feat(helm): support imagePullSecrets and make all images overridable (#70)

Add a global imagePullSecrets value that applies to every pod spec in
the chart and propagates to controller-managed agent pods via env var.
Also extract the hardcoded alpine:3.21 in the Keycloak provision job
into keycloak.provisionImage for consistency.

Signed-off-by: Tomas Pilar <thomas7pilar@gmail.com>

Author: pilartomas

deploy/helm/humr/templates/_helpers.tpl

@@ -45,6 +45,28 @@ Chart label
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
+{{/*
+imagePullSecrets — renders the imagePullSecrets list if non-empty.
+*/}}
+{{- define "humr.imagePullSecrets" -}}
+{{- with .Values.imagePullSecrets }}
+imagePullSecrets:
+  {{- toYaml . | nindent 2 }}
+{{- end }}
+{{- end }}
+
+{{/*
+nameList — comma-separated .name values from a list of objects.
+Usage: {{ include "humr.nameList" .Values.someList }}
+*/}}
+{{- define "humr.nameList" -}}
+{{- $names := list }}
+{{- range . }}
+{{- $names = append $names .name }}
+{{- end }}
+{{- join "," $names }}
+{{- end }}
+
 {{/* ---- Public URLs (derived from domain + port + scheme) ---- */}}
 
 {{/*

deploy/helm/humr/templates/apiserver/app.yaml

@@ -39,6 +39,7 @@ spec:
         {{- include "humr.labels" . | nindent 8 }}
         app.kubernetes.io/component: apiserver
     spec:
+      {{- include "humr.imagePullSecrets" . | nindent 6 }}
       serviceAccountName: {{ include "humr.apiserver.serviceAccountName" . }}
       containers:
         - name: apiserver

deploy/helm/humr/templates/controller/deployment.yaml

@@ -21,6 +21,7 @@ spec:
         {{- include "humr.selectorLabels" . | nindent 8 }}
         app.kubernetes.io/component: controller
     spec:
+      {{- include "humr.imagePullSecrets" . | nindent 6 }}
       serviceAccountName: {{ include "humr.controller.serviceAccountName" . }}
       containers:
         - name: controller
@@ -58,6 +59,10 @@ spec:
               value: {{ .Values.controller.caCertInitImage | default "busybox:stable" }}
             - name: AGENT_IMAGE_PULL_POLICY
               value: {{ .Values.controller.agentImagePullPolicy | default "IfNotPresent" }}
+            {{- with .Values.controller.agentImagePullSecrets }}
+            - name: AGENT_IMAGE_PULL_SECRETS
+              value: {{ include "humr.nameList" . }}
+            {{- end }}
             - name: HUMR_IDLE_TIMEOUT
               value: {{ .Values.controller.idleTimeout | default "1h" | quote }}
             - name: HUMR_TERMINATION_GRACE_PERIOD

deploy/helm/humr/templates/keycloak/app.yaml

@@ -43,6 +43,7 @@ spec:
         app.kubernetes.io/component: keycloak
       annotations: {}
     spec:
+      {{- include "humr.imagePullSecrets" . | nindent 6 }}
       initContainers:
         - name: wait-for-postgres
           image: {{ .Values.postgres.image }}

deploy/helm/humr/templates/keycloak/provision-job.yaml

@@ -19,6 +19,7 @@ spec:
         {{- include "humr.labels" . | nindent 8 }}
         app.kubernetes.io/component: keycloak-provision
     spec:
+      {{- include "humr.imagePullSecrets" . | nindent 6 }}
       restartPolicy: OnFailure
       initContainers:
         - name: config-cli
@@ -64,7 +65,7 @@ spec:
                keycloak-config-cli cannot modify realm-management authorizationSettings
                reliably, so we use the Admin REST API after realm import. */}}
         - name: token-exchange-setup
-          image: alpine:3.21
+          image: {{ .Values.keycloak.provisionImage }}
           env:
             - name: KC_URL
               value: "http://{{ $appName }}:{{ .Values.keycloak.port }}"

deploy/helm/humr/templates/onecli/app.yaml

@@ -63,6 +63,7 @@ spec:
         {{- include "humr.labels" . | nindent 8 }}
         app.kubernetes.io/component: onecli
     spec:
+      {{- include "humr.imagePullSecrets" . | nindent 6 }}
       initContainers:
         - name: wait-for-postgres
           image: {{ .Values.postgres.image }}

deploy/helm/humr/templates/postgres.yaml

@@ -62,6 +62,7 @@ spec:
         app.kubernetes.io/component: postgres
         app.kubernetes.io/instance: {{ .Release.Name }}
     spec:
+      {{- include "humr.imagePullSecrets" . | nindent 6 }}
       containers:
         - name: postgres
           image: {{ .Values.postgres.image }}

deploy/helm/humr/templates/ui/app.yaml

@@ -84,6 +84,7 @@ spec:
       annotations:
         checksum/nginx-config: {{ toYaml .Values.ui | sha256sum }}
     spec:
+      {{- include "humr.imagePullSecrets" . | nindent 6 }}
       containers:
         - name: ui
           image: "{{ .Values.ui.image.repository }}:{{ .Values.ui.image.tag | default .Chart.AppVersion }}"

deploy/helm/humr/values.yaml

@@ -6,6 +6,13 @@ port: "4444"
 # -- URL scheme (http for local dev, https for production)
 scheme: http
 
+# -- Pull secrets for all pods managed by this chart.
+# Agent pods (managed by the controller) also inherit these secrets.
+# Example:
+#   imagePullSecrets:
+#     - name: my-registry-secret
+imagePullSecrets: []
+
 # -- Target namespace for agent workloads (instances, templates, schedules)
 agentNamespace: humr-agents
 
@@ -107,6 +114,7 @@ keycloak:
   enabled: true
   image: quay.io/keycloak/keycloak:26.5.4
   configCliImage: adorsys/keycloak-config-cli:latest-26.5.4
+  provisionImage: alpine:3.21
   port: 8080
 
   # -- Admin credentials (for Keycloak admin console)
@@ -205,6 +213,9 @@ controller:
     pullPolicy: IfNotPresent
   caCertInitImage: busybox:stable
   agentImagePullPolicy: IfNotPresent
+  # -- Pull secrets for agent pods (in agentNamespace, separate from chart-level imagePullSecrets).
+  # The referenced secrets must exist in agentNamespace.
+  agentImagePullSecrets: []
   replicas: 1
   # -- Idle timeout before auto-hibernating running instances (Go duration, 0 = disabled)
   idleTimeout: "1h"

packages/controller/pkg/config/config.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"os"
 	"strconv"
+	"strings"
 	"time"
 )
 
@@ -22,6 +23,7 @@ type Config struct {
 	LeaseName        string // Leader election lease name
 	PodName          string // This pod's name (from downward API)
 	AgentImagePullPolicy      string        // ImagePullPolicy for agent pods (default: IfNotPresent)
+	AgentImagePullSecrets     []string      // Pull secret names for agent pods (comma-separated via env)
 	IdleTimeout               time.Duration // Idle timeout before auto-hibernation (0 = disabled, default: 1h)
 	TerminationGracePeriod    int64         // Termination grace period in seconds for agent pods (default: 5)
 	CACertInitImage      string // Image for the CA cert init container (default: busybox:stable)
@@ -55,6 +57,13 @@ func LoadFromEnv() (*Config, error) {
 	}
 	cfg.CACertInitImage = envOrDefault("CA_CERT_INIT_IMAGE", "busybox:stable")
 	cfg.AgentImagePullPolicy = envOrDefault("AGENT_IMAGE_PULL_POLICY", "IfNotPresent")
+	if v := os.Getenv("AGENT_IMAGE_PULL_SECRETS"); v != "" {
+		for _, s := range strings.Split(v, ",") {
+			if name := strings.TrimSpace(s); name != "" {
+				cfg.AgentImagePullSecrets = append(cfg.AgentImagePullSecrets, name)
+			}
+		}
+	}
 	cfg.IdleTimeout = envOrDefaultDuration("HUMR_IDLE_TIMEOUT", 1*time.Hour)
 	cfg.TerminationGracePeriod = int64(envOrDefaultInt("HUMR_TERMINATION_GRACE_PERIOD", 5))
 	return cfg, nil