feat: add support for image pull secrets for all components

[knrc]

This pull request adds support for image pull secrets, with the ability to specify them at the top level (inherited by all) or within individual components.

Summary by Sourcery

Add support for image pull secrets across all operator components

New Features:

• Introduce ImagePullSecrets field in CRD API types and schemas for top-level and individual components (CTlog, Fulcio, Rekor, Trillian, TimestampAuthority, TUF, Securesign)
• Add WithImagePullSecrets option in RBAC actions to propagate imagePullSecrets into ServiceAccount resources

Enhancements:

• Implement MergeImagePullSecrets utility to combine and deduplicate global and component-specific secret lists
• Update controllers to merge global and per-component ImagePullSecrets when ensuring sub-resources

Tests:

• Add unit tests for MergeImagePullSecrets covering edge and deduplication cases
• Add RBAC action tests to validate ServiceAccount imagePullSecrets behavior on create and update

[sourcery-ai]

Reviewer's Guide

This PR extends the operator to support configurable image pull secrets by augmenting CRD schemas and Spec types, adding deep copy logic and a merge utility, and integrating the secrets into RBAC ServiceAccounts and subresource ensure logic.

ER diagram for imagePullSecrets in CRDs

erDiagram
    SECURESIGN_SPEC ||--o{ LOCAL_OBJECT_REFERENCE : "imagePullSecrets"
    CTLOG_SPEC ||--o{ LOCAL_OBJECT_REFERENCE : "imagePullSecrets"
    FULCIO_SPEC ||--o{ LOCAL_OBJECT_REFERENCE : "imagePullSecrets"
    REKOR_SPEC ||--o{ LOCAL_OBJECT_REFERENCE : "imagePullSecrets"
    TRILLIAN_SPEC ||--o{ LOCAL_OBJECT_REFERENCE : "imagePullSecrets"
    TIMESTAMPAUTHORITY_SPEC ||--o{ LOCAL_OBJECT_REFERENCE : "imagePullSecrets"
    TUF_SPEC ||--o{ LOCAL_OBJECT_REFERENCE : "imagePullSecrets"
    LOCAL_OBJECT_REFERENCE {
        string name
    }

Loading

Class diagram for updated Spec types with imagePullSecrets

classDiagram
    class SecuresignSpec {
        Tuf: TufSpec
        Ctlog: CTlogSpec
        TimestampAuthority: TimestampAuthoritySpec
        ImagePullSecrets: LocalObjectReference[]
    }
    class TufSpec {
        Pvc: TufPvc
        ImagePullSecrets: LocalObjectReference[]
    }
    class CTlogSpec {
        MaxCertChainSize: int64
        ImagePullSecrets: LocalObjectReference[]
    }
    class FulcioSpec {
        TrustedCA: LocalObjectReference
        ImagePullSecrets: LocalObjectReference[]
    }
    class RekorSpec {
        MaxRequestBodySize: int64
        ImagePullSecrets: LocalObjectReference[]
    }
    class TrillianSpec {
        MaxRecvMessageSize: int64
        ImagePullSecrets: LocalObjectReference[]
    }
    class TimestampAuthoritySpec {
        MaxRequestBodySize: int64
        ImagePullSecrets: LocalObjectReference[]
    }
    SecuresignSpec --> TufSpec
    SecuresignSpec --> CTlogSpec
    SecuresignSpec --> TimestampAuthoritySpec
    TufSpec --> TufPvc
    FulcioSpec --> LocalObjectReference
    CTlogSpec --> LocalObjectReference
    RekorSpec --> LocalObjectReference
    TrillianSpec --> LocalObjectReference
    TimestampAuthoritySpec --> LocalObjectReference
    SecuresignSpec --> LocalObjectReference
    TufSpec --> LocalObjectReference

Loading

Class diagram for rbacAction and WithImagePullSecrets

classDiagram
    class rbacAction {
        componentName: string
        rbacName: string
        rules: PolicyRule[]
        canHandle: func(context.Context, T) bool
        imagePullSecrets: func(context.Context, T) []LocalObjectReference
    }
    class WithImagePullSecrets {
        <<function>>
    }
    rbacAction --> PolicyRule
    rbacAction --> LocalObjectReference
    rbacAction --> WithImagePullSecrets

Loading

Flow diagram for merging imagePullSecrets in ensure logic

flowchart TD
    A["SecuresignSpec.ImagePullSecrets"] --> C["MergeImagePullSecrets"]
    B["ComponentSpec.ImagePullSecrets"] --> C
    C --> D["ComponentSpec.ImagePullSecrets (merged)"]

Loading

File-Level Changes

Change	Details	Files
Extend CRD schemas with optional imagePullSecrets field	Add imagePullSecrets array definitions to all component CRD YAMLs	config/crd/bases/rhtas.redhat.com_securesigns.yaml config/crd/bases/rhtas.redhat.com_ctlogs.yaml config/crd/bases/rhtas.redhat.com_fulcios.yaml config/crd/bases/rhtas.redhat.com_rekors.yaml config/crd/bases/rhtas.redhat.com_timestampauthorities.yaml config/crd/bases/rhtas.redhat.com_trillians.yaml config/crd/bases/rhtas.redhat.com_tufs.yaml
Add ImagePullSecrets field to API Spec types	Define []LocalObjectReference ImagePullSecrets in each component Spec	api/v1alpha1/ctlog_types.go api/v1alpha1/fulcio_types.go api/v1alpha1/rekor_types.go api/v1alpha1/timestampauthority_types.go api/v1alpha1/trillian_types.go api/v1alpha1/tuf_types.go api/v1alpha1/securesign_types.go
Implement deep copy support for ImagePullSecrets	Copy ImagePullSecrets slices in generated deepcopy functions	api/v1alpha1/zz_generated.deepcopy.go
Introduce RBAC action option and integrate pull secrets	Add imagePullSecrets field and WithImagePullSecrets setter to rbacAction Extend handleServiceAccount to apply secrets on create/update Add service account tests covering secret scenarios	internal/action/rbac/action.go internal/action/rbac/action_test.go
Update controllers to pass ImagePullSecrets to RBAC actions	Invoke WithImagePullSecrets in NewRBACAction for all components	internal/controller/tuf/actions/rbac.go internal/controller/ctlog/actions/rbac.go internal/controller/fulcio/actions/rbac.go internal/controller/rekor/actions/server/rbac.go internal/controller/trillian/actions/logserver/rbac.go internal/controller/tsa/actions/rbac.go internal/controller/trillian/actions/db/rbac.go internal/controller/trillian/actions/logsigner/rbac.go
Merge top-level and component-level secrets in ensure controllers	Use utils.MergeImagePullSecrets in ensure_* handlers to combine global and component secrets	internal/controller/securesign/actions/ensure_ctlog.go internal/controller/securesign/actions/ensure_fulcio.go internal/controller/securesign/actions/ensure_rekor.go internal/controller/securesign/actions/ensure_trillian.go internal/controller/securesign/actions/ensure_tsa.go internal/controller/securesign/actions/ensure_tuf.go
Add MergeImagePullSecrets utility and unit tests	Implement MergeImagePullSecrets for deduplication and filtering Add unit tests covering merge logic edge cases	internal/utils/collections.go internal/utils/collections_test.go

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[qodo-code-review]

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
🟢	No security concerns identified No security vulnerabilities detected by AI analysis. Human verification advised for critical code.
Ticket Compliance
⚪	🎫 No ticket provided Create ticket/issue
Codebase Duplication Compliance
⚪	Codebase context is not defined Follow the guide to enable codebase context checks.
Custom Compliance
🟢	Generic: Meaningful Naming and Self-Documenting Code Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting Status: Passed
	Generic: Robust Error Handling and Edge Case Management Objective: Ensure comprehensive error handling that provides meaningful context and graceful degradation Status: Passed
	Generic: Secure Error Handling Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. Status: Passed
	Generic: Secure Logging Practices Objective: To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. Status: Passed
	Generic: Security-First Input Validation and Data Handling Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities Status: Passed
⚪	Generic: Comprehensive Audit Trails Objective: To create a detailed and reliable record of critical system actions for security analysis and compliance. Status: No auditing: The new logic for setting ServiceAccount image pull secrets and merging configurations adds critical state changes without any added auditing or logging of actions taken or outcomes. Referred Code func (i rbacAction[T]) handleServiceAccount(ctx context.Context, instance T) *action.Result { var err error l := labels.For(i.componentName, i.rbacName, instance.GetName()) opts := []func(*v1.ServiceAccount) error{ ensure.ControllerReference[*v1.ServiceAccount](instance, i.Client), ensure.Labels[*v1.ServiceAccount](slices.Collect(maps.Keys(l)), l), } var pullSecrets []v1.LocalObjectReference if i.imagePullSecrets != nil { pullSecrets = i.imagePullSecrets(ctx, instance) if len(pullSecrets) > 0 { opts = append(opts, func(sa *v1.ServiceAccount) error { sa.ImagePullSecrets = pullSecrets return nil }) } } if _, err = kubernetes.CreateOrUpdate(ctx, i.Client, &v1.ServiceAccount{ ... (clipped 6 lines)
Update

Compliance status legend

🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

[sourcery-ai]

Hey there - I've reviewed your changes - here's some feedback:

• handleServiceAccount does not clear existing ImagePullSecrets when the function returns an empty slice or nil on updates—consider explicitly setting or clearing the field to avoid stale secrets.
• MergeImagePullSecrets builds the result using a map, causing non-deterministic ordering; consider preserving a stable order (e.g. base entries first, then overrides) for predictable output.
• The CRD schema additions for ImagePullSecrets are copy-pasted across all component specs—consider factoring out common definitions or using schema templates to reduce repetition.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- handleServiceAccount does not clear existing ImagePullSecrets when the function returns an empty slice or nil on updates—consider explicitly setting or clearing the field to avoid stale secrets.
- MergeImagePullSecrets builds the result using a map, causing non-deterministic ordering; consider preserving a stable order (e.g. base entries first, then overrides) for predictable output.
- The CRD schema additions for ImagePullSecrets are copy-pasted across all component specs—consider factoring out common definitions or using schema templates to reduce repetition.

## Individual Comments

### Comment 1
<location> `api/v1alpha1/securesign_types.go:39-40` </location>
<code_context>
 	//+optional
 	MaxCertChainSize *int64 `json:"maxCertChainSize,omitempty"`
+
+	// ImagePullSecrets is an optional list of references to secrets for pulling container images.
+	//+optional
+	ImagePullSecrets []core.LocalObjectReference `json:"imagePullSecrets,omitempty"`
</code_context>

<issue_to_address>
**suggestion:** ImagePullSecrets field in SecuresignSpec is not marked as optional.

Adding '+optional' to ImagePullSecrets will ensure consistent CRD generation and validation, matching other spec fields.

```suggestion
	// ImagePullSecrets is an optional list of references to secrets for pulling container images.
	//+optional
	ImagePullSecrets []core.LocalObjectReference `json:"imagePullSecrets,omitempty"`
```
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[qodo-code-review]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
High-level	Consolidate ImagePullSecrets into a shared struct To reduce code duplication, move the ImagePullSecrets field from the various component Spec structs into the shared PodRequirements struct, which is already embedded in most of them. Examples: api/v1alpha1/fulcio_types.go [37-39] // ImagePullSecrets is an optional list of references to secrets for pulling container images. //+optional ImagePullSecrets []core.LocalObjectReference `json:"imagePullSecrets,omitempty"` api/v1alpha1/rekor_types.go [63-65] // ImagePullSecrets is an optional list of references to secrets for pulling container images. //+optional ImagePullSecrets []core.LocalObjectReference `json:"imagePullSecrets,omitempty"` Solution Walkthrough: Before: // In api/v1alpha1/fulcio_types.go type FulcioSpec struct { PodRequirements `json:",inline"` // ... other fields ImagePullSecrets []core.LocalObjectReference `json:"imagePullSecrets,omitempty"` } // In api/v1alpha1/rekor_types.go type RekorSpec struct { PodRequirements `json:",inline"` // ... other fields ImagePullSecrets []core.LocalObjectReference `json:"imagePullSecrets,omitempty"` } // ... and so on for other specs After: // In a shared types file (e.g., podrequirements_types.go) type PodRequirements struct { // ... existing fields like Affinity, Resources etc. ImagePullSecrets []core.LocalObjectReference `json:"imagePullSecrets,omitempty"` } // In api/v1alpha1/fulcio_types.go type FulcioSpec struct { PodRequirements `json:",inline"` // ... other fields // ImagePullSecrets is now in PodRequirements } // ... and so on for other specs Suggestion importance[1-10]: 8 __ Why: The suggestion correctly identifies significant code duplication and proposes a valid refactoring that improves the design by centralizing the ImagePullSecrets field into the PodRequirements struct, which is a logical location for it.	Medium
Possible issue	Sort merged secrets for deterministic order To prevent unnecessary reconciliations, sort the merged ImagePullSecrets slice by name to ensure a deterministic order before returning it. internal/utils/collections.go [16-41] // MergeImagePullSecrets merges two lists of ImagePullSecrets func MergeImagePullSecrets(base, override []v1.LocalObjectReference) []v1.LocalObjectReference { if len(base) == 0 && len(override) == 0 { return nil } secrets := make(map[string]v1.LocalObjectReference) addSecrets := func(list []v1.LocalObjectReference) { for _, secret := range list { if secret.Name != "" { secrets[secret.Name] = secret } } } addSecrets(base) addSecrets(override) result := make([]v1.LocalObjectReference, 0, len(secrets)) for _, secret := range secrets { result = append(result, secret) } + // Sort for deterministic order + slices.SortFunc(result, func(a, b v1.LocalObjectReference) int { + return cmp.Compare(a.Name, b.Name) + }) + return result } Apply / Chat Suggestion importance[1-10]: 6 __ Why: The suggestion correctly identifies that iterating over a map in Go is non-deterministic, which could cause unnecessary reconciliations. Sorting the result ensures stable output, improving controller performance and predictability.	Low
General	Return nil for empty merged secrets Standardize the MergeImagePullSecrets function to always return nil when there are no secrets to return, resolving the inconsistent behavior of returning either nil or an empty slice. internal/utils/collections.go [16-41] // MergeImagePullSecrets merges two lists of ImagePullSecrets func MergeImagePullSecrets(base, override []v1.LocalObjectReference) []v1.LocalObjectReference { if len(base) == 0 && len(override) == 0 { return nil } secrets := make(map[string]v1.LocalObjectReference) -... + + addSecrets := func(list []v1.LocalObjectReference) { + for _, secret := range list { + if secret.Name != "" { + secrets[secret.Name] = secret + } + } + } + addSecrets(base) addSecrets(override) + + if len(secrets) == 0 { + return nil + } result := make([]v1.LocalObjectReference, 0, len(secrets)) for _, secret := range secrets { result = append(result, secret) } return result } [To ensure code accuracy, apply this suggestion manually] Suggestion importance[1-10]: 5 __ Why: The suggestion correctly points out an inconsistency in return values (nil vs. empty slice), which can matter in Kubernetes. Standardizing the return value for an empty set of secrets improves code consistency and predictability.	Low
Update

[osmman]

ImagePullSecrets for this CRD behave differently compare to other CRDs. It will require document that behavior and it will be good to provide some tests to not broke it in feature changes.

[knrc]

Yes to documentation, I've already reached out to Aron about creating the docs issues. Or are you referring to having a comment?

I'll add some tests

[knrc]

I add a comment to SecuresignSpec and some higher level tests to complement the lower level ones

[osmman]

Unfortunately adding comment like you dud will not modify CRD's OpenAPI which is main source for documentation of CRDs.

For example:

oc explain securesign.spec

[knrc]

Ah okay, now I understand what you are after. I'll take a look

[knrc]

@osmman crdify is complaining about the extra text, so I've reverted that

[osmman]

I know about the limitations of inlining that is reason why I give you two options how it could be solved. I do not see any changes in SecuresignSpec which will document usage of that parameter for Securesign CRD.

Crdify failures in descriptions aro not problem, these are mainly introduces from kubernetes changes in API spec and most of time could be waived.

[knrc]

okay, I can waive them.

[knrc]

Looking at this previous changes, it seems to be a different issue and I rushed the change while at KubeCon. I'll fix it properly and update the PR.

Update: double checking the change it was correct, so it does need waiving

[knrc]

@osmman I've worked out how to waive the crdify checks for documentation, the PR has been updated to include that change

[osmman]

Please remove context.Context parameter from function. The parameter is not used and I do not expect that will be useful in feature.

[knrc]

It's usually good practice to pass that in, for example many functions may get the logger from the context. This is presumably the reason for canHandle doing the same.

[osmman]

I appreciate the point about passing context.Context for future use cases like logging. However, I'd still recommend removing it for now because there is no current usage. We can easily add it back when need arises.

[knrc]

I'll keep it in, if it needs to be used then I can add logging in

[knrc]

@osmman I decided just to remove the context, as you say this can be added back in future if necessary.

[qodo-code-review]

CI Feedback 🧐

A test triggered by this PR failed. Here is an AI-generated analysis of the failure:

Action: Test upgrade operator

Failed stage: Run tests [❌]

Failed test name: Operator upgrade [It] Upgrade operator

Failure summary: The GitHub Action failed because an end-to-end test timed out during the operator upgrade scenario: - Test suite: "Trusted Artifact Signer E2E Suite" - Failed spec: "Operator upgrade [It] Upgrade operator" - Failure detail: Timed out after 300.001s waiting for a condition to become true - File and line: /home/runner/work/secure-sign-operator/secure-sign-operator/test/e2e/upgrade_test.go:176 - Context shows catalog ready and existing operator version (rhtas-operator version: 1.3.1 ready: true), but the upgrade did not complete within the timeout.

Relevant error logs: 1: Runner name: 'ubuntu-4core_58ed0b012533' 2: Runner group name: 'default' ... 366: configmap/ingress-nginx-controller created 367: service/ingress-nginx-controller created 368: service/ingress-nginx-controller-admission created 369: deployment.apps/ingress-nginx-controller created 370: job.batch/ingress-nginx-admission-create created 371: job.batch/ingress-nginx-admission-patch created 372: ingressclass.networking.k8s.io/nginx created 373: validatingwebhookconfiguration.admissionregistration.k8s.io/ingress-nginx-admission created 374: pod/ingress-nginx-controller-bcdf75cfc-s74tt condition met 375: ##[group]Run # Download the bundle.yaml 376: �[36;1m# Download the bundle.yaml�[0m 377: �[36;1mcurl -sL https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.84.0/bundle.yaml -o bundle.yaml �[0m 378: �[36;1m�[0m 379: �[36;1m# Check if the download was successful and the file is not empty�[0m 380: �[36;1mif [ ! -s "bundle.yaml" ]; then�[0m 381: �[36;1m echo "Error: Downloaded bundle.yaml is empty or failed to download."�[0m 382: �[36;1m exit 1�[0m ... 709: go: downloading github.com/go-openapi/swag v0.23.0 710: go: downloading github.com/google/certificate-transparency-go v1.2.1 711: go: downloading github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 712: go: downloading github.com/sigstore/timestamp-authority v1.2.2 713: go: downloading github.com/transparency-dev/merkle v0.0.2 714: go: downloading golang.org/x/term v0.22.0 715: go: downloading github.com/fsnotify/fsnotify v1.7.0 716: go: downloading github.com/mitchellh/mapstructure v1.5.0 717: go: downloading github.com/sagikazarmark/slog-shim v0.1.0 718: go: downloading github.com/spf13/afero v1.11.0 719: go: downloading github.com/spf13/cast v1.6.0 720: go: downloading github.com/cenkalti/backoff/v3 v3.2.2 721: go: downloading github.com/go-jose/go-jose/v4 v4.0.2 722: go: downloading github.com/hashicorp/errwrap v1.1.0 723: go: downloading github.com/hashicorp/go-cleanhttp v0.5.2 724: go: downloading github.com/hashicorp/go-multierror v1.1.1 725: go: downloading github.com/hashicorp/go-retryablehttp v0.7.7 ... 747: go: downloading github.com/aws/aws-sdk-go-v2/service/sso v1.22.4 748: go: downloading github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.4 749: go: downloading github.com/aws/aws-sdk-go-v2/service/sts v1.30.3 750: go: downloading github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.15 751: go: downloading github.com/containerd/stargz-snapshotter/estargz v0.14.3 752: go: downloading github.com/google/go-cmp v0.6.0 753: go: downloading github.com/docker/docker v26.1.4+incompatible 754: go: downloading github.com/google/go-github/v55 v55.0.0 755: go: downloading golang.org/x/oauth2 v0.22.0 756: go: downloading github.com/xanzy/go-gitlab v0.107.0 757: go: downloading k8s.io/api v0.28.3 758: go: downloading k8s.io/client-go v0.28.3 759: go: downloading github.com/theupdateframework/go-tuf v0.7.0 760: go: downloading k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 761: go: downloading github.com/moby/term v0.5.0 762: go: downloading github.com/go-openapi/errors v0.22.0 763: go: downloading github.com/go-openapi/validate v0.24.0 ... 937: IMG: ghcr.io/securesign/secure-sign-operator:dev-f409266299879ca840ff79f877ea7dc2b39a3f30 938: BUNDLE_IMG: ghcr.io/securesign/secure-sign-operator-bundle:dev-f409266299879ca840ff79f877ea7dc2b39a3f30 939: CATALOG_IMG: ghcr.io/securesign/secure-sign-operator-fbc:dev-f409266299879ca840ff79f877ea7dc2b39a3f30 940: NEW_OLM_CHANNEL: rhtas-operator.v1.4.0 941: OCP_VERSION: v4.19 942: REGISTRY_AUTH_FILE: /tmp/config.json 943: TEST_BASE_CATALOG: registry.redhat.io/redhat/redhat-operator-index:v4.19 944: TEST_TARGET_CATALOG: ghcr.io/securesign/secure-sign-operator-fbc:dev-f409266299879ca840ff79f877ea7dc2b39a3f30 945: ##[endgroup] 946: Running Suite: Trusted Artifact Signer E2E Suite - /home/runner/work/secure-sign-operator/secure-sign-operator/test/e2e 947: ======================================================================================================================= 948: Random Seed: �[1m1764018001�[0m 949: Will run �[1m8�[0m of �[1m8�[0m specs 950: �[38;5;10m•�[0m�[38;5;10m•�[0m�[38;5;10m•�[0m 951: �[38;5;243m------------------------------�[0m 952: �[38;5;9m• [FAILED] [301.383 seconds]�[0m 953: �[0mOperator upgrade �[38;5;9m�[1m[It] Upgrade operator�[0m 954: �[38;5;243m/home/runner/work/secure-sign-operator/secure-sign-operator/test/e2e/upgrade_test.go:158�[0m 955: �[38;5;243mTimeline >>�[0m 956: �[38;5;9m[FAILED]�[0m in [It] - /home/runner/work/secure-sign-operator/secure-sign-operator/test/e2e/upgrade_test.go:176 �[38;5;243m@ 11/24/25 21:09:24.891�[0m 957: ----------------------- Dumping operator resources ----------------------- 958: Catalog: 959: rhtas-operator-catalog ready: true 960: Extension: 961: rhtas-operator version: 1.3.1 ready: true 962: ----------------------- Dumping namespace upgrade-test-qrdfr ----------------------- 963: �[38;5;243m<< Timeline�[0m 964: �[38;5;9m[FAILED] Timed out after 300.001s. 965: Expected 966: <bool>: false 967: to be true�[0m 968: �[38;5;9mIn �[1m[It]�[0m�[38;5;9m at: �[1m/home/runner/work/secure-sign-operator/secure-sign-operator/test/e2e/upgrade_test.go:176�[0m �[38;5;243m@ 11/24/25 21:09:24.891�[0m 969: �[38;5;243m------------------------------�[0m 970: �[38;5;14mS�[0m�[38;5;14mS�[0m�[38;5;14mS�[0m�[38;5;14mS�[0m 971: �[38;5;9m�[1mSummarizing 1 Failure:�[0m 972: �[38;5;9m[FAIL]�[0m �[0mOperator upgrade �[38;5;9m�[1m[It] Upgrade operator�[0m 973: �[38;5;243m/home/runner/work/secure-sign-operator/secure-sign-operator/test/e2e/upgrade_test.go:176�[0m 974: �[38;5;9m�[1mRan 4 of 8 Specs in 563.858 seconds�[0m 975: �[38;5;9m�[1mFAIL!�[0m -- �[38;5;10m�[1m3 Passed�[0m | �[38;5;9m�[1m1 Failed�[0m | �[38;5;11m�[1m0 Pending�[0m | �[38;5;14m�[1m4 Skipped�[0m 976: --- FAIL: TestE2e (563.86s) 977: FAIL ... 980: ? github.com/securesign/operator/test/e2e/support [no test files] 981: ? github.com/securesign/operator/test/e2e/support/condition [no test files] 982: ? github.com/securesign/operator/test/e2e/support/kubernetes [no test files] 983: ? github.com/securesign/operator/test/e2e/support/kubernetes/olm [no test files] 984: ? github.com/securesign/operator/test/e2e/support/steps [no test files] 985: ? github.com/securesign/operator/test/e2e/support/tas [no test files] 986: ? github.com/securesign/operator/test/e2e/support/tas/cli [no test files] 987: ? github.com/securesign/operator/test/e2e/support/tas/ctlog [no test files] 988: ? github.com/securesign/operator/test/e2e/support/tas/fulcio [no test files] 989: ? github.com/securesign/operator/test/e2e/support/tas/rekor [no test files] 990: ? github.com/securesign/operator/test/e2e/support/tas/securesign [no test files] 991: ? github.com/securesign/operator/test/e2e/support/tas/trillian [no test files] 992: ? github.com/securesign/operator/test/e2e/support/tas/tsa [no test files] 993: ? github.com/securesign/operator/test/e2e/support/tas/tuf [no test files] 994: FAIL 995: ##[error]Process completed with exit code 1. 996: ##[group]Run actions/upload-artifact@v4

[osmman]

Suggested change

	// ImagePullSecrets is an optional list of references to secrets for pulling container images.
	// ImagePullSecrets is an optional list of references to secrets in the same namespace
	// to use for pulling container images. If specified, these secrets will be used by the
	// component's ServiceAccount to authenticate to container registries when pulling images.
	// More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod

[osmman]

Suggested change

	ServiceAccountRequirements `json:",inline"`
	// ImagePullSecrets is an optional list of references to secrets in the same namespace
	// to use for pulling container images. These secrets serve as base configuration and
	// will be propagated to all child component CRDs (Rekor, Fulcio, CTLog, TUF, Trillian,
	// and TSA). During component CRD creation, they are merged with component-specific
	// imagePullSecrets (e.g., spec.rekor.imagePullSecrets), with component-specific secrets
	// taking precedence.
	// More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod
	//+optional
	ImagePullSecrets []core.LocalObjectReference `json:"imagePullSecrets,omitempty"`

[osmman]

Suggested change

// Service account settings defined at this level (such as imagePullSecrets) are inherited by all components.