
fix(operator): make manager Deployment OCI-only #13

Closed. CMGS wants to merge 1 commit into main from fix/operator-oci-deploy-manifest


CMGS commented Jul 1, 2026

Contributor

Problem

main.go's buildRegistry() was switched to OCI-only: it now requires the OCI_REGISTRY env var (errors.New("OCI_REGISTRY must be set") when empty) and no longer reads EPOCH_URL. But the kustomize manager Deployment still set the removed EPOCH_URL env and never set OCI_REGISTRY, so any fresh install (kubectl apply -k config/default/) started an operator that immediately fatals.

Stale: config/manager/deployment.yaml:32 EPOCH_URL env pointing at http://epoch.cocoon-system.svc:8080. It was the only lingering epoch reference in config/.

Fix

config/manager/deployment.yaml:

  • Removed the stale EPOCH_URL env.
  • Added OCI_REGISTRY=asia-southeast1-docker.pkg.dev/simular-note/cocoon-artifacts.
  • Wired GCP ADC auth for Artifact Registry (roles/artifactregistry.writer, needed by HasManifest/DeleteManifest): a gcp-ar-writer-key volume from Secret cocoon-ar-writer-key, a read-only mount at /var/run/secrets/gcp, and GOOGLE_APPLICATION_CREDENTIALS=/var/run/secrets/gcp/key.json. google.Keychain resolves this via ADC.

The Secret is created out-of-band at deploy time; no key material is committed.

Proof

kubectl kustomize config/default/ renders cleanly with OCI_REGISTRY + GOOGLE_APPLICATION_CREDENTIALS + the secret volume/mount, and zero epoch references (grep -ic epoch on the full render → 0).

Replace the stale EPOCH_URL env with OCI_REGISTRY and wire GCP ADC auth
for Artifact Registry so the OCI-only operator can start. Mount the
cocoon-ar-writer-key Secret and point GOOGLE_APPLICATION_CREDENTIALS at
it for artifactregistry.writer access.

CMGS commented Jul 1, 2026

Contributor Author

Superseded: change landed directly on main as 9a5d5e0 per updated plan (commit-to-main, no PR).

CMGS closed this Jul 1, 2026
CMGS deleted the fix/operator-oci-deploy-manifest branch July 1, 2026 09:01
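
The invariants the PR description lists for the rendered manager Deployment (no EPOCH_URL, OCI_REGISTRY set, GOOGLE_APPLICATION_CREDENTIALS pointing under a read-only mount of the cocoon-ar-writer-key Secret), written as a pre-apply lint. This is an added example, not code from this PR or the project; the function name lint_manager, the container name manager and the dict layout of the sample are assumptions, and the sample Deployment is constructed from the values quoted in the description.

```python
# Constructed sample: the pod spec as the PR description says it should render.
DEPLOYMENT = {
    "spec": {"template": {"spec": {
        "containers": [{
            "name": "manager",  # assumed container name
            "env": [
                {"name": "OCI_REGISTRY",
                 "value": "asia-southeast1-docker.pkg.dev/simular-note/cocoon-artifacts"},
                {"name": "GOOGLE_APPLICATION_CREDENTIALS",
                 "value": "/var/run/secrets/gcp/key.json"},
            ],
            "volumeMounts": [{"name": "gcp-ar-writer-key",
                              "mountPath": "/var/run/secrets/gcp", "readOnly": True}],
        }],
        "volumes": [{"name": "gcp-ar-writer-key",
                     "secret": {"secretName": "cocoon-ar-writer-key"}}],
    }}},
}


def lint_manager(deploy, secret_name="cocoon-ar-writer-key"):
    """Return a list of findings; an empty list means the manifest passes."""
    pod = deploy["spec"]["template"]["spec"]
    secret_vols = {v["name"] for v in pod.get("volumes", [])
                   if v.get("secret", {}).get("secretName") == secret_name}
    findings = []
    for c in pod["containers"]:
        env = {e["name"]: e for e in c.get("env", [])}
        if "EPOCH_URL" in env:
            findings.append(f"{c['name']}: stale EPOCH_URL env still set")
        if not env.get("OCI_REGISTRY", {}).get("value"):
            findings.append(f"{c['name']}: OCI_REGISTRY missing or not a literal value")
        cred = env.get("GOOGLE_APPLICATION_CREDENTIALS", {})
        if "valueFrom" in cred or not cred.get("value"):
            findings.append(f"{c['name']}: credentials env must be a literal file path")
            continue
        # The key file path must sit under a mount backed by the expected Secret.
        mounts = [m for m in c.get("volumeMounts", [])
                  if m["name"] in secret_vols
                  and cred["value"].startswith(m["mountPath"].rstrip("/") + "/")]
        if not mounts:
            findings.append(f"{c['name']}: credential path is not under the {secret_name} mount")
        elif not all(m.get("readOnly") for m in mounts):
            findings.append(f"{c['name']}: key mount is not readOnly")
    return findings


if __name__ == "__main__":
    print(lint_manager(DEPLOYMENT) or "ok")
```
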