Description
The current implementation of the codebase-operator creates a new temporary Kubernetes secret with credentials (named repository-codebase-%v-temp) when cloning from private repositories. This process is managed dynamically by the operator as part of the codebase onboarding flow using the 'clone' strategy.
This approach should be improved to support a static secret that is managed outside of the operator. Administrators must be able to create the secret as a prerequisite and specify the secret name in the Codebase Custom Resource (CR) during creation. This enables dev teams and admins to manage credentials through an external process (e.g., via External Secrets Operator, KMS, Vault) while the operator simply references a pre-existing, statically named secret in the cluster.
Both approaches—temporarily created secrets and referencing a static, externally managed secret—should be supported for backward compatibility.
Acceptance Criteria
- The Codebase CR spec supports an optional field to specify the K8s secret name containing repository credentials for the 'clone' strategy.
- When this secret name is specified, the operator does not create a temporary secret, using the referenced static secret instead.
- If no secret name is specified, the operator continues to generate the temporary secret as before for backward compatibility.
- The solution must be clearly documented for both approaches (static and dynamic secret management).
- The UI (if applicable) and API must validate existence/access to the static secret if the field is set during codebase creation.
- Error handling is implemented: if the referenced secret does not exist or is misconfigured, the operator should log the error and update the Codebase status accordingly.
- Ensure compatibility with secrets managed by External Secrets Operator and typical KubeRocketCI RBAC policies.
- Example CR snippet for static secret usage is provided in documentation or release notes.
Example Spec Addition
```yaml
spec:
  ...
  cloneCredentialsSecret: my-git-credentials-secret
```
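A sketch of the resolution logic the acceptance criteria describe, added here as an illustration and not taken from the codebase-operator: a referenced secret that is missing or incomplete is an error for the Codebase status, never a silent fallback to the temporary secret. The `SecretGetter` interface, the function and error names, the `username`/`password` keys, and the use of the codebase name for `%v` are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// Secret stands in for a Kubernetes Secret's data map (hypothetical type).
type Secret map[string][]byte

// SecretGetter abstracts the cluster lookup (hypothetical interface).
type SecretGetter interface {
	Get(namespace, name string) (Secret, bool)
}

// fakeCluster is a constructed in-memory store keyed by "namespace/name".
type fakeCluster map[string]Secret

func (f fakeCluster) Get(ns, name string) (Secret, bool) { s, ok := f[ns+"/"+name]; return s, ok }

var (
	ErrSecretNotFound      = errors.New("referenced secret not found")
	ErrSecretMisconfigured = errors.New("referenced secret misconfigured")
)

// ResolveCloneSecret returns the secret name to clone with and whether the
// operator must create it. An empty ref keeps the temporary-secret behaviour.
func ResolveCloneSecret(c SecretGetter, ns, codebase, ref string) (string, bool, error) {
	if ref == "" {
		return fmt.Sprintf("repository-codebase-%v-temp", codebase), true, nil
	}
	s, ok := c.Get(ns, ref)
	if !ok { // fail closed: do not fall back to a temporary secret
		return "", false, fmt.Errorf("%w: %s/%s", ErrSecretNotFound, ns, ref)
	}
	for _, k := range []string{"username", "password"} { // assumed key names
		if len(s[k]) == 0 {
			return "", false, fmt.Errorf("%w: key %q missing or empty", ErrSecretMisconfigured, k)
		}
	}
	return ref, false, nil
}

func main() {
	c := fakeCluster{"demo/my-git-credentials-secret": {"username": []byte("u"), "password": []byte("p")}}
	for _, ref := range []string{"", "my-git-credentials-secret", "absent"} {
		name, create, err := ResolveCloneSecret(c, "demo", "app", ref)
		fmt.Printf("ref=%q name=%q create=%v err=%v\n", ref, name, create, err)
	}
}
```

The returned error is what the caller would log and write to the Codebase status.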