
Add option for imagePullSecrets in podOptions

Open sandert-k8s opened this issue 9 months ago • 4 comments

Describe the feature

Add imagePullSecrets to the tenant CR, .spec.podOptions.imagePullSecrets. These imagePullSecrets gets automatically appended to the pod spec when a pod in the tenant is deployed. This is great when a GlobalTenantResource with imagePullSecrets is used, so these imagePullSecrets are automatically added and the tenantUser/owner doesn't have to do a thing for it :)

What would the new user story look like?

How would the new interaction with Capsule look like? E.g.

  1. Tenant owner creates a new Pod
  2. The imagePullSecrets are added to the Pod
  3. The tenant owner is happy and worry-free about these imagePullSecrets that we manage for him, and he doesn't have to think about adding them to his podSpec.

```yaml
apiVersion: capsule.clastix.io/v1beta2
kind: Tenant
metadata:
  name: tenant-a
  labels:
    tenant: a
spec:
  podOptions:
    imagePullSecrets:
      - name: secret-proxy-docker
      - name: secret-proxy-ghcr
  containerRegistries:
    allowed:
      - thisismy.containerregistry.io
```

And just for reference, to get the global picture, the globaltenantresource:

```yaml
apiVersion: capsule.clastix.io/v1beta2
kind: GlobalTenantResource
metadata:
  name: pullsecrets-tenant-a
spec:
  tenantSelector:
    matchLabels:
      tenant: a
  resyncPeriod: 60s
  resources:
    - namespacedItems:
        - apiVersion: v1
          kind: Secret
          namespace: tenant-a-secrets
          selector:
            matchLabels:
              imagePullSecret: thisismy.containerregistry.io
```

Expected behavior

ImagePullSecrets are automatically added to all pods in a tenant.

sandert-k8s commented Feb 06 '25 14:02

Same here as with the annotations: we will add a new Hook system, Kyverno-like, to apply such patches based on selected tenants or namespaces, decoupling it from tenants.

oliverbaehler commented Feb 06 '25 14:02

Yup that sounds good to me! 👍

sandert-k8s commented Feb 06 '25 14:02

In the meanwhile, since you're using Tenant Resources, you could update the default ServiceAccount on each Namespace where the secret is replicated to use the provided image pull secret.

https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-image-pull-secret-to-service-account

prometherion commented Feb 12 '25 21:02
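The workaround above, as an added example that is neither Capsule's code nor the commenter's: a small POSIX shell script that patches the `default` ServiceAccount in every Namespace of one tenant with the replicated pull secrets. It assumes Capsule labels tenant Namespaces with `capsule.clastix.io/tenant=<tenant>` and that the secret names (here the constructed `secret-proxy-docker` and `secret-proxy-ghcr` from the issue) already exist in each Namespace.

```shell
#!/usr/bin/env sh
# Added example, not part of Capsule. Attach replicated image pull secrets
# to the default ServiceAccount of every Namespace owned by a tenant.
# Assumption: Capsule labels tenant Namespaces with capsule.clastix.io/tenant.

# Build the patch body for a list of secret names.
# Note: this patch REPLACES the ServiceAccount's imagePullSecrets list
# (the field is not merged by key), so pass every secret the SA needs.
# Usage: pull_secret_patch secret-proxy-docker secret-proxy-ghcr
pull_secret_patch() {
  items=""
  for name in "$@"; do
    [ -n "$items" ] && items="$items,"
    items="$items{\"name\":\"$name\"}"
  done
  printf '{"imagePullSecrets":[%s]}' "$items"
}

# Patch the default ServiceAccount in each Namespace of the given tenant.
# Only Pods created afterwards pick up the ServiceAccount's pull secrets,
# and only if they do not set imagePullSecrets themselves.
# Usage: patch_tenant_default_sa tenant-a secret-proxy-docker secret-proxy-ghcr
patch_tenant_default_sa() {
  tenant="$1"; shift
  patch=$(pull_secret_patch "$@")
  for ns in $(kubectl get namespaces -l "capsule.clastix.io/tenant=$tenant" \
                -o jsonpath='{.items[*].metadata.name}'); do
    kubectl -n "$ns" patch serviceaccount default -p "$patch"
  done
}
```

Pods that run under a ServiceAccount other than `default` need the same patch applied to that ServiceAccount.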

This pull request has been automatically closed because it has been inactive for more than 60 days. Please reopen if you still intend to submit this pull request.

github-actions[bot] commented May 21 '25 00:05