Feat(addon): Store addon registry tokens in Secrets (#6935)

* feat(addon): Store addon registry tokens in Secrets

Previously, addon registry tokens were stored in plaintext within the 'vela-addon-registry' ConfigMap. This is not a secure practice for sensitive data.

This commit refactors the addon registry functionality to store tokens in Kubernetes Secrets. The ConfigMap now only contains a reference to the secret name, while the token itself is stored securely.

This change includes:
- Creating/updating secrets when a registry is added/updated.
- Loading tokens from secrets when a registry is listed/retrieved.
- Deleting secrets when a registry is deleted.

Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>

* test(addon): Add tests for registry token secret storage

This commit introduces a comprehensive test suite for the addon registry feature.

It includes:
- Isolated unit tests for each CRUD operation (Add, Update, List, Get, Delete) to ensure each function works correctly in isolation.
- A stateful integration test to validate the complete lifecycle of an addon registry from creation to deletion.

The tests verify that tokens are handled correctly via Kubernetes Secrets, confirming the implementation of the secure token storage feature.

Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>

* feat(addon): improve addon registry robustness and fix bugs

This commit introduces several improvements to the addon registry to make it more robust and fixes several bugs.

- When updating a secret, the existing secret is now fetched and updated to avoid potential conflicts.
- Deleting a non-existent registry now returns no error, making the operation idempotent.
- Getting a non-existent registry now returns a structured not-found error.
- Loading a token from a non-existent secret is now handled gracefully.
- When setting a token directly on a git-based addon source, the token secret reference is now cleared.
- The token secret reference is now correctly copied in `SafeCopy`.

Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>

* Refactor(addon): Fix secret deletion and improve registry logic

This commit refactors the addon registry data store to fix a critical bug where deleting an addon registry would not delete its associated token secret.

The root cause was that the `GetRegistry` function, which was used by `DeleteRegistry`, would load the token from the secret and then clear the `TokenSecretRef` field on the in-memory object. This meant that when `DeleteRegistry` tried to find the secret to delete, the reference was already gone.

This has been fixed by:
1. Introducing a central `getRegistries` helper function to read the raw registry data from the ConfigMap.
2. Refactoring all data store methods (`List`, `Get`, `Add`, `Update`, `Delete`) to use this central helper, removing duplicate code.
3. Ensuring `DeleteRegistry` uses the raw, unmodified registry data so that the `TokenSecretRef` is always available for deletion.

Additionally, comprehensive unit tests for the new helper functions (`getRegistries`, `loadTokenFromSecret`, `createOrUpdateTokenSecret`) have been added to verify the fix and improve overall code quality and stability.

Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>

* feat(addon): improve addon registry token security and logging

This commit enhances the security and observability of addon registry token handling.

- Adds a warning message to users when an insecure inline token is detected in an addon registry configuration, prompting them to migrate to a more secure secret-based storage.
- Implements info-level logging to create an audit trail for token migrations, providing administrators with visibility into security-related events.
- Refactors the token migration logic into a new `migrateInlineTokenToSecret` function, improving code clarity and maintainability.
- Introduces unit tests for the `TokenSource` interface methods and the `GetTokenSource` function to ensure correctness and prevent regressions.

Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>

* Chore: remove comments to triger ci

Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>

---------

Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>

pkg/addon/registry.go

@@ -24,14 +24,43 @@ import (
 	v1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
 
 	velatypes "github.com/oam-dev/kubevela/apis/types"
 )
 
 const registryConfigMapName = "vela-addon-registry"
 const registriesKey = "registries"
+const tokenSecretNamePrefix = "addon-registry-"
+
+// TokenSource is an interface for addon source that has token
+type TokenSource interface {
+	// GetToken return the token of the source
+	GetToken() string
+	// SetToken set the token of the source
+	SetToken(string)
+	// SetTokenSecretRef set the token secret ref to the source
+	SetTokenSecretRef(string)
+	// GetTokenSecretRef return the token secret ref of the source
+	GetTokenSecretRef() string
+}
+
+// GetTokenSource return the token source of the registry
+func (r *Registry) GetTokenSource() TokenSource {
+	if r.Git != nil {
+		return r.Git
+	}
+	if r.Gitee != nil {
+		return r.Gitee
+	}
+	if r.Gitlab != nil {
+		return r.Gitlab
+	}
+	return nil
+}
 
 // Registry represent a addon registry model
 type Registry struct {
@@ -62,28 +91,49 @@ type registryImpl struct {
 	client client.Client
 }
 
-func (r registryImpl) ListRegistries(ctx context.Context) ([]Registry, error) {
+// getRegistries is a helper to fetch and unmarshal all registries from the ConfigMap
+func (r registryImpl) getRegistries(ctx context.Context) (map[string]Registry, *v1.ConfigMap, error) {
 	cm := &v1.ConfigMap{}
-	if err := r.client.Get(ctx, types.NamespacedName{Namespace: velatypes.DefaultKubeVelaNS, Name: registryConfigMapName}, cm); err != nil {
-		return nil, err
+	err := r.client.Get(ctx, types.NamespacedName{Namespace: velatypes.DefaultKubeVelaNS, Name: registryConfigMapName}, cm)
+	if err != nil {
+		return nil, nil, err
 	}
 	if _, ok := cm.Data[registriesKey]; !ok {
-		return nil, NewAddonError("Error addon registry configmap registry-key not exist")
+		return nil, nil, NewAddonError("error addon registry configmap registry-key not exist")
 	}
 	registries := map[string]Registry{}
 	if err := json.Unmarshal([]byte(cm.Data[registriesKey]), &registries); err != nil {
+		return nil, cm, err
+	}
+	return registries, cm, nil
+}
+
+func (r registryImpl) ListRegistries(ctx context.Context) ([]Registry, error) {
+	registries, _, err := r.getRegistries(ctx)
+	if err != nil {
+		if apierrors.IsNotFound(err) {
+			return []Registry{}, nil
+		}
 		return nil, err
 	}
+
 	var res []Registry
 	for _, registry := range registries {
+		if err := loadTokenFromSecret(ctx, r.client, &registry); err != nil {
+			return nil, err
+		}
 		res = append(res, registry)
 	}
 	return res, nil
 }
 
 func (r registryImpl) AddRegistry(ctx context.Context, registry Registry) error {
-	cm := &v1.ConfigMap{}
-	if err := r.client.Get(ctx, types.NamespacedName{Namespace: velatypes.DefaultKubeVelaNS, Name: registryConfigMapName}, cm); err != nil {
+	if err := createOrUpdateTokenSecret(ctx, r.client, &registry); err != nil {
+		return err
+	}
+
+	registries, cm, err := r.getRegistries(ctx)
+	if err != nil {
 		if apierrors.IsNotFound(err) {
 			b, err := json.Marshal(map[string]Registry{
 				registry.Name: registry,
@@ -91,7 +141,7 @@ func (r registryImpl) AddRegistry(ctx context.Context, registry Registry) error
 			if err != nil {
 				return err
 			}
-			cm = &v1.ConfigMap{
+			cm := &v1.ConfigMap{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      registryConfigMapName,
 					Namespace: velatypes.DefaultKubeVelaNS,
@@ -104,48 +154,110 @@ func (r registryImpl) AddRegistry(ctx context.Context, registry Registry) error
 		}
 		return err
 	}
-	registries := map[string]Registry{}
-	if err := json.Unmarshal([]byte(cm.Data[registriesKey]), &registries); err != nil {
-		return err
-	}
+
 	registries[registry.Name] = registry
 	b, err := json.Marshal(registries)
 	if err != nil {
 		return err
 	}
-	cm.Data = map[string]string{
-		registriesKey: string(b),
-	}
+	cm.Data[registriesKey] = string(b)
 	return r.client.Update(ctx, cm)
 }
 
+// createOrUpdateTokenSecret will create or update a secret to store registry token
+func createOrUpdateTokenSecret(ctx context.Context, cli client.Client, registry *Registry) error {
+	source := registry.GetTokenSource()
+	if source == nil {
+		return nil
+	}
+	token := source.GetToken()
+	if token == "" {
+		return nil
+	}
+	return migrateInlineTokenToSecret(ctx, cli, registry, source, token)
+}
+
+// migrateInlineTokenToSecret will migrate an inline token to a secret.
+// It will take the token from the registry object, create/update a secret, and set the secret ref on the registry object.
+func migrateInlineTokenToSecret(ctx context.Context, cli client.Client, registry *Registry, source TokenSource, token string) error {
+	log := logf.FromContext(ctx)
+	secretName := tokenSecretNamePrefix + registry.Name
+	source.SetTokenSecretRef(secretName)
+
+	secret := &v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      secretName,
+			Namespace: velatypes.DefaultKubeVelaNS,
+		},
+		Type: v1.SecretTypeOpaque,
+		Data: map[string][]byte{
+			"token": []byte(token),
+		},
+	}
+
+	err := cli.Create(ctx, secret)
+	if err != nil {
+		if apierrors.IsAlreadyExists(err) {
+			existingSecret := &v1.Secret{}
+			if err := cli.Get(ctx, types.NamespacedName{Name: secretName, Namespace: velatypes.DefaultKubeVelaNS}, existingSecret); err != nil {
+				return err
+			}
+			existingSecret.Data = secret.Data
+			if err := cli.Update(ctx, existingSecret); err != nil {
+				return err
+			}
+			log.Info("Successfully updated secret for addon registry token", "registry", registry.Name, "secret", secretName)
+			return nil
+		}
+		return err
+	}
+	log.Info("Successfully created secret for addon registry token", "registry", registry.Name, "secret", secretName)
+	return nil
+}
+
 func (r registryImpl) DeleteRegistry(ctx context.Context, name string) error {
-	cm := &v1.ConfigMap{}
-	if err := r.client.Get(ctx, types.NamespacedName{Namespace: velatypes.DefaultKubeVelaNS, Name: registryConfigMapName}, cm); err != nil {
+	registries, cm, err := r.getRegistries(ctx)
+	if err != nil {
+		if apierrors.IsNotFound(err) {
+			return nil
+		}
 		return err
 	}
-	registries := map[string]Registry{}
-	if err := json.Unmarshal([]byte(cm.Data[registriesKey]), &registries); err != nil {
-		return err
+
+	reg, ok := registries[name]
+	if !ok {
+		return nil
 	}
+
+	if source := reg.GetTokenSource(); source != nil {
+		if secretName := source.GetTokenSecretRef(); secretName != "" {
+			secret := &v1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      secretName,
+					Namespace: velatypes.DefaultKubeVelaNS,
+				},
+			}
+			if err := r.client.Delete(ctx, secret); err != nil && !apierrors.IsNotFound(err) {
+				return err
+			}
+		}
+	}
+
 	delete(registries, name)
 	b, err := json.Marshal(registries)
 	if err != nil {
 		return err
 	}
-	cm.Data = map[string]string{
-		registriesKey: string(b),
-	}
+	cm.Data[registriesKey] = string(b)
 	return r.client.Update(ctx, cm)
 }
 
 func (r registryImpl) UpdateRegistry(ctx context.Context, registry Registry) error {
-	cm := &v1.ConfigMap{}
-	if err := r.client.Get(ctx, types.NamespacedName{Namespace: velatypes.DefaultKubeVelaNS, Name: registryConfigMapName}, cm); err != nil {
+	if err := createOrUpdateTokenSecret(ctx, r.client, &registry); err != nil {
 		return err
 	}
-	registries := map[string]Registry{}
-	if err := json.Unmarshal([]byte(cm.Data[registriesKey]), &registries); err != nil {
+	registries, cm, err := r.getRegistries(ctx)
+	if err != nil {
 		return err
 	}
 	if _, ok := registries[registry.Name]; !ok {
@@ -156,25 +268,50 @@ func (r registryImpl) UpdateRegistry(ctx context.Context, registry Registry) err
 	if err != nil {
 		return err
 	}
-	cm.Data = map[string]string{
-		registriesKey: string(b),
-	}
+	cm.Data[registriesKey] = string(b)
 	return r.client.Update(ctx, cm)
 }
 
 func (r registryImpl) GetRegistry(ctx context.Context, name string) (Registry, error) {
-	var res Registry
-	cm := &v1.ConfigMap{}
-	if err := r.client.Get(ctx, types.NamespacedName{Namespace: velatypes.DefaultKubeVelaNS, Name: registryConfigMapName}, cm); err != nil {
-		return res, err
+	registries, _, err := r.getRegistries(ctx)
+	if err != nil {
+		return Registry{}, err
 	}
-	registries := map[string]Registry{}
-	if err := json.Unmarshal([]byte(cm.Data[registriesKey]), &registries); err != nil {
-		return res, err
+	res, ok := registries[name]
+	if !ok {
+		return res, apierrors.NewNotFound(schema.GroupResource{Group: "addons.kubevela.io", Resource: "Registry"}, name)
 	}
-	var notExist bool
-	if res, notExist = registries[name]; !notExist {
-		return res, fmt.Errorf("registry name %s not found", name)
+	if err := loadTokenFromSecret(ctx, r.client, &res); err != nil {
+		return res, err
 	}
 	return res, nil
 }
+
+// loadTokenFromSecret will load token from secret if exists
+// and set it to the source of the registry object
+func loadTokenFromSecret(ctx context.Context, cli client.Client, registry *Registry) error {
+	source := registry.GetTokenSource()
+	if source == nil {
+		return nil
+	}
+	secretName := source.GetTokenSecretRef()
+	if secretName == "" {
+		if source.GetToken() != "" {
+			// For backward compatibility, token can be stored in configmap directly.
+			// This is not secure, so we print a warning and recommend user to upgrade.
+			// The upgrade can be done by editing and saving the addon registry again.
+			fmt.Printf("Warning: addon registry %s is using an insecure token stored in ConfigMap. Please edit and save this addon registry again to migrate the token to a secret.\n", registry.Name)
+		}
+		return nil
+	}
+	secret := &v1.Secret{}
+	if err := cli.Get(ctx, types.NamespacedName{Namespace: velatypes.DefaultKubeVelaNS, Name: secretName}, secret); err != nil {
+		if apierrors.IsNotFound(err) {
+			// If the secret is not found, we consider the token is empty
+			return nil
+		}
+		return err
+	}
+	source.SetToken(string(secret.Data["token"]))
+	return nil
+}

pkg/addon/registry_test.go

@@ -0,0 +1,643 @@
+/*
+Copyright 2021 The KubeVela Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package addon
+
+import (
+	"context"
+	"encoding/json"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	v1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+
+	velatypes "github.com/oam-dev/kubevela/apis/types"
+)
+
+func TestAddonRegistry(t *testing.T) {
+	ctx := context.Background()
+	testRegistry := Registry{
+		Name: "test-registry",
+		Git: &GitAddonSource{
+			URL:   "http://github.com/test/repo",
+			Token: "test-token",
+		},
+	}
+	scheme := runtime.NewScheme()
+	assert.NoError(t, v1.AddToScheme(scheme))
+	client := fake.NewClientBuilder().WithScheme(scheme).Build()
+	ds := NewRegistryDataStore(client)
+
+	t.Run("add registry", func(t *testing.T) {
+		err := ds.AddRegistry(ctx, testRegistry)
+		assert.NoError(t, err)
+
+		var cm v1.ConfigMap
+		err = client.Get(ctx, types.NamespacedName{Name: registryConfigMapName, Namespace: velatypes.DefaultKubeVelaNS}, &cm)
+		assert.NoError(t, err)
+		var registries map[string]Registry
+		err = json.Unmarshal([]byte(cm.Data[registriesKey]), &registries)
+		assert.NoError(t, err)
+		assert.Equal(t, 1, len(registries))
+		gotRegistry := registries["test-registry"]
+		assert.Equal(t, "", gotRegistry.Git.Token)
+		assert.Equal(t, "addon-registry-test-registry", gotRegistry.Git.TokenSecretRef)
+
+		var secret v1.Secret
+		err = client.Get(ctx, types.NamespacedName{Name: "addon-registry-test-registry", Namespace: velatypes.DefaultKubeVelaNS}, &secret)
+		assert.NoError(t, err)
+		assert.Equal(t, "test-token", string(secret.Data["token"]))
+	})
+
+	t.Run("update registry", func(t *testing.T) {
+		updatedRegistry := Registry{
+			Name: "test-registry",
+			Git: &GitAddonSource{
+				URL:   "http://github.com/test/repo-updated",
+				Token: "test-token-updated",
+			},
+		}
+		err := ds.UpdateRegistry(ctx, updatedRegistry)
+		assert.NoError(t, err)
+
+		var secret v1.Secret
+		err = client.Get(ctx, types.NamespacedName{Name: "addon-registry-test-registry", Namespace: velatypes.DefaultKubeVelaNS}, &secret)
+		assert.NoError(t, err)
+		assert.Equal(t, "test-token-updated", string(secret.Data["token"]))
+	})
+
+	t.Run("list and get registry", func(t *testing.T) {
+		registries, err := ds.ListRegistries(ctx)
+		assert.NoError(t, err)
+		assert.Equal(t, 1, len(registries))
+		assert.Equal(t, "test-token-updated", registries[0].Git.Token)
+
+		reg, err := ds.GetRegistry(ctx, "test-registry")
+		assert.NoError(t, err)
+		assert.Equal(t, "test-token-updated", reg.Git.Token)
+	})
+
+	t.Run("delete registry", func(t *testing.T) {
+		err := ds.DeleteRegistry(ctx, "test-registry")
+		assert.NoError(t, err)
+
+		var cm v1.ConfigMap
+		err = client.Get(ctx, types.NamespacedName{Name: registryConfigMapName, Namespace: velatypes.DefaultKubeVelaNS}, &cm)
+		assert.NoError(t, err)
+		var registries map[string]Registry
+		err = json.Unmarshal([]byte(cm.Data[registriesKey]), &registries)
+		assert.NoError(t, err)
+		assert.Equal(t, 0, len(registries))
+
+		var secret v1.Secret
+		err = client.Get(ctx, types.NamespacedName{Name: "addon-registry-test-registry", Namespace: velatypes.DefaultKubeVelaNS}, &secret)
+		assert.Error(t, err)
+		assert.True(t, apierrors.IsNotFound(err))
+	})
+}
+
+func TestGetTokenSource(t *testing.T) {
+	gitSource := &GitAddonSource{URL: "https://github.com/kubevela/catalog.git"}
+	giteeSource := &GiteeAddonSource{URL: "https://gitee.com/kubevela/catalog.git"}
+	gitlabSource := &GitlabAddonSource{URL: "https://gitlab.com/kubevela/catalog.git"}
+
+	testCases := []struct {
+		name           string
+		registry       *Registry
+		expectedSource TokenSource
+	}{
+		{
+			name: "git source",
+			registry: &Registry{
+				Git: gitSource,
+			},
+			expectedSource: gitSource,
+		},
+		{
+			name: "gitee source",
+			registry: &Registry{
+				Gitee: giteeSource,
+			},
+			expectedSource: giteeSource,
+		},
+		{
+			name: "gitlab source",
+			registry: &Registry{
+				Gitlab: gitlabSource,
+			},
+			expectedSource: gitlabSource,
+		},
+		{
+			name: "git and gitee source",
+			registry: &Registry{
+				Git:   gitSource,
+				Gitee: giteeSource,
+			},
+			expectedSource: gitSource,
+		},
+		{
+			name: "gitee and gitlab source",
+			registry: &Registry{
+				Gitee:  giteeSource,
+				Gitlab: gitlabSource,
+			},
+			expectedSource: giteeSource,
+		},
+		{
+			name: "all token sources",
+			registry: &Registry{
+				Git:    gitSource,
+				Gitee:  giteeSource,
+				Gitlab: gitlabSource,
+			},
+			expectedSource: gitSource,
+		},
+		{
+			name: "no token source",
+			registry: &Registry{
+				Helm: &HelmSource{},
+			},
+			expectedSource: nil,
+		},
+		{
+			name:           "empty registry",
+			registry:       &Registry{},
+			expectedSource: nil,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			source := tc.registry.GetTokenSource()
+			assert.Equal(t, tc.expectedSource, source)
+		})
+	}
+}
+
+func TestAddRegistry(t *testing.T) {
+	t.Run("Test adding a registry", func(t *testing.T) {
+		ctx := context.Background()
+		testRegistry := Registry{
+			Name: "test-registry",
+			Git: &GitAddonSource{
+				URL:   "http://github.com/test/repo",
+				Token: "test-token",
+			},
+		}
+		scheme := runtime.NewScheme()
+		assert.NoError(t, v1.AddToScheme(scheme))
+		client := fake.NewClientBuilder().WithScheme(scheme).Build()
+		ds := NewRegistryDataStore(client)
+
+		err := ds.AddRegistry(ctx, testRegistry)
+		assert.NoError(t, err)
+
+		var cm v1.ConfigMap
+		err = client.Get(ctx, types.NamespacedName{Name: registryConfigMapName, Namespace: velatypes.DefaultKubeVelaNS}, &cm)
+		assert.NoError(t, err)
+		var registries map[string]Registry
+		err = json.Unmarshal([]byte(cm.Data[registriesKey]), &registries)
+		assert.NoError(t, err)
+		assert.Equal(t, 1, len(registries))
+		gotRegistry := registries["test-registry"]
+		assert.Equal(t, "", gotRegistry.Git.Token)
+		assert.Equal(t, "addon-registry-test-registry", gotRegistry.Git.TokenSecretRef)
+
+		var secret v1.Secret
+		err = client.Get(ctx, types.NamespacedName{Name: "addon-registry-test-registry", Namespace: velatypes.DefaultKubeVelaNS}, &secret)
+		assert.NoError(t, err)
+		assert.Equal(t, "test-token", string(secret.Data["token"]))
+	})
+}
+
+func TestUpdateRegistry(t *testing.T) {
+	t.Run("Test updating a registry", func(t *testing.T) {
+		ctx := context.Background()
+		updatedRegistry := Registry{
+			Name: "test-registry",
+			Git: &GitAddonSource{
+				URL:   "http://github.com/test/repo-updated",
+				Token: "test-token-updated",
+			},
+		}
+		// Pre-existing state
+		existingRegistry := Registry{
+			Name: "test-registry",
+			Git: &GitAddonSource{
+				URL:            "http://github.com/test/repo",
+				TokenSecretRef: "addon-registry-test-registry",
+			},
+		}
+		registries := map[string]Registry{"test-registry": existingRegistry}
+		registriesBytes, err := json.Marshal(registries)
+		assert.NoError(t, err)
+		cm := &v1.ConfigMap{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      registryConfigMapName,
+				Namespace: velatypes.DefaultKubeVelaNS,
+			},
+			Data: map[string]string{
+				registriesKey: string(registriesBytes),
+			},
+		}
+		secret := &v1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "addon-registry-test-registry",
+				Namespace: velatypes.DefaultKubeVelaNS,
+			},
+			Data: map[string][]byte{
+				"token": []byte("test-token"),
+			},
+		}
+
+		scheme := runtime.NewScheme()
+		assert.NoError(t, v1.AddToScheme(scheme))
+		client := fake.NewClientBuilder().WithScheme(scheme).WithObjects(cm, secret).Build()
+		ds := NewRegistryDataStore(client)
+
+		err = ds.UpdateRegistry(ctx, updatedRegistry)
+		assert.NoError(t, err)
+
+		var updatedSecret v1.Secret
+		err = client.Get(ctx, types.NamespacedName{Name: "addon-registry-test-registry", Namespace: velatypes.DefaultKubeVelaNS}, &updatedSecret)
+		assert.NoError(t, err)
+		assert.Equal(t, "test-token-updated", string(updatedSecret.Data["token"]))
+
+		var updatedCm v1.ConfigMap
+		err = client.Get(ctx, types.NamespacedName{Name: registryConfigMapName, Namespace: velatypes.DefaultKubeVelaNS}, &updatedCm)
+		assert.NoError(t, err)
+		var updatedRegistries map[string]Registry
+		err = json.Unmarshal([]byte(updatedCm.Data[registriesKey]), &updatedRegistries)
+		assert.NoError(t, err)
+		assert.Equal(t, "http://github.com/test/repo-updated", updatedRegistries["test-registry"].Git.URL)
+	})
+}
+
+func TestListRegistry(t *testing.T) {
+	t.Run("Test listing registries", func(t *testing.T) {
+		ctx := context.Background()
+		// Pre-existing state
+		existingRegistry := Registry{
+			Name: "test-registry",
+			Git: &GitAddonSource{
+				URL:            "http://github.com/test/repo",
+				TokenSecretRef: "addon-registry-test-registry",
+			},
+		}
+		registries := map[string]Registry{"test-registry": existingRegistry}
+		registriesBytes, err := json.Marshal(registries)
+		assert.NoError(t, err)
+		cm := &v1.ConfigMap{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      registryConfigMapName,
+				Namespace: velatypes.DefaultKubeVelaNS,
+			},
+			Data: map[string]string{
+				registriesKey: string(registriesBytes),
+			},
+		}
+		secret := &v1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "addon-registry-test-registry",
+				Namespace: velatypes.DefaultKubeVelaNS,
+			},
+			Data: map[string][]byte{
+				"token": []byte("test-token"),
+			},
+		}
+
+		scheme := runtime.NewScheme()
+		assert.NoError(t, v1.AddToScheme(scheme))
+		client := fake.NewClientBuilder().WithScheme(scheme).WithObjects(cm, secret).Build()
+		ds := NewRegistryDataStore(client)
+
+		// Test List
+		listedRegistries, err := ds.ListRegistries(ctx)
+		assert.NoError(t, err)
+		assert.Equal(t, 1, len(listedRegistries))
+		assert.Equal(t, "test-token", listedRegistries[0].Git.Token)
+		assert.Equal(t, "http://github.com/test/repo", listedRegistries[0].Git.URL)
+	})
+}
+
+func TestGetRegistry(t *testing.T) {
+	t.Run("Test getting a single registry", func(t *testing.T) {
+		ctx := context.Background()
+		// Pre-existing state
+		existingRegistry := Registry{
+			Name: "test-registry",
+			Git: &GitAddonSource{
+				URL:            "http://github.com/test/repo",
+				TokenSecretRef: "addon-registry-test-registry",
+			},
+		}
+		registries := map[string]Registry{"test-registry": existingRegistry}
+		registriesBytes, err := json.Marshal(registries)
+		assert.NoError(t, err)
+		cm := &v1.ConfigMap{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      registryConfigMapName,
+				Namespace: velatypes.DefaultKubeVelaNS,
+			},
+			Data: map[string]string{
+				registriesKey: string(registriesBytes),
+			},
+		}
+		secret := &v1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "addon-registry-test-registry",
+				Namespace: velatypes.DefaultKubeVelaNS,
+			},
+			Data: map[string][]byte{
+				"token": []byte("test-token"),
+			},
+		}
+
+		scheme := runtime.NewScheme()
+		assert.NoError(t, v1.AddToScheme(scheme))
+		client := fake.NewClientBuilder().WithScheme(scheme).WithObjects(cm, secret).Build()
+		ds := NewRegistryDataStore(client)
+
+		// Test Get
+		reg, err := ds.GetRegistry(ctx, "test-registry")
+		assert.NoError(t, err)
+		assert.Equal(t, "test-token", reg.Git.Token)
+		assert.Equal(t, "http://github.com/test/repo", reg.Git.URL)
+	})
+}
+
+func TestDeleteRegistry(t *testing.T) {
+	t.Run("Test deleting a registry", func(t *testing.T) {
+		ctx := context.Background()
+		// Pre-existing state
+		existingRegistry := Registry{
+			Name: "test-registry",
+			Git: &GitAddonSource{
+				URL:            "http://github.com/test/repo",
+				TokenSecretRef: "addon-registry-test-registry",
+			},
+		}
+		registries := map[string]Registry{"test-registry": existingRegistry}
+		registriesBytes, err := json.Marshal(registries)
+		assert.NoError(t, err)
+		cm := &v1.ConfigMap{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      registryConfigMapName,
+				Namespace: velatypes.DefaultKubeVelaNS,
+			},
+			Data: map[string]string{
+				registriesKey: string(registriesBytes),
+			},
+		}
+		secret := &v1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "addon-registry-test-registry",
+				Namespace: velatypes.DefaultKubeVelaNS,
+			},
+			Data: map[string][]byte{
+				"token": []byte("test-token"),
+			},
+		}
+
+		scheme := runtime.NewScheme()
+		assert.NoError(t, v1.AddToScheme(scheme))
+		client := fake.NewClientBuilder().WithScheme(scheme).WithObjects(cm, secret).Build()
+		ds := NewRegistryDataStore(client)
+
+		err = ds.DeleteRegistry(ctx, "test-registry")
+		assert.NoError(t, err)
+
+		var updatedCm v1.ConfigMap
+		err = client.Get(ctx, types.NamespacedName{Name: registryConfigMapName, Namespace: velatypes.DefaultKubeVelaNS}, &updatedCm)
+		assert.NoError(t, err)
+		var updatedRegistries map[string]Registry
+		err = json.Unmarshal([]byte(updatedCm.Data[registriesKey]), &updatedRegistries)
+		assert.NoError(t, err)
+		assert.Equal(t, 0, len(updatedRegistries))
+
+		var deletedSecret v1.Secret
+		err = client.Get(ctx, types.NamespacedName{Name: "addon-registry-test-registry", Namespace: velatypes.DefaultKubeVelaNS}, &deletedSecret)
+		assert.Error(t, err)
+		assert.True(t, apierrors.IsNotFound(err))
+	})
+}
+
+func TestGetRegistries(t *testing.T) {
+	ctx := context.Background()
+	scheme := runtime.NewScheme()
+	assert.NoError(t, v1.AddToScheme(scheme))
+
+	// valid configmap with one registry
+	validRegistries := map[string]Registry{"test-registry": {Name: "test-registry"}}
+	validRegistriesBytes, err := json.Marshal(validRegistries)
+	assert.NoError(t, err)
+	validCm := &v1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{Name: registryConfigMapName, Namespace: velatypes.DefaultKubeVelaNS},
+		Data:       map[string]string{registriesKey: string(validRegistriesBytes)},
+	}
+
+	// configmap with invalid json
+	invalidJSONCm := &v1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{Name: registryConfigMapName, Namespace: velatypes.DefaultKubeVelaNS},
+		Data:       map[string]string{registriesKey: "invalid-json"},
+	}
+
+	// configmap with missing key
+	missingKeyCm := &v1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{Name: registryConfigMapName, Namespace: velatypes.DefaultKubeVelaNS},
+		Data:       map[string]string{"another-key": "some-data"},
+	}
+
+	testCases := map[string]struct {
+		client       client.Client
+		expectErr    bool
+		expectRegNum int
+	}{
+		"success": {
+			client:       fake.NewClientBuilder().WithScheme(scheme).WithObjects(validCm).Build(),
+			expectErr:    false,
+			expectRegNum: 1,
+		},
+		"configmap not found": {
+			client:    fake.NewClientBuilder().WithScheme(scheme).Build(),
+			expectErr: true,
+		},
+		"invalid json": {
+			client:    fake.NewClientBuilder().WithScheme(scheme).WithObjects(invalidJSONCm).Build(),
+			expectErr: true,
+		},
+		"registries key missing": {
+			client:    fake.NewClientBuilder().WithScheme(scheme).WithObjects(missingKeyCm).Build(),
+			expectErr: true,
+		},
+	}
+
+	for name, tc := range testCases {
+		t.Run(name, func(t *testing.T) {
+			ds := registryImpl{client: tc.client}
+			registries, _, err := ds.getRegistries(ctx)
+			if tc.expectErr {
+				assert.Error(t, err)
+			} else {
+				assert.NoError(t, err)
+				assert.Equal(t, tc.expectRegNum, len(registries))
+			}
+		})
+	}
+}
+
+func TestLoadTokenFromSecret(t *testing.T) {
+	ctx := context.Background()
+	scheme := runtime.NewScheme()
+	assert.NoError(t, v1.AddToScheme(scheme))
+
+	secret := &v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{Name: "addon-registry-test", Namespace: velatypes.DefaultKubeVelaNS},
+		Data:       map[string][]byte{"token": []byte("test-token")},
+	}
+
+	testCases := map[string]struct {
+		client      client.Client
+		registry    *Registry
+		expectErr   bool
+		expectToken string
+	}{
+		"success": {
+			client: fake.NewClientBuilder().WithScheme(scheme).WithObjects(secret).Build(),
+			registry: &Registry{
+				Name: "test",
+				Git:  &GitAddonSource{URL: "http://github.com/test/repo", TokenSecretRef: "addon-registry-test"},
+			},
+			expectErr:   false,
+			expectToken: "test-token",
+		},
+		"secret not found": {
+			client: fake.NewClientBuilder().WithScheme(scheme).Build(),
+			registry: &Registry{
+				Name: "test",
+				Git:  &GitAddonSource{URL: "http://github.com/test/repo", TokenSecretRef: "addon-registry-test"},
+			},
+			expectErr:   false,
+			expectToken: "",
+		},
+		"no token source": {
+			client:      fake.NewClientBuilder().WithScheme(scheme).Build(),
+			registry:    &Registry{Name: "test"},
+			expectErr:   false,
+			expectToken: "",
+		},
+		"no secret ref": {
+			client:      fake.NewClientBuilder().WithScheme(scheme).Build(),
+			registry:    &Registry{Name: "test", Git: &GitAddonSource{URL: "http://github.com/test/repo"}},
+			expectErr:   false,
+			expectToken: "",
+		},
+	}
+
+	for name, tc := range testCases {
+		t.Run(name, func(t *testing.T) {
+			err := loadTokenFromSecret(ctx, tc.client, tc.registry)
+			if tc.expectErr {
+				assert.Error(t, err)
+			} else {
+				assert.NoError(t, err)
+				if tc.registry.Git != nil {
+					assert.Equal(t, tc.expectToken, tc.registry.Git.Token)
+				}
+			}
+		})
+	}
+}
+
+func TestCreateOrUpdateTokenSecret(t *testing.T) {
+	ctx := context.Background()
+	scheme := runtime.NewScheme()
+	assert.NoError(t, v1.AddToScheme(scheme))
+
+	existingSecret := &v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{Name: "addon-registry-test", Namespace: velatypes.DefaultKubeVelaNS},
+		Data:       map[string][]byte{"token": []byte("old-token")},
+	}
+
+	testCases := map[string]struct {
+		client       client.Client
+		registry     *Registry
+		expectErr    bool
+		expectToken  string
+		expectSecret bool
+	}{
+		"create new secret": {
+			client: fake.NewClientBuilder().WithScheme(scheme).Build(),
+			registry: &Registry{
+				Name: "test",
+				Git:  &GitAddonSource{Token: "new-token"},
+			},
+			expectErr:    false,
+			expectToken:  "new-token",
+			expectSecret: true,
+		},
+		"update existing secret": {
+			client: fake.NewClientBuilder().WithScheme(scheme).WithObjects(existingSecret).Build(),
+			registry: &Registry{
+				Name: "test",
+				Git:  &GitAddonSource{Token: "updated-token"},
+			},
+			expectErr:    false,
+			expectToken:  "updated-token",
+			expectSecret: true,
+		},
+		"no token source": {
+			client:       fake.NewClientBuilder().WithScheme(scheme).Build(),
+			registry:     &Registry{Name: "test"},
+			expectErr:    false,
+			expectSecret: false,
+		},
+		"empty token": {
+			client:       fake.NewClientBuilder().WithScheme(scheme).Build(),
+			registry:     &Registry{Name: "test", Git: &GitAddonSource{Token: ""}},
+			expectErr:    false,
+			expectSecret: false,
+		},
+	}
+
+	for name, tc := range testCases {
+		t.Run(name, func(t *testing.T) {
+			err := createOrUpdateTokenSecret(ctx, tc.client, tc.registry)
+			if tc.expectErr {
+				assert.Error(t, err)
+			} else {
+				assert.NoError(t, err)
+				if tc.expectSecret {
+					var secret v1.Secret
+					err := tc.client.Get(ctx, types.NamespacedName{Name: "addon-registry-test", Namespace: velatypes.DefaultKubeVelaNS}, &secret)
+					assert.NoError(t, err)
+					assert.Equal(t, tc.expectToken, string(secret.Data["token"]))
+					assert.Equal(t, "addon-registry-test", tc.registry.GetTokenSource().GetTokenSecretRef())
+				} else {
+					var secret v1.Secret
+					err := tc.client.Get(ctx, types.NamespacedName{Name: "addon-registry-test", Namespace: velatypes.DefaultKubeVelaNS}, &secret)
+					assert.True(t, apierrors.IsNotFound(err))
+				}
+			}
+		})
+	}
+}

pkg/addon/source.go

@@ -56,37 +56,32 @@ type Source interface {
 
 // GitAddonSource defines the information about the Git as addon source
 type GitAddonSource struct {
-	URL   string `json:"url,omitempty" validate:"required"`
-	Path  string `json:"path,omitempty"`
-	Token string `json:"token,omitempty"`
+	URL            string `json:"url,omitempty" validate:"required"`
+	Path           string `json:"path,omitempty"`
+	Token          string `json:"token,omitempty"`
+	TokenSecretRef string `json:"tokenSecretRef,omitempty"`
 }
 
-// GiteeAddonSource defines the information about the Gitee as addon source
-type GiteeAddonSource struct {
-	URL   string `json:"url,omitempty" validate:"required"`
-	Path  string `json:"path,omitempty"`
-	Token string `json:"token,omitempty"`
+// GetToken returns the token of the source
+func (g *GitAddonSource) GetToken() string {
+	return g.Token
 }
 
-// GitlabAddonSource defines the information about the Gitlab as addon source
-type GitlabAddonSource struct {
-	URL   string `json:"url,omitempty" validate:"required"`
-	Repo  string `json:"repo,omitempty" validate:"required"`
-	Path  string `json:"path,omitempty"`
-	Token string `json:"token,omitempty"`
+// SetToken set the token of the source
+func (g *GitAddonSource) SetToken(token string) {
+	g.Token = token
+	g.TokenSecretRef = ""
 }
 
-// HelmSource  defines the information about the helm repo addon source
-type HelmSource struct {
-	URL             string `json:"url,omitempty" validate:"required"`
-	InsecureSkipTLS bool   `json:"insecureSkipTLS,omitempty"`
-	Username        string `json:"username,omitempty"`
-	Password        string `json:"password,omitempty"`
+// SetTokenSecretRef set the token secret ref to the source
+func (g *GitAddonSource) SetTokenSecretRef(secretName string) {
+	g.Token = ""
+	g.TokenSecretRef = secretName
 }
 
-// SafeCopier is an interface to copy Struct without sensitive fields, such as Token, Username, Password
-type SafeCopier interface {
-	SafeCopy() interface{}
+// GetTokenSecretRef return the token secret ref of the source
+func (g *GitAddonSource) GetTokenSecretRef() string {
+	return g.TokenSecretRef
 }
 
 // SafeCopy hides field Token
@@ -95,22 +90,85 @@ func (g *GitAddonSource) SafeCopy() *GitAddonSource {
 		return nil
 	}
 	return &GitAddonSource{
-		URL:  g.URL,
-		Path: g.Path,
+		URL:            g.URL,
+		Path:           g.Path,
+		TokenSecretRef: g.TokenSecretRef,
 	}
 }
 
+// GiteeAddonSource defines the information about the Gitee as addon source
+type GiteeAddonSource struct {
+	URL            string `json:"url,omitempty" validate:"required"`
+	Path           string `json:"path,omitempty"`
+	Token          string `json:"token,omitempty"`
+	TokenSecretRef string `json:"tokenSecretRef,omitempty"`
+}
+
+// GetToken return the token of the source
+func (g *GiteeAddonSource) GetToken() string {
+	return g.Token
+}
+
+// SetToken set the token of the source
+func (g *GiteeAddonSource) SetToken(token string) {
+	g.Token = token
+	g.TokenSecretRef = ""
+}
+
+// SetTokenSecretRef set the token secret ref to the source
+func (g *GiteeAddonSource) SetTokenSecretRef(secretName string) {
+	g.Token = ""
+	g.TokenSecretRef = secretName
+}
+
+// GetTokenSecretRef return the token secret ref of the source
+func (g *GiteeAddonSource) GetTokenSecretRef() string {
+	return g.TokenSecretRef
+}
+
 // SafeCopy hides field Token
 func (g *GiteeAddonSource) SafeCopy() *GiteeAddonSource {
 	if g == nil {
 		return nil
 	}
 	return &GiteeAddonSource{
-		URL:  g.URL,
-		Path: g.Path,
+		URL:            g.URL,
+		Path:           g.Path,
+		TokenSecretRef: g.TokenSecretRef,
 	}
 }
 
+// GitlabAddonSource defines the information about Gitlab as an addon source
+type GitlabAddonSource struct {
+	URL            string `json:"url,omitempty" validate:"required"`
+	Repo           string `json:"repo,omitempty" validate:"required"`
+	Path           string `json:"path,omitempty"`
+	Token          string `json:"token,omitempty"`
+	TokenSecretRef string `json:"tokenSecretRef,omitempty"`
+}
+
+// GetToken return the token of the source
+func (g *GitlabAddonSource) GetToken() string {
+	return g.Token
+}
+
+// SetToken set the token of the source
+func (g *GitlabAddonSource) SetToken(token string) {
+	g.Token = token
+	g.TokenSecretRef = ""
+}
+
+// SetTokenSecretRef set the token secret ref to the source
+func (g *GitlabAddonSource) SetTokenSecretRef(secretName string) {
+	g.Token = ""
+	g.TokenSecretRef = secretName
+}
+
+// GetTokenSecretRef return the token secret ref of the source
+func (g *GitlabAddonSource) GetTokenSecretRef() string {
+	return g.TokenSecretRef
+}
+
 // SafeCopy hides field Token
 func (g *GitlabAddonSource) SafeCopy() *GitlabAddonSource {
 	if g == nil {
@@ -123,6 +181,19 @@ func (g *GitlabAddonSource) SafeCopy() *GitlabAddonSource {
 	}
 }
 
+// HelmSource  defines the information about the helm repo addon source
+type HelmSource struct {
+	URL             string `json:"url,omitempty" validate:"required"`
+	InsecureSkipTLS bool   `json:"insecureSkipTLS,omitempty"`
+	Username        string `json:"username,omitempty"`
+	Password        string `json:"password,omitempty"`
+}
+
+// SafeCopier is an interface to copy struct without sensitive fields, such as Token, Username, Password
+type SafeCopier interface {
+	SafeCopy() interface{}
+}
+
 // SafeCopy hides field Username, Password
 func (h *HelmSource) SafeCopy() *HelmSource {
 	if h == nil {

pkg/addon/source_test.go

@@ -275,3 +275,47 @@ func TestSafeCopy(t *testing.T) {
 	assert.Empty(t, shelm.Password)
 	assert.Equal(t, "https://hub.vela.com/chartrepo/addons", shelm.URL)
 }
+
+func TestTokenSource(t *testing.T) {
+	t.Run("GitAddonSource", func(t *testing.T) {
+		source := &GitAddonSource{}
+		assert.Equal(t, "", source.GetToken())
+		assert.Equal(t, "", source.GetTokenSecretRef())
+
+		source.SetToken("test-token")
+		assert.Equal(t, "test-token", source.GetToken())
+		assert.Equal(t, "", source.GetTokenSecretRef())
+
+		source.SetTokenSecretRef("test-secret")
+		assert.Equal(t, "test-secret", source.GetTokenSecretRef())
+		assert.Equal(t, "", source.GetToken())
+	})
+
+	t.Run("GiteeAddonSource", func(t *testing.T) {
+		source := &GiteeAddonSource{}
+		assert.Equal(t, "", source.GetToken())
+		assert.Equal(t, "", source.GetTokenSecretRef())
+
+		source.SetToken("test-token")
+		assert.Equal(t, "test-token", source.GetToken())
+		assert.Equal(t, "", source.GetTokenSecretRef())
+
+		source.SetTokenSecretRef("test-secret")
+		assert.Equal(t, "test-secret", source.GetTokenSecretRef())
+		assert.Equal(t, "", source.GetToken())
+	})
+
+	t.Run("GitlabAddonSource", func(t *testing.T) {
+		source := &GitlabAddonSource{}
+		assert.Equal(t, "", source.GetToken())
+		assert.Equal(t, "", source.GetTokenSecretRef())
+
+		source.SetToken("test-token")
+		assert.Equal(t, "test-token", source.GetToken())
+		assert.Equal(t, "", source.GetTokenSecretRef())
+
+		source.SetTokenSecretRef("test-secret")
+		assert.Equal(t, "test-secret", source.GetTokenSecretRef())
+		assert.Equal(t, "", source.GetToken())
+	})
+}