigjson secret created by artifactories/default/0.1.

-    labels    = lookup(local.metadata, "labels", {})
+    labels    = merge(lookup(local.metadata, "labels", {}), { "secret-copier" = "yes" })
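Review bot: because merge() lets the later map win, the fixed `{ "secret-copier" = "yes" }` entry overrides any `secret-copier` key a caller passes through `lookup(local.metadata, "labels", {})`, so there is no way to opt a DockerHub secret out of replication via module labels; if that is intended, state it in the module docs, and note there that, as the Why section says, the label causes the DockerHub credential to be copied into every namespace, so anyone with secret read in any namespace can read it.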

Why

On containerd 2.x nodes (k8s 1.34+/1.35), node-level /etc/containerd/config.toml DockerHub login is silently ignored, so private DockerHub pulls fail. The fix is the k8s imagePullSecret path:

  1. artifactories creates + labels the dockerconfigjson secret (this PR)
  2. secret-copier (shell-operator, watches secret-copier=yes in default) replicates it to every namespace — real-time on new-namespace + secret change, plus a daily reconcile
  3. image-pull-secret-injector (mutating webhook, all namespaces) injects the reference into every pod

Pod-level injection = SA-agnostic; no service-account patching needed. This is the same label the redesigned artifactories/standard/1.0 module already sets.

Scope

  • Only the DockerHub secret resource (for_each = local.artifactories_dockerhub) — ECR path untouched.
  • Requires the secret to reside in the default namespace (secret-copier's source) and secret-copier + image_pull_secret_injector to be deployed in the cluster.

Test plan

  • Dev 1.35/containerd-2.x env: labeled secret in default → confirm secret-copier replicates it to a fresh namespace
  • New pod using a private DockerHub image gets imagePullSecrets injected and pulls successfully
  • Existing (non-DockerHub / ECR) behavior unchanged

Summary by CodeRabbit

  • Bug Fixes
    • Generated registry secrets now include an additional label alongside existing metadata labels, improving consistency and making them easier to identify and manage.

Labels the dockerconfigjson secret so secret-copier replicates it across
all namespaces, allowing image-pull-secret-injector to inject a valid
imagePullSecret into every pod. Resolves the containerd 2.x DockerHub auth
gap on k8s 1.34+/1.35 nodes where node-level config.toml login is ignored.
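As an added example (not the PR's Terraform, nor code from secret-copier or image-pull-secret-injector), a small offline Python model of the three-step path in the Why section: which secrets the label selects in default, what a per-namespace copy looks like, and why the injected reference only resolves once the copy exists in the pod's own namespace. Secret names, the extra namespaces, and the copier/webhook behaviour are assumptions.

```python
# Added example, not code from the PR, secret-copier or image-pull-secret-injector: an offline
# model of the label-driven imagePullSecret path, using the PR's label and source namespace.
import copy

SOURCE_NAMESPACE = "default"                       # secret-copier's source namespace
COPY_LABEL_KEY, COPY_LABEL_VALUE = "secret-copier", "yes"

def select_source_secrets(secrets):
    # Step 2 selector: only secrets in `default` carrying secret-copier=yes get replicated.
    return [s for s in secrets
            if s["metadata"].get("namespace") == SOURCE_NAMESPACE
            and s["metadata"].get("labels", {}).get(COPY_LABEL_KEY) == COPY_LABEL_VALUE]

def replicate(secret, namespaces):
    # Copy into every other namespace, dropping cluster-assigned metadata before re-creation.
    copies = []
    for ns in namespaces:
        if ns == SOURCE_NAMESPACE:
            continue
        c = copy.deepcopy(secret)
        for field in ("uid", "resourceVersion", "creationTimestamp", "ownerReferences"):
            c["metadata"].pop(field, None)
        c["metadata"]["namespace"] = ns
        copies.append(c)
    return copies

def inject_pull_secret(pod, secret_name):
    # Step 3 (mutating webhook): add the imagePullSecrets reference, idempotently.
    refs = pod.setdefault("spec", {}).setdefault("imagePullSecrets", [])
    if not any(r.get("name") == secret_name for r in refs):
        refs.append({"name": secret_name})
    return pod

def pull_secret_resolvable(pod, secrets):
    # imagePullSecrets resolve in the pod's own namespace: the copy must exist there already.
    ns = pod["metadata"]["namespace"]
    wanted = {r["name"] for r in pod["spec"].get("imagePullSecrets", [])}
    present = {s["metadata"]["name"] for s in secrets if s["metadata"]["namespace"] == ns}
    return wanted <= present

def sample_secrets():
    # Constructed inventory: the DockerHub secret (merge() lets the fixed label win over a
    # caller-supplied secret-copier=no) and an unlabelled ECR secret that is never copied.
    def secret(name, labels):
        return {"type": "kubernetes.io/dockerconfigjson",
                "data": {".dockerconfigjson": "<base64 placeholder>"},
                "metadata": {"name": name, "namespace": SOURCE_NAMESPACE, "uid": "constructed", "labels": labels}}
    caller_labels = {"team": "platform", COPY_LABEL_KEY: "no"}   # stands in for lookup(local.metadata, "labels", {})
    return [secret("dockerhub", {**caller_labels, COPY_LABEL_KEY: COPY_LABEL_VALUE}),  # merge(): fixed label wins
            secret("ecr", {"team": "platform"})]
```

Copies land outside default, so a second pass of select_source_secrets over them returns nothing and the copier cannot feed on its own output.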
coderabbitai (Bot) commented Jul 3, 2026

No actionable comments were generated in the recent review. 🎉

Reviewing files that changed from the base of the PR and between c6a285c and 7ab7201.

Files selected for processing (1):
  • modules/artifactories/default/0.1/registry_secret.tf

Walkthrough

The kubernetes_secret_v1.registry_secret resource's metadata labels now merge existing labels from local.metadata with an additional fixed label { "secret-copier" = "yes" }, instead of using only the existing labels.

Changes

Registry Secret Label Update (modules/artifactories/default/0.1/registry_secret.tf): merge fixed label into secret metadata. Changed metadata.labels to merge lookup(local.metadata, "labels", {}) with { "secret-copier" = "yes" }, adding a constant label to every generated secret.
Pre-merge checks (5 passed)

  • Title check: Passed. The title clearly and concisely describes the main change: adding the secret-copier label to the DockerHub registry secret.
  • Description check: Passed. The description covers what, why, scope, and testing, so it is mostly complete despite missing some template sections like related issues.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.
Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

  • Trivy (0.69.3): Trivy execution timed out


