fix: grant pipeline RBAC secrets read access for image pull secret validation

creydr · creydr · commit 92ca8a32e786 · 2026-05-06T12:32:09.000+02:00
The func CLI now validates that the referenced image pull secret exists
before deploying. Grant get/list on secrets to the deploy-function Role
so the Tekton func-deploy step can perform this validation.

Also wrap the e2e imagePullSecrets check in Eventually to handle timing.
diff --git a/internal/controller/function_rbac.go b/internal/controller/function_rbac.go
@@ -70,6 +70,10 @@ func (r *FunctionReconciler) ensureDeployFunctionRole(ctx context.Context, names
 				APIGroups: []string{""},
 				Resources: []string{"services", "pods"},
 				Verbs:     []string{"create", "delete", "get", "list", "patch", "update", "watch"},
+			}, {
+				APIGroups: []string{""},
+				Resources: []string{"secrets"},
+				Verbs:     []string{"get", "list"},
 			}, {
 				APIGroups: []string{"http.keda.sh"},
 				Resources: []string{"httpscaledobjects"},
diff --git a/test/e2e/func_deploy_test.go b/test/e2e/func_deploy_test.go
@@ -860,20 +860,21 @@ var _ = Describe("Operator", func() {
 
 			Eventually(functionBecomesReady(functionName, functionNamespace)).Should(Succeed())
 
-			// Verify the Knative Service has imagePullSecrets set on its pod template
-			cmd := exec.Command("kubectl", "get", "ksvc", deployedFunctionName,
-				"-n", functionNamespace,
-				"-o", "jsonpath={.spec.template.spec.imagePullSecrets}")
-			out, err := utils.Run(cmd)
-			Expect(err).NotTo(HaveOccurred())
-
-			var pullSecrets []v1.LocalObjectReference
-			err = json.Unmarshal([]byte(out), &pullSecrets)
-			Expect(err).NotTo(HaveOccurred())
-
-			Expect(pullSecrets).To(ContainElement(v1.LocalObjectReference{
-				Name: secret.Name,
-			}))
+			// Verify the Knative Service has imagePullSecrets set on its pod template.
+			Eventually(func(g Gomega) {
+				cmd := exec.Command("kubectl", "get", "ksvc", deployedFunctionName,
+					"-n", functionNamespace,
+					"-o", "jsonpath={.spec.template.spec.imagePullSecrets}")
+				out, err := utils.Run(cmd)
+				g.Expect(err).NotTo(HaveOccurred())
+				g.Expect(out).NotTo(BeEmpty(), "imagePullSecrets not set on Knative Service %s", deployedFunctionName)
+
+				var pullSecrets []v1.LocalObjectReference
+				g.Expect(json.Unmarshal([]byte(out), &pullSecrets)).To(Succeed())
+				g.Expect(pullSecrets).To(ContainElement(v1.LocalObjectReference{
+					Name: secret.Name,
+				}))
+			}, 2*time.Minute).Should(Succeed())
 		})
 	})
 })
