From cccb6096a63715c8fdcab8c2764bd4601110a44c Mon Sep 17 00:00:00 2001
From: Daniel Pawlik
Date: Tue, 2 Jul 2024 12:04:17 +0200
Subject: [PATCH] Add parameter to set global pull-secret secret

Some projects might want to have an access to secured registry, but the credentials are not shared across projects. This commit adds GLOBAL_SECURED_REGISTRIES parameter, that will allow user to create similar pull-secret as it is done in openshift-config namespace to be available for other projects [1]. For example, the openshift-marketplace can not start properly, because it can not pull the image. We can add the pull-secret into the /var/lib/kubelet/config.json, but after clustersetup.sh script finish the Machine Config Pool would be marked as degraded (because there would be a missmatch). Adding the pull secret globaly will help avoid issue, that the image can not be downloaded. On the end, it can be deleted.

[1] https://docs.openshift.com/container-platform/4.15/openshift_images/managing_images/using-image-pull-secrets.html#images-allow-pods-to-reference-images-from-secure-registries_using-image-pull-secrets
---
 pkg/bundle/setup/clustersetup.sh | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/pkg/bundle/setup/clustersetup.sh b/pkg/bundle/setup/clustersetup.sh
index 0df803f0..cdad61fa 100644
--- a/pkg/bundle/setup/clustersetup.sh
+++ b/pkg/bundle/setup/clustersetup.sh
@@ -15,6 +15,7 @@ PASS_DEVELOPER="${PASS_DEVELOPER:-"_PASS_DEVELOPER_"}"
 PASS_KUBEADMIN="${PASS_KUBEADMIN:-"_PASS_KUBEADMIN_"}"
 PASS_REDHAT="${PASS_REDHAT:-"_PASS_REDHAT_"}"
 MAXIMUM_LOGIN_RETRY=500
+GLOBAL_SECURED_REGISTRIES="${GLOBAL_SECURED_REGISTRIES:-"false"}"
 pr_info() {
     echo "[INF] $1" | tee -a $LOG_FILE > /dev/null
@@ -182,6 +183,15 @@ patch_pull_secret() {
     sleep $STEPS_SLEEP_TIME
 }
+global_pull_secret() {
+    pr_info "adding pull-secret as global cluster pull secret"
+    oc get secret/pull-secret -n openshift-config --template='{{index .data ".dockerconfigjson" | base64decode}}' > /tmp/pull-secret.txt
+    oc create secret generic global-pull-secret --from-file=.dockercfg=/tmp/pull-secret.txt --type=kubernetes.io/dockercfg
+    stop_if_failed $? "failed to create global pull secret"
+    rm /tmp/pull-secret.txt
+    sleep $STEPS_SLEEP_TIME
+}
 create_certificate_and_patch_secret() {
     pr_info "creating OpenShift secrets"
     openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout nip.key -out nip.crt -subj "/CN=$EIP.nip.io" -addext "subjectAltName=DNS:apps.$EIP.nip.io,DNS:*.apps.$EIP.nip.io,DNS:api.$EIP.nip.io"
@@ -262,6 +272,9 @@ stop_if_failed $? "failed to recover Cluster after $(expr $CLUSTER_HEALTH_RETRIE
 patch_pull_secret
+if [[ "$GLOBAL_SECURED_REGISTRIES" =~ True|true ]]; then
+    global_pull_secret
+fi
 wait_cluster_become_healthy "etcd|openshift-apiserver"
 stop_if_failed $? "failed to recover Cluster after $(expr $CLUSTER_HEALTH_RETRIES \* $CLUSTER_HEALTH_SLEEP) seconds"
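Review bot: global_pull_secret decodes the cluster's registry credentials into the predictable, unprotected path `/tmp/pull-secret.txt`, and only the `oc create` step is checked — if `oc get` fails the create runs on an empty file, and if `stop_if_failed` exits on a create failure the credentials stay on disk because the `rm` line is never reached. The decoded data is taken from the `.dockerconfigjson` key, yet the new secret is created as `kubernetes.io/dockercfg` under the `.dockercfg` key; unless some consumer outside this file expects that, `--type=kubernetes.io/dockerconfigjson --from-file=.dockerconfigjson=...` matches the source format. The rewrite below writes to a `mktemp` file (created mode 0600 by default), checks both oc calls, and removes the file before reporting the create result; the call site in the last hunk gates this on an unanchored `=~ True|true`, which `[[ "$GLOBAL_SECURED_REGISTRIES" == [Tt]rue ]]` would tighten. Note also that no `-n` is passed to `oc create`, so the secret lands in whatever namespace the current oc context selects, which is worth stating in a comment above the function.
```shell
global_pull_secret() {
    pr_info "adding pull-secret as global cluster pull secret"
    # Decoded registry credentials go to a private temp file, never a fixed /tmp name.
    local secret_file
    secret_file=$(mktemp)
    stop_if_failed $? "failed to create temp file for global pull secret"
    oc get secret/pull-secret -n openshift-config --template='{{index .data ".dockerconfigjson" | base64decode}}' > "$secret_file"
    stop_if_failed $? "failed to read pull-secret from openshift-config"
    oc create secret generic global-pull-secret --from-file=.dockerconfigjson="$secret_file" --type=kubernetes.io/dockerconfigjson
    local rc=$?
    # Remove the credentials before reporting, so they are not left behind on failure.
    rm -f -- "$secret_file"
    stop_if_failed $rc "failed to create global pull secret"
    sleep $STEPS_SLEEP_TIME
}
```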