Fix registry secret created in wrong namespace (#998)

`create_registry_secret()` was hardcoded to use the "default" namespace,
but pods are deployed to the spec's configured namespace. The secret
must be in the same namespace as the pods for `imagePullSecrets` to work.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Reviewed-on: #998
Co-authored-by: Prathamesh Musale <prathamesh.musale0@gmail.com>
Co-committed-by: Prathamesh Musale <prathamesh.musale0@gmail.com>

stack_orchestrator/deploy/deployment_create.py

@@ -577,7 +577,7 @@ def _generate_and_store_secrets(config_vars: dict, deployment_name: str):
     return secrets
 
 
-def create_registry_secret(spec: Spec, deployment_name: str) -> Optional[str]:
+def create_registry_secret(spec: Spec, deployment_name: str, namespace: str = "default") -> Optional[str]:
     """Create K8s docker-registry secret from spec + environment.
 
     Reads registry configuration from spec.yml and creates a Kubernetes
@@ -586,6 +586,7 @@ def create_registry_secret(spec: Spec, deployment_name: str) -> Optional[str]:
     Args:
         spec: The deployment spec containing image-registry config
         deployment_name: Name of the deployment (used for secret naming)
+        namespace: Kubernetes namespace to create the secret in
 
     Returns:
         The secret name if created, None if no registry config
@@ -633,7 +634,6 @@ def create_registry_secret(spec: Spec, deployment_name: str) -> Optional[str]:
             return None
 
     v1 = client.CoreV1Api()
-    namespace = "default"
 
     k8s_secret = client.V1Secret(
         metadata=client.V1ObjectMeta(name=secret_name),

stack_orchestrator/deploy/k8s/cluster_info.py

@@ -161,70 +161,66 @@ class ClusterInfo:
         return nodeports
 
     def get_ingress(
-        self, use_tls=False, certificates=None, cluster_issuer="letsencrypt-prod"
+        self, use_tls=False, certificate=None, cluster_issuer="letsencrypt-prod"
     ):
         # No ingress for a deployment that has no http-proxy defined, for now
         http_proxy_info_list = self.spec.get_http_proxy()
         ingress = None
         if http_proxy_info_list:
+            # TODO: handle multiple definitions
+            http_proxy_info = http_proxy_info_list[0]
+            if opts.o.debug:
+                print(f"http-proxy: {http_proxy_info}")
+            # TODO: good enough parsing for webapp deployment for now
+            host_name = http_proxy_info["host-name"]
             rules = []
-            tls = [] if use_tls else None
+            tls = (
-
+                [
-            for http_proxy_info in http_proxy_info_list:
+                    client.V1IngressTLS(
+                        hosts=certificate["spec"]["dnsNames"]
+                        if certificate
+                        else [host_name],
+                        secret_name=certificate["spec"]["secretName"]
+                        if certificate
+                        else f"{self.app_name}-tls",
+                    )
+                ]
+                if use_tls
+                else None
+            )
+            paths = []
+            for route in http_proxy_info["routes"]:
+                path = route["path"]
+                proxy_to = route["proxy-to"]
                 if opts.o.debug:
-                    print(f"http-proxy: {http_proxy_info}")
+                    print(f"proxy config: {path} -> {proxy_to}")
-                host_name = http_proxy_info["host-name"]
+                # proxy_to has the form <service>:<port>
-                certificate = (certificates or {}).get(host_name)
+                proxy_to_port = int(proxy_to.split(":")[1])
-
+                paths.append(
-                if use_tls:
+                    client.V1HTTPIngressPath(
-                    tls.append(
+                        path_type="Prefix",
-                        client.V1IngressTLS(
+                        path=path,
-                            hosts=certificate["spec"]["dnsNames"]
+                        backend=client.V1IngressBackend(
-                            if certificate
+                            service=client.V1IngressServiceBackend(
-                            else [host_name],
+                                # TODO: this looks wrong
-                            secret_name=certificate["spec"]["secretName"]
+                                name=f"{self.app_name}-service",
-                            if certificate
+                                # TODO: pull port number from the service
-                            else f"{self.app_name}-{host_name}-tls",
+                                port=client.V1ServiceBackendPort(number=proxy_to_port),
-                        )
+                            )
-                    )
+                        ),
-
-                paths = []
-                for route in http_proxy_info["routes"]:
-                    path = route["path"]
-                    proxy_to = route["proxy-to"]
-                    if opts.o.debug:
-                        print(f"proxy config: {path} -> {proxy_to}")
-                    # proxy_to has the form <service>:<port>
-                    proxy_to_port = int(proxy_to.split(":")[1])
-                    paths.append(
-                        client.V1HTTPIngressPath(
-                            path_type="Prefix",
-                            path=path,
-                            backend=client.V1IngressBackend(
-                                service=client.V1IngressServiceBackend(
-                                    # TODO: this looks wrong
-                                    name=f"{self.app_name}-service",
-                                    # TODO: pull port number from the service
-                                    port=client.V1ServiceBackendPort(
-                                        number=proxy_to_port
-                                    ),
-                                )
-                            ),
-                        )
-                    )
-                rules.append(
-                    client.V1IngressRule(
-                        host=host_name,
-                        http=client.V1HTTPIngressRuleValue(paths=paths),
                     )
                 )
-
+            rules.append(
+                client.V1IngressRule(
+                    host=host_name, http=client.V1HTTPIngressRuleValue(paths=paths)
+                )
+            )
             spec = client.V1IngressSpec(tls=tls, rules=rules)
 
             ingress_annotations = {
                 "kubernetes.io/ingress.class": "caddy",
             }
-            if not certificates:
+            if not certificate:
                 ingress_annotations["cert-manager.io/cluster-issuer"] = cluster_issuer
 
             ingress = client.V1Ingress(

stack_orchestrator/deploy/k8s/deploy_k8s.py

@@ -504,7 +504,7 @@ class K8sDeployer(Deployer):
         # Create registry secret if configured
         from stack_orchestrator.deploy.deployment_create import create_registry_secret
 
-        create_registry_secret(self.cluster_info.spec, self.cluster_info.app_name)
+        create_registry_secret(self.cluster_info.spec, self.cluster_info.app_name, self.k8s_namespace)
 
         self._create_volume_data()
         self._create_deployment()
@@ -513,19 +513,17 @@ class K8sDeployer(Deployer):
         http_proxy_info = self.cluster_info.spec.get_http_proxy()
         # Note: we don't support tls for kind (enabling tls causes errors)
         use_tls = http_proxy_info and not self.is_kind()
-        certificates = None
+        certificate = (
-        if use_tls:
+            self._find_certificate_for_host_name(http_proxy_info[0]["host-name"])
-            certificates = {}
+            if use_tls
-            for proxy in http_proxy_info:
+            else None
-                host_name = proxy["host-name"]
+        )
-                cert = self._find_certificate_for_host_name(host_name)
+        if opts.o.debug:
-                if cert:
+            if certificate:
-                    certificates[host_name] = cert
+                print(f"Using existing certificate: {certificate}")
-                    if opts.o.debug:
-                        print(f"Using existing certificate for {host_name}: {cert}")
 
         ingress = self.cluster_info.get_ingress(
-            use_tls=use_tls, certificates=certificates
+            use_tls=use_tls, certificate=certificate
         )
         if ingress:
             if opts.o.debug: