Use Remote Secret for push token

Signed-off-by: Mykola Morhun <[email protected]>

README.md

@@ -55,14 +55,16 @@ status:
   credentials:
     generationTimestamp: "2023-08-23T14:56:41Z"
     push-robot-account: test_ns_imagerepository_sample_101e4e2b63
-    push-secret: test-ns-imagerepository-sample-101e4e2b63
+    push-remote-secret: imagerepository-sample-image-push
+    push-secret: imagerepository-sample-image-push
   image:
     url: quay.io/my-org/test-ns/imagerepository-sample
     visibility: public
   state: ready
 ```
 where:
   - `push-robot-account` is the name of quay robot account in the configured quay organization with write premissions to the repository.
+  - `push-remote-secret` is an instance of `RemoteSecret` that manages the `Secret` specified in `push-secret`.
   - `push-secret` is a `Secret` of dockerconfigjson type that contains image repository push robot account token with write permissions.
 
 ### User defined image repository name
@@ -127,6 +129,8 @@ After any successful operation, `status.message` is cleared.
 
 ## AppStudio Component image repository
 
+### Image repository for Component builds
+
 There is a special use case for image repository that stores user's `Component` built images.
 
 To request image repository provision for the `Component`'s builds, the following labels must be added on `ImageRepository` creation:
@@ -141,15 +145,56 @@ Adding them later will have no effect.
 
 ---
 
-The key difference from general purpose workflow are:
- - second robot account and the corresponding `Secret` are created with read (pull) only access to the image repository.
+The key differences from the general purpose workflow are:
+ - second robot account and the corresponding `RemoteSecret` and `Secret` are created with read (pull) only access to the image repository.
  - the pull secret is propagated into all `Application` environments via `RemoteSecret`.
  - the secret with write (push) credentials is linked to the pipeline service account, so the `Component` build pipeline can push resulting images.
 
 If `spec.image.name` is omitted, then instead of `ImageRepository` object name, `application-name/component-name` is used for the image repository name.
 
 All other functionality is the same as for general purpose object.
 
+### Requesting image repository for Component builds
+
+To request an image repository for storing `Component` built images, one should create `ImageRepository` custom resource:
+```yaml
+apiVersion: appstudio.redhat.com/v1alpha1
+kind: ImageRepository
+metadata:
+  name: imagerepository-for-component-sample
+  namespace: test-ns
+  labels:
+    appstudio.redhat.com/component: my-component
+    appstudio.redhat.com/application: my-app
+```
+As a result, a public image repository `quay.io/my-org/test-ns/my-app/my-component` will be created.
+When `status.state` is set to `ready`, the image repository is ready for use.
+Additional information about the image repository one may obtain from the `ImageRepository` object `status`:
+```yaml
+apiVersion: appstudio.redhat.com/v1alpha1
+kind: ImageRepository
+metadata:
+  name: imagerepository-for-component-sample
+  namespace: test-ns
+spec:
+  image:
+    name: test-ns/my-app/my-component
+    visibility: public
+status:
+  credentials:
+    generationTimestamp: "2023-08-23T14:56:41Z"
+    push-robot-account: test_ns_my_app_my_component_e290bac4d
+    push-remote-secret: imagerepository-for-component-sample-image-push
+    push-secret: imagerepository-for-component-sample-image-push
+    pull-robot-account: test_ns_my_app_my_component_6a54e08b62_pull
+    pull-remote-secret: imagerepository-for-component-sample-image-pull
+    pull-secret: imagerepository-for-component-sample-image-pull
+  image:
+    url: quay.io/my-org/test-ns/my-app/my-component
+    visibility: public
+  state: ready
+```
+
 ## Legacy (deprecated) Component image repository
 
 To request the controller to setup an image repository for a component, annotate the `Component` with `image.redhat.com/generate: '{"visibility": "public"}'` or `image.redhat.com/generate: '{"visibility": "private"}'` depending on desired repository visibility.

api/v1alpha1/imagerepository_types.go

@@ -108,7 +108,7 @@ type CredentialsStatus struct {
 
 	// PullSecretName is present only if ImageRepository has labels that connect it to Application and Component.
 	// Holds name of the dockerconfig secret with credentials to pull only from the generated repository.
-	// The secret is not present in the same namespace as ImageRepository, but created in
+	// The secret might not be present in the same namespace as ImageRepository, but created in other environments.
 	PullSecretName string `json:"pull-secret,omitempty"`
 
 	// PushRobotAccountName holds name of the quay robot account with write (push and pull) permissions into the generated repository.
@@ -117,6 +117,13 @@ type CredentialsStatus struct {
 	// PullRobotAccountName is present only if ImageRepository has labels that connect it to Application and Component.
 	// Holds name of the quay robot account with real (pull only) permissions from the generated repository.
 	PullRobotAccountName string `json:"pull-robot-account,omitempty"`
+
+	// PushRemoteSecretName holds name of RemoteSecret object that manages push Secret and its linking to appstudio-pipeline Service Account.
+	PushRemoteSecretName string `json:"push-remote-secret,omitempty"`
+
+	// PullRemoteSecretName is present only if ImageRepository has labels that connect it to Application and Component.
+	// Holds the name of the RemoteSecret object that manages pull Secret.
+	PullRemoteSecretName string `json:"pull-remote-secret,omitempty"`
 }
 
 //+kubebuilder:object:root=true

config/crd/bases/appstudio.redhat.com_imagerepositories.yaml

@@ -82,6 +82,11 @@ spec:
                       were generated.
                     format: date-time
                     type: string
+                  pull-remote-secret:
+                    description: PullRemoteSecretName is present only if ImageRepository
+                      has labels that connect it to Application and Component. Holds
+                      the name of the RemoteSecret object that manages pull Secret.
+                    type: string
                   pull-robot-account:
                     description: PullRobotAccountName is present only if ImageRepository
                       has labels that connect it to Application and Component. Holds
@@ -92,8 +97,14 @@ spec:
                     description: PullSecretName is present only if ImageRepository
                       has labels that connect it to Application and Component. Holds
                       name of the dockerconfig secret with credentials to pull only
-                      from the generated repository. The secret is not present in
-                      the same namespace as ImageRepository, but created in
+                      from the generated repository. The secret might not be present
+                      in the same namespace as ImageRepository, but created in other
+                      environments.
+                    type: string
+                  push-remote-secret:
+                    description: PushRemoteSecretName holds name of RemoteSecret object
+                      that manages push Secret and its linking to appstudio-pipeline
+                      Service Account.
                     type: string
                   push-robot-account:
                     description: PushRobotAccountName holds name of the quay robot