fix: create imagePullSecret in deployment namespace, not default

create_registry_secret() hardcoded namespace="default" but deployments now run in dedicated laconic-* namespaces. The secret was invisible to pods in the deployment namespace, causing 401 on GHCR pulls. Accept namespace as parameter, passed from deploy_k8s.py which knows the correct namespace. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 19:08:52 +00:00 · 2026-03-18 19:08:52 +00:00 · ba39c991f1
commit ba39c991f1
parent 0b3e5559d0
2 changed files with 7 additions and 3 deletions
--- a/stack_orchestrator/deploy/deployment_create.py
+++ b/stack_orchestrator/deploy/deployment_create.py
@ -577,7 +577,9 @@ def _generate_and_store_secrets(config_vars: dict, deployment_name: str):
    return secrets


-def create_registry_secret(spec: Spec, deployment_name: str) -> Optional[str]:
+def create_registry_secret(
+    spec: Spec, deployment_name: str, namespace: str = "default"
+) -> Optional[str]:
    """Create K8s docker-registry secret from spec + environment.

    Reads registry configuration from spec.yml and creates a Kubernetes
@ -586,6 +588,7 @@ def create_registry_secret(spec: Spec, deployment_name: str) -> Optional[str]:
    Args:
        spec: The deployment spec containing image-registry config
        deployment_name: Name of the deployment (used for secret naming)
+        namespace: K8s namespace to create the secret in

    Returns:
        The secret name if created, None if no registry config
@ -633,7 +636,6 @@ def create_registry_secret(spec: Spec, deployment_name: str) -> Optional[str]:
            return None

    v1 = client.CoreV1Api()
-    namespace = "default"

    k8s_secret = client.V1Secret(
        metadata=client.V1ObjectMeta(name=secret_name),
--- a/stack_orchestrator/deploy/k8s/deploy_k8s.py
+++ b/stack_orchestrator/deploy/k8s/deploy_k8s.py
@ -541,7 +541,9 @@ class K8sDeployer(Deployer):
        # Create registry secret if configured
        from stack_orchestrator.deploy.deployment_create import create_registry_secret

-        create_registry_secret(self.cluster_info.spec, self.cluster_info.app_name)
+        create_registry_secret(
+            self.cluster_info.spec, self.cluster_info.app_name, self.k8s_namespace
+        )

        self._create_volume_data()
        self._create_deployment()