Support internal OCP registry

The internal OCP registry is supported by default without a need of
providing any registry auth secret. The backup image is pushed to the
same namespace where the workspace is running. The token is
auto-generated and mounted from the SA definition.

Signed-off-by: Ales Raszka <[email protected]>

Author: Allda

apis/controller/v1alpha1/devworkspaceoperatorconfig_types.go

@@ -74,7 +74,7 @@ type CleanupCronJobConfig struct {
 
 type RegistryConfig struct {
 	// A registry where backup images are stored. Images are stored
-	// in {path}/${DEVWORKSPACE_NAMESPACE}:${DEVWORKSPACE_NAME}
+	// in {path}/${DEVWORKSPACE_NAMESPACE}/${DEVWORKSPACE_NAME}:latest
 	// +kubebuilder:validation:Required
 	Path string `json:"path,omitempty"`
 	// AuthSecret is the name of a Kubernetes secret of

controllers/backupcronjob/backupcronjob_controller.go

@@ -122,6 +122,15 @@ func (r *BackupCronJobReconciler) SetupWithManager(mgr ctrl.Manager) error {
 // +kubebuilder:rbac:groups=batch,resources=jobs,verbs=get;list;create;update;patch;delete
 // +kubebuilder:rbac:groups=controller.devfile.io,resources=devworkspaceoperatorconfigs,verbs=get;list;update;patch;watch
 // +kubebuilder:rbac:groups=workspace.devfile.io,resources=devworkspaces,verbs=get;list
+// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterrolebindings,verbs=get;list;create;update;patch;delete
+// +kubebuilder:rbac:groups="",resources=builds,verbs=get
+// +kubebuilder:rbac:groups="",resources=builds/details,verbs=update
+// +kubebuilder:rbac:groups="",resources=imagestreams,verbs=create
+// +kubebuilder:rbac:groups="",resources=imagestreams/layers,verbs=get;update
+// +kubebuilder:rbac:groups=build.openshift.io,resources=builds,verbs=get
+// +kubebuilder:rbac:groups=build.openshift.io,resources=builds/details,verbs=update
+// +kubebuilder:rbac:groups=image.openshift.io,resources=imagestreams,verbs=get;list;create;update;patch;delete
+// +kubebuilder:rbac:groups=image.openshift.io,resources=imagestreams/layers,verbs=get;update
 
 // Reconcile is the main reconciliation loop for the BackupCronJob controller.
 func (r *BackupCronJobReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
@@ -456,11 +465,11 @@ func (r *BackupCronJobReconciler) getWorkspacePVCName(ctx context.Context, works
 func (r *BackupCronJobReconciler) handleRegistryAuthSecret(ctx context.Context, workspace *dw.DevWorkspace,
 	dwOperatorConfig *controllerv1alpha1.DevWorkspaceOperatorConfig, log logr.Logger,
 ) (*corev1.Secret, error) {
-	if dwOperatorConfig.Config.Workspace.BackupCronJob.Registry.AuthSecret == "" {
+	secretName := dwOperatorConfig.Config.Workspace.BackupCronJob.Registry.AuthSecret
+	if secretName == "" {
 		// No auth secret configured - anonymous access to registry
 		return nil, nil
 	}
-	secretName := dwOperatorConfig.Config.Workspace.BackupCronJob.Registry.AuthSecret
 
 	// First check the workspace namespace for the secret
 	registryAuthSecret := &corev1.Secret{}
@@ -478,21 +487,18 @@ func (r *BackupCronJobReconciler) handleRegistryAuthSecret(ctx context.Context,
 	log.Info("Registry auth secret not found in workspace namespace, checking operator namespace", "secretName", secretName)
 
 	// If the secret is not found in the workspace namespace, check the operator namespace as fallback
-	if dwOperatorConfig.Config.Workspace.BackupCronJob.Registry.AuthSecret != "" {
-		err := r.NonCachingClient.Get(ctx, client.ObjectKey{
-			Name:      dwOperatorConfig.Config.Workspace.BackupCronJob.Registry.AuthSecret,
-			Namespace: dwOperatorConfig.Namespace,
-		}, registryAuthSecret)
-		if err != nil {
-			log.Error(err, "Failed to get registry auth secret for backup job", "secretName", dwOperatorConfig.Config.Workspace.BackupCronJob.Registry.AuthSecret)
-			return nil, err
-		}
-		log.Info("Successfully retrieved registry auth secret for backup job", "secretName", dwOperatorConfig.Config.Workspace.BackupCronJob.Registry.AuthSecret)
-		return r.copySecret(ctx, workspace, registryAuthSecret, log)
+	err = r.NonCachingClient.Get(ctx, client.ObjectKey{
+		Name:      secretName,
+		Namespace: dwOperatorConfig.Namespace}, registryAuthSecret)
+	if err != nil {
+		log.Error(err, "Failed to get registry auth secret for backup job", "secretName", secretName)
+		return nil, err
 	}
-	return nil, nil
+	log.Info("Successfully retrieved registry auth secret for backup job", "secretName", secretName)
+	return r.copySecret(ctx, workspace, registryAuthSecret, log)
 }
 
+// copySecret copies the given secret from the operator namespace to the workspace namespace.
 func (r *BackupCronJobReconciler) copySecret(ctx context.Context, workspace *dw.DevWorkspace, sourceSecret *corev1.Secret, log logr.Logger) (namespaceSecret *corev1.Secret, err error) {
 	existingNamespaceSecret := &corev1.Secret{}
 	err = r.NonCachingClient.Get(ctx, client.ObjectKey{

controllers/backupcronjob/backupcronjob_controller_test.go

@@ -39,6 +39,7 @@ import (
 	controllerv1alpha1 "github.com/devfile/devworkspace-operator/apis/controller/v1alpha1"
 	"github.com/devfile/devworkspace-operator/pkg/conditions"
 	"github.com/devfile/devworkspace-operator/pkg/constants"
+	"github.com/devfile/devworkspace-operator/pkg/infrastructure"
 )
 
 var _ = Describe("BackupCronJobReconciler", func() {
@@ -52,6 +53,10 @@ var _ = Describe("BackupCronJobReconciler", func() {
 
 	BeforeEach(func() {
 		ctx = context.Background()
+
+		// Initialize infrastructure for testing (defaults to Kubernetes)
+		infrastructure.InitializeForTesting(infrastructure.Kubernetes)
+
 		scheme := runtime.NewScheme()
 		Expect(controllerv1alpha1.AddToScheme(scheme)).To(Succeed())
 		Expect(dwv2.AddToScheme(scheme)).To(Succeed())

controllers/backupcronjob/rbac.go

@@ -21,8 +21,12 @@ import (
 
 	dw "github.com/devfile/api/v2/pkg/apis/workspaces/v1alpha2"
 	"github.com/devfile/devworkspace-operator/pkg/constants"
+	"github.com/devfile/devworkspace-operator/pkg/infrastructure"
 	corev1 "k8s.io/api/core/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 )
 
@@ -31,8 +35,9 @@ const (
 )
 
 func (r *BackupCronJobReconciler) ensureJobRunnerRBAC(ctx context.Context, workspace *dw.DevWorkspace) error {
+	saName := JobRunnerSAName + "-" + workspace.Status.DevWorkspaceId
 	sa := &corev1.ServiceAccount{
-		ObjectMeta: metav1.ObjectMeta{Name: JobRunnerSAName + "-" + workspace.Status.DevWorkspaceId, Namespace: workspace.Namespace, Labels: map[string]string{
+		ObjectMeta: metav1.ObjectMeta{Name: saName, Namespace: workspace.Namespace, Labels: map[string]string{
 			constants.DevWorkspaceIDLabel:          workspace.Status.DevWorkspaceId,
 			constants.DevWorkspaceWatchSecretLabel: "true",
 		}},
@@ -47,6 +52,86 @@ func (r *BackupCronJobReconciler) ensureJobRunnerRBAC(ctx context.Context, works
 		return fmt.Errorf("ensuring ServiceAccount: %w", err)
 	}
 
+	if infrastructure.IsOpenShift() {
+		// Create ClusterRoleBinding for image push role
+		if err := r.ensureImagePushRoleBinding(ctx, saName, workspace); err != nil {
+			return fmt.Errorf("ensuring image push ClusterRoleBinding: %w", err)
+		}
+		// Create ImageStream for backup images
+		if err := r.ensureImageStreamForBackup(ctx, workspace); err != nil {
+			return fmt.Errorf("ensuring ImageStream for backup: %w", err)
+		}
+	}
+
 	return nil
 
 }
+
+// ensureImagePushRoleBinding creates a ClusterRoleBinding to allow the given ServiceAccount to push images
+// to the OpenShift internal registry.
+func (r *BackupCronJobReconciler) ensureImagePushRoleBinding(ctx context.Context, saName string, workspace *dw.DevWorkspace) error {
+	// Create ClusterRoleBinding for system:image-builder role
+	clusterRoleBinding := &rbacv1.ClusterRoleBinding{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "devworkspace-image-builder-" + workspace.Status.DevWorkspaceId,
+			Labels: map[string]string{
+				constants.DevWorkspaceIDLabel: workspace.Status.DevWorkspaceId,
+			},
+		},
+		Subjects: []rbacv1.Subject{
+			{
+				Kind:      rbacv1.ServiceAccountKind,
+				Name:      saName,
+				Namespace: workspace.Namespace,
+			},
+		},
+		RoleRef: rbacv1.RoleRef{
+			Kind:     "ClusterRole",
+			Name:     "system:image-builder",
+			APIGroup: "rbac.authorization.k8s.io",
+		},
+	}
+
+	if _, err := controllerutil.CreateOrUpdate(ctx, r.Client, clusterRoleBinding, func() error { return nil }); err != nil {
+		return fmt.Errorf("ensuring ClusterRoleBinding: %w", err)
+	}
+	return nil
+}
+
+// ensureImageStreamForBackup creates an ImageStream for the backup images in OpenShift in case user
+// selects to use the internal registry. Push to non-existing ImageStream fails, so we need to create it first.
+func (r *BackupCronJobReconciler) ensureImageStreamForBackup(ctx context.Context, workspace *dw.DevWorkspace) error {
+	// Create ImageStream for backup images using unstructured to avoid scheme conflicts
+	imageStream := &unstructured.Unstructured{
+		Object: map[string]interface{}{
+			"apiVersion": "image.openshift.io/v1",
+			"kind":       "ImageStream",
+			"metadata": map[string]interface{}{
+				"name":      workspace.Name,
+				"namespace": workspace.Namespace,
+				"labels": map[string]interface{}{
+					constants.DevWorkspaceIDLabel: workspace.Status.DevWorkspaceId,
+				},
+			},
+			"spec": map[string]interface{}{
+				"lookupPolicy": map[string]interface{}{
+					"local": true,
+				},
+			},
+		},
+	}
+	imageStream.SetGroupVersionKind(schema.GroupVersionKind{
+		Group:   "image.openshift.io",
+		Version: "v1",
+		Kind:    "ImageStream",
+	})
+
+	if err := controllerutil.SetControllerReference(workspace, imageStream, r.Scheme); err != nil {
+		return err
+	}
+
+	if _, err := controllerutil.CreateOrUpdate(ctx, r.Client, imageStream, func() error { return nil }); err != nil {
+		return fmt.Errorf("ensuring ImageStream: %w", err)
+	}
+	return nil
+}