feat: add impress image mirroring and docs secret seeding

images.py: extend AMD64_ONLY_IMAGES with the three impress (La Suite Docs) images — impress-backend, impress-frontend, impress-y-provider. Always pull the amd64 manifest + layers by digest unconditionally before the blob check; the prior guard skipped the pull when the index blob was present but layers were missing, causing the OCI import to fail on arm64 hosts. secrets.py: add docs KV path (django-secret-key, collaboration-secret) to _seed_openbao so a fresh sunbeam seed generates all required credentials for the impress deployment.
2026-03-03 14:23:42 +00:00
parent 14dd685398
commit de12847cf1
2 changed files with 24 additions and 13 deletions
--- a/sunbeam/images.py
+++ b/sunbeam/images.py
@@ -15,8 +15,11 @@ MANAGED_NS = ["data", "devtools", "ingress", "lasuite", "media", "ory", "storage
              "vault-secrets-operator"]

 AMD64_ONLY_IMAGES = [
-    ("docker.io/lasuite/people-backend:latest",  "studio", "people-backend",  "latest"),
-    ("docker.io/lasuite/people-frontend:latest", "studio", "people-frontend", "latest"),
+    ("docker.io/lasuite/people-backend:latest",    "studio", "people-backend",    "latest"),
+    ("docker.io/lasuite/people-frontend:latest",   "studio", "people-frontend",   "latest"),
+    ("docker.io/lasuite/impress-backend:latest",   "studio", "impress-backend",   "latest"),
+    ("docker.io/lasuite/impress-frontend:latest",  "studio", "impress-frontend",  "latest"),
+    ("docker.io/lasuite/impress-y-provider:latest","studio", "impress-y-provider","latest"),
 ]

 _MIRROR_SCRIPT_BODY = r'''
@@ -137,17 +140,20 @@ def process(src, tgt, user, pwd):

    amd64_hex = amd64["digest"].replace("sha256:", "")

+    # Always pull by digest with --platform linux/amd64 to ensure all layer
+    # blobs are downloaded to the content store (the index pull in step 1 only
+    # fetches the manifest blob, not the layers, on an arm64 host).
+    print("    pulling amd64 manifest + layers by digest...")
+    repo_base = src.rsplit(":", 1)[0]
+    subprocess.run(
+        ["ctr", "-n", "k8s.io", "images", "pull",
+         "--platform", "linux/amd64",
+         f"{repo_base}@sha256:{amd64_hex}"],
+        capture_output=True,
+    )
    if not blob_exists(amd64_hex):
-        print("    pulling amd64 manifest + layers by digest...")
-        repo_base = src.rsplit(":", 1)[0]
-        subprocess.run(
-            ["ctr", "-n", "k8s.io", "images", "pull",
-             f"{repo_base}@sha256:{amd64_hex}"],
-            capture_output=True,
-        )
-        if not blob_exists(amd64_hex):
-            print("    failed: amd64 manifest blob missing after pull")
-            return
+        print("    failed: amd64 manifest blob missing after pull")
+        return

    amd64_bytes = read_blob(amd64_hex)