Add option for imagePullSecrets in podOptions #1350

Open
sandert-k8s opened this issue Feb 6, 2025 · 3 comments
Labels
blocked-needs-validation Issue need triage and validation

sandert-k8s commented Feb 6, 2025

Describe the feature

Add imagePullSecrets to the tenant CR, `.spec.podOptions.imagePullSecrets`. These imagePullSecrets get automatically appended to the pod spec when a pod in the tenant is deployed. This is great when a GlobalTenantResource with imagePullSecrets is used, so these imagePullSecrets are automatically added and the tenantUser/owner doesn't have to do a thing for it :)

What would the new user story look like?

What would the new interaction with Capsule look like? E.g.

  1. Tenant owner creates a new Pod
  2. The imagePullSecrets are added to the Pod
  3. The tenant owner is happy and worry-free about these imagePullSecrets that we manage for him and he doesn't have to think about adding them to his podSpec.

```yaml
apiVersion: capsule.clastix.io/v1beta2
kind: Tenant
metadata:
  name: tenant-a
  labels:
    tenant: a
spec:
  podOptions:
    # Field requested by this issue
    imagePullSecrets:
      - name: secret-proxy-docker
      - name: secret-proxy-ghcr
  containerRegistries:
    allowed:
      - thisismy.containerregistry.io
```

And just for reference, to get the global picture, the globaltenantresource:

```yaml
apiVersion: capsule.clastix.io/v1beta2
kind: GlobalTenantResource
metadata:
  name: pullsecrets-tenant-a
spec:
  tenantSelector:
    matchLabels:
      tenant: a
  resyncPeriod: 60s
  resources:
    - namespacedItems:
        - apiVersion: v1
          kind: Secret
          namespace: tenant-a-secrets
          selector:
            matchLabels:
              imagePullSecret: thisismy.containerregistry.io
```

Expected behavior

ImagePullSecrets are automatically added to all pods in a tenant.

@sandert-k8s sandert-k8s added the blocked-needs-validation Issue need triage and validation label Feb 6, 2025
@oliverbaehler oliverbaehler self-assigned this Feb 6, 2025
@oliverbaehler (Collaborator)

Same here as with the annotations: we will add a new hook system, Kyverno-like, to apply such patches based on selected tenants or namespaces, decoupling it from tenants.

@sandert-k8s (Author)

Yup that sounds good to me! 👍

@prometherion (Member)

In the meantime, since you're using Tenant Resources, you could update the default ServiceAccount on each Namespace where the secret is replicated to use the provided image pull secret.

https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-image-pull-secret-to-service-account
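
The workaround suggested in the comment above, sketched as an added example that is not part of the original thread or Capsule's own code: it reads each tenant namespace's default ServiceAccount, merges in the pull secrets without dropping existing ones, and sends a JSON merge patch. The secret names come from the issue's manifest; the `capsule.clastix.io/tenant` namespace label and the `kubectl` wrapper are assumptions.

```python
#!/usr/bin/env python3
"""Attach pull secrets to the default ServiceAccount of each tenant namespace."""
import json
import subprocess

# Secret names taken from the issue's Tenant manifest.
PULL_SECRETS = ["secret-proxy-docker", "secret-proxy-ghcr"]
# Assumption: Capsule labels tenant namespaces with capsule.clastix.io/tenant.
TENANT_LABEL = "capsule.clastix.io/tenant=tenant-a"


def merged_pull_secrets(service_account: dict, wanted: list) -> list:
    """Return the existing imagePullSecrets plus any wanted names not yet present."""
    names = [ref["name"] for ref in service_account.get("imagePullSecrets") or []]
    for name in wanted:
        if name not in names:
            names.append(name)
    return [{"name": n} for n in names]


def build_patch(service_account: dict, wanted: list):
    """Return a JSON merge-patch body, or None when nothing would change.

    A JSON merge patch replaces arrays wholesale, so the full merged list is sent.
    """
    merged = merged_pull_secrets(service_account, wanted)
    if merged == (service_account.get("imagePullSecrets") or []):
        return None
    return json.dumps({"imagePullSecrets": merged})


def kubectl(*args: str) -> str:
    """Run kubectl and return stdout; raises CalledProcessError on failure."""
    result = subprocess.run(["kubectl", *args], check=True, capture_output=True, text=True)
    return result.stdout


def main() -> None:
    listing = json.loads(kubectl("get", "namespaces", "-l", TENANT_LABEL, "-o", "json"))
    for ns in (item["metadata"]["name"] for item in listing["items"]):
        sa = json.loads(kubectl("get", "serviceaccount", "default", "-n", ns, "-o", "json"))
        patch = build_patch(sa, PULL_SECRETS)
        if patch is None:
            print(f"{ns}: default ServiceAccount already up to date")
            continue
        kubectl("patch", "serviceaccount", "default", "-n", ns, "--type", "merge", "-p", patch)
        print(f"{ns}: patched default ServiceAccount")


if __name__ == "__main__":
    main()
```

The ServiceAccount's imagePullSecrets are only injected into pods that run under that ServiceAccount and specify no imagePullSecrets of their own, so pods using other ServiceAccounts are not covered.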
