feat: forward image pull secrets #1583
Codecov Report
✅ All modified and coverable lines are covered by tests.
@@ Coverage Diff @@
## main #1583 +/- ##
==========================================
+ Coverage 75.04% 75.22% +0.18%
==========================================
Files 170 170
Lines 21062 21064 +2
==========================================
+ Hits 15805 15846 +41
+ Misses 5043 5006 -37
+ Partials 214 212 -2
|
| # Secrets to pull container images from private registries | ||
| # Secrets to pull container images from private registries. When set, the | ||
| # secret names are passed to the controller via --image-pull-secrets and added | ||
| # to the spec.template.spec.imagePullSecrets of every policy-server Deployment. |
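Review bot: the added comment lines say the secret names are passed on via --image-pull-secrets, but they do not tell the user in which namespace those Secrets must already exist, or that entries in this value are Secret names only and never the credentials themselves. Suggest adding one clause that names the namespace the Secrets are looked up in and states that each entry is the name of an existing Secret.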
I think we can remove this comment addition, it's an implementation detail, and is only partially true. This also happens for the audit-scanner CronJob and the controller Deployment.
Adds a new controller CLI flag to allow users to define a list of secrets that must be set in the policy server deployments to allow the container image to be downloaded from a private registry.
Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>
Assisted-by: Github Copilot

Updates the kubewarden-controller Helm chart to use the new controller CLI flag that allows users to define a list of secrets with the data to allow container image download from private registries.
Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>
Assisted-by: Github Copilot
flavio left a comment
thanks for the fix and for the changes you've done
| // inside the policy-server container so that the policy-server binary can | ||
| // pull OCI policy artifacts from private registries at runtime. Note: this | ||
| // secret is not used to pull the policy-server container image itself; use | ||
| // the controller's --image-pull-secrets flag for that purpose. |
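Review bot: the first lines of this comment say the secret is made available inside the policy-server container, which means the credential is readable by that process at runtime, yet the comment gives no guidance on how much access the credential should carry. Suggest adding a clause asking for a credential limited to pulling policy artifacts, next to the existing note that it is not used for the policy-server container image.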
I think this has too many implementation details as it ends in the PolicyServer CRDs end-user docs. I wouldn't mention the controller --image-pull-secrets flag, as users can't set that by hand. Nor would I mention that it is mounted inside the policy-server container, as we have PolicyServer CRs so users don't need to understand the implementation details.
I would mention that it is used for pulling policies from repositories (I wouldn't say private registries, they don't particularly need to be...), and have the note that it is not used for container images, if anything.
Signed-off-by: Víctor Cuadrado Juan <vcuadradojuan@suse.de>
Description
Adds a new controller CLI flag to allow users to define a list of secrets that must be set in the policy server deployments to allow the container image to be downloaded from a private registry. Also updates the Helm chart to expose this new CLI flag to users.
Fix #1576