feat(charts): use flag to define image pull secrets

Updates the kubewarden-controller Helm chart to use the new controller
CLI flag that allow users to define a list of secrets with the data to
allowing container image download from private registries.

Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>
Assisted-by: Github Copilot

Author: jvanz

charts/kubewarden-controller/templates/_helpers.tpl

@@ -112,6 +112,24 @@ Create the name of the service account to use for kubewarden-controller
 {{- end -}}
 {{- end -}}
 
+{{/*
+Build a comma-separated list of Secret names from .Values.imagePullSecrets,
+for use with the controller --image-pull-secrets flag. Handles both string
+entries and {name: ...} objects. Returns an empty string when no secrets
+are configured.
+*/}}
+{{- define "policyServerImagePullSecretNames" -}}
+{{- $names := list -}}
+{{- range .Values.imagePullSecrets -}}
+  {{- if kindIs "string" . -}}
+    {{- $names = append $names . -}}
+  {{- else -}}
+    {{- $names = append $names .name -}}
+  {{- end -}}
+{{- end -}}
+{{- join "," $names -}}
+{{- end -}}
+
 {{- define "audit-scanner.command" -}}
 {{- $parallelNamespaces := .Values.auditScanner.parallelNamespaces | int -}}
 {{- $parallelResources := .Values.auditScanner.parallelResources | int -}}

charts/kubewarden-controller/templates/deployment.yaml

@@ -58,6 +58,10 @@ spec:
        {{- if .Values.mTLS.enable }}
         - --client-ca-configmap-name={{ .Values.mTLS.configMapName }}
        {{- end }}
+       {{- $imagePullSecretNames := include "policyServerImagePullSecretNames" . }}
+       {{- if $imagePullSecretNames }}
+        - --image-pull-secrets={{ $imagePullSecretNames }}
+       {{- end }}
        {{- if or .Values.telemetry.metrics .Values.telemetry.tracing }}
        {{- if eq .Values.telemetry.mode "sidecar" }}
         - --enable-otel-sidecar

charts/kubewarden-controller/tests/image_pull_secrets_test.yaml

@@ -0,0 +1,38 @@
+suite: image-pull-secrets flag
+templates:
+  - deployment.yaml
+tests:
+  - it: "should not include --image-pull-secrets when imagePullSecrets is empty (default)"
+    asserts:
+      - notContains:
+          path: spec.template.spec.containers[0].args
+          content: "--image-pull-secrets"
+          any: true
+
+  - it: "should include --image-pull-secrets when imagePullSecrets contains a string entry"
+    set:
+      imagePullSecrets:
+        - my-registry-secret
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].args
+          content: "--image-pull-secrets=my-registry-secret"
+
+  - it: "should include --image-pull-secrets when imagePullSecrets contains an object entry"
+    set:
+      imagePullSecrets:
+        - name: my-registry-secret
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].args
+          content: "--image-pull-secrets=my-registry-secret"
+
+  - it: "should include multiple imagePullSecrets as a comma-separated list"
+    set:
+      imagePullSecrets:
+        - secret-one
+        - secret-two
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].args
+          content: "--image-pull-secrets=secret-one,secret-two"

charts/kubewarden-controller/values.yaml

@@ -109,7 +109,9 @@ global:
 nameOverride: ""
 # fullnameOverride completely replaces the generated release name
 fullnameOverride: ""
-# Secrets to pull container images from private registries
+# Secrets to pull container images from private registries. When set, the
+# secret names are passed to the controller via --image-pull-secrets and added
+# to the spec.template.spec.imagePullSecrets of every policy-server Deployment.
 imagePullSecrets: []
 # -- Additional labels to add to all resources
 additionalLabels: {}