feat(main): add image parameters for air-gapped cases

[Andrey Kolkov (androndo)]

Summary by CodeRabbit

Release Notes

• New Features

  • Added per-cluster etcd image overrides (spec.image: repository, tag, pullPolicy) plus spec.imagePullSecrets to pull member (and restore initContainer) images from private registries.
  • Added an operator-wide default etcd image repository (Helm value/CLI flag) used when no per-cluster override is set.

• Bug Fixes

  • Improved reconciliation and in-place adoption to detect and apply image/pull-secret changes consistently.

• Documentation

  • Updated installation and migration guides for the new override and pull-secret behavior.

• Tests

  • Added unit and end-to-end coverage for image resolution and pull-secret propagation.

[coderabbitai]

Warning

Review limit reached

@androndo, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 34 minutes and 40 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1061a47c-9a8c-4ca9-b251-2ac7c190e710

📥 Commits

Reviewing files that changed from the base of the PR and between dfa8611 and c62e793.

📒 Files selected for processing (21)

• Makefile
• api/v1alpha2/etcdcluster_types.go
• api/v1alpha2/etcdmember_types.go
• api/v1alpha2/zz_generated.deepcopy.go
• charts/etcd-operator/crd-bases/etcd-operator.cozystack.io_etcdclusters.yaml
• charts/etcd-operator/crd-bases/etcd-operator.cozystack.io_etcdmembers.yaml
• charts/etcd-operator/templates/deployment.yaml
• charts/etcd-operator/values.yaml
• controllers/etcdcluster_controller.go
• controllers/etcdmember_controller.go
• controllers/etcdmember_controller_test.go
• controllers/helpers.go
• controllers/helpers_test.go
• docs/installation.md
• docs/migration.md
• hack/e2e.sh
• internal/migrate/adopt.go
• internal/migrate/translate.go
• internal/migrate/translate_test.go
• main.go
• test/e2e/image_override_test.go

📝 Walkthrough

Walkthrough

Adds EtcdImageSpec to the v1alpha2 API, enabling per-cluster etcd image repository, tag, and pull policy overrides and imagePullSecrets. A new resolveEtcdImage helper and EtcdImageRepository field wire operator-wide defaults through EtcdMemberReconciler. Migration tooling preserves legacy image settings, CRD schemas and Helm chart values are extended, and e2e tests validate the full override flow.

Changes

Etcd Image Override and Pull Secrets

Layer / File(s)	Summary
EtcdImageSpec API contracts and deepcopy api/v1alpha2/etcdcluster_types.go, api/v1alpha2/etcdmember_types.go, api/v1alpha2/zz_generated.deepcopy.go	Defines EtcdImageSpec struct with Repository, Tag, PullPolicy; adds Image/ImagePullSecrets fields to EtcdClusterSpec, EtcdMemberSpec, and ObservedClusterSpec; generates deepcopy methods for the new type and updated structs.
CRD OpenAPI schema extensions charts/etcd-operator/crd-bases/etcd-operator.cozystack.io_etcdclusters.yaml, charts/etcd-operator/crd-bases/etcd-operator.cozystack.io_etcdmembers.yaml	Extends EtcdCluster and EtcdMember CRD schemas with spec.image (with pullPolicy enum defaulting to IfNotPresent), spec.imagePullSecrets, and matching status.observed fields.
Helm chart values, deployment env, and Makefile flag injection charts/etcd-operator/values.yaml, charts/etcd-operator/templates/deployment.yaml, Makefile	Adds etcdImage.repository chart value defaulting to quay.io/coreos/etcd, injects ETCD_IMAGE_REPOSITORY env var into the manager Deployment, and enables HELM_EXTRA_ARGS injection in the deploy Makefile target.
resolveEtcdImage helper function controllers/helpers.go	Adds resolveEtcdImage with repository/tag/pullPolicy precedence logic: member spec override, then operator default, then built-in fallback, with version-derived tag default.
EtcdMemberReconciler field, main.go flag, and buildPod integration controllers/etcdmember_controller.go, main.go	Adds EtcdImageRepository field to EtcdMemberReconciler; adds --etcd-image-repository CLI flag wired from ETCD_IMAGE_REPOSITORY env var; updates buildPod to call resolveEtcdImage and wire ImagePullSecrets into Pod spec.
EtcdClusterReconciler image propagation and drift detection controllers/etcdcluster_controller.go	Propagates Image/ImagePullSecrets from cluster spec to member specs during bootstrap and scale-up; latches them in status.observed via snapshotSpecIntoObserved; detects image drift in specEqualsObserved for adoption triggers.
resolveEtcdImage and buildPod unit tests controllers/helpers_test.go, controllers/etcdmember_controller_test.go	Adds TestResolveEtcdImage table-driven test covering all resolution precedence cases and TestBuildPod_ImageOverrideAndPullSecrets verifying Pod spec wiring for default and override scenarios.
Migration translation of legacy image and pull-secret settings internal/migrate/translate.go	Adds etcdImageOverride helper to compute EtcdImageSpec overrides from legacy pod-template images; updates translatePodTemplate to map imagePullSecrets instead of dropping; removes imagePullSecrets from dropped-field warnings.
Migration adoption of image fields internal/migrate/adopt.go	BuildAdoption now populates adopted EtcdMember specs with Image/ImagePullSecrets from legacy cluster; pre-fills adopted EtcdCluster status ObservedClusterSpec with the same values.
Migration image and pull-secret test coverage internal/migrate/translate_test.go	Adds TestTranslateCluster_ImageAndPullSecrets with subtests covering mirror registry preservation, tag handling, digest-pinned image recovery, and upstream-default cases; validates imagePullSecrets propagation without warnings.
E2E test for operator-wide and per-cluster image resolution test/e2e/image_override_test.go	Adds TestEtcdImageOverride to validate operator-wide default image resolution and per-cluster spec.image override precedence; includes helpers for cluster creation, Pod lookup, and container image extraction; asserts imagePullSecrets propagation to member Pods.
E2E infrastructure and hack/e2e.sh image mirror setup hack/e2e.sh	Preloads upstream etcd image, retags for mirror registries, side-loads into kind, and passes HELM_EXTRA_ARGS to set etcdImage.repository operator default during deployment.
Installation and migration documentation updates docs/installation.md, docs/migration.md	Updates installation.md with two-level mirror model documentation (chart-wide etcdImage.repository vs per-cluster spec.image overrides), documents new Helm values, and clarifies imagePullSecrets scope; updates migration.md to document image and pull-secret preservation.

Sequence Diagram(s)

sequenceDiagram
  participant User as User/Helm
  participant Operator as etcd-operator (main.go)
  participant ClusterCtrl as EtcdClusterReconciler
  participant MemberCtrl as EtcdMemberReconciler
  participant resolveEtcdImage as resolveEtcdImage helper
  participant Pod as etcd member Pod

  User->>Operator: --etcd-image-repository (ETCD_IMAGE_REPOSITORY env)
  Operator->>MemberCtrl: EtcdImageRepository field set
  User->>ClusterCtrl: EtcdCluster with spec.image / spec.imagePullSecrets
  ClusterCtrl->>ClusterCtrl: snapshotSpecIntoObserved (latches Image + ImagePullSecrets)
  ClusterCtrl->>ClusterCtrl: specEqualsObserved detects image drift
  ClusterCtrl->>MemberCtrl: EtcdMember.Spec.Image + ImagePullSecrets propagated
  MemberCtrl->>resolveEtcdImage: resolveEtcdImage(member, EtcdImageRepository)
  resolveEtcdImage-->>MemberCtrl: resolved image string + pullPolicy
  MemberCtrl->>Pod: container.Image, ImagePullPolicy, spec.ImagePullSecrets

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• cozystack/etcd-operator#328: Both PRs modify the Makefile's Helm-driven deploy target; this PR further extends that same command to inject $(HELM_EXTRA_ARGS).

Suggested reviewers

• kvaps
• Kirill-Garbar
• BROngineer
• lllamnyp

Poem

🐇 Hops through registries, near and far,
Mirrors reflect each etcd star.
With image specs and pull-secret keys,
Air-gapped clusters do as they please!
No more hard-coded image strings—
Override with whatever the operator brings. 🌟

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 72.73% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately reflects the main feature: adding image parameters (repository, tag, pull policy, pull secrets) to support air-gapped/mirrored registry scenarios across the codebase.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/overrides-for-airgappeed-envs

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[gemini-code-assist]

Code Review

This pull request introduces support for custom etcd container images and image pull secrets, primarily targeting air-gapped environments. It adds image and imagePullSecrets fields to EtcdCluster, ObservedCluster, and EtcdMember specs, allowing both operator-wide default overrides (via the --etcd-image-repository flag or Helm chart values) and per-cluster overrides. It also updates the migration logic to preserve custom images and pull secrets from legacy configurations, adds comprehensive unit and end-to-end tests, and updates the documentation. There are no review comments to provide feedback on.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/e2e/image_override_test.go`:
- Around line 76-80: The test assertion checking the pull policy on line 78 is
incorrect because it expects an empty string, but Kubernetes API server defaults
imagePullPolicy to IfNotPresent when the field is omitted and the image tag is
fixed (non-:latest). Since etcdMemberImage reads the actual persisted Pod from
the cluster, it will return the Kubernetes-defaulted value IfNotPresent, not an
empty string. Update the assertion condition from policy != "" to expect policy
== "IfNotPresent" instead, and update the error message to reflect that
IfNotPresent is the expected Kubernetes-defaulted behavior.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 956b0115-4973-464f-8ee9-2122df51fdea

📥 Commits

Reviewing files that changed from the base of the PR and between c35ee67 and e6fbd9e.

📒 Files selected for processing (21)

• Makefile
• api/v1alpha2/etcdcluster_types.go
• api/v1alpha2/etcdmember_types.go
• api/v1alpha2/zz_generated.deepcopy.go
• charts/etcd-operator/crd-bases/etcd-operator.cozystack.io_etcdclusters.yaml
• charts/etcd-operator/crd-bases/etcd-operator.cozystack.io_etcdmembers.yaml
• charts/etcd-operator/templates/deployment.yaml
• charts/etcd-operator/values.yaml
• controllers/etcdcluster_controller.go
• controllers/etcdmember_controller.go
• controllers/etcdmember_controller_test.go
• controllers/helpers.go
• controllers/helpers_test.go
• docs/installation.md
• docs/migration.md
• hack/e2e.sh
• internal/migrate/adopt.go
• internal/migrate/translate.go
• internal/migrate/translate_test.go
• main.go
• test/e2e/image_override_test.go

[Timofei Larkin (lllamnyp)]

Request changes — narrow this to the operator-wide repository flag (+ pull secrets)

Thanks for tackling the air-gap case. The operator-wide repository default is the right primitive and I want to merge that part. But the per-cluster spec.image block introduces a second source of truth for the etcd version that can silently disagree with spec.version, and that's not something I'm willing to take on. Concretely:

Keep:

• --etcd-image-repository / ETCD_IMAGE_REPOSITORY on the binary, the chart's etcdImage.repository value, and the env wiring in the Deployment.
• spec.imagePullSecrets (cluster → member mirror, status.observed latching, and the migrate carry-through). A private mirror needs credentials, and pull secrets have none of the version-ambiguity problem below — they only affect whether the pull authenticates, never what version runs.

The repository flag cleanly serves the mirror-once-per-fleet case: it only changes where the image is pulled from, never what version runs.

Please drop (for now):

• EtcdCluster.spec.image (EtcdImageSpec — repository, tag, pullPolicy) and its mirror on EtcdMember.spec.image
• the status.observed.image latching and the resolveEtcdImage tag/pull-policy handling
• the migrate etcdImageOverride reconstruction

The blocking problem is spec.image.tag. The operator treats spec.version as the source of truth for the running etcd version — it's injected as ETCD_VERSION and drives the restore version-compat pre-flight, the latched target, and drift detection. spec.image.tag feeds none of that; it only changes the pulled reference. So a spec where image.tag resolves to a different minor than spec.version is internally contradictory: the container runs one version while the operator reasons about another. Nothing validates that they agree, and the most damaging consequence lands exactly on the air-gap path this PR targets — the restore initContainer rebuilds the data dir to spec.version's format, then a mismatched binary boots on it. Adding a second, unvalidated way to set the version is a footgun I'd rather not introduce, even guarded by docs.

---

Future work (not blocking — please open issues, don't fold into this PR):

1. Observed member version in status. spec.version communicates intent but is currently relied on as the source of truth. The member should determine the etcd version it's actually running at runtime and write it to its status; the operator's version-dependent logic should key off that observed value, not the spec field. This is the principled fix for the conflict above and would make a version override safe to reconsider later.

2. Multi-version restore agent. The restore agent ships a single compiled etcdutl (3.6.x in this build), so restore is silently pinned to the operator's own etcd minor regardless of spec.version. If we want the operator to support running multiple etcd versions, the restore agent needs to run a matching etcdutl per target version too — otherwise restore is unsupported for any cluster off the operator's minor.