From c392c7978737ab6011de1f1305add25c3e7f0b35 Mon Sep 17 00:00:00 2001
From: Tanvir Tatla
Date: Fri, 9 Feb 2024 00:15:03 +0000
Subject: [PATCH] create registry credentials secret (#7530)
---
 pkg/clustermanager/cluster_manager.go | 21 ++++++++++++++
 pkg/clustermanager/cluster_manager_test.go | 24 ++++++++++++++++
 pkg/workflows/interfaces/interfaces.go | 1 +
 pkg/workflows/interfaces/mocks/clients.go | 14 ++++++++++
 pkg/workflows/management/create_bootstrap.go | 2 +-
 pkg/workflows/management/create_test.go | 22 +++++++++++++++
 pkg/workflows/management/secrets.go | 29 ++++++++++++++++++++
 7 files changed, 112 insertions(+), 1 deletion(-)
diff --git a/pkg/clustermanager/cluster_manager.go b/pkg/clustermanager/cluster_manager.go
index 8b9cbddbd794..bc2b43db1c00 100644
--- a/pkg/clustermanager/cluster_manager.go
+++ b/pkg/clustermanager/cluster_manager.go
@@ -8,6 +8,7 @@ import (
 "fmt"
 "io"
 "math"
+ "os"
 "reflect"
 "regexp"
 "strings"
@@ -738,6 +739,26 @@ func compareEKSAClusterSpec(ctx context.Context, currentClusterSpec, newClusterS
 return false, nil
 }
 
+// CreateRegistryCredSecret creates the registry-credentials secret on a managment cluster.
+func (c *ClusterManager) CreateRegistryCredSecret(ctx context.Context, mgmt *types.Cluster) error {
+ secret := &corev1.Secret{
+ TypeMeta: metav1.TypeMeta{
+ Kind: "Secret",
+ APIVersion: corev1.SchemeGroupVersion.Version,
+ },
+ ObjectMeta: metav1.ObjectMeta{
+ Namespace: constants.EksaSystemNamespace,
+ Name: "registry-credentials",
+ },
+ StringData: map[string]string{
+ "username": os.Getenv("REGISTRY_USERNAME"),
+ "password": os.Getenv("REGISTRY_PASSWORD"),
+ },
+ }
+
+ return c.clusterClient.Apply(ctx, mgmt.KubeconfigFile, secret)
+}
+
 // InstallCAPI installs the cluster-api components in a cluster.
 func (c *ClusterManager) InstallCAPI(ctx context.Context, managementComponents *cluster.ManagementComponents, clusterSpec *cluster.Spec, cluster *types.Cluster, provider providers.Provider) error {
 err := c.clusterClient.InitInfrastructure(ctx, managementComponents, clusterSpec, cluster, provider)
diff --git a/pkg/clustermanager/cluster_manager_test.go b/pkg/clustermanager/cluster_manager_test.go
index 839754323055..adcaa18cea6a 100644
--- a/pkg/clustermanager/cluster_manager_test.go
+++ b/pkg/clustermanager/cluster_manager_test.go
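Review bot: `CreateRegistryCredSecret` copies whatever `os.Getenv("REGISTRY_USERNAME")` and `os.Getenv("REGISTRY_PASSWORD")` return straight into `StringData`, so an unset or empty variable yields a `registry-credentials` secret with blank credentials and no error. Validation may happen earlier in the workflow, but nothing in this hunk enforces it; I would fail fast here and keep the values themselves out of the error text. The doc comment also misspells "management" and names a management cluster, while the only caller visible in this patch (`updateSecretsCreate.Run`) passes the bootstrap cluster. The secret name and the two variable names are bare string literals; shared constants would be preferable if the package already defines them, which cannot be confirmed from this hunk.

```go
func (c *ClusterManager) CreateRegistryCredSecret(ctx context.Context, mgmt *types.Cluster) error {
	username, password := os.Getenv("REGISTRY_USERNAME"), os.Getenv("REGISTRY_PASSWORD")
	if username == "" || password == "" {
		// Name the variables only; never echo their values.
		return fmt.Errorf("creating registry-credentials secret: REGISTRY_USERNAME and REGISTRY_PASSWORD must be set")
	}
	// … unchanged: secret := &corev1.Secret{ with TypeMeta and ObjectMeta …
		StringData: map[string]string{
			"username": username,
			"password": password,
		},
	// … unchanged: end of the literal and the Apply call …
```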
@@ -2934,6 +2934,30 @@ func TestCreateAwsIamAuthCaSecretSuccess(t *testing.T) {
 tt.Expect(err).To(BeNil())
 }
 
+func TestCreateRegistryCredSecretSuccess(t *testing.T) {
+ tt := newTest(t)
+
+ secret := &corev1.Secret{
+ TypeMeta: metav1.TypeMeta{
+ Kind: "Secret",
+ APIVersion: corev1.SchemeGroupVersion.Version,
+ },
+ ObjectMeta: metav1.ObjectMeta{
+ Namespace: constants.EksaSystemNamespace,
+ Name: "registry-credentials",
+ },
+ StringData: map[string]string{
+ "username": "",
+ "password": "",
+ },
+ }
+
+ tt.mocks.client.EXPECT().Apply(tt.ctx, tt.cluster.KubeconfigFile, secret).Return(nil)
+
+ err := tt.clusterManager.CreateRegistryCredSecret(tt.ctx, tt.cluster)
+ tt.Expect(err).To(BeNil())
+}
+
 func TestClusterManagerDeleteClusterSelfManagedCluster(t *testing.T) {
 tt := newTest(t)
 managementCluster := &types.Cluster{
diff --git a/pkg/workflows/interfaces/interfaces.go b/pkg/workflows/interfaces/interfaces.go
index efd0d4dbf544..cb3488311c02 100644
--- a/pkg/workflows/interfaces/interfaces.go
+++ b/pkg/workflows/interfaces/interfaces.go
@@ -55,6 +55,7 @@ type ClusterManager interface {
 InstallAwsIamAuth(ctx context.Context, managementCluster, workloadCluster *types.Cluster, clusterSpec *cluster.Spec) error
 CreateAwsIamAuthCaSecret(ctx context.Context, bootstrapCluster *types.Cluster, workloadClusterName string) error
 DeletePackageResources(ctx context.Context, managementCluster *types.Cluster, clusterName string) error
+ CreateRegistryCredSecret(ctx context.Context, mgmt *types.Cluster) error
 }
 
 type GitOpsManager interface {
diff --git a/pkg/workflows/interfaces/mocks/clients.go b/pkg/workflows/interfaces/mocks/clients.go
index ae148d8c3f62..b5e0617bb343 100644
--- a/pkg/workflows/interfaces/mocks/clients.go
+++ b/pkg/workflows/interfaces/mocks/clients.go
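Review bot: `TestCreateRegistryCredSecretSuccess` expects `"username": ""` and `"password": ""`, which treats a secret with blank credentials as the success case and makes the test depend on the ambient environment: it fails wherever `REGISTRY_USERNAME` or `REGISTRY_PASSWORD` happens to be exported. Pin the inputs in the test with `t.Setenv("REGISTRY_USERNAME", "user")` and `t.Setenv("REGISTRY_PASSWORD", "pass")` (constructed sample values) and expect those same values in `StringData`. A second case in which the mocked `Apply` returns an error would cover the failure path of `CreateRegistryCredSecret`, which this hunk does not exercise.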
@@ -197,6 +197,20 @@ func (mr *MockClusterManagerMockRecorder) CreateEKSAResources(arg0, arg1, arg2, return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateEKSAResources", reflect.TypeOf((*MockClusterManager)(nil).CreateEKSAResources), arg0, arg1, arg2, arg3, arg4) } +// CreateRegistryCredSecret mocks base method. +func (m *MockClusterManager) CreateRegistryCredSecret(arg0 context.Context, arg1 *types.Cluster) error { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "CreateRegistryCredSecret", arg0, arg1) + ret0, _ := ret[0].(error) + return ret0 +} + +// CreateRegistryCredSecret indicates an expected call of CreateRegistryCredSecret. +func (mr *MockClusterManagerMockRecorder) CreateRegistryCredSecret(arg0, arg1 interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateRegistryCredSecret", reflect.TypeOf((*MockClusterManager)(nil).CreateRegistryCredSecret), arg0, arg1) +} + // CreateWorkloadCluster mocks base method. func (m *MockClusterManager) CreateWorkloadCluster(arg0 context.Context, arg1 *types.Cluster, arg2 *cluster.Spec, arg3 providers.Provider) (*types.Cluster, error) { m.ctrl.T.Helper() diff --git a/pkg/workflows/management/create_bootstrap.go b/pkg/workflows/management/create_bootstrap.go index 139ad9e7746d..7df80d29c60d 100644 --- a/pkg/workflows/management/create_bootstrap.go +++ b/pkg/workflows/management/create_bootstrap.go @@ -25,7 +25,7 @@ func (s *createBootStrapClusterTask) Run(ctx context.Context, commandContext *ta } commandContext.BootstrapCluster = bootstrapCluster - return &installCAPIComponentsTask{} + return &updateSecretsCreate{} } func (s *createBootStrapClusterTask) Name() string { diff --git a/pkg/workflows/management/create_test.go b/pkg/workflows/management/create_test.go index 45d27df5047f..c301288da3d8 100644 --- a/pkg/workflows/management/create_test.go +++ b/pkg/workflows/management/create_test.go 
@@ -136,6 +136,10 @@ func (c *createTestSetup) expectCreateBootstrap() {
 )
 }
 
+func (c *createTestSetup) expectCreateRegistrySecret(err error) {
+ c.clusterManager.EXPECT().CreateRegistryCredSecret(c.ctx, c.bootstrapCluster).Return(err)
+}
+
 func (c *createTestSetup) expectCAPIInstall(err1, err2, err3 error) {
 gomock.InOrder(
 c.provider.EXPECT().PreCAPIInstallOnBootstrap(
@@ -316,6 +320,24 @@ func TestCreateBootstrapFailure(t *testing.T) {
 }
 }
 
+func TestCreateRegistrySecretFailure(t *testing.T) {
+ c := newCreateTest(t)
+ c.clusterSpec.Cluster.Spec.RegistryMirrorConfiguration = &v1alpha1.RegistryMirrorConfiguration{Authenticate: true}
+ c.expectSetup()
+ c.expectCreateBootstrap()
+ c.expectPreflightValidationsToPass()
+
+ c.expectCreateRegistrySecret(fmt.Errorf(""))
+
+ c.clusterManager.EXPECT().SaveLogsManagementCluster(c.ctx, c.clusterSpec, c.bootstrapCluster)
+ c.writer.EXPECT().Write(fmt.Sprintf("%s-checkpoint.yaml", c.clusterSpec.Cluster.Name), gomock.Any())
+
+ err := c.run()
+ if err == nil {
+ t.Fatalf("Create.Run() expected to return an error %v", err)
+ }
+}
+
 func TestCreatePreCAPIFailure(t *testing.T) {
 c := newCreateTest(t)
 c.expectSetup()
diff --git a/pkg/workflows/management/secrets.go b/pkg/workflows/management/secrets.go
index bd0c1777aa53..493c4f0182c9 100644
--- a/pkg/workflows/management/secrets.go
+++ b/pkg/workflows/management/secrets.go
@@ -8,6 +8,7 @@ import (
 )
 
 type updateSecrets struct{}
+type updateSecretsCreate struct{}
 
 // Run updateSecrets updates management cluster's secrets.
 func (s *updateSecrets) Run(ctx context.Context, commandContext *task.CommandContext) task.Task {
@@ -32,3 +33,31 @@ func (s *updateSecrets) Checkpoint() *task.CompletedTask {
 func (s *updateSecrets) Restore(ctx context.Context, commandContext *task.CommandContext, completedTask *task.CompletedTask) (task.Task, error) {
 return &ensureEtcdCAPIComponentsExist{}, nil
 }
+
+// Run updateSecrets updates management cluster's secrets.
+func (s *updateSecretsCreate) Run(ctx context.Context, commandContext *task.CommandContext) task.Task {
+ if !commandContext.ClusterSpec.Cluster.RegistryAuth() {
+ return &installCAPIComponentsTask{}
+ }
+
+ err := commandContext.ClusterManager.CreateRegistryCredSecret(ctx, commandContext.BootstrapCluster)
+ if err != nil {
+ commandContext.SetError(err)
+ return &workflows.CollectMgmtClusterDiagnosticsTask{}
+ }
+ return &installCAPIComponentsTask{}
+}
+
+func (s *updateSecretsCreate) Name() string {
+ return "update-secrets-create"
+}
+
+func (s *updateSecretsCreate) Checkpoint() *task.CompletedTask {
+ return &task.CompletedTask{
+ Checkpoint: nil,
+ }
+}
+
+func (s *updateSecretsCreate) Restore(ctx context.Context, commandContext *task.CommandContext, completedTask *task.CompletedTask) (task.Task, error) {
+ return nil, nil
+}
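Review bot: The doc comment on `updateSecretsCreate.Run` is copied from `updateSecrets` and does not describe this task, which creates the registry-credentials secret on `commandContext.BootstrapCluster` when `RegistryAuth()` is true and otherwise goes straight to `installCAPIComponentsTask`. I would replace it with `// Run creates the registry-credentials secret on the bootstrap cluster when registry authentication is enabled.` and add one-line comments to `Name`, `Checkpoint` and `Restore`. `Restore` returns `nil, nil` where `updateSecrets.Restore` returns a next task; if that is deliberate because the create flow never resumes from this step, a comment saying so would prevent a later reader from treating it as an omission. On the error path the workflow hands off to `CollectMgmtClusterDiagnosticsTask`, so it is worth confirming that the collected bundle does not include Secret objects from the namespace this credential is written to.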