feat(openbao): add imagePullSecrets + use mirrored bank vaults operator #545
Open
Jcing95 wants to merge 2 commits into
Pull request overview
This PR makes the oms install openbao installer configurable for mirrored/private OCI registries by adding image/chart override options, wiring an optional registry pull secret into both the OpenBao ServiceAccount and the operator chart, and authenticating Helm against the operator chart registry before pulling.
Changes:
- Added installer support for `OMS_REGISTRY_USER`/`OMS_REGISTRY_PASSWORD` to create/update a `dockerconfigjson` pull secret and wire it into the OpenBao ServiceAccount and operator Helm values.
- Added CLI flags to override OpenBao/bank-vaults/operator images and the operator chart repo, with default backfill in config validation.
- Updated the default vault-operator chart repo/image to the Codesphere mirror and bumped the chart/operator version to `1.24.0`, plus updated docs/tests.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| internal/installer/openbao.go | Adds registry credential handling, pull-secret creation, Helm OCI login for chart pulls, configurable image/chart refs, and operator chart value overrides. |
| internal/installer/openbao_test.go | Adds/updates tests for mirrored overrides, pull-secret behavior, host de-duplication, and config default backfill. |
| internal/installer/manifests/openbao/vault-cr.yaml | Wires imagePullSecrets into the openbao ServiceAccount template conditionally. |
| docs/oms_install_openbao.md | Documents new flags and registry credential env vars, with mirrored-registry example. |
| cli/cmd/install_openbao.go | Adds new CLI flags and passes env-based registry credentials + override fields into installer config. |
Comment on lines +788 to +793 of internal/installer/openbao.go:

```go
// Update existing secret — preserve metadata, refresh type and data.
existing.Type = corev1.SecretTypeDockerConfigJson
existing.Data = map[string][]byte{corev1.DockerConfigJsonKey: dockerConfig}
if _, err := secretsClient.Update(o.ctx, existing, metav1.UpdateOptions{}); err != nil {
	return fmt.Errorf("updating image pull secret: %w", err)
}
```
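Review bot: assigning `existing.Type = corev1.SecretTypeDockerConfigJson` on the update path cannot actually "refresh" the type, because a Secret's `type` field is immutable once created; if the pre-existing `openbao-registry` Secret has any other type, the API server rejects the `Update` call with an Invalid error on `type`, and the installer has no way to recover short of manual deletion. Suggest checking the type before touching the data and failing with a clear message, e.g. `if existing.Type != corev1.SecretTypeDockerConfigJson { return fmt.Errorf("secret %s exists with type %q, expected %q", existing.Name, existing.Type, corev1.SecretTypeDockerConfigJson) }` (or deleting and re-creating it, if that is the intended semantics), and reword the comment accordingly. A second, smaller point: the `Update` uses the `existing` object as read, so a concurrent writer will produce a conflict error that is surfaced as a hard failure; wrapping the read-modify-write in `retry.RetryOnConflict` from `k8s.io/client-go/util/retry` would make the installer idempotent under re-runs.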
What

Makes the `oms install openbao` image and chart sources configurable for mirrored OCI registries, and adds an image pull secret so the OpenBao, bank-vaults, and operator images can be pulled from a private registry.

Why

The OpenBao server, bank-vaults configurer, and operator images already ship from the Codesphere GHCR mirror, but there was no way to authenticate pulls against a private registry, and the operator Helm chart was still pulled from public `ghcr.io/bank-vaults`. This lets a cluster (or a customer using their own mirror) pull every artifact from a single private registry.

Changes

- New flags `--openbao-image`, `--bank-vaults-image`, `--operator-image`, `--operator-chart-repo`. Empty values are backfilled from the `Default*` constants in `validateConfig`, so programmatic callers and the default install are unaffected.
- When `OMS_REGISTRY_USER` and `OMS_REGISTRY_PASSWORD` are both set, the installer creates/updates a `dockerconfigjson` secret (`openbao-registry`) with one `auths` entry per distinct registry host derived from the configured image refs. It is:
  - attached to the `openbao` ServiceAccount (via the Vault CR template), and
  - passed to the operator chart through the `image.imagePullSecrets` values.
- Helm OCI login before the chart pull, following the `pc_apps.go` pattern, so the chart can be pulled from a private OCI repo.
- Chart/operator version bump `1.22.5` → `1.24.0`, default operator image `vault-operator:1.24.0`. Default operator chart repo now points at the Codesphere mirror (`oci://ghcr.io/codesphere-cloud/docker/ghcr.io/bank-vaults/helm-charts`).
- Updated `docs/oms_install_openbao.md` with the new flags, the env vars, and a mirrored-registry example.

Notes for reviewers

- The Helm chart pull needs `OMS_REGISTRY_USER`/`OMS_REGISTRY_PASSWORD` unless the mirror packages are public-read. Node-level registry creds do not help the client-side chart pull.
- Operator chart values are set as `image.repository`/`image.tag`/`image.imagePullSecrets` per the vault-operator chart schema; a chart version bump could move these keys (wrong keys are silently ignored and fall back to chart defaults). Verify with `helm show values oci://ghcr.io/bank-vaults/helm-charts/vault-operator --version 1.24.0`.

Testing

- `go build ./...`, `go test ./internal/installer/...` pass; `gofmt` clean.
- Tests cover `validateConfig` default backfill, and ServiceAccount `imagePullSecrets` template rendering (set and unset).
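The "one `auths` entry per distinct registry host derived from the configured image refs" step in the description above is worth seeing end to end, since the secret is only useful if the host key matches what the kubelet (and Helm) will look up. The following is an added, stand-alone illustration of that derivation and of the `.dockerconfigjson` payload it produces; it is not code from this PR or from the oms installer, uses only the standard library (no client-go), and the image references, registry names and credentials in `main` are constructed sample values. Function names (`registryHost`, `distinctHosts`, `buildDockerConfigJSON`, `parseAuths`) are this example's own. It goes slightly beyond the PR text in one respect: a reference with no registry component (a Docker Hub image) is mapped to the `https://index.docker.io/v1/` key that Docker-style credential lookups use for Hub, rather than to the literal string `docker.io`.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// secretName mirrors the pull-secret name used by the PR description.
const secretName = "openbao-registry"

// dockerHubAuthKey is the auths key Docker and the kubelet use for Docker Hub images.
const dockerHubAuthKey = "https://index.docker.io/v1/"

// registryHost returns the registry host an image or chart reference points at,
// following the Docker reference grammar: the first path component is a
// registry only if it contains '.' or ':' or is "localhost"; anything else is
// a Docker Hub image.
func registryHost(ref string) string {
	ref = strings.TrimPrefix(ref, "oci://") // chart refs carry an oci:// scheme
	i := strings.IndexByte(ref, '/')
	if i < 0 {
		return dockerHubAuthKey // e.g. "openbao:2.0" (library image on Hub)
	}
	first := ref[:i]
	if !strings.ContainsAny(first, ".:") && first != "localhost" {
		return dockerHubAuthKey // e.g. "openbao/openbao:2.0"
	}
	if first == "docker.io" || first == "index.docker.io" {
		return dockerHubAuthKey
	}
	return first
}

// distinctHosts de-duplicates the registry hosts across all refs so the
// secret ends up with exactly one auths entry per host. Empty refs are skipped.
func distinctHosts(refs []string) []string {
	seen := map[string]struct{}{}
	for _, r := range refs {
		if r == "" {
			continue
		}
		seen[registryHost(r)] = struct{}{}
	}
	hosts := make([]string, 0, len(seen))
	for h := range seen {
		hosts = append(hosts, h)
	}
	sort.Strings(hosts) // deterministic output makes the secret diff-friendly
	return hosts
}

type authEntry struct {
	Username string `json:"username"`
	Password string `json:"password"`
	Auth     string `json:"auth"` // base64("user:password"), what the kubelet actually reads
}

type dockerConfig struct {
	Auths map[string]authEntry `json:"auths"`
}

// buildDockerConfigJSON renders the value of the ".dockerconfigjson" key for a
// kubernetes.io/dockerconfigjson Secret, refusing to run with half a credential.
func buildDockerConfigJSON(user, password string, refs []string) ([]byte, error) {
	if user == "" || password == "" {
		return nil, fmt.Errorf("both registry user and password must be set")
	}
	auth := base64.StdEncoding.EncodeToString([]byte(user + ":" + password))
	cfg := dockerConfig{Auths: map[string]authEntry{}}
	for _, h := range distinctHosts(refs) {
		cfg.Auths[h] = authEntry{Username: user, Password: password, Auth: auth}
	}
	return json.Marshal(cfg)
}

// parseAuths decodes a payload back into host -> entry, the check an installer
// would run against an already existing secret before deciding to update it.
func parseAuths(payload []byte) (map[string]authEntry, error) {
	var cfg dockerConfig
	if err := json.Unmarshal(payload, &cfg); err != nil {
		return nil, fmt.Errorf("decoding dockerconfigjson: %w", err)
	}
	return cfg.Auths, nil
}

func main() {
	// Constructed sample refs: a mirror, a chart repo and an internal registry.
	refs := []string{
		"ghcr.io/example-mirror/openbao/openbao:2.0.0",
		"ghcr.io/example-mirror/bank-vaults/bank-vaults:1.24.0",
		"oci://ghcr.io/example-mirror/helm-charts",
		"registry.example.internal:5000/vault-operator:1.24.0",
	}
	payload, err := buildDockerConfigJSON("example-user", "example-token", refs)
	if err != nil {
		panic(err)
	}
	fmt.Printf("Secret %s (.dockerconfigjson):\n%s\n", secretName, payload)
}
```

Two design choices are worth noting: the hosts are sorted so that re-running the installer produces byte-identical secret data (which keeps the Update in the PR a no-op when nothing changed), and the three ghcr.io refs collapse into a single entry, matching the host de-duplication the PR's tests cover.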