fix: patch session with fresh image secret (#851)

andre-code · web-flow · commit f221168f90dd · 2025-05-20T09:49:54.000+02:00
* Ensure the secret is created in the cluster
diff --git a/components/renku_data_services/notebooks/core_sessions.py b/components/renku_data_services/notebooks/core_sessions.py
@@ -546,10 +546,12 @@ async def patch_session(
     if extra_containers:
         patch.spec.extraContainers = extra_containers
 
+    # Patching the image pull secret
     if isinstance(user, AuthenticatedAPIUser) and internal_gitlab_user.access_token is not None:
         image = session.spec.session.image
         server_name = session.metadata.name
         needs_pull_secret = await requires_image_pull_secret(nb_config, image, internal_gitlab_user)
+        logger.info(f"Session with ID {session_id} needs pull secret for image {image}: {needs_pull_secret}")
 
         if needs_pull_secret:
             image_pull_secret_name = f"{server_name}-image-secret"
@@ -558,14 +560,22 @@ async def patch_session(
             image_secret = get_gitlab_image_pull_secret(
                 nb_config, user, image_pull_secret_name, internal_gitlab_user.access_token
             )
-            if image_secret:
-                updated_secrets = [
-                    secret
-                    for secret in (session.spec.imagePullSecrets or [])
-                    if not secret.name.endswith("-image-secret")
-                ]
-                updated_secrets.append(ImagePullSecret(name=image_pull_secret_name, adopt=True))
-                patch.spec.imagePullSecrets = updated_secrets
+
+            if not image_secret:
+                logger.error(f"Failed to create image pull secret for session ID {session_id} with image {image}")
+                raise errors.ProgrammingError(
+                    message=f"We cannot retrive credentials for your private image {image}. "
+                    "In order to resolve this problem, you can try to log out and back in "
+                    "and/or check that you still have permissions for the image repository."
+                )
+            # Ensure the secret is created in the cluster
+            await nb_config.k8s_v2_client.create_secret(image_secret.secret)
+
+            updated_secrets = [
+                secret for secret in (session.spec.imagePullSecrets or []) if not secret.name.endswith("-image-secret")
+            ]
+            updated_secrets.append(ImagePullSecret(name=image_pull_secret_name, adopt=True))
+            patch.spec.imagePullSecrets = updated_secrets
 
     patch_serialized = patch.to_rfc7386()
     if len(patch_serialized) == 0:
