Need ability to provide imagePullSecrets for jobs generated by Plans for private registries

Question

Need ability to provide imagePullSecrets for jobs generated by Plans for private registries

zack-is-cool opened this issue 2 years ago · comments

Is your feature request related to a problem? Please describe.
I am currently trying to deploy this system-upgrade-controller and all related pods in an airgap. We utilize a private registry to pull containers from and I do not have the ability to insert imagePullSecrets into the apply-*-plan-on-* pods that are spun up by jobs - this affects both the rancher/rke2-upgrade and the rancher/kubectl containers

Describe the solution you'd like
I want to be able to add imagePullSecrets on the plan and have that flow through into the jobs' pod spec.

Describe alternatives you've considered
The only alternative right now is to enter credentials in the registries.yaml file when booting rke2. This is problematic as my deployment process usually has the rke2 cluster running before my private registry is available and the registry credentials are randomly generated

Max · Answer 1 · Fri May 06 2022 05:50:52 GMT+0800 (China Standard Time)

We found that configuring the serviceaccount to use imagepullsecrets also works as an alternative: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account but going to keep this open as the issue itself is still valid as an enhancement.

Zack A · Answer 2 · Fri May 06 2022 06:42:30 GMT+0800 (China Standard Time)

We found that configuring the serviceaccount to use imagepullsecrets also works as an alternative: kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account but going to keep this open as the issue itself is still valid as an enhancement.

incase anyone needs an example of this using fluxcd's kustomize controller:

apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
kind: Kustomization
metadata:
  name: rke2-system-upgrade-controller
  namespace: bigbang
spec:
  interval: 1m
  sourceRef:
    kind: GitRepository
    name: rke2-system-upgrade-controller-repo
  path: .
  prune: true
  images:
  - name: rancher/system-upgrade-controller
    newName: private.registry/rancher/system-upgrade-controller
    newTag: v0.9.1
  patches:
    - patch: |-
        apiVersion: v1
        kind: ConfigMap
        metadata:
          name: default-controller-env
        data:
          SYSTEM_UPGRADE_JOB_KUBECTL_IMAGE: private.registry/rancher/kubectl:v1.22.6
      target:
        kind: ConfigMap
    - patch: |-
        apiVersion: apps/v1
        kind: Deployment
        metadata:
          name: system-upgrade-controller
          namespace: system-upgrade
        spec:
          template:
            spec:
              imagePullSecrets:
                - name: private-registry 
      target:
        kind: Deployment
    - patch: |-
        apiVersion: v1
        kind: ServiceAccount
        metadata:
          name: system-upgrade
          namespace: system-upgrade
        imagePullSecrets:
        - name: private-registry
      target:
        kind: ServiceAccount