Allows multiple imagePullSecrets in the helm chart.

[AlessioCasco]

Hello

Proposed changes

This allows multiple imagePullSecrets in the helm chart as discussed in #4589

Adds 1 new helm value: imagePullSecretsNames that with time will replace imagePullSecretName.
For compatibility reasons, both values work now.

I have not edited any release or changelog file for now, let me know if this is automated or if you want me to add the info.

Tests:

• Setting imagePullSecretsNames to something other than an array, raises:

Error: values don't meet the specifications of the schema(s) in the following chart(s):
nginx-ingress:
- controller.serviceAccount.imagePullSecretsNames: Invalid type. Expected: array, given: string

• Setting imagePullSecretName to "" and imagePullSecretsNames to [] renders:

# Source: nginx-ingress/templates/controller-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx-nginx-ingress
  namespace: default
  labels:
    helm.sh/chart: nginx-ingress-1.0.2
    app.kubernetes.io/name: nginx-ingress
    app.kubernetes.io/instance: nginx
    app.kubernetes.io/version: "3.3.2"
    app.kubernetes.io/managed-by: Helm

• Setting imagePullSecretName to "secret_1" and imagePullSecretsNames to [] renders:

# Source: nginx-ingress/templates/controller-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx-nginx-ingress
  namespace: default
  labels:
    helm.sh/chart: nginx-ingress-1.0.2
    app.kubernetes.io/name: nginx-ingress
    app.kubernetes.io/instance: nginx
    app.kubernetes.io/version: "3.3.2"
    app.kubernetes.io/managed-by: Helm
imagePullSecrets:
- name: secret_1

• Setting imagePullSecretName to "" and imagePullSecretsNames to [secret_2_from_list] renders:

# Source: nginx-ingress/templates/controller-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx-nginx-ingress
  namespace: default
  labels:
    helm.sh/chart: nginx-ingress-1.0.2
    app.kubernetes.io/name: nginx-ingress
    app.kubernetes.io/instance: nginx
    app.kubernetes.io/version: "3.3.2"
    app.kubernetes.io/managed-by: Helm
imagePullSecrets:
- name: secret_2_from_list

• Setting imagePullSecretName to "secret_1" and imagePullSecretsNames to [secret_2_from_list] renders:

# Source: nginx-ingress/templates/controller-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx-nginx-ingress
  namespace: default
  labels:
    helm.sh/chart: nginx-ingress-1.0.2
    app.kubernetes.io/name: nginx-ingress
    app.kubernetes.io/instance: nginx
    app.kubernetes.io/version: "3.3.2"
    app.kubernetes.io/managed-by: Helm
imagePullSecrets:
- name: secret_1
- name: secret_2_from_list

• Setting imagePullSecretName to "secret_1" and imagePullSecretsNames to [secret_2_from_list, secret_3_from_list] renders:

# Source: nginx-ingress/templates/controller-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx-nginx-ingress
  namespace: default
  labels:
    helm.sh/chart: nginx-ingress-1.0.2
    app.kubernetes.io/name: nginx-ingress
    app.kubernetes.io/instance: nginx
    app.kubernetes.io/version: "3.3.2"
    app.kubernetes.io/managed-by: Helm
imagePullSecrets:
- name: secret_1
- name: secret_2_from_list
- name: secret_3_from_list

Checklist

Before creating a PR, run through this checklist and mark each as complete.

• I have read the CONTRIBUTING doc
• I have added tests that prove my fix is effective or that my feature works
• I have checked that all unit tests pass after adding my changes
• I have updated necessary documentation
• I have rebased my branch onto main
• I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

[haywoodsh]

Hi @AlessioCasco I checked out your branch, and it seems to work for me! One thing I noticed, though, is that we currently don't have a mechanism in place to prevent both imagePullSecretName and imagePullSecretsNames from being used simultaneously.

One possible solution could be to introduce some restrictions to the JSON schema, like so:

"oneOf": [
   {
     "required": ["imagePullSecretName"],
     "not": {
       "required": ["imagePullSecretsNames"]
     }
   },
   {
     "required": ["imagePullSecretsNames"],
     "not": {
       "required": ["imagePullSecretName"]
     }
   }
 ]

[AlessioCasco]

Hi! @haywoodsh
I hope I have done what you asked. I must say that I LOOOOOOVE JSON SCHEMA! :-D
I know, it doesn't look pretty at all, but this is the only way I managed to make it work. The error is not perfect but acceptable IMHO.

Alternatives

If the solution doesn't look good to you we can also do:

• Set imagePullSecretName to be both string or array, depending on how ppl set it up, and keep one variable only. The naming is not perfect I know.
• Move the logic from the JSON schema to the templates.

Tests

I've tested all combinations and all seem to work well now:

Both set

imagePullSecretName: "test"
imagePullSecretsNames: [alessio,casco]

Returns

walk.go:74: found symbolic link in path: /Users/alessio/gitrep/AlessioCasco/kubernetes-ingress/charts/nginx-ingress/crds resolves to /Users/alessio/gitrep/AlessioCasco/kubernetes-ingress/config/crd/bases. Contents of linked file included and used
Error: values don't meet the specifications of the schema(s) in the following chart(s):
nginx-ingress:
- controller.serviceAccount: Must validate one and only one schema (oneOf)
- controller.serviceAccount.imagePullSecretName: String length must be less than or equal to 0

---0---

Both null

imagePullSecretName: ""
imagePullSecretsNames: []

renders

apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx-nginx-ingress
  namespace: default
  labels:
    helm.sh/chart: nginx-ingress-1.0.2
    app.kubernetes.io/name: nginx-ingress
    app.kubernetes.io/instance: nginx
    app.kubernetes.io/version: "3.3.2"
    app.kubernetes.io/managed-by: Helm
---

---0---

Only one null

imagePullSecretName: ""

renders

apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx-nginx-ingress
  namespace: default
  labels:
    helm.sh/chart: nginx-ingress-1.0.2
    app.kubernetes.io/name: nginx-ingress
    app.kubernetes.io/instance: nginx
    app.kubernetes.io/version: "3.3.2"
    app.kubernetes.io/managed-by: Helm
---

---0---

The other one null

imagePullSecretsNames: []

renders

apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx-nginx-ingress
  namespace: default
  labels:
    helm.sh/chart: nginx-ingress-1.0.2
    app.kubernetes.io/name: nginx-ingress
    app.kubernetes.io/instance: nginx
    app.kubernetes.io/version: "3.3.2"
    app.kubernetes.io/managed-by: Helm
---

---0---

No values defined

apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx-nginx-ingress
  namespace: default
  labels:
    helm.sh/chart: nginx-ingress-1.0.2
    app.kubernetes.io/name: nginx-ingress
    app.kubernetes.io/instance: nginx
    app.kubernetes.io/version: "3.3.2"
    app.kubernetes.io/managed-by: Helm
---

---0---

Only array set

 imagePullSecretsNames: [alessio,casco]

renders

kind: ServiceAccount
metadata:
  name: nginx-nginx-ingress
  namespace: default
  labels:
    helm.sh/chart: nginx-ingress-1.0.2
    app.kubernetes.io/name: nginx-ingress
    app.kubernetes.io/instance: nginx
    app.kubernetes.io/version: "3.3.2"
    app.kubernetes.io/managed-by: Helm
imagePullSecrets:
- name: alessio
- name: casco
---

---0---

Only array set + null the other

 imagePullSecretName: ""
 imagePullSecretsNames: [alessio,casco]

renders

kind: ServiceAccount
metadata:
  name: nginx-nginx-ingress
  namespace: default
  labels:
    helm.sh/chart: nginx-ingress-1.0.2
    app.kubernetes.io/name: nginx-ingress
    app.kubernetes.io/instance: nginx
    app.kubernetes.io/version: "3.3.2"
    app.kubernetes.io/managed-by: Helm
imagePullSecrets:
- name: alessio
- name: casco
---

---0---

Null the array + set the string

imagePullSecretName: "test"
imagePullSecretsNames: []

renders

apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx-nginx-ingress
  namespace: default
  labels:
    helm.sh/chart: nginx-ingress-1.0.2
    app.kubernetes.io/name: nginx-ingress
    app.kubernetes.io/instance: nginx
    app.kubernetes.io/version: "3.3.2"
    app.kubernetes.io/managed-by: Helm
imagePullSecrets:
- name: test

---0---

Only string set

imagePullSecretName: "test"

renders

apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx-nginx-ingress
  namespace: default
  labels:
    helm.sh/chart: nginx-ingress-1.0.2
    app.kubernetes.io/name: nginx-ingress
    app.kubernetes.io/instance: nginx
    app.kubernetes.io/version: "3.3.2"
    app.kubernetes.io/managed-by: Helm
imagePullSecrets:
- name: test
---

[shaun-nx]

@AlessioCasco thank you very much for providing such comprehensive tests!
I've approved & run the pipeline.
There is one reported linter issue with charts/nginx-ingress/README.md that needs to be fixed and then we should be good to merge 🙂

[AlessioCasco]

Hi!
Just saw that sorry, let me fix that now.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (39f9fa3) 52.09% compared to head (6417a19) 52.09%.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #4656   +/-   ##
=======================================
  Coverage   52.09%   52.09%           
=======================================
  Files          59       59           
  Lines       17033    17033           
=======================================
  Hits         8873     8873           
  Misses       7862     7862           
  Partials      298      298           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[AlessioCasco]

Hi!

If you roughly know already when you want to deprecate imagePullSecretName let me know and I will be more than happy to create the issue + PR at that time, otherwise feel free to assign to me the issue you'll create and I'll issue the PR.

[shaun-nx]

@AlessioCasco sounds good, and thank you again for contributing! 🎉
We will typically follow the regular depreciation pattern of 3 releases to give folks enough time to move over their configuration 🙂