
internal registry fixes #94

Merged: bkhizgiy merged 4 commits into centos-automotive-suite:main from bennyz:registry-fixes, Feb 11, 2026

@bennyz bennyz commented Feb 11, 2026

Summary by CodeRabbit

  • New Features
    • Container and disk image URLs are translated for external registry access when service-account authentication is enabled.
    • Flash-enabled image builds can use external registry credentials from configured registry secrets.
    • Partitions annotation is now applied only when explicitly configured; default fallback is removed and push messaging updated (multi-layer post-pull guidance removed).

Signed-off-by: Benny Zlotnik <bzlotnik@redhat.com>
Signed-off-by: Benny Zlotnik <bzlotnik@redhat.com>
Signed-off-by: Benny Zlotnik <bzlotnik@redhat.com>
@bennyz changed the title from "do not set default partitions on unrelated targets" to "internal registry fixes" Feb 11, 2026

coderabbitai Bot commented Feb 11, 2026

Walkthrough

Resolve external registry route in build listing and translate image URLs when service-account auth is used; make default-partitions annotation conditional in artifact push script and remove multi-layer pull guidance; extend imagebuild reconciler to read registry credentials from a SecretRef and create a flash-oci-auth secret when appropriate.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Build API — external URL translation<br>`internal/buildapi/server.go` | One-time resolve of external registry route in listBuilds; translate ContainerImage and DiskImage to external URLs when UseServiceAccountAuth is enabled; emit translated values in build list output. |
| Artifact push script — conditional annotation<br>`internal/common/tasks/scripts/push_artifact.sh` | Remove hardcoded fallback for default_partitions; add conditional default-partitions annotation only when configured; always include arch; remove post-push multi-layer pull guidance and commands. |
| Image build controller — flash registry credentials<br>`internal/controller/imagebuild/controller.go` | When flash is enabled and SecretRef + flash image ref exist, read REGISTRY_USERNAME/REGISTRY_PASSWORD from the referenced registry secret; if both present, create flash-oci-auth secret with credentials and owner refs; log & skip on partial credentials. |

Sequence Diagram(s)

```mermaid
sequenceDiagram
participant Reconciler
participant K8sAPI
participant RegistrySecret
participant FlashProcess

Reconciler->>K8sAPI: Get ImageBuild CR
Reconciler->>K8sAPI: Read SecretRef (if present)
K8sAPI-->>Reconciler: Secret data (REGISTRY_USERNAME, REGISTRY_PASSWORD)
alt both username and password present
  Reconciler->>K8sAPI: Create `flash-oci-auth` Secret (username/password, owner refs)
  K8sAPI-->>Reconciler: Secret created
  Reconciler->>FlashProcess: Provide flash-oci-auth secret reference
else partial or missing creds
  Reconciler->>Reconciler: Log and skip secret creation
  Reconciler->>FlashProcess: Continue with SA-token or other auth path
end
```

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • bkhizgiy

Poem

🐰 A tiny rabbit hops the code so neat,
Routes turned outside where images meet,
Secrets whispered soft for flashing’s art,
Annotations chosen — precise from the start,
Hooray for builds that now leap and fleet! 🥕

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Title check | ❓ Inconclusive | The title 'internal registry fixes' is vague and generic, using non-descriptive terms that don't convey specific information about the actual changes (external registry route resolution, artifact annotation handling, and flash credential management). | Consider a more specific title that highlights the main change, such as 'Support external registry routes in image URL translation' or 'Add external registry credential handling for flash builds'. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

No actionable comments were generated in the recent review. 🎉

🧹 Recent nitpick comments
internal/controller/imagebuild/controller.go (1)

538-578: External registry credential handling looks correct.

The new branch properly reads credentials from the referenced secret, creates the flash-oci-auth secret with an AlreadyExists guard, and mirrors the structure of the SA-token path above.

One minor inconsistency: line 535 creates the secret via clientset.CoreV1().Secrets(…).Create(…) (raw client-go), while line 576 uses r.Create(ctx, ociSecret) (controller-runtime client). Both work, but mixing API styles in adjacent branches can confuse future readers.


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Fix all issues with AI agents
In `@internal/controller/imagebuild/controller.go`:
- Around line 538-577: The creation of the flash-OCI auth Secret (ociSecret /
flashOCIAuthSecretName) via r.Create can return AlreadyExists during
reconciliation retries and should be guarded; update the block that calls
r.Create(ctx, ociSecret) to detect and ignore metav1.IsAlreadyExists (or
apierrors.IsAlreadyExists) errors so reconciliation continues (treat existing
secret as success), and return real errors for other cases—apply the same
AlreadyExists handling pattern used elsewhere (e.g., the SA-token secret
creation) to the flash-oci-auth secret creation for imageBuild.
- Around line 549-551: The code currently checks REGISTRY_USERNAME and
REGISTRY_PASSWORD bytes and silently skips creating the flash-oci-auth secret
when only one is present; update the logic in the function where registrySecret,
regUser and regPass are used (the block that creates the flash-oci-auth secret)
to detect partial credentials (one present and the other empty) and either log a
clear warning via the same logger used elsewhere or return an explicit error
instead of no-oping; reference the registrySecret, regUser, regPass and the
secret-creation branch to implement the check and emit a helpful message that
indicates which key is missing and that credential creation was skipped.
🧹 Nitpick comments (2)
internal/controller/imagebuild/controller.go (1)

553-576: Significant duplication with SA-token secret creation block (lines 514–537).

The secret structure (labels, owner refs, type, data keys) is nearly identical between the two branches. Consider extracting a helper like createFlashOCIAuthSecret(name, namespace, imageBuild, username, password) to reduce drift risk.

internal/common/tasks/scripts/push_artifact.sh (1)

279-290: Verify JSON validity when default_partitions_annotation is non-empty.

The interpolated annotation fragment (line 286) relies on default_partitions_annotation starting with ,\n and the arch line having no trailing comma. This works, but is fragile if anyone later adds a field after arch without adjusting. A brief cat "$annotations_file" | python3 -m json.tool > /dev/null sanity check could guard against silent breakage, though this is optional given the current simplicity.
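
The two behaviours raised in the review above, flagging partial registry credentials and tolerating AlreadyExists on a reconcile retry, sketched as an added example that is not the project's code. It uses only the standard library: `flashCreds`, `fakeStore`, `ensureSecret`, `errAlreadyExists` and the `username`/`password` data keys are hypothetical; only the `REGISTRY_USERNAME`/`REGISTRY_PASSWORD` keys and the `flash-oci-auth` name come from the page.

```go
package main

import (
	"errors"
	"fmt"
)

// Key names come from the PR walkthrough; all other names are hypothetical.
const userKey, passKey = "REGISTRY_USERNAME", "REGISTRY_PASSWORD"

// errAlreadyExists stands in for the API server's AlreadyExists error.
var errAlreadyExists = errors.New("already exists")

// flashCreds: both keys set -> ok; neither set -> not ok, no error (other auth path);
// exactly one set -> error naming the missing key, never echoing a credential value.
func flashCreds(data map[string][]byte) (user, pass string, ok bool, err error) {
	user, pass = string(data[userKey]), string(data[passKey])
	switch {
	case user != "" && pass != "":
		return user, pass, true, nil
	case user == "" && pass == "":
		return "", "", false, nil
	case user == "":
		return "", "", false, fmt.Errorf("registry secret sets %s but not %s", passKey, userKey)
	default:
		return "", "", false, fmt.Errorf("registry secret sets %s but not %s", userKey, passKey)
	}
}

type fakeStore map[string]map[string]string // constructed create-only secret store

func (s fakeStore) create(name string, data map[string]string) error {
	if _, exists := s[name]; exists {
		return errAlreadyExists
	}
	s[name] = data
	return nil
}

// ensureSecret treats AlreadyExists as success so a reconcile retry is a no-op.
func ensureSecret(s fakeStore, name, user, pass string) error {
	err := s.create(name, map[string]string{"username": user, "password": pass})
	if errors.Is(err, errAlreadyExists) {
		return nil
	}
	return err
}

func main() {
	fmt.Println(flashCreds(map[string][]byte{userKey: []byte("builder")})) // constructed input
}
```

In a real controller the sentinel comparison would be replaced by the Kubernetes API error helper, and the returned error would be logged before falling back to the other auth path.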

it shows how to pull from registry service, instead of route

Signed-off-by: Benny Zlotnik <bzlotnik@redhat.com>
@bkhizgiy bkhizgiy merged commit e87fee8 into centos-automotive-suite:main Feb 11, 2026
4 checks passed
@bennyz bennyz deleted the registry-fixes branch February 11, 2026 14:59