handle secret by using the secret manager

mabulgu · mabulgu · commit 1e7f1e822e0f · 2025-11-11T18:12:13.000+03:00
Signed-off-by: mabulgu &lt;mabulgu@gmail.com&gt;
diff --git a/internal/controller/metal3.io/baremetalhost_controller.go b/internal/controller/metal3.io/baremetalhost_controller.go
@@ -2250,7 +2250,7 @@ func (r *BareMetalHostReconciler) getBMCSecretAndSetOwner(ctx context.Context, r
 // getImageAuthSecret validates and extracts the OCI registry credentials for the image.
 // It returns the base64-encoded credentials in the format expected by Ironic, or an empty
 // string if no auth secret is configured.
-func (r *BareMetalHostReconciler) getImageAuthSecret(ctx context.Context, _ ctrl.Request, host *metal3api.BareMetalHost, image *metal3api.Image) (string, error) {
+func (r *BareMetalHostReconciler) getImageAuthSecret(ctx context.Context, request ctrl.Request, host *metal3api.BareMetalHost, image *metal3api.Image) (string, error) {
 	// Only process OCI images
 	if image == nil || !strings.HasPrefix(image.URL, "oci://") {
 		return "", nil
@@ -2261,9 +2261,13 @@ func (r *BareMetalHostReconciler) getImageAuthSecret(ctx context.Context, _ ctrl
 		return "", nil
 	}
 
+	// Use SecretManager following the BMC credentials pattern
+	reqLogger := r.Log.WithValues("baremetalhost", request.NamespacedName)
+	secretManager := r.secretManager(ctx, reqLogger)
+
 	// Validate and extract credentials
-	validator := secretutils.NewValidator(r.Client, r.Recorder)
-	result, err := validator.Validate(ctx, host)
+	validator := secretutils.NewValidator(r.Recorder)
+	result, err := validator.Validate(ctx, host, secretManager)
 	if err != nil {
 		return "", fmt.Errorf("failed to validate auth secret: %w", err)
 	}
diff --git a/pkg/secretutils/validator.go b/pkg/secretutils/validator.go
@@ -9,7 +9,6 @@ import (
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/tools/record"
-	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
 const (
@@ -28,19 +27,18 @@ type Result struct {
 }
 
 type Validator interface {
-	Validate(ctx context.Context, bmh *metal3api.BareMetalHost) (*Result, error)
+	Validate(ctx context.Context, bmh *metal3api.BareMetalHost, secretMgr SecretManager) (*Result, error)
 }
 
 type validator struct {
-	c        client.Client
 	recorder record.EventRecorder
 }
 
-func NewValidator(c client.Client, recorder record.EventRecorder) Validator {
-	return &validator{c: c, recorder: recorder}
+func NewValidator(recorder record.EventRecorder) Validator {
+	return &validator{recorder: recorder}
 }
 
-func (v *validator) Validate(ctx context.Context, bmh *metal3api.BareMetalHost) (*Result, error) {
+func (v *validator) Validate(_ context.Context, bmh *metal3api.BareMetalHost, secretMgr SecretManager) (*Result, error) {
 	res := &Result{Valid: false}
 
 	img := bmh.Spec.Image
@@ -62,9 +60,10 @@ func (v *validator) Validate(ctx context.Context, bmh *metal3api.BareMetalHost)
 			"authSecretName=%q is set but image URL is not oci:// (%s)", secretName, img.URL)
 	}
 
-	var sec corev1.Secret
+	// Use SecretManager to obtain and label the secret (following BMC credentials pattern)
 	key := types.NamespacedName{Namespace: bmh.Namespace, Name: secretName}
-	if err := v.c.Get(ctx, key, &sec); err != nil {
+	sec, err := secretMgr.ObtainSecret(key)
+	if err != nil {
 		if k8serrors.IsNotFound(err) {
 			return res, nil
 		}
@@ -81,7 +80,7 @@ func (v *validator) Validate(ctx context.Context, bmh *metal3api.BareMetalHost)
 
 	// For OCI images, extract the credentials from the Docker config
 	if ociRelevant {
-		credentials, err := ExtractRegistryCredentials(&sec, img.URL)
+		credentials, err := ExtractRegistryCredentials(sec, img.URL)
 		if err != nil {
 			if v.recorder != nil {
 				v.recorder.Eventf(bmh, corev1.EventTypeWarning, "ImageAuthParseError",
@@ -92,7 +91,7 @@ func (v *validator) Validate(ctx context.Context, bmh *metal3api.BareMetalHost)
 		res.Credentials = credentials
 	}
 
-	res.Secret = &sec
+	res.Secret = sec
 	res.Valid = true
 	return res, nil
 }
diff --git a/pkg/secretutils/validator_test.go b/pkg/secretutils/validator_test.go
@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"testing"
 
+	"github.com/go-logr/logr"
 	metal3api "github.com/metal3-io/baremetal-operator/apis/metal3.io/v1alpha1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -21,7 +22,8 @@ func TestValidate_NoAuthSecret(t *testing.T) {
 
 	c := fake.NewClientBuilder().WithScheme(scheme).Build()
 	recorder := record.NewFakeRecorder(10)
-	validator := NewValidator(c, recorder)
+	secretManager := NewSecretManager(t.Context(), testLogger(t), c, c)
+	validator := NewValidator(recorder)
 
 	bmh := &metal3api.BareMetalHost{
 		ObjectMeta: metav1.ObjectMeta{
@@ -36,7 +38,7 @@ func TestValidate_NoAuthSecret(t *testing.T) {
 		},
 	}
 
-	result, err := validator.Validate(t.Context(), bmh)
+	result, err := validator.Validate(t.Context(), bmh, secretManager)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -56,7 +58,8 @@ func TestValidate_SecretNotFound(t *testing.T) {
 
 	c := fake.NewClientBuilder().WithScheme(scheme).Build()
 	recorder := record.NewFakeRecorder(10)
-	validator := NewValidator(c, recorder)
+	secretManager := NewSecretManager(t.Context(), testLogger(t), c, c)
+	validator := NewValidator(recorder)
 
 	secretName := "my-secret"
 	bmh := &metal3api.BareMetalHost{
@@ -72,7 +75,7 @@ func TestValidate_SecretNotFound(t *testing.T) {
 		},
 	}
 
-	result, err := validator.Validate(t.Context(), bmh)
+	result, err := validator.Validate(t.Context(), bmh, secretManager)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -105,7 +108,8 @@ func TestValidate_WrongSecretType(t *testing.T) {
 
 	c := fake.NewClientBuilder().WithScheme(scheme).WithObjects(secret).Build()
 	recorder := record.NewFakeRecorder(10)
-	validator := NewValidator(c, recorder)
+	secretManager := NewSecretManager(t.Context(), testLogger(t), c, c)
+	validator := NewValidator(recorder)
 
 	bmh := &metal3api.BareMetalHost{
 		ObjectMeta: metav1.ObjectMeta{
@@ -120,7 +124,7 @@ func TestValidate_WrongSecretType(t *testing.T) {
 		},
 	}
 
-	result, err := validator.Validate(t.Context(), bmh)
+	result, err := validator.Validate(t.Context(), bmh, secretManager)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -177,7 +181,8 @@ func TestValidate_ValidDockerConfigJSON(t *testing.T) {
 
 	c := fake.NewClientBuilder().WithScheme(scheme).WithObjects(secret).Build()
 	recorder := record.NewFakeRecorder(10)
-	validator := NewValidator(c, recorder)
+	secretManager := NewSecretManager(t.Context(), testLogger(t), c, c)
+	validator := NewValidator(recorder)
 
 	bmh := &metal3api.BareMetalHost{
 		ObjectMeta: metav1.ObjectMeta{
@@ -192,7 +197,7 @@ func TestValidate_ValidDockerConfigJSON(t *testing.T) {
 		},
 	}
 
-	result, err := validator.Validate(t.Context(), bmh)
+	result, err := validator.Validate(t.Context(), bmh, secretManager)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -257,7 +262,8 @@ func TestValidate_RegistryNotInSecret(t *testing.T) {
 
 	c := fake.NewClientBuilder().WithScheme(scheme).WithObjects(secret).Build()
 	recorder := record.NewFakeRecorder(10)
-	validator := NewValidator(c, recorder)
+	secretManager := NewSecretManager(t.Context(), testLogger(t), c, c)
+	validator := NewValidator(recorder)
 
 	bmh := &metal3api.BareMetalHost{
 		ObjectMeta: metav1.ObjectMeta{
@@ -272,7 +278,7 @@ func TestValidate_RegistryNotInSecret(t *testing.T) {
 		},
 	}
 
-	result, err := validator.Validate(t.Context(), bmh)
+	result, err := validator.Validate(t.Context(), bmh, secretManager)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -337,7 +343,8 @@ func TestValidate_NonOCIImageWithSecret(t *testing.T) {
 
 	c := fake.NewClientBuilder().WithScheme(scheme).WithObjects(secret).Build()
 	recorder := record.NewFakeRecorder(10)
-	validator := NewValidator(c, recorder)
+	secretManager := NewSecretManager(t.Context(), testLogger(t), c, c)
+	validator := NewValidator(recorder)
 
 	bmh := &metal3api.BareMetalHost{
 		ObjectMeta: metav1.ObjectMeta{
@@ -352,7 +359,7 @@ func TestValidate_NonOCIImageWithSecret(t *testing.T) {
 		},
 	}
 
-	result, err := validator.Validate(t.Context(), bmh)
+	result, err := validator.Validate(t.Context(), bmh, secretManager)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -382,7 +389,8 @@ func TestValidate_NilImage(t *testing.T) {
 
 	c := fake.NewClientBuilder().WithScheme(scheme).Build()
 	recorder := record.NewFakeRecorder(10)
-	validator := NewValidator(c, recorder)
+	secretManager := NewSecretManager(t.Context(), testLogger(t), c, c)
+	validator := NewValidator(recorder)
 
 	bmh := &metal3api.BareMetalHost{
 		ObjectMeta: metav1.ObjectMeta{
@@ -394,7 +402,7 @@ func TestValidate_NilImage(t *testing.T) {
 		},
 	}
 
-	result, err := validator.Validate(t.Context(), bmh)
+	result, err := validator.Validate(t.Context(), bmh, secretManager)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -512,9 +520,10 @@ func TestIntegration_ValidateAndExtractCredentials(t *testing.T) {
 	)
 
 	recorder := record.NewFakeRecorder(10)
-	validator := NewValidator(c, recorder)
+	secretManager := NewSecretManager(t.Context(), testLogger(t), c, c)
+	validator := NewValidator(recorder)
 
-	result, err := validator.Validate(t.Context(), bmh)
+	result, err := validator.Validate(t.Context(), bmh, secretManager)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -537,3 +546,9 @@ func TestIntegration_ValidateAndExtractCredentials(t *testing.T) {
 		t.Errorf("expected decoded credentials to be 'myuser:mypassword', got '%s'", string(decoded))
 	}
 }
+
+// Helper function to create a test logger.
+func testLogger(t *testing.T) logr.Logger {
+	t.Helper()
+	return logr.Discard()
+}
