From 2c2068fbeb3607c866cb80653f6221d9dd1dfd89 Mon Sep 17 00:00:00 2001
From: Moritz Clasmeier
Date: Tue, 12 May 2026 11:42:18 +0200
Subject: [PATCH] Add pull secrets for operator

---
 internal/deployer/deploy_via_operator.go | 16 +++++++++-----
 internal/deployer/deployer.go | 1 +
 internal/deployer/operator.go | 28 ++++++++----------------
 internal/deployer/operator_olm.go | 2 +-
 internal/dockerauth/dockerauth.go | 2 +-
 internal/dockerauth/dockerauth_test.go | 2 +-
 6 files changed, 23 insertions(+), 28 deletions(-)

diff --git a/internal/deployer/deploy_via_operator.go b/internal/deployer/deploy_via_operator.go
index 6365a870..99d4755a 100644
--- a/internal/deployer/deploy_via_operator.go
+++ b/internal/deployer/deploy_via_operator.go
@@ -117,7 +117,8 @@ func (d *Deployer) ensureOperatorDeployed(ctx context.Context) error {
 func (d *Deployer) deployCentralOperator(ctx context.Context, resources, exposure string) error {
 	d.logger.Info("🚀 Deploying Central via Operator...")
-	if err := d.prepareNamespace(ctx, d.centralNamespace); err != nil {
+	needPullSecrets := env.GetCurrentClusterType() != env.InfraOpenShift4
+	if err := d.prepareNamespace(ctx, d.centralNamespace, needPullSecrets); err != nil {
 		return fmt.Errorf("failed to prepare namespace: %w", err)
 	}
@@ -185,14 +186,14 @@ func (d *Deployer) getDeployedOperatorImage(ctx context.Context) (string, error)
 }
 
 // prepareNamespace creates pull secrets in the namespace if needed
-func (d *Deployer) prepareNamespace(ctx context.Context, namespace string) error {
+func (d *Deployer) prepareNamespace(ctx context.Context, namespace string, needPullSecrets bool) error {
 	d.logger.Infof("Preparing namespace %s", namespace)
 	if err := d.ensureNamespaceExists(namespace); err != nil {
 		return err
 	}
-	if env.GetCurrentClusterType() != env.InfraOpenShift4 {
+	if needPullSecrets {
 		if err := d.ensurePullSecretExists(ctx, namespace); err != nil {
 			return fmt.Errorf("ensuring image pull secret exists: %w", err)
 		}
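Review bot: The expression `env.GetCurrentClusterType() != env.InfraOpenShift4` that now feeds `needPullSecrets` is written out again in deploySecuredClusterOperator (the @@ -647 hunk) and, with an extra `d.useKonflux &&` conjunct, in deployOperatorFromCSV in operator.go, so the policy "OpenShift 4 needs no pull secret, everything else does" (presumably because those clusters carry their own registry credentials) now lives in three places that can drift. A small method such as `func (d *Deployer) clusterNeedsPullSecrets() bool { return env.GetCurrentClusterType() != env.InfraOpenShift4 }` called from all three sites would pin it down once. deployCentralOperator's body continues outside the hunk.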
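Review bot: The doc comment `// prepareNamespace creates pull secrets in the namespace if needed` no longer matches the function: whether a secret is needed is now the caller's decision through `needPullSecrets`, and the function itself only creates the namespace and, on request, the secret. Suggest `// prepareNamespace ensures namespace exists and, when needPullSecrets is true, creates the image pull secret in it; the caller decides based on cluster type.` prepareNamespace's body continues outside the hunk.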
@@ -202,9 +203,11 @@ func (d *Deployer) prepareNamespace(ctx context.Context, namespace string) error
 }
 
 func (d *Deployer) ensurePullSecretExists(ctx context.Context, namespace string) error {
-	// Assemble pull secret YAML from pre-verified credentials
-	pullSecretYAML := d.dockerAuth.CreatePullSecretYAMLFromCredentials(d.dockerCreds, namespace)
+	if d.dockerCreds == nil {
+		return errors.New("no pull secrets available to set up on the cluster")
+	}
+	pullSecretYAML := d.dockerAuth.CreatePullSecretYAMLFromCredentials(*d.dockerCreds, namespace)
 	_, err := d.runKubectl(ctx, k8s.KubectlOptions{
 		Args: []string{"apply", "-f", "-"},
 		Stdin: strings.NewReader(pullSecretYAML),
@@ -647,7 +650,8 @@ func (d *Deployer) configureCentralEndpoint(ctx context.Context, exposure string
 func (d *Deployer) deploySecuredClusterOperator(ctx context.Context, resources string) error {
 	d.logger.Info("🚀 Deploying SecuredCluster via Operator...")
-	if err := d.prepareNamespace(ctx, d.sensorNamespace); err != nil {
+	needPullSecrets := env.GetCurrentClusterType() != env.InfraOpenShift4
+	if err := d.prepareNamespace(ctx, d.sensorNamespace, needPullSecrets); err != nil {
 		return fmt.Errorf("failed to prepare namespace: %w", err)
 	}
diff --git a/internal/deployer/deployer.go b/internal/deployer/deployer.go
index a30372a0..722709c7 100644
--- a/internal/deployer/deployer.go
+++ b/internal/deployer/deployer.go
@@ -77,6 +77,7 @@ type Deployer struct {
 	dockerCreds *dockerauth.Credentials
 	clusterResourceKinds map[string]struct{}
 	tempDir string
+	useOperatorPullSecrets bool
 }
 
 type ResourceToDelete struct {
diff --git a/internal/deployer/operator.go b/internal/deployer/operator.go
index 10fa5f8b..e14a7e5e 100644
--- a/internal/deployer/operator.go
+++ b/internal/deployer/operator.go
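Review bot: The new nil check returns a message that names the symptom rather than the cause: `d.dockerCreds == nil` means no registry credentials were loaded, so `return errors.New("no registry credentials loaded; cannot create image pull secret")` would point whoever hits it at the right fix. Worth confirming at the same time, because `pullSecretYAML` carries the base64-encoded username:password and is handed to `runKubectl` through stdin, that runKubectl (outside this diff) does not echo stdin into its error or debug output, otherwise a failed apply writes the credentials to the log. The hunk also introduces `errors.New` with no import hunk for this file, so `errors` is presumably already imported here — a quick check before merge. ensurePullSecretExists's body continues outside the hunk.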
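Review bot: The new field `useOperatorPullSecrets` has no comment and its contract is non-local: it is assigned in deployOperatorFromCSV (operator.go) and read later by createServiceAccount, so a reader of the struct cannot tell when it holds a meaningful value. Suggest `// useOperatorPullSecrets is set by deployOperatorFromCSV and makes createServiceAccount attach the image pull secret; it stays false (the zero value) on every other path.` above the field, or pass the flag to createServiceAccount as an argument so the dependency is visible in the signatures instead of the struct.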
@@ -319,12 +319,14 @@ func (d *Deployer) deployOperatorFromCSV(ctx context.Context, bundleDir string)
 	}
 	serviceAccountName := deploymentSpec["service_account"].(string)
+	d.useOperatorPullSecrets = d.useKonflux && env.GetCurrentClusterType() != env.InfraOpenShift4
 
 	d.logger.Info("📋 Operator deployment plan:")
 	d.logger.Dim(fmt.Sprintf(" • Namespace: %s", operatorNamespace))
 	d.logger.Dim(fmt.Sprintf(" • ServiceAccount: %s", serviceAccountName))
+	d.logger.Dim(fmt.Sprintf(" • Setting up pull secrets: %v", d.useOperatorPullSecrets))
 
-	if err := d.createOperatorNamespace(ctx); err != nil {
+	if err := d.prepareNamespace(ctx, operatorNamespace, d.useOperatorPullSecrets); err != nil {
 		return err
 	}
@@ -392,24 +394,6 @@ func (d *Deployer) parseCSVDeploymentSpec(csvFile string) (map[string]interface{
 	return deploymentSpec, nil
 }
 
-// createOperatorNamespace creates the operator namespace
-func (d *Deployer) createOperatorNamespace(ctx context.Context) error {
-	nsYAML := fmt.Sprintf(`apiVersion: v1
-kind: Namespace
-metadata:
-  name: %s
-  labels:
-    name: %s
-    app.kubernetes.io/managed-by: roxie
-`, operatorNamespace, operatorNamespace)
-
-	_, err := d.runKubectl(ctx, k8s.KubectlOptions{
-		Args: []string{"apply", "-f", "-"},
-		Stdin: strings.NewReader(nsYAML),
-	})
-	return err
-}
-
 // createServiceAccount creates a service account
 func (d *Deployer) createServiceAccount(ctx context.Context, namespace, name string) error {
 	sa := map[string]interface{}{
@@ -422,6 +406,12 @@ func (d *Deployer) createServiceAccount(ctx context.Context, namespace, name str
 		},
 	}
 
+	if d.useOperatorPullSecrets {
+		sa["imagePullSecrets"] = []map[string]string{
+			{"name": "stackrox"},
+		}
+	}
+
 	yamlData, err := yaml.Marshal(sa)
 	if err != nil {
 		return fmt.Errorf("failed to marshal ServiceAccount '%s/%s': %w", namespace, name, err)
diff --git a/internal/deployer/operator_olm.go b/internal/deployer/operator_olm.go
index aaac14b1..df2686ed 100644
--- a/internal/deployer/operator_olm.go
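Review bot: Switching this call to `prepareNamespace(ctx, operatorNamespace, d.useOperatorPullSecrets)` changes more than pull-secret handling: the createOperatorNamespace helper removed in the @@ -392 hunk labelled the namespace with `name` and `app.kubernetes.io/managed-by: roxie`, and ensureNamespaceExists (not in this diff) is now the only thing that could apply them. If any cleanup or ownership logic selects namespaces by that label, the operator namespace silently drops out of it — please confirm ensureNamespaceExists sets the same labels, or state in the commit message that dropping them is intended. Separately, `d.useOperatorPullSecrets` is stored on the struct here only so that createServiceAccount can read it later; passing the flag as an argument would make that coupling visible. deployOperatorFromCSV's body starts and ends outside the hunk.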
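Review bot: The secret name `"stackrox"` is hard-coded here, while the secret it refers to is created from the YAML that CreatePullSecretYAMLFromCredentials builds in internal/dockerauth, so the two names can drift independently; if they do, the ServiceAccount references a secret that does not exist and the only symptom is an image pull failure on the operator pod. Define the name once, e.g. as an exported constant next to the YAML builder, and use it at both sites. The `imagePullSecrets` entry is attached only when `d.useOperatorPullSecrets` is true, and the only assignment visible in this diff is in deployOperatorFromCSV, so if the OLM path ever reaches createServiceAccount it appears to get no pull secret by virtue of the zero value — a one-line comment above the `if` naming where the flag is set would make that explicit. createServiceAccount's body starts and ends outside the hunk.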
+++ b/internal/deployer/operator_olm.go
@@ -40,7 +40,7 @@ func (d *Deployer) deployOperatorViaOLM(ctx context.Context) error {
 	indexImage := d.getOperatorIndexImage()
 	d.logger.Infof("Index image: %s", indexImage)
-	if err := d.createOperatorNamespace(ctx); err != nil {
+	if err := d.prepareNamespace(ctx, operatorNamespace, false); err != nil {
 		return err
 	}
diff --git a/internal/dockerauth/dockerauth.go b/internal/dockerauth/dockerauth.go
index 76782452..f6f0284d 100644
--- a/internal/dockerauth/dockerauth.go
+++ b/internal/dockerauth/dockerauth.go
@@ -216,7 +216,7 @@ func (d *DockerAuth) VerifyCredentials(username, password string) error {
 }
 
 // CreatePullSecretYAMLFromCredentials creates Kubernetes pull secret YAML from verified credentials.
-func (d *DockerAuth) CreatePullSecretYAMLFromCredentials(creds *Credentials, namespace string) string {
+func (d *DockerAuth) CreatePullSecretYAMLFromCredentials(creds Credentials, namespace string) string {
 	// Create auth string
 	authString := fmt.Sprintf("%s:%s", creds.Username, creds.Password)
 	encodedAuth := base64.StdEncoding.EncodeToString([]byte(authString))
diff --git a/internal/dockerauth/dockerauth_test.go b/internal/dockerauth/dockerauth_test.go
index 492400bb..597acc23 100644
--- a/internal/dockerauth/dockerauth_test.go
+++ b/internal/dockerauth/dockerauth_test.go
@@ -31,7 +31,7 @@ func TestGetAndVerifyCredentialsFromEnv(t *testing.T) {
 	}
 
 	// Test creating YAML from credentials
-	yamlText := da.CreatePullSecretYAMLFromCredentials(creds, "ns")
+	yamlText := da.CreatePullSecretYAMLFromCredentials(*creds, "ns")
 
 	// Verify YAML structure
 	if !strings.Contains(yamlText, "apiVersion: v1") {
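Review bot: The bare `false` passed to prepareNamespace is unexplained, while the CSV path in operator.go decides the same question from `d.useKonflux` and the cluster type, so a reader cannot tell whether the OLM path never needs a pull secret or simply was not considered. A one-line comment recording the reason, e.g. `// OLM path: no image pull secret is created in the operator namespace (the Konflux case is handled in deployOperatorFromCSV)`, would settle that, and if the assumption is only known to hold on OpenShift it should say so. deployOperatorViaOLM's body continues outside the hunk.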
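Review bot: With `creds` now taken by value, an empty `Credentials{}` is accepted exactly like a valid one and, judging from the visible `authString := fmt.Sprintf("%s:%s", creds.Username, creds.Password)`, yields a secret whose auth entry encodes just `:`; the doc comment promises "verified credentials" but nothing in the hunk checks that, and the bare `string` return leaves no way to report it. At minimum the precondition should be documented: `// CreatePullSecretYAMLFromCredentials creates Kubernetes pull secret YAML from verified credentials. creds must carry a non-empty Username and Password (presumably established via VerifyCredentials); no validation happens here.` If the rest of the function (outside the hunk) also does no check, consider having the caller reject empty fields before building the secret.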