feat: pass registry auth secret as --image-pull-secret to func CLI

creydr · creydr · commit be701963d47b · 2026-05-05T12:56:24.000+02:00
When spec.registry.authSecretRef is set, pass the secret name via
--image-pull-secret so the func CLI sets imagePullSecrets directly
on the function's pod spec.
diff --git a/internal/controller/function_controller_test.go b/internal/controller/function_controller_test.go
@@ -530,6 +530,72 @@ var _ = Describe("Function Controller", func() {
 				},
 			}),
 		)
+
+		It("should pass ImagePullSecret to deploy when registry authSecretRef is set", func() {
+			registrySecretName := "my-registry-secret"
+
+			By("Creating the registry auth secret")
+			secret := &v1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      registrySecretName,
+					Namespace: resourceNamespace,
+				},
+				Type: v1.SecretTypeDockerConfigJson,
+				Data: map[string][]byte{
+					v1.DockerConfigJsonKey: []byte(`{"auths":{"registry.example.com":{"auth":"dGVzdDp0ZXN0"}}}`),
+				},
+			}
+			Expect(k8sClient.Create(ctx, secret)).To(Succeed())
+			defer func() { _ = k8sClient.Delete(ctx, secret) }()
+
+			By("Creating the Function with registry authSecretRef")
+			spec := functionsdevv1alpha1.FunctionSpec{
+				Repository: functionsdevv1alpha1.FunctionSpecRepository{
+					URL:    "https://github.com/foo/bar",
+					Branch: "my-branch",
+				},
+				Registry: functionsdevv1alpha1.FunctionSpecRegistry{
+					AuthSecretRef: &v1.LocalObjectReference{
+						Name: registrySecretName,
+					},
+				},
+			}
+			Expect(createFunctionResource(resourceName, resourceNamespace, spec)).To(Succeed())
+
+			By("Setting up mocks")
+			funcCliManagerMock := funccli.NewMockManager(GinkgoT())
+			gitManagerMock := git.NewMockManager(GinkgoT())
+
+			funcCliManagerMock.EXPECT().Describe(mock.Anything, functionName, resourceNamespace).Return(functions.Instance{
+				Middleware: functions.Middleware{Version: "v1.0.0"},
+			}, nil)
+			funcCliManagerMock.EXPECT().GetLatestMiddlewareVersion(mock.Anything, mock.Anything, mock.Anything).Return("v2.0.0", nil)
+
+			funcCliManagerMock.EXPECT().Deploy(mock.Anything, mock.Anything, resourceNamespace, mock.MatchedBy(func(opts funccli.DeployOptions) bool {
+				return opts.ImagePullSecret == registrySecretName && opts.RegistryAuthFile != ""
+			})).Return(nil)
+
+			gitManagerMock.EXPECT().CloneRepository(mock.Anything, "https://github.com/foo/bar", "", "my-branch", mock.Anything).Return(createTmpGitRepo(functions.Function{Name: "func-go"}), nil)
+
+			operatorNs := fmt.Sprintf("func-operator-%s", rand.String(6))
+			Expect(createNamespace(operatorNs)).To(Succeed())
+			Expect(createControllerConfig(operatorNs, nil)).To(Succeed())
+
+			By("Reconciling")
+			controllerReconciler := &FunctionReconciler{
+				Client:            k8sClient,
+				Scheme:            k8sClient.Scheme(),
+				Recorder:          &events.FakeRecorder{},
+				FuncCliManager:    funcCliManagerMock,
+				GitManager:        gitManagerMock,
+				OperatorNamespace: operatorNs,
+			}
+
+			_, err := controllerReconciler.Reconcile(ctx, reconcile.Request{
+				NamespacedName: typeNamespacedName,
+			})
+			Expect(err).NotTo(HaveOccurred())
+		})
 	})
 })
 
diff --git a/internal/controller/function_deploy.go b/internal/controller/function_deploy.go
@@ -49,6 +49,7 @@ func (r *FunctionReconciler) deploy(ctx context.Context, function *v1alpha1.Func
 		defer os.Remove(authFile)
 
 		deployOptions.RegistryAuthFile = authFile
+		deployOptions.ImagePullSecret = function.Spec.Registry.AuthSecretRef.Name
 	}
 
 	logger.Info("Deploying function", "deployOptions", deployOptions)
diff --git a/internal/funccli/manager.go b/internal/funccli/manager.go
@@ -43,6 +43,7 @@ type Manager interface {
 
 type DeployOptions struct {
 	RegistryAuthFile string
+	ImagePullSecret  string
 }
 
 var _ Manager = &managerImpl{}
@@ -223,6 +224,10 @@ func (m *managerImpl) Deploy(ctx context.Context, repoPath string, namespace str
 		deployArgs = append(deployArgs, "--registry-authfile", opts.RegistryAuthFile)
 	}
 
+	if opts.ImagePullSecret != "" {
+		deployArgs = append(deployArgs, "--image-pull-secret", opts.ImagePullSecret)
+	}
+
 	out, err := m.Run(ctx, repoPath, deployArgs...)
 	if err != nil {
 		return fmt.Errorf("failed to deploy function: %q. %w", out, err)

Original file line number	Diff line number	Diff line change
`@@ -49,6 +49,7 @@ func (r FunctionReconciler) deploy(ctx context.Context, function v1alpha1.Func`
`49`	`49`	`defer os.Remove(authFile)`
`50`	`50`
`51`	`51`	`deployOptions.RegistryAuthFile = authFile`
	`52`	`+ deployOptions.ImagePullSecret = function.Spec.Registry.AuthSecretRef.Name`
`52`	`53`	`}`
`53`	`54`
`54`	`55`	`logger.Info("Deploying function", "deployOptions", deployOptions)`