Implement imagePullSecrets #1421

jandubois · 2020-10-01T21:31:46Z

Is your feature request related to a problem? Please describe.

It should be possible to pull kubecf from a private registry requiring authentication. Or just a subset of images, like rootfs and buildpacks for a custom stack.

Describe the solution you'd like

We should support a global list of image pull secret names, say kube.image_pull_secrets. This would be a list of names, not of imagePullSecret objects (which are just maps with a single name element). This would allow the user to deploy with:

helm install ... --set kube.image_pull_secrets={foo,bar}

The secrets themselves will have to be created by the user before installing kubecf. We don't want to create the secrets as part of the kubecf helm chart because we don't want to make any assumption about how the secrets need to be specified.

These secrets will be added to the default service account. Since the namespace and service account already exist, it will be necessary to patch it using a helm pre-install hook. See for example helm patch default service account.

This also needs to be done to the service account of the Eirini namespace because the staging image will be pulled using that account.

The new kube.image_pull_secrets property needs to be added to the values.schema.yaml file as an "array of strings".

Describe alternatives you've considered

I originally considered defining imagePullSecrets for each release (and each non-bosh container image), and then setting them using the cf-operator facilities. However, imagePullSecrets are declared on the pod and not the container, so we would need to loop through all the jobs in an instance group to determine the list or required secrets. And for non cf-deployment based releases we only have the job name, but not the release name.

So this all gets pretty complex very quickly, but doesn't seem to provide any benefits over adding all the secrets to the service account, so I decided we should pursue the simpler alternative.

Additional context

cc @jbuns

The text was updated successfully, but these errors were encountered:

jbuns · 2020-10-02T09:15:07Z

Tying it to the Issue I created a few months back with:
#1003

jandubois · 2020-10-21T20:52:04Z

Implemented by #1482

jandubois added the Type: Enhancement New feature or request label Oct 1, 2020

jandubois assigned fargozhu Oct 1, 2020

jandubois mentioned this issue Oct 1, 2020

Configurable multi-stack support #1086

Closed

6 tasks

jandubois added the Priority: Medium label Oct 2, 2020

jandubois unassigned fargozhu Oct 2, 2020

jbuns self-assigned this Oct 2, 2020

jandubois mentioned this issue Oct 2, 2020

Ability to pull stemcell images from a private image repository #1003

Closed

fargozhu added this to the 2.6.0 milestone Oct 11, 2020

jbuns mentioned this issue Oct 14, 2020

feat: pull kubecf from a private registry requiring authentication #1482

Merged

7 tasks

fargozhu removed this from the 2.6.0 milestone Oct 21, 2020

jandubois closed this as completed Oct 21, 2020

fargozhu added this to the 2.6.0 milestone Oct 22, 2020

fargozhu added the changelog Issue must be present in the release notes. label Oct 26, 2020

fargozhu modified the milestones: 2.6.0, 2.7.0 Oct 26, 2020

fargozhu added the Status: Done Implemented and PR merged label Oct 26, 2020

fargozhu modified the milestones: 2.7.0, 2.6.0 Oct 26, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Implement imagePullSecrets #1421

Implement imagePullSecrets #1421

jandubois commented Oct 1, 2020

jbuns commented Oct 2, 2020

jandubois commented Oct 21, 2020

Implement imagePullSecrets #1421

Implement imagePullSecrets #1421

Comments

jandubois commented Oct 1, 2020

jbuns commented Oct 2, 2020

jandubois commented Oct 21, 2020