diff --git a/deploy/deployment.yaml b/deploy/deployment.yaml
index a83c571c..2a1d5e9e 100644
--- a/deploy/deployment.yaml
+++ b/deploy/deployment.yaml
@@ -45,6 +45,10 @@ data:
 (@ else: @)
 image: (@= data.values.image_repo + ":" + data.values.image_tag @)
 (@ end @)
+ (@ if data.values.image_pull_dockerconfigjson: @)
+ imagePullSecrets:
+ - image-pull-secret
+ (@ end @)
 ---
 #@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
 apiVersion: v1
diff --git a/internal/controller/kubecertagent/creater_test.go b/internal/controller/kubecertagent/creater_test.go
index d3d809ea..430ac83a 100644
--- a/internal/controller/kubecertagent/creater_test.go
+++ b/internal/controller/kubecertagent/creater_test.go
@@ -83,9 +83,10 @@ func TestCreaterControllerSync(t *testing.T) {
 // Set this at the last second to allow for injection of server override.
 subject = NewCreaterController(
 &AgentPodConfig{
- Namespace: agentPodNamespace,
- ContainerImage: "some-agent-image",
- PodNamePrefix: "some-agent-name-",
+ Namespace: agentPodNamespace,
+ ContainerImage: "some-agent-image",
+ PodNamePrefix: "some-agent-name-",
+ ContainerImagePullSecrets: []string{"some-image-pull-secret"},
 },
 &CredentialIssuerConfigLocationConfig{
 Namespace: credentialIssuerConfigNamespaceName,
diff --git a/internal/controller/kubecertagent/kubecertagent.go b/internal/controller/kubecertagent/kubecertagent.go
index bd9c4bcd..00e5e00e 100644
--- a/internal/controller/kubecertagent/kubecertagent.go
+++ b/internal/controller/kubecertagent/kubecertagent.go
@@ -63,6 +63,10 @@ type AgentPodConfig struct {
 // The name prefix for each of the agent pods.
 PodNamePrefix string
+
+ // ContainerImagePullSecrets is a list of names of Kubernetes Secret objects that will be used as
+ // ImagePullSecrets on the kube-cert-agent pods.
+ ContainerImagePullSecrets []string
 }
 type CredentialIssuerConfigLocationConfig struct {
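Review bot: In the deploy/deployment.yaml hunk, the added guard `(@ if data.values.image_pull_dockerconfigjson: @)` is spelled differently from the Secret guard at the end of the same hunk (`... and data.values.image_pull_dockerconfigjson != ""`), and the name `image-pull-secret` is hard-coded with nothing here tying it to that Secret's `metadata.name`. If the two conditions or the two names ever drift apart, the agent pods will reference a Secret that was never rendered, and the failure only shows up as an image pull error at pod start. I would use one condition in both places and keep the referenced name next to the Secret definition so they change together. The Secret's name is outside the hunk, so confirm it really is `image-pull-secret`.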
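Review bot: The doc comment on `ContainerImagePullSecrets` in the `AgentPodConfig` hunk of kubecertagent.go does not say where the named Secrets have to live. PodTemplate, later in this diff, turns each name into a `corev1.LocalObjectReference`, which only resolves a Secret in the pod's own namespace, so a name that exists elsewhere is accepted here and fails only when the image is pulled. I would add a line to the comment such as `// The Secrets must exist in the namespace the agent pods run in.` The struct body starts above the hunk.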
@@ -81,6 +85,17 @@ func (c *AgentPodConfig) Labels() map[string]string { func (c *AgentPodConfig) PodTemplate() *corev1.Pod { terminateImmediately := int64(0) + + imagePullSecrets := []corev1.LocalObjectReference{} + for _, imagePullSecret := range c.ContainerImagePullSecrets { + imagePullSecrets = append( + imagePullSecrets, + corev1.LocalObjectReference{ + Name: imagePullSecret, + }, + ) + } + pod := &corev1.Pod{ ObjectMeta: metav1.ObjectMeta{ Name: c.PodNamePrefix, @@ -89,6 +104,7 @@ func (c *AgentPodConfig) PodTemplate() *corev1.Pod { }, Spec: corev1.PodSpec{ TerminationGracePeriodSeconds: &terminateImmediately, + ImagePullSecrets: imagePullSecrets, Containers: []corev1.Container{ { Name: "sleeper", diff --git a/internal/controller/kubecertagent/kubecertagent_test.go b/internal/controller/kubecertagent/kubecertagent_test.go index e265fdc7..6c8da06a 100644 --- a/internal/controller/kubecertagent/kubecertagent_test.go +++ b/internal/controller/kubecertagent/kubecertagent_test.go @@ -87,6 +87,11 @@ func exampleControllerManagerAndAgentPods( }, Spec: corev1.PodSpec{ TerminationGracePeriodSeconds: &zero, + ImagePullSecrets: []corev1.LocalObjectReference{ + { + Name: "some-image-pull-secret", + }, + }, Containers: []corev1.Container{ { Name: "sleeper", diff --git a/internal/controllermanager/prepare_controllers.go b/internal/controllermanager/prepare_controllers.go index 18a64d7b..41f22ce7 100644 --- a/internal/controllermanager/prepare_controllers.go +++ b/internal/controllermanager/prepare_controllers.go 
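Review bot: In the first PodTemplate hunk of kubecertagent.go, the new loop copies every configured name into a `LocalObjectReference` unchecked, so an empty string in the config list becomes `{Name: ""}` on every agent pod. Whether that is rejected or silently ignored downstream is not something this code should rely on, and a typo in the config would then only surface as a pull failure. I would skip empty names with `if imagePullSecret == "" { continue }` at the top of the loop and size the slice with `make([]corev1.LocalObjectReference, 0, len(c.ContainerImagePullSecrets))`. PodTemplate's body continues past the hunk.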
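Review bot: Setting `ImagePullSecrets: imagePullSecrets` on the template in the second PodTemplate hunk only affects agent pods created from now on, unless the code that decides an existing agent pod is stale also compares this field; no such comparison is touched in this diff. If the package has an up-to-date check for agent pods (not visible here), it should include `Spec.ImagePullSecrets`, otherwise changing the configured secret names leaves running agent pods on the old list. The template holds an empty non-nil slice when nothing is configured, so that comparison should treat empty and nil as equal.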
@@ -92,9 +92,10 @@ func PrepareControllers(c *Config) (func(ctx context.Context), error) {
 // Configuration for the kubecertagent controllers created below.
 agentPodConfig := &kubecertagent.AgentPodConfig{
- Namespace: c.ServerInstallationNamespace,
- ContainerImage: *c.KubeCertAgentConfig.Image,
- PodNamePrefix: *c.KubeCertAgentConfig.NamePrefix,
+ Namespace: c.ServerInstallationNamespace,
+ ContainerImage: *c.KubeCertAgentConfig.Image,
+ PodNamePrefix: *c.KubeCertAgentConfig.NamePrefix,
+ ContainerImagePullSecrets: c.KubeCertAgentConfig.ImagePullSecrets,
 }
 credentialIssuerConfigLocationConfig := &kubecertagent.CredentialIssuerConfigLocationConfig{
 Namespace: c.ServerInstallationNamespace,
diff --git a/pkg/config/api/types.go b/pkg/config/api/types.go
index 9e8857aa..a5052222 100644
--- a/pkg/config/api/types.go
+++ b/pkg/config/api/types.go
@@ -61,4 +61,8 @@ type KubeCertAgentSpec struct {
 // should contain at least 2 binaries: /bin/sleep and cat (somewhere on the $PATH). The default
 // for this value is "debian:latest".
 Image *string `json:"image"`
+
+ // ImagePullSecrets is a list of names of Kubernetes Secret objects that will be used as
+ // ImagePullSecrets on the kube-cert-agent pods.
+ ImagePullSecrets []string
 }
diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go
index aec478b2..c641c515 100644
--- a/pkg/config/config_test.go
+++ b/pkg/config/config_test.go
@@ -39,6 +39,7 @@ func TestFromPath(t *testing.T) {
 KubeCertAgent:
 namePrefix: kube-cert-agent-name-prefix-
 image: kube-cert-agent-image
+ imagePullSecrets: [kube-cert-agent-image-pull-secret]
 `),
 wantConfig: &api.Config{
 DiscoveryInfo: api.DiscoveryInfoSpec{
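Review bot: The new `ImagePullSecrets []string` field in the pkg/config/api/types.go hunk has no struct tag, while the `Image` field directly above it carries `json:"image"`. The config test in this diff supplies the key as `imagePullSecrets`, which presumably binds only through the decoder's case-insensitive field matching. I would declare the key explicitly by adding the tag `json:"imagePullSecrets"` to the field, and say in the comment that omitting the key leaves the list empty. The struct starts above the hunk.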
@@ -56,8 +57,9 @@ func TestFromPath(t *testing.T) {
 APIService: "pinniped-api",
 },
 KubeCertAgentConfig: api.KubeCertAgentSpec{
- NamePrefix: stringPtr("kube-cert-agent-name-prefix-"),
- Image: stringPtr("kube-cert-agent-image"),
+ NamePrefix: stringPtr("kube-cert-agent-name-prefix-"),
+ Image: stringPtr("kube-cert-agent-image"),
+ ImagePullSecrets: []string{"kube-cert-agent-image-pull-secret"},
 },
 },
 },