
feat(openbao): add imagePullSecrets + use mirrored bank vaults operator#545

Open · Jcing95 wants to merge 2 commits into main from fix/openbao-image-pull-secret

Conversation

@Jcing95 (Contributor) commented Jun 30, 2026

What

Makes the oms install openbao image and chart sources configurable for mirrored OCI registries, and adds an image pull secret so the OpenBao, bank-vaults, and operator images can be pulled from a private registry.

Why

The OpenBao server, bank-vaults configurer, and operator images already ship from the Codesphere GHCR mirror, but there was no way to authenticate pulls against a private registry, and the operator Helm chart was still pulled from public ghcr.io/bank-vaults. This lets a cluster (or a customer using their own mirror) pull every artifact from a single private registry.

Changes

  • New CLI flags (with defaults pointing at the Codesphere mirror): --openbao-image, --bank-vaults-image, --operator-image, --operator-chart-repo. Empty values are backfilled from the Default* constants in validateConfig, so programmatic callers and the default install are unaffected.
  • Image pull secret: when OMS_REGISTRY_USER and OMS_REGISTRY_PASSWORD are both set, the installer creates/updates a dockerconfigjson secret (openbao-registry) with one auths entry per distinct registry host derived from the configured image refs. It is:
    • attached to the openbao ServiceAccount (via the Vault CR template), and
    • passed to the operator pod through the chart's image.imagePullSecrets values.
    • Setting only one of the two credentials is a hard error; setting neither is a no-op (unchanged behavior).
    • Creation is idempotent and refreshes credentials on re-run, with create/update conflict handling.
  • Helm OCI login: before installing/upgrading the operator chart, the installer authenticates to the chart registry host (when credentials are present), mirroring the pc_apps.go pattern, so the chart can be pulled from a private OCI repo.
  • Operator chart/image bump: vault-operator chart 1.22.5 → 1.24.0, default operator image vault-operator:1.24.0. Default operator chart repo now points at the Codesphere mirror (oci://ghcr.io/codesphere-cloud/docker/ghcr.io/bank-vaults/helm-charts).
  • Docs: regenerated docs/oms_install_openbao.md with the new flags, the env vars, and a mirrored-registry example.

Notes for reviewers

  • Because the default operator chart repo now points at the mirror, the Helm chart pull (client-side) requires OMS_REGISTRY_USER/OMS_REGISTRY_PASSWORD unless the mirror packages are public-read. Node-level registry creds do not help the client-side chart pull.
  • The operator chart values use image.repository / image.tag / image.imagePullSecrets per the vault-operator chart schema; a chart version bump could move these keys (wrong keys are silently ignored and fall back to chart defaults). Verify with helm show values oci://ghcr.io/bank-vaults/helm-charts/vault-operator --version 1.24.0.

Testing

  • go build ./..., go test ./internal/installer/... pass; gofmt clean.
  • New tests cover: mirror overrides + pull secret wiring, secret creation/no-op/partial-cred error/idempotency, host deduplication, validateConfig default backfill, and ServiceAccount imagePullSecrets template rendering (set and unset).
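The registry-credential rule and the dockerconfigjson construction described in the Changes list above, as an added Go example that is not the project's installer code: the auths-key derivation from image refs and the oci:// chart repo, the all-or-nothing check on OMS_REGISTRY_USER/OMS_REGISTRY_PASSWORD, host de-duplication, and byte-stable output so a re-run that changes nothing is a no-op update. Function names, the sample image refs and the credential values are constructed for illustration; the Docker Hub auths key follows the `docker login` convention that kubelet matches for bare refs such as `vault-operator:1.24.0`. The project writes the Secret through client-go; this stand-alone version stops at the `.dockerconfigjson` bytes.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// dockerHubAuthKey is the auths key `docker login` writes for Docker Hub and
// the one kubelet matches when a ref has no registry host at all.
const dockerHubAuthKey = "https://index.docker.io/v1/"

// registryAuthKey derives the auths key for an image ref or an oci:// chart
// repo. Docker reference rule: the first path component is a registry host
// only if it contains '.' or ':' or is "localhost"; otherwise the ref is a
// Docker Hub short name (assumed convention, not copied from the project).
func registryAuthKey(ref string) string {
	ref = strings.TrimPrefix(ref, "oci://")
	first, _, hasPath := strings.Cut(ref, "/")
	if !hasPath || !(strings.ContainsAny(first, ".:") || first == "localhost") {
		return dockerHubAuthKey
	}
	return first
}

// RegistryCreds is the username/password pair read from the environment.
type RegistryCreds struct {
	User     string
	Password string
}

// ErrPartialCreds is returned when exactly one of the two variables is set.
var ErrPartialCreds = errors.New("OMS_REGISTRY_USER and OMS_REGISTRY_PASSWORD must both be set or both be empty")

// CredsFromEnv applies the all-or-nothing rule: both set yields creds, neither
// yields nil (pull secret is skipped), exactly one is a hard error.
func CredsFromEnv(user, password string) (*RegistryCreds, error) {
	switch {
	case user == "" && password == "":
		return nil, nil
	case user == "" || password == "":
		return nil, ErrPartialCreds
	}
	return &RegistryCreds{User: user, Password: password}, nil
}

type dockerAuth struct {
	Username string `json:"username"`
	Password string `json:"password"`
	Auth     string `json:"auth"` // base64("user:password"), the field kubelet reads
}

type dockerConfig struct {
	Auths map[string]dockerAuth `json:"auths"`
}

// BuildDockerConfigJSON returns the .dockerconfigjson payload with one auths
// entry per distinct registry derived from refs, plus the sorted key list.
// encoding/json emits map keys in sorted order, so identical inputs produce
// identical bytes and an Update on re-run carries no spurious change.
func BuildDockerConfigJSON(creds RegistryCreds, refs []string) ([]byte, []string, error) {
	if len(refs) == 0 {
		return nil, nil, errors.New("no image refs to derive registry hosts from")
	}
	cfg := dockerConfig{Auths: map[string]dockerAuth{}}
	for _, ref := range refs {
		key := registryAuthKey(ref)
		if _, seen := cfg.Auths[key]; seen {
			continue // several images on one host share a single entry
		}
		cfg.Auths[key] = dockerAuth{
			Username: creds.User,
			Password: creds.Password,
			Auth:     base64.StdEncoding.EncodeToString([]byte(creds.User + ":" + creds.Password)),
		}
	}
	keys := make([]string, 0, len(cfg.Auths))
	for k := range cfg.Auths {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	data, err := json.Marshal(cfg)
	if err != nil {
		return nil, nil, fmt.Errorf("encoding docker config: %w", err)
	}
	return data, keys, nil
}

func main() {
	// Constructed sample refs (not the project's defaults): two images on one
	// host, one on a different port, an oci:// chart repo, and a Hub short name.
	refs := []string{
		"registry.example.internal/openbao/openbao:2.3.1",
		"registry.example.internal/bank-vaults/bank-vaults:1.31.0",
		"registry.example.internal:5000/bank-vaults/vault-operator:1.24.0",
		"oci://registry.example.internal/charts/vault-operator",
		"vault-operator:1.24.0",
	}
	creds, err := CredsFromEnv("ci-puller", "s3cret") // constructed values
	if err != nil {
		panic(err)
	}
	data, hosts, err := BuildDockerConfigJSON(*creds, refs)
	if err != nil {
		panic(err)
	}
	fmt.Println("auths entries:", hosts)
	fmt.Println(string(data))
}
```

Note the caveat this makes visible: one user/password pair is copied into every auths entry, so a setup whose chart mirror and image mirror need different credentials is outside what a single OMS_REGISTRY_USER/OMS_REGISTRY_PASSWORD pair can express. Note also that `registry.example.internal` and `registry.example.internal:5000` are distinct hosts to kubelet and get separate entries.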

Copilot AI left a comment

Pull request overview

This PR makes the oms install openbao installer configurable for mirrored/private OCI registries by adding image/chart override options, wiring an optional registry pull secret into both the OpenBao ServiceAccount and the operator chart, and authenticating Helm against the operator chart registry before pulling.

Changes:

  • Added installer support for OMS_REGISTRY_USER/OMS_REGISTRY_PASSWORD to create/update a dockerconfigjson pull secret and wire it into the OpenBao ServiceAccount and operator Helm values.
  • Added CLI flags to override OpenBao/bank-vaults/operator images and the operator chart repo, with default backfill in config validation.
  • Updated the default vault-operator chart repo/image to the Codesphere mirror and bumped the chart/operator version to 1.24.0, plus updated docs/tests.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

Summary per file:

  • internal/installer/openbao.go: Adds registry credential handling, pull-secret creation, Helm OCI login for chart pulls, configurable image/chart refs, and operator chart value overrides.
  • internal/installer/openbao_test.go: Adds/updates tests for mirrored overrides, pull-secret behavior, host de-duplication, and config default backfill.
  • internal/installer/manifests/openbao/vault-cr.yaml: Wires imagePullSecrets into the openbao ServiceAccount template conditionally.
  • docs/oms_install_openbao.md: Documents new flags and registry credential env vars, with mirrored-registry example.
  • cli/cmd/install_openbao.go: Adds new CLI flags and passes env-based registry credentials + override fields into installer config.
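The conditional ServiceAccount wiring listed for vault-cr.yaml, as an added Go example that is not the project's template: rendering with and without a pull secret name, which is the "set and unset" pair the PR's template tests describe. The YAML shape, the value field names and the `openbao` namespace are assumed for illustration; the project's CR template may differ.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// saTemplate stands in for the ServiceAccount part of the Vault CR template;
// the field names are assumed, not copied from vault-cr.yaml. The "{{-" trims
// keep the unset case from leaving a blank line or an empty list behind.
const saTemplate = `apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ .Name }}
  namespace: {{ .Namespace }}
{{- if .ImagePullSecret }}
imagePullSecrets:
  - name: {{ .ImagePullSecret }}
{{- end }}
`

// SAValues are the values the template consumes; an empty ImagePullSecret
// means "no private registry" and must render no imagePullSecrets key at all.
type SAValues struct {
	Name            string
	Namespace       string
	ImagePullSecret string
}

// RenderServiceAccount renders the manifest. With a struct as data, a
// misspelled field reference already fails at Execute; missingkey=error
// extends that strictness to map-backed values, so a typo surfaces as an
// error instead of rendering as an empty string.
func RenderServiceAccount(v SAValues) (string, error) {
	tmpl, err := template.New("sa").Option("missingkey=error").Parse(saTemplate)
	if err != nil {
		return "", fmt.Errorf("parsing template: %w", err)
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, v); err != nil {
		return "", fmt.Errorf("rendering template: %w", err)
	}
	return buf.String(), nil
}

// HasPullSecret reports whether a rendered manifest references the named
// secret under imagePullSecrets, the assertion the "set" case needs.
func HasPullSecret(manifest, name string) bool {
	return strings.Contains(manifest, "imagePullSecrets:\n  - name: "+name+"\n")
}

func main() {
	for _, v := range []SAValues{
		{Name: "openbao", Namespace: "openbao", ImagePullSecret: "openbao-registry"},
		{Name: "openbao", Namespace: "openbao"},
	} {
		out, err := RenderServiceAccount(v)
		if err != nil {
			panic(err)
		}
		fmt.Println(out)
	}
}
```

The unset case is the one worth asserting on explicitly: an `imagePullSecrets: []` or a dangling `- name:` entry is accepted by the API server and only shows up later as an ImagePullBackOff on the OpenBao pod.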


Comment thread on internal/installer/openbao.go (outdated), lines +788 to +793:
// Update existing secret — preserve metadata, refresh type and data.
existing.Type = corev1.SecretTypeDockerConfigJson
existing.Data = map[string][]byte{corev1.DockerConfigJsonKey: dockerConfig}
if _, err := secretsClient.Update(o.ctx, existing, metav1.UpdateOptions{}); err != nil {
return fmt.Errorf("updating image pull secret: %w", err)
}
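Review bot: the assignment `existing.Type = corev1.SecretTypeDockerConfigJson` cannot change an existing Secret, because a Secret's `type` is immutable and the API server rejects an Update that alters it with a "field is immutable" validation error. If an `openbao-registry` Secret of another type already exists in the namespace (for example an Opaque one created by hand), this branch fails on every re-run with only "updating image pull secret: ..." to go on. Compare `existing.Type` against `corev1.SecretTypeDockerConfigJson` before calling Update and return an error that names the type mismatch (or delete and recreate, if replacing a foreign secret is acceptable for this installer), rather than relying on the assignment. Replacing `existing.Data` wholesale is the right call here, since an auths entry for a host that is no longer referenced should not survive a re-run.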
